Web-based application firewall (WAF)
mod_security is an open source web-based application firewall (WAF). It is just one possible piece of a hardened Apache web server setup. Use it with, or without, other tools.
If you want to use this along with other tools for hardening, refer back to the Apache Hardened Web Server guide. This document also uses all of the assumptions and conventions outlined in that original document. It is a good idea to review it before continuing.
One shortcoming of mod_security as installed from the standard Rocky Linux repositories is that the rules it ships with are minimal at best. To get a more extensive set of no-cost mod_security rules, this procedure uses the no-cost OWASP mod_security rules found here. OWASP stands for the Open Web Application Security Project. You can find out more about OWASP here.
As stated, this procedure uses the OWASP mod_security rules. What is not used is the configuration provided by that site, which also offers excellent tutorials on mod_security and other security-related tools. The document you are working through now does nothing more than help you install the tools and rules needed for hardening with mod_security on a Rocky Linux web server. Netnea is a team of technical professionals that provides security courses on their website. Much of this content is available at no cost, but they also offer in-house or group training.
Installing mod_security
To install the base package, use this command. It will install any missing dependencies. You also need wget if you do not have it installed:
dnf install mod_security wget
Installing the mod_security rules
It is important to follow this procedure carefully. The configuration from Netnea has been changed to fit Rocky Linux.
- Access the current OWASP rules by going to their GitHub site.
- On the right-hand side of the page, look for the releases and click on the tag for the latest release.
- Under «Assets» on the next page, right-click on the «Source Code (tar.gz)» link and copy the link.
- On your server, go to the Apache configuration directory, download the release whose link you copied, unpack it, and link it into place as crs:
cd /etc/httpd/conf
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.4.tar.gz
tar xzvf v3.3.4.tar.gz
ln -s coreruleset-3.3.4/ /etc/httpd/conf/crs
cp crs/crs-setup.conf.example crs/crs-setup.conf
The mod_security rules are now in place.
Configuration
With the rules in place, the next step is configuring these rules to load and run when httpd and mod_security run.
mod_security already has a configuration file at /etc/httpd/conf.d/mod_security.conf. You need to modify this file to include the OWASP rules. To do this, edit that configuration file and add the following lines:
vi /etc/httpd/conf.d/mod_security.conf
Include /etc/httpd/conf/crs/crs-setup.conf

SecAction "id:900110,phase:1,pass,nolog,\
  setvar:tx.inbound_anomaly_score_threshold=10000,\
  setvar:tx.outbound_anomaly_score_threshold=10000"

SecAction "id:900000,phase:1,pass,nolog,\
  setvar:tx.paranoia_level=1"

# === ModSec Core Rule Set: Runtime Exclusion Rules (ids: 10000-49999)

# ...

# === ModSecurity Core Rule Set Inclusion

Include /etc/httpd/conf/crs/rules/*.conf

# === ModSec Core Rule Set: Startup Time Rules Exclusions

# ...
Press ESC to leave insert mode, then type :wq and press Enter to save your changes and quit.
Restart httpd and verify mod_security
All you need to do at this point is restart httpd:
systemctl restart httpd
Verify that the service started as expected:
systemctl status httpd
Entries like this in /var/log/httpd/error_log will show that mod_security is loading correctly:
[Thu Jun 08 20:31:50.259935 2023] [:notice] [pid 1971:tid 1971] ModSecurity: PCRE compiled version="8.44 "; loaded version="8.44 2020-02-12"
[Thu Jun 08 20:31:50.259936 2023] [:notice] [pid 1971:tid 1971] ModSecurity: LUA compiled version="Lua 5.4"
[Thu Jun 08 20:31:50.259937 2023] [:notice] [pid 1971:tid 1971] ModSecurity: YAJL compiled version="2.1.0"
[Thu Jun 08 20:31:50.259939 2023] [:notice] [pid 1971:tid 1971] ModSecurity: LIBXML compiled version="2.9.13"
If you access the web site on the server, you should receive an entry in the /var/log/httpd/modsec_audit.log that shows the loading of OWASP rules:
Apache-Handler: proxy:unix:/run/php-fpm/www.sock|fcgi://localhost
Stopwatch: 1686249687051191 2023 (- - -)
Stopwatch2: 1686249687051191 2023; combined=697, p1=145, p2=458, p3=14, p4=45, p5=35, sr=22, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/); OWASP_CRS/3.3.4.
Server: Apache/2.4.53 (Rocky Linux)
Engine-Mode: "ENABLED"
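As an added example (not part of the Rocky Linux guide or of the ModSecurity project), the following POSIX shell script performs the checks a practitioner would run once the steps above are done: the CRS files are in place behind the crs symlink, both Include directives are wired into mod_security.conf, error_log carries the ModSecurity startup notices, and modsec_audit.log records the CRS version and Engine-Mode. It also reads back the inbound anomaly score threshold, because the value 10000 used in the configuration above means the CRS scores and logs requests but effectively never blocks them; the CRS default is 5, and lowering the threshold after tuning out false positives is what turns the rule set from monitoring into enforcement. The function names are my own, the default paths are the guide's, and demo_tree builds a throwaway directory containing the guide's sample log lines (constructed data) so the script runs without a live httpd.

```shell
#!/bin/sh
# Post-install checks for mod_security with the OWASP CRS (added example,
# not part of the Rocky Linux guide). Every function takes its path as an
# argument, defaulting to the guide's locations, so the same checks can be
# run against the constructed tree built by demo_tree below.

# 1. Rule files: the crs symlink must resolve to a tree holding
#    crs-setup.conf and at least one rules/*.conf file.
crs_files_ok() {
    conf_root="${1:-/etc/httpd/conf}"
    [ -f "$conf_root/crs/crs-setup.conf" ] || return 1
    set -- "$conf_root"/crs/rules/*.conf   # expands to the literal glob if empty
    [ -f "$1" ]
}

# 2. Wiring: mod_security.conf must Include both crs-setup.conf and
#    rules/*.conf; without either, httpd starts cleanly but no CRS rule runs.
crs_included() {
    modsec_conf="${1:-/etc/httpd/conf.d/mod_security.conf}"
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*/crs/crs-setup\.conf' "$modsec_conf" &&
        grep -Eq '^[[:space:]]*Include[[:space:]]+.*/crs/rules/\*\.conf' "$modsec_conf"
}

# 3. Threshold: print the inbound anomaly score threshold. 10000 (the guide's
#    starting value) means requests are scored and logged but effectively
#    never blocked; the CRS default is 5.
crs_inbound_threshold() {
    modsec_conf="${1:-/etc/httpd/conf.d/mod_security.conf}"
    sed -n 's/.*tx\.inbound_anomaly_score_threshold=\([0-9][0-9]*\).*/\1/p' "$modsec_conf" | head -n 1
}

# 4. Module loaded: the startup notices in error_log prove mod_security ran.
modsec_loaded() {
    grep -q 'ModSecurity: PCRE compiled version' "${1:-/var/log/httpd/error_log}"
}

# 5. Rules at runtime: the audit log's Producer line carries the CRS version
#    and the Engine-Mode line shows whether the engine is enforcing.
crs_audit_version() {
    sed -n 's/.*OWASP_CRS\/\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' "${1:-/var/log/httpd/modsec_audit.log}" | head -n 1
}
modsec_engine_mode() {
    sed -n 's/^Engine-Mode: "\([A-Z]*\)".*/\1/p' "${1:-/var/log/httpd/modsec_audit.log}" | head -n 1
}

# Constructed tree mirroring the guide's layout and its sample log lines,
# so the checks can be exercised without a live httpd. Prints the root dir.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/coreruleset-3.3.4/rules" "$root/conf.d"
    : > "$root/coreruleset-3.3.4/crs-setup.conf"
    : > "$root/coreruleset-3.3.4/rules/REQUEST-901-INITIALIZATION.conf"
    ln -s coreruleset-3.3.4 "$root/crs"
    cat > "$root/conf.d/mod_security.conf" <<EOF
Include $root/crs/crs-setup.conf
SecAction "id:900110,phase:1,pass,nolog,\\
  setvar:tx.inbound_anomaly_score_threshold=10000,\\
  setvar:tx.outbound_anomaly_score_threshold=10000"
Include $root/crs/rules/*.conf
EOF
    cat > "$root/error_log" <<'EOF'
[Thu Jun 08 20:31:50.259935 2023] [:notice] [pid 1971:tid 1971] ModSecurity: PCRE compiled version="8.44 "; loaded version="8.44 2020-02-12"
[Thu Jun 08 20:31:50.259936 2023] [:notice] [pid 1971:tid 1971] ModSecurity: LUA compiled version="Lua 5.4"
EOF
    cat > "$root/modsec_audit.log" <<'EOF'
Producer: ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/); OWASP_CRS/3.3.4.
Server: Apache/2.4.53 (Rocky Linux)
Engine-Mode: "ENABLED"
EOF
    printf '%s\n' "$root"
}

# Run every check, print one line per result, return 0 only if all pass.
run_checks() {
    conf_root="$1"; modsec_conf="$2"; error_log="$3"; audit_log="$4"; rc=0
    crs_files_ok "$conf_root"   && echo "ok   CRS files present" || { echo "FAIL CRS files missing under $conf_root/crs"; rc=1; }
    crs_included "$modsec_conf" && echo "ok   CRS included"      || { echo "FAIL CRS Include lines missing in $modsec_conf"; rc=1; }
    modsec_loaded "$error_log"  && echo "ok   module loaded"     || { echo "FAIL no ModSecurity startup notice in $error_log"; rc=1; }
    echo "info inbound threshold=$(crs_inbound_threshold "$modsec_conf") crs=$(crs_audit_version "$audit_log") engine=$(modsec_engine_mode "$audit_log")"
    return $rc
}

# Stand-alone run against the constructed tree; on a real server call
# run_checks with the guide's paths instead.
root=$(demo_tree)
run_checks "$root" "$root/conf.d/mod_security.conf" "$root/error_log" "$root/modsec_audit.log"
rm -rf "$root"
```

On a live server, run the same functions with no arguments (or with the guide's paths) after a request has hit the site, since modsec_audit.log only gains its Producer and Engine-Mode lines once a request has been processed.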
Conclusion
mod_security with OWASP rules is another tool to help in hardening an Apache web server. Periodically checking the GitHub site for newer rules and the latest official release is an ongoing maintenance step you need to perform.
mod_security, as with other hardening tools, has the potential for false-positive responses, so you must be prepared to tune this tool to your installation.
Like other solutions mentioned in the Apache Hardened Web Server guide, there are other no-cost and fee-based sources of mod_security rules and, for that matter, other WAF applications available. You can review one of these at Atomicorp's mod_security site.
Contributors: Ezequiel Bruni
4 Open Source Web Application Firewall for Better Security
Protect your web applications with the firewall
Thousands of websites get hacked every day due to misconfiguration or vulnerable code. A Web Application Firewall (WAF) is one of the best ways to protect your website from online threats.
If your website is available on the Internet, you can use online tools to scan it for vulnerabilities to get an idea of how secure it is. Don't worry if it's an intranet website; you can use the open source Nikto web scanner.
Commercial WAFs can be expensive, and if you are looking for a free solution to protect your website with a WAF, the following open-source Web Application Firewalls can be helpful.
ModSecurity
ModSecurity by TrustWave is one of the most popular web application firewalls, and it supports Apache HTTP, Microsoft IIS & Nginx.
ModSecurity's free rules will be helpful if you are looking for the following protection.
- Cross-site scripting
- Trojan
- Information leakage
- SQL injection
- Common web attacks
- Malicious activity
ModSecurity doesn't have a graphical interface, and if you are looking for one, you may consider using WAF-FLE. It lets you store, search, and view events in a console.
NAXSI
NAXSI stands for Nginx Anti-XSS & SQL Injection. As you can guess, it is only for the Nginx web server and mainly targets protection from cross-site scripting & SQL injection attacks.
NAXSI filters only GET and PUT requests, and the default configuration acts as a DROP-by-default firewall, so you have to add ACCEPT rules for it to work correctly.
WebKnight
WebKnight WAF is for Microsoft IIS. It's an ISAPI filter that secures your web server by blocking bad requests. WebKnight is useful for protecting against the following.
- Buffer overflow
- Directory traversal
- Character encoding
- SQL injection
- Blocking bad robots
- Hotlinking
- Brute force
- And much more…
In the default configuration, all blocked requests are logged, and you can customize this to your needs. WebKnight 3.0 has an admin web interface where you can customize the rules and perform administration tasks, including viewing statistics.
Shadow Daemon
Shadow Daemon detects, records, and prevents web attacks by filtering requests for malicious parameters. It comes with its own interface where you can administer and manage this WAF. It supports the PHP, Perl & Python language frameworks.
It can detect the following attacks.
- SQL injection
- XML injection
- Code injection
- Command injection
- XSS
- Backdoor access
- Local/remote file inclusion
Open source is free, but you don't get support, which means you need to rely on your own expertise and community support. So if you are looking for a commercial WAF, you may refer to the following.
- Cloudflare (cloud-based)
- Incapsula (cloud-based)
- F5 ASM
- TrustWave ModSecurity commercial rules
- StackPath
- SUCURI (cloud-based)
I hope this helps you get an idea about open source web application firewalls for the various platforms.