How To Install ModSecurity with Apache on AlmaLinux 8


This guide from Orcacore walks through installing ModSecurity with Apache on AlmaLinux 8. A web application firewall (WAF) establishes an external security perimeter around your web applications, detecting and preventing attacks before they can compromise them.

ModSecurity is an open-source web application firewall (WAF) that integrates with various web servers, including Apache, Nginx, and IIS. It shields web applications from a wide range of threats using a flexible rule engine capable of both simple and complex operations. This article provides a step-by-step guide to the installation and configuration process.

Before proceeding, ensure you are logged into your AlmaLinux 8 server as a non-root user with sudo privileges. If you haven't already, refer to our guide on the Initial Server Setup with AlmaLinux 8 to configure your server appropriately.

Now, let's begin the installation.

1. Install Required Packages for ModSecurity Setup

Compiling LibModsecurity from source requires several build tools and dependencies. First, update your local package index:

sudo dnf update -y

Enable the PowerTools repository on AlmaLinux 8:

sudo dnf config-manager --set-enabled powertools

Install the EPEL and Remi repositories:

sudo dnf install epel-release -y
sudo dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm -y
sudo dnf config-manager --set-enabled remi

Install the necessary packages and dependencies:

sudo dnf install gcc-c++ flex bison yajl yajl-devel curl curl-devel zlib-devel pcre-devel autoconf automake git make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config wget openssl openssl-devel vim GeoIP-devel doxygen libmaxminddb libmaxminddb-devel lmdb lmdb-devel ssdeep-devel lua-devel perl-File-Path -y

2. Download ModSecurity from Source

Create a temporary directory to store the source tarballs:

mkdir ~/modsec

Note: You can also use /opt if preferred.

The ModSecurity source code is published on the ModSecurity Release page. You can download it with the wget command.

Switch to the directory you just created:

cd ~/modsec

Download the ModSecurity source code:

sudo wget -P ~/modsec https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.7/modsecurity-v3.0.7.tar.gz

Extract the downloaded file:

sudo tar xzf modsecurity-v3.0.7.tar.gz

3. Compile and Install ModSecurity on AlmaLinux 8

Navigate to the LibModsecurity source directory:

cd modsecurity-v3.0.7

Configure LibModSecurity:

sudo ./build.sh

Note: You can safely ignore the fatal: * messages.

sudo ./configure --with-maxmind=no

Address any dependency issues before proceeding.

Compile and install ModSecurity:

sudo make
sudo make install

4. Install ModSecurity-Apache Connector on AlmaLinux 8

Install the ModSecurity-apache connector, which facilitates communication between Apache and libModSecurity.

Clone the git repository for the ModSecurity Apache connector:

cd ~
sudo git clone https://github.com/SpiderLabs/ModSecurity-apache

Switch to the ModSecurity-apache directory and compile and install it:

cd ModSecurity-apache
sudo ./autogen.sh
sudo ./configure --with-libmodsecurity=/usr/local/modsecurity/
sudo make
sudo make install

5. Configure Apache with ModSecurity

Configure Apache to load the ModSecurity Apache connector module by adding the following line to the main Apache configuration file:

echo "LoadModule security3_module /usr/lib64/httpd/modules/mod_security3.so" | sudo tee -a /etc/httpd/conf/httpd.conf

Create a ModSecurity configuration directory:

sudo mkdir -p /etc/httpd/conf.d/modsecurity.d

Copy the sample ModSecurity configuration file:

sudo cp ~/modsec/modsecurity-v3.0.7/modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Copy the unicode.mapping file:

sudo cp ~/modsec/modsecurity-v3.0.7/unicode.mapping /etc/httpd/conf.d/modsecurity.d/

Activate ModSecurity by changing SecRuleEngine from DetectionOnly (matches are logged but not blocked) to On (matches are blocked):

sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Change the default log directory for ModSecurity:

sudo sed -i 's#/var/log/modsec_audit.log#/var/log/httpd/modsec_audit.log#' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Configure ModSecurity rules:

sudo tee /etc/httpd/conf.d/modsecurity.d/rules.conf > /dev/null << 'EOL'
Include "/etc/httpd/conf.d/modsecurity.d/modsecurity.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/*.conf"
EOL

6. Install OWASP ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set (CRS) provides generic attack detection rules.

Clone the CRS from the GitHub repository:

sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/httpd/conf.d/modsecurity.d/owasp-crs

Copy the crs-setup.conf.example file to crs-setup.conf:

sudo cp /etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf{.example,}

7. Activate ModSecurity on AlmaLinux 8

Activate ModSecurity on the default site configuration file or any virtual host configuration file.

Enable ModSecurity in a per-directory context by editing the main Apache configuration file:

sudo vi /etc/httpd/conf/httpd.conf

Add the following lines inside the <Directory "/var/www/html"> block:

 modsecurity on
 modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.conf

Save and close the file.

Check Apache for configuration errors and restart it:

httpd -t

Output
Syntax OK

sudo systemctl restart httpd
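
The sed commands in step 5 change nothing, and report nothing, when the text they look for is not in the file, and a mistyped Include path is easy to miss. The following check is an added example, not part of the original guide; the function names are its own, and it assumes the file layout created in steps 5 to 7.

```shell
#!/bin/sh
# Added example, not from the guide: check the files created in steps 5-7.
# Function names are this example's own.

# Effective SecRuleEngine value: comments are skipped, the last directive wins.
effective_engine() {
    [ -r "$1" ] || { echo "missing"; return; }
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# True if a path or wildcard matches at least one existing file.
glob_matches() {
    old_ifs=$IFS; IFS=   # no word splitting, so paths with spaces stay whole
    set -- $1            # unquoted on purpose so the shell expands wildcards
    IFS=$old_ifs
    [ -e "$1" ]
}

# Print each Include target of a rules file that matches nothing on disk.
missing_includes() {
    [ -r "$1" ] || { printf '%s\n' "$1"; return; }
    awk 'tolower($1) == "include" { gsub(/"/, "", $2); print $2 }' "$1" |
    while IFS= read -r target; do
        glob_matches "$target" || printf '%s\n' "$target"
    done
}

# Check one ModSecurity directory; returns non-zero if anything is off.
check_modsec_config() {
    dir=$1; status=0
    mode=$(effective_engine "$dir/modsecurity.conf")
    case $mode in
        [Oo][Nn]) ;;
        *) echo "SecRuleEngine is '$mode': requests are not blocked" >&2; status=1 ;;
    esac
    missing=$(missing_includes "$dir/rules.conf")
    if [ -n "$missing" ]; then
        echo "Include targets with no matching file:" >&2
        printf '%s\n' "$missing" >&2
        status=1
    fi
    return "$status"
}

# Runs only when a directory is given, e.g. /etc/httpd/conf.d/modsecurity.d
if [ "$#" -gt 0 ]; then
    check_modsec_config "$1"
fi
```

Run it with the configuration directory as its only argument; a non-zero exit status means the engine is not in blocking mode or a rules file is missing.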

8. Test ModSecurity Configuration

Test the effectiveness of ModSecurity with OWASP rules:

curl "localhost/index.html?exec=/bin/bash"

If you see 403 Forbidden, ModSecurity is working correctly. Check ModSecurity logs:

sudo tail /var/log/httpd/modsec_audit.log
sudo tail /var/log/httpd/error_log
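
Once requests are being blocked, the error log shows which rules matched, which is also where false positives show up. The following summarizer is an added example, not part of the original guide; its sample lines are constructed and shortened, and it assumes the bracketed [id "..."] and [msg "..."] fields that libmodsecurity writes in its log messages.

```shell
#!/bin/sh
# Added example, not from the guide: summarize which rules fired in error_log.
# Assumes the bracketed [id "..."] and [msg "..."] fields of libmodsecurity messages.

# Constructed, shortened sample lines (not real log output).
sample_log() {
    cat <<'EOF'
[core:notice] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[client 127.0.0.1] ModSecurity: Warning. [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [uri "/index.html"]
[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/index.html"]
[client 192.0.2.10] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [uri "/"]
[client 127.0.0.1] ModSecurity: Warning. [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [uri "/index.html"]
[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/index.html"]
EOF
}

# Print "count<TAB>rule id<TAB>warn|deny<TAB>msg", most frequent rule first.
# Reads the files given as arguments, or standard input when there are none.
summarize_modsec_hits() {
    awk '
    function field(name,    re) {          # value of [name "..."] or "-"
        re = "\\[" name " \"[^\"]*\""
        if (!match($0, re)) return "-"
        return substr($0, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
    }
    /ModSecurity: / {
        id = field("id")
        count[id]++
        action[id] = ($0 ~ /Access denied/) ? "deny" : "warn"
        msg[id] = field("msg")
    }
    END {
        for (id in count)
            printf "%d\t%s\t%s\t%s\n", count[id], id, action[id], msg[id]
    }' "$@" | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# With a log path, summarize it; without one, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    summarize_modsec_hits "$1"
else
    sample_log | summarize_modsec_hits
fi
```

Reading /var/log/httpd/error_log requires root, so run the script with sudo when pointing it at the real log.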

That’s it, you are done.

Conclusion

You have now installed ModSecurity with Apache on AlmaLinux 8, activated it, and set it up to protect your site from web attacks. ModSecurity adds an essential security layer to your web server, proactively safeguarding against common attacks.

Alternative Solutions to Installing ModSecurity with Apache on AlmaLinux 8

While compiling from source provides the most control, alternative methods can simplify the installation process. Here are two different approaches:

1. Using the COPR Repository

COPR (Cool Other Package Repositories) is a build system that provides software not yet available in standard repositories. A COPR repository exists that contains pre-built packages for ModSecurity and its Apache connector. This simplifies installation by skipping the compilation steps.

Explanation:

Using a COPR repository streamlines the installation by providing pre-built RPM packages. This eliminates the need for compiling from source, reducing the complexity and time required for setup. However, it’s crucial to understand that COPR repositories are community-maintained and may not be as thoroughly tested or secure as official repositories. Always exercise caution when using COPR packages.

Steps:

  1. Enable the COPR repository:

    sudo dnf copr enable vbernat/modsecurity-3.0

  2. Install ModSecurity and the Apache connector:

    sudo dnf install modsecurity mod_security3_apache

  3. Configure Apache: Follow steps 5-7 from the original guide, starting with creating the ModSecurity configuration directory and configuring the rules. The module should already be loaded. You can check with httpd -M | grep security3.

  4. Test ModSecurity: Follow step 8 to ensure everything is working correctly.

2. Using a Docker Container

Deploying ModSecurity and Apache within a Docker container offers a highly isolated and reproducible environment. Several pre-built Docker images are available that include ModSecurity, Apache, and often the OWASP CRS.

Explanation:

Docker containers encapsulate all the necessary dependencies and configurations within a single image. This approach offers several advantages: it simplifies deployment, ensures consistency across different environments, and provides isolation, enhancing security. However, it requires familiarity with Docker and containerization concepts.

Steps:

  1. Install Docker:

    sudo dnf install docker -y
    sudo systemctl start docker
    sudo systemctl enable docker

  2. Pull a pre-built ModSecurity/Apache Docker image:

    docker pull owasp/modsecurity-crs:apache

    (This is just an example; research and choose an image that fits your needs.)

  3. Configure the Container: This will vary depending on the specific image you choose. Most images allow you to mount configuration files (like modsecurity.conf, rules.conf, and CRS files) from your host machine into the container. This allows you to customize ModSecurity’s behavior.

    For example, you might create a directory on your host machine:

    mkdir -p /opt/modsecurity/config

    And then copy the necessary configuration files into that directory. You’ll then need to consult the documentation for the specific Docker image you’re using to determine how to mount this directory into the container.

  4. Run the Docker container:

    This is a sample command; adjust it based on the image’s documentation and your desired configuration.

    docker run -d -p 80:80 -v /opt/modsecurity/config:/usr/local/apache2/conf/modsecurity owasp/modsecurity-crs:apache

    This command runs the container in detached mode (-d), maps port 80 on the host to port 80 in the container (-p 80:80), and mounts the configuration directory (-v /opt/modsecurity/config:/usr/local/apache2/conf/modsecurity). The path after the colon (:) will depend on how the container is set up.

  5. Test ModSecurity: Follow step 8 to ensure everything is working correctly, accessing the application through the host’s IP address.

Both of these alternative solutions offer simpler installation methods compared to compiling from source. However, it’s important to carefully consider the security implications and maintenance overhead associated with each approach.
