Installation from Source (Ubuntu 20.04)

DrewPlots edited this page Oct 22, 2020 · 8 revisions

Warning: ModSecurity-apache is NOT stable. Development for ModSec apache connector is outdated.

Also, refer to current bug after installation:

AH00526: Syntax error on line 106 of /etc/apache2/conf-available/crs-setup.conf: Invalid command 'SecDefaultAction', perhaps misspelled or defined by a module not included in the server configuration

This is the error we get if we use apache2’s Include directive on crs-setup and the /rules directory.

TBD: How to Include crs-setup and rules directory without throwing an error.

System & Module Info

    WAF:		ModSecurity 3.0.4
    OS:		        Ubuntu Server 20.04 (4GB+ RAM for compiling)
    Server:		Apache 2.4
    Module:		ModSecurity-apache module
    Rule set:	        OWASP ModSecurity Core Rule Set

How this Guide is Written

=> Fresh server using non-root user
=> Using directory /opt/ModSecurity for application
=> Using directory /opt/ModSecurity/ModSecurity-apache for module
=> Using directory /opt/ModSecurity/coreruleset for OWASP Rule set
=> Using nano in bash: press "Ctrl + S" to save files, "Ctrl + X" to close
=> Alternatively, press "Ctrl + X", type "Y" & press enter to save & close

sudo apt-get update

Install apache2 Server

Ensure DNS setup is correct before continuing. Install the apache2 server and the apache2-dev libraries:

sudo apt install -y apache2 apache2-dev
sudo systemctl start apache2

Install Dependencies

Required packages to compile ModSecurity3 on Ubuntu Server 20.04 (Focal)

sudo apt install -y dh-autoreconf automake pkg-config doxygen valgrind bison flex libyajl-dev libgeoip-dev libmaxminddb-dev liblmdb-dev libfuzzy-dev lua5.3 libcurl4-openssl-dev libfuzzy-dev liblua5.3-dev libcurl4-openssl-dev libxml2-dev libpcre2-dev libpcre3-dev

Other Options

To enable the "Other Options", install what each one needs:

+ afl fuzzer (install clang; beyond scope of this guide)

+ Building parser (install bison and flex)

sudo apt install -y bison flex

Compilation with the Other Options is outlined in the next section.

Get & Compile ModSecurity 3.0.4

Change --branch "v3/master" to current release if necessary

sudo git clone --single-branch --branch v3/master https://github.com/SpiderLabs/ModSecurity /opt/ModSecurity/
cd /opt/ModSecurity
sudo git submodule init && sudo git submodule update
sudo ./build.sh

Then run ./configure or view section "Other Options" below.

sudo ./configure --with-curl=/usr --with-lmdb=/usr

If this is how you want to configure, then scroll to section Make & Make Install ModSecurity.

Compiling with "Other Options"

To enable the "Other Options", read the Other Options section and add each applicable option to your sudo ./configure … command.

+ afl fuzzer (beyond the scope of this guide)

+ Building parser

--enable-parser-generation

+ pm operations

--enable-mutex-on-pm

With both enabled, the ./configure command is:

sudo ./configure --with-curl=/usr --with-lmdb=/usr --enable-parser-generation --enable-mutex-on-pm

Compilation debug logs

SecDebugLog appears to be enabled by default (SecDebugLog ....enabled), but this is the argument for ./configure:

sudo ./configure --with-curl=/usr --with-lmdb=/usr --enable-debug-logs

Configuration Output

Ensure "Configuration Output" has found LibCURL, YAJL, LMDB, LibXML2, SSDEEP, LUA, and your included other options (as an example, all options are included except afl fuzzer)

ModSecurity - v3.0.4-87-g8da787a3 for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.9.2-30-gbf234eb
   + SecLang tests                                 ....d03f4c1

 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (MaxMind) v1.4.2
         -lmaxminddb, -DWITH_MAXMIND -I/usr/include/x86_64-linux-gnu
      * (GeoIP) v1.6.12
         -lGeoIP, -I/usr/include/
   + LibCURL                                       ....found v7.68.0
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.1.0
      -lyajl, -DWITH_YAJL -I/usr/include/yajl
   + LMDB                                          ....found
      -llmdb, -DWITH_LMDB -I/usr/include
   + LibXML2                                       ....found v2.9.10
      -lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found
      -lfuzzy -L/usr/lib/x86_64-linux-gnu/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v503
      -llua5.3 -L/usr/lib/x86_64-linux-gnu/, -DWITH_LUA -DWITH_LUA_5_3 -I/usr/include/lua5.3

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....enabled
   + Treating pm operations as critical section    ....enabled

Make & Make Install ModSecurity

Make & install

sudo make
sudo make install

ModSec Config to mods-available

Copy modsecurity.conf to apache2 mods-available

sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/apache2/mods-available/modsecurity.conf

LoadModule Directive in apache2.conf

sudo nano /etc/apache2/apache2.conf

Paste the following:

# Load .so, Include .conf, and enable ModSec
LoadModule security3_module /usr/lib/apache2/modules/mod_security3.so

Ensure "security3_module (shared)" module presence

sudo apache2ctl -M | grep sec

Output should be: security3_module (shared)

Restart apache2 to ensure stability

sudo systemctl restart apache2.service

Get & Compile ModSecurity-apache Module

Change --branch if necessary

sudo git clone --single-branch --branch master https://github.com/SpiderLabs/ModSecurity-apache /opt/ModSecurity/ModSecurity-apache
cd /opt/ModSecurity/ModSecurity-apache
sudo ./autogen.sh
sudo ./configure --with-libmodsecurity
sudo make
sudo make install

Get & Configure OWASP Rule Set

Change --branch if necessary

sudo git clone --single-branch --branch v3.3/master https://github.com/coreruleset/coreruleset /opt/ModSecurity/coreruleset/
cd /opt/ModSecurity/coreruleset
sudo git submodule init && sudo git submodule update

Depending on your system design, you may rename .example configs & remove examples.

cd /opt/ModSecurity/coreruleset/rules

sudo cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf && sudo rm RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example && sudo cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf && sudo rm REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example

Copy OWASP CRS rules to apache2

sudo cp -r /opt/ModSecurity/coreruleset/rules /etc/apache2/

Copy crs-setup

Copy & rename crs-setup.conf

sudo cp /opt/ModSecurity/coreruleset/crs-setup.conf.example /etc/apache2/conf-available/crs-setup.conf

Disable SecUnicodeMapFile (due to unicode.mapping error)

Until the bug is fixed, this will be required to prevent the unicode.mapping error

sudo nano /etc/apache2/mods-available/modsecurity.conf

Comment out the line:

SecUnicodeMapFile unicode.mapping 20127

Enable modsecurity, include conf, crs-setup, and rules

sudo nano /etc/apache2/apache2.conf

# Load mod_security3.so
LoadModule security3_module /usr/lib/apache2/modules/mod_security3.so

# Enable ModSecurity & link config
modsecurity on
modsecurity_rules_file /etc/apache2/mods-available/modsecurity.conf

# Include coreruleset & rules
#Include /etc/apache2/conf-available/crs-setup.conf
#Include /etc/apache2/rules/*.conf

We leave the last two Includes commented out and then restart apache2:

sudo apache2ctl restart

Server should restart with no errors.
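
The AH00526 error at the top of this page occurs because SecLang directives such as SecDefaultAction are parsed by libmodsecurity, not by Apache, so Apache's own Include cannot load crs-setup.conf or the rules. The script below is an added example, not part of the original guide and not tested against this connector build: it flags Apache Include lines that pull in SecLang files, and writes a wrapper file that loads them through modsecurity_rules_file instead. The wrapper name modsec-main.conf and both function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# List every file that an active Apache Include/IncludeOptional line in $1
# would load and that contains SecLang directives (SecRule, SecDefaultAction,
# ...). Apache cannot parse those with the v3 connector: that is AH00526.
# Assumes unquoted, absolute paths, as used throughout this guide.
find_seclang_includes() {
    conf=$1
    # Commented-out lines do not match; \2 is the path or glob argument.
    sed -n 's/^[[:space:]]*[Ii]nclude\(Optional\)\{0,1\}[[:space:]]\{1,\}\([^[:space:]]*\).*/\2/p' "$conf" |
    while IFS= read -r pattern; do
        # Unquoted on purpose so globs such as rules/*.conf expand.
        for f in $pattern; do
            [ -f "$f" ] || continue
            if grep -Eq '^[[:space:]]*Sec[A-Za-z]+([[:space:]]|$)' "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Write a wrapper file to $1 that loads the remaining arguments, in order,
# with SecLang's own Include directive (parsed by libmodsecurity, not Apache).
write_modsec_wrapper() {
    out=$1
    shift
    {
        printf '# Load with: modsecurity_rules_file %s\n' "$out"
        for path in "$@"; do
            printf 'Include %s\n' "$path"
        done
    } > "$out"
}

# Usage with this guide's paths (modsec-main.conf is a hypothetical name), as root:
#   find_seclang_includes /etc/apache2/apache2.conf
#   write_modsec_wrapper /etc/apache2/modsec-main.conf \
#       /etc/apache2/mods-available/modsecurity.conf \
#       /etc/apache2/conf-available/crs-setup.conf \
#       '/etc/apache2/rules/*.conf'
# then set: modsecurity_rules_file /etc/apache2/modsec-main.conf
```

Run sudo apache2ctl configtest after changing modsecurity_rules_file and before restarting, so a parse error does not take the server down.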