2025-11-15 19:33:13 +00:00
|
|
|
# Apache ModSecurity WAF Configuration
|
2024-12-21 01:33:33 +01:00
|
|
|
|
2025-11-15 19:33:13 +00:00
|
|
|
This directory contains Apache ModSecurity WAF configuration files generated from OWASP CRS rules.
|
|
|
|
|
You can include these files in your existing Apache configuration to enhance security.
|
|
|
|
|
|
|
|
|
|
## Prerequisites
|
|
|
|
|
|
|
|
|
|
- Apache HTTP Server (2.4 or higher)
|
|
|
|
|
- ModSecurity module installed and enabled
|
|
|
|
|
- Core Rule Set (CRS) base configuration
|
|
|
|
|
|
|
|
|
|
## Installation
|
|
|
|
|
|
|
|
|
|
### Ubuntu/Debian
|
|
|
|
|
```bash
|
|
|
|
|
sudo apt-get update
|
|
|
|
|
sudo apt-get install libapache2-mod-security2
|
|
|
|
|
sudo a2enmod security2
|
|
|
|
|
sudo systemctl restart apache2
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### CentOS/RHEL
|
|
|
|
|
```bash
|
|
|
|
|
sudo yum install mod_security
|
|
|
|
|
sudo systemctl restart httpd
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Usage
|
|
|
|
|
|
|
|
|
|
1. Copy the generated configuration files to your Apache configuration directory:
|
|
|
|
|
```bash
|
|
|
|
|
sudo cp waf_patterns/apache/*.conf /etc/apache2/modsecurity.d/
|
|
|
|
|
# or for CentOS/RHEL:
|
|
|
|
|
# sudo cp waf_patterns/apache/*.conf /etc/httpd/modsecurity.d/
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
2. Include the configuration files in your Apache configuration.
|
|
|
|
|
|
|
|
|
|
Edit `/etc/apache2/mods-enabled/security2.conf` (Ubuntu/Debian) or `/etc/httpd/conf.d/mod_security.conf` (CentOS/RHEL):
|
|
|
|
|
```apache
|
|
|
|
|
<IfModule security2_module>
|
|
|
|
|
Include /etc/apache2/modsecurity.d/*.conf
|
|
|
|
|
</IfModule>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
3. Test the configuration:
|
|
|
|
|
```bash
|
|
|
|
|
# Ubuntu/Debian
|
|
|
|
|
sudo apache2ctl configtest
|
|
|
|
|
|
|
|
|
|
# CentOS/RHEL
|
|
|
|
|
sudo httpd -t
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
4. Reload Apache to apply the changes:
|
|
|
|
|
```bash
|
|
|
|
|
# Ubuntu/Debian
|
|
|
|
|
sudo systemctl reload apache2
|
|
|
|
|
|
|
|
|
|
# CentOS/RHEL
|
|
|
|
|
sudo systemctl reload httpd
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Configuration Details
|
|
|
|
|
|
|
|
|
|
The generated rules include:
|
|
|
|
|
- **SQL Injection (SQLi)** detection patterns
|
|
|
|
|
- **Cross-Site Scripting (XSS)** prevention rules
|
|
|
|
|
- **Remote Code Execution (RCE)** blocking
|
|
|
|
|
- **Local File Inclusion (LFI)** protection
|
|
|
|
|
- **Bad Bot/User-Agent** blocking
|
|
|
|
|
|
|
|
|
|
## Customization
|
|
|
|
|
|
|
|
|
|
You can adjust the severity and actions for each rule by modifying the configuration files.
|
|
|
|
|
Common actions include:
|
|
|
|
|
- `deny` - Block the request
|
|
|
|
|
- `log` - Log the event
|
|
|
|
|
- `status:403` - Return HTTP 403 Forbidden
|
|
|
|
|
|
|
|
|
|
## Troubleshooting
|
|
|
|
|
|
|
|
|
|
### Check ModSecurity is loaded
|
|
|
|
|
```bash
|
|
|
|
|
# Ubuntu/Debian
|
|
|
|
|
apache2ctl -M | grep security
|
|
|
|
|
|
|
|
|
|
# CentOS/RHEL
|
|
|
|
|
httpd -M | grep security
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### View ModSecurity logs
|
|
|
|
|
```bash
|
|
|
|
|
# Ubuntu/Debian
|
|
|
|
|
sudo tail -f /var/log/apache2/modsec_audit.log
|
|
|
|
|
|
|
|
|
|
# CentOS/RHEL
|
|
|
|
|
sudo tail -f /var/log/httpd/modsec_audit.log
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Test with a sample attack
|
|
|
|
|
```bash
|
|
|
|
|
curl "http://yourserver.com/?id=1' OR '1'='1"
|
|
|
|
|
# Should return 403 Forbidden if WAF is working
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Notes
|
|
|
|
|
|
|
|
|
|
- Rules are updated daily via GitHub Actions
|
|
|
|
|
- Blocked requests return a `403 Forbidden` response by default
|
|
|
|
|
- Review the ModSecurity documentation for advanced configuration options
|
|
|
|
|
|
|
|
|
|
## Resources
|
|
|
|
|
|
|
|
|
|
- [ModSecurity Documentation](https://github.com/SpiderLabs/ModSecurity)
|
|
|
|
|
- [OWASP CRS](https://coreruleset.org/)
|
|
|
|
|
- [Apache ModSecurity Module](https://modsecurity.org/)
|
