Configure ModSecurity

45 minutes
  • 4 Learning Objectives

About this Hands-on Lab

The goal for this lab is to configure ModSecurity for the Apache web server. There are a few things you need to keep in mind before you start the lab. Take into consideration that firewalld is up and running and that ports 61613, 80, and 65535 are open. Port 61613 is your SSH port where you will connect. Apache is running on port 80, and the back end is functioning on port 65535. SELinux is in enforcing mode. The objective of the lab is to install ModSecurity from the repositories, load it, and instruct Apache to use it. Lastly, install ModSecurity to use OWASP rules in order to apply them against traffic.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Install `mod_security`
  1. Install mod_security from the repositories:
    sudo yum install mod_security
Configure OWASP Core Rule Set (CRS)
  1. Make a crs directory:

    sudo mkdir /etc/httpd/crs
  2. Navigate to the new directory:

    cd /etc/httpd/crs
  3. Install Git:

    sudo yum install git
  4. Clone a Git repository for OWASP CRS:

    sudo git clone
  5. Configure the new repository:

    sudo cd /etc/httpd/crs/owasp-modsecurity-crs/ 
  6. Make a copy of crs-setup.conf.example and rename it to crs-setup.conf:

    sudo cp crs-setup.conf.example crs-setup.conf
Inform Apache of the Changes
  1. Open the configuration file:

    sudo vim /etc/httpd/conf/httpd.conf
  2. Insert at the bottom of the file:

    <IfModule security2_module>
       Include /etc/httpd/crs/owasp-modsecurity-crs/crs-setup.conf
       Include /etc/httpd/crs/owasp-modsecurity-crs/rules/*.conf
  3. Save and close:

Restart Apache and Run a Few Tests to Confirm `mod_security` Is Working Properly
  1. Restart the Apache service:

    sudo systemctl restart httpd
  2. Run a test:

    curl -i http://<SERVER_IP_ADDRESS>/index.html -A Nessus 

Additional Resources

Note: For this lab, the use of a standalone terminal app with ssh support is best as the Instant Terminal does not permit port 61613. The instance does take a minute or so to be ready to be connected to via ssh.

The initial SSH port is 61613, which is the port you will use to initially connect to the server via SSH.

Since our servers suffer from continuous automated scans and a large amount of automated attacks on a daily basis, we need to implement some safeguards capable of stopping 80–90% of all malicious automated traffic.

For this purpose, we will use a mod_security module that will filter out a large number of malicious requests and prevent them from being fully processed by the web server.

However, ModSecurity does not do much in and of itself — rather, it interprets predefined rules that govern what requests are allowed and what requests are not allowed. With that said, we will install ModSecurity and configure it to work in conjunction with OWASP ModSecurity Core Rule Set.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?