Introduction

Web applications are constantly exposed to attacks such as SQL injection, cross-site scripting (XSS), command injection, and malicious bots. A Web Application Firewall (WAF) helps protect applications by inspecting HTTP traffic and blocking suspicious requests before they reach your application.
ModSecurity is a widely used open-source WAF, and when combined with the OWASP Core Rule Set (CRS), it provides strong, community-maintained protection against common web attacks.

Prerequisites
1. Ubuntu 20.04 / 22.04 / 24.04 server
2. Apache Web Server installed
3. Root or sudo access
4. Basic knowledge of Linux command line
5. An active website or virtual host (optional but recommended for testing)

Implementation

Step 1: Install Apache and ModSecurity
Update the system packages:
$ sudo apt update && sudo apt upgrade -y

Install Apache and the ModSecurity Apache module:
$ sudo apt install apache2 libapache2-mod-security2 -y

Enable the ModSecurity module and restart Apache:
$ sudo a2enmod security2
$ sudo systemctl restart apache2

Step 2: Enable ModSecurity Configuration
By default, ModSecurity runs in detection mode: it logs requests that match a rule but does not block them. First, put the recommended configuration in place:
$ sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Edit the configuration file:
$ sudo nano /etc/modsecurity/modsecurity.conf
Find the following line:
SecRuleEngine DetectionOnly
and change it to:
SecRuleEngine On

Save the file and restart Apache:
$ sudo systemctl restart apache2

Step 3: Download and Install OWASP Core Rule Set (CRS)
Create a directory for ModSecurity rules:
$ sudo mkdir /etc/apache2/modsec
$ cd /etc/apache2/modsec

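Download and extract the OWASP CRS release. This guide uses v3.3.4; if you use a newer release from the project's GitHub releases page, adjust the version in the commands and paths below:
$ sudo wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.4.tar.gz
$ sudo tar xvf v3.3.4.tar.gz

Copy the CRS setup file: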
$ sudo cp coreruleset-3.3.4/crs-setup.conf.example coreruleset-3.3.4/crs-setup.conf

Step 4: Enable CRS Rules in Apache
Edit the ModSecurity Apache configuration:
$ sudo nano /etc/apache2/mods-enabled/security2.conf

Inside the <IfModule security2_module> block, add the following lines in this order (crs-setup.conf must be loaded before the rule files):
Include /etc/apache2/modsec/coreruleset-3.3.4/crs-setup.conf
Include /etc/apache2/modsec/coreruleset-3.3.4/rules/*.conf

If you see any default CRS includes, comment them out to avoid conflicts:
# IncludeOptional /usr/share/modsecurity-crs/*.load

Restart Apache:
$ sudo systemctl restart apache2

Step 5: Verify ModSecurity and CRS
Test by sending a malicious-looking request in the browser:
https://yourdomain.com/?cmd=/bin/bash
If ModSecurity and CRS are working correctly, Apache should return a 403 Forbidden response.
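
The 403 depends on the settings from Steps 2 and 4. The script below is an added example, not part of the original guide: it checks a modsecurity.conf and a security2.conf for blocking mode, the order of the CRS includes, and a leftover packaged-CRS include. The function names and the sample files are constructed for illustration, and directive names are assumed to be written in the same case as in this guide.

```shell
#!/bin/sh
# Added example (not from the original guide): offline check of Steps 2 and 4.

# Print the effective SecRuleEngine value: the last uncommented directive wins.
engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 } END { print mode }' "$1"
}

# Succeed only if crs-setup.conf is included before rules/*.conf and no
# uncommented include of the packaged CRS (modsecurity-crs/*.load) remains.
crs_includes_ok() {
    awk '
        $1 ~ /^#/ { next }
        $1 ~ /^Include(Optional)?$/ && $2 ~ /modsecurity-crs\/.*\.load$/ { dup = 1 }
        $1 == "Include" && $2 ~ /crs-setup\.conf$/ { setup = NR }
        $1 == "Include" && $2 ~ /\/rules\/\*\.conf$/ { rules = NR }
        END { exit !(setup && rules && setup < rules && !dup) }
    ' "$1"
}

# check_waf_config MODSEC_CONF APACHE_CONF: print findings, return 1 on any.
check_waf_config() {
    rc=0
    mode=$(engine_mode "$1")
    if [ "$mode" != "On" ]; then
        echo "SecRuleEngine is '${mode:-unset}': requests will not be blocked"
        rc=1
    fi
    if ! crs_includes_ok "$2"; then
        echo "CRS includes are missing, out of order, or the packaged CRS is still loaded"
        rc=1
    fi
    return $rc
}

# Constructed sample: the state after Step 4 when the Step 2 edit was skipped.
demo=$(mktemp -d)
printf 'SecRuleEngine DetectionOnly\n' > "$demo/modsecurity.conf"
cat > "$demo/security2.conf" <<'EOF'
<IfModule security2_module>
    # IncludeOptional /usr/share/modsecurity-crs/*.load
    Include /etc/apache2/modsec/coreruleset-3.3.4/crs-setup.conf
    Include /etc/apache2/modsec/coreruleset-3.3.4/rules/*.conf
</IfModule>
EOF
check_waf_config "$demo/modsecurity.conf" "$demo/security2.conf" || echo "fix the findings above"
rm -rf "$demo"
```

On a server, replace the sample block with a call such as check_waf_config /etc/modsecurity/modsecurity.conf /etc/apache2/mods-enabled/security2.conf.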

Conclusion

ModSecurity with the OWASP Core Rule Set provides an effective and easy-to-deploy security layer for Apache web servers. By enabling CRS rules, your server can automatically detect and block common web attacks such as SQL injection, XSS, and malicious requests. With proper monitoring and gradual tuning, this setup helps improve overall web application security while minimizing false positives, making it a reliable first line of defense for production environments.
