patterns/waf_patterns/apache

Apache ModSecurity WAF Configuration

This directory contains Apache ModSecurity WAF configuration files generated from OWASP CRS rules. You can include these files in your existing Apache configuration to enhance security.

Prerequisites

• Apache HTTP Server (2.4 or higher)
• ModSecurity module installed and enabled
• Core Rule Set (CRS) base configuration

Installation

Ubuntu/Debian

sudo apt-get update
sudo apt-get install libapache2-mod-security2
sudo a2enmod security2
sudo systemctl restart apache2

CentOS/RHEL

sudo yum install mod_security
sudo systemctl restart httpd

Usage

1. Copy the generated configuration files to your Apache configuration directory:

   sudo cp waf_patterns/apache/*.conf /etc/apache2/modsecurity.d/
   # or for CentOS/RHEL:
   # sudo cp waf_patterns/apache/*.conf /etc/httpd/modsecurity.d/
   

2. Include the configuration files in your Apache configuration.

   Edit /etc/apache2/mods-enabled/security2.conf (Ubuntu/Debian) or /etc/httpd/conf.d/mod_security.conf (CentOS/RHEL):

   <IfModule security2_module>
       Include /etc/apache2/modsecurity.d/*.conf
   </IfModule>
   

3. Test the configuration:

   # Ubuntu/Debian
   sudo apache2ctl configtest
   
   # CentOS/RHEL
   sudo httpd -t
   

4. Reload Apache to apply the changes:

   # Ubuntu/Debian
   sudo systemctl reload apache2
   
   # CentOS/RHEL
   sudo systemctl reload httpd
   

Configuration Details

The generated rules include:

• SQL Injection (SQLi) detection patterns
• Cross-Site Scripting (XSS) prevention rules
• Remote Code Execution (RCE) blocking
• Local File Inclusion (LFI) protection
• Bad Bot/User-Agent blocking

Customization

You can adjust the severity and actions for each rule by modifying the configuration files. Common actions include:

• deny - Block the request
• log - Log the event
• status:403 - Return HTTP 403 Forbidden

Troubleshooting

Check ModSecurity is loaded

# Ubuntu/Debian
apache2ctl -M | grep security

# CentOS/RHEL
httpd -M | grep security

View ModSecurity logs

# Ubuntu/Debian
sudo tail -f /var/log/apache2/modsec_audit.log

# CentOS/RHEL
sudo tail -f /var/log/httpd/modsec_audit.log

Test with a sample attack

curl "http://yourserver.com/?id=1' OR '1'='1"
# Should return 403 Forbidden if WAF is working

Notes

• Rules are updated daily via GitHub Actions
• Blocked requests return a 403 Forbidden response by default
• Review the ModSecurity documentation for advanced configuration options

Resources

• ModSecurity Documentation
• OWASP CRS
• Apache ModSecurity Module