Installing Apache2 + ModSecurity and customizing WAF rules on Ubuntu 16.04

Source: Internet
Author: User
Tags modsecurity

I. Example of ModSecurity rule syntax

SecRule is the primary ModSecurity directive and is used to create security rules. The basic syntax is as follows:

    SecRule VARIABLES OPERATOR [ACTIONS]

    VARIABLES identifies the items in the HTTP packet that the security rule targets. Common variables include ARGS (all request parameters), FILES (all file names), and so on.

    OPERATOR defines the matching criteria of the security rule. Common operators include @rx (regular expression match), @streq (string equality), @ipMatch (IP address match), and so on.

    ACTIONS defines what happens to a packet after it has matched a rule. Common actions include deny (reject the packet), pass (allow the packet to pass), id (the number of the rule), and severity (the severity of the event).

For more in-depth syntax, refer to the official manual. Since this experiment involves custom security rules, the three rules used in it are described in detail below:

Rule 1: Anti-XSS attack

    SecRule ARGS|REQUEST_HEADERS "@rx <script>" "id:001,msg:'XSS Attack',severity:ERROR,deny,status:404"

    ARGS: all request parameters; REQUEST_HEADERS: the request headers.

    @rx <script>: if the regular expression matches the string "<script>", the rule executes.

    id:001 sets the rule number to 001; msg:'XSS Attack' sets the log message to "XSS Attack"; severity:ERROR sets the severity to error; deny rejects the packet; status:404 indicates that the server response status code is 404.

    Description: Severity is divided into 8 levels: emergency (0), alert (1), critical (2), error (3), warning (4), notice (5), info (6), debug (7).

This rule means that every HTTP packet whose request parameters or request headers contain the string "<script>" is intercepted and logged by the server.

Rule 2: Set a whitelist

    SecRule REMOTE_ADDR "@ipMatch <TRUSTED_IP>" "id:002,phase:1,t:none,nolog,pass,ctl:ruleEngine=Off"

    REMOTE_ADDR: the IP address of the remote host.

    @ipMatch <TRUSTED_IP>: if the requesting host's IP address is the whitelisted address (shown here as the placeholder <TRUSTED_IP>), the rule executes.

    id:002 specifies that the rule number is 002; phase:1 indicates that the rule runs on the request headers; t:none means that the value of VARIABLES does not need to be transformed (t stands for transform); nolog means that no log entry is recorded; pass means that processing continues with the next rule; ctl:ruleEngine=Off turns off blocking mode, so all rules are disabled.

    Description: The phases are numbered as follows: request headers (1), request body (2), response headers (3), response body (4), and logging (5).

This rule means that for HTTP packets sent by the whitelisted host, the server turns off interception mode and allows all packets to pass.

Rule 3: Chain rules

    SecRule ARGS:username "@streq admin" "chain,deny,id:003"
        SecRule REMOTE_ADDR "!@streq <ADMIN_IP>"

  • variables

    ARGS:username is the user name value in the request parameters.

  • operator

    @streq admin means that the user name equals the string "admin".

  • actions

    id:003 sets the rule number to 003; chain links this rule to the next one, so the action is performed only when the user name is admin and the IP address is not the permitted address (shown here as the placeholder <ADMIN_IP>); deny rejects the packet.

This rule means that every request packet whose user name is admin, but whose host IP address is not the permitted address, is rejected by the server. Only one host (typically the system administrator's host) can therefore log in as the admin user, greatly improving the security of the system.

II. One-click installation of the LAMP environment

  1. Execute the command apt-get update.
  2. Execute the command apt-get install lamp-server^.
    1. During the installation, the MySQL database root user password setup window appears. Enter the password as required: 123, press Tab to select "OK", and press Enter to go to the next step.

  3. Repeat the password: 123, press Tab to select "OK", and press Enter to continue the installation.

  4. Open the browser and enter http://localhost in the address bar to verify that the Apache2 installation was successful.

  5. Enter the command mysql -u root -p. If you successfully enter the MySQL window, the MySQL installation was successful.

III. Installing ModSecurity

  1. Install the libapache2-modsecurity module and its dependent packages, enter:

    $ apt-get install libxml2 libxml2-dev libxml2-utils libapache2-modsecurity

  2. Query the ModSecurity version number to verify that the installation was successful, enter:

    $ dpkg -s libapache2-modsecurity | grep Version

    Note: "Version" is case-sensitive.

  3. Restart the Apache service, enter:

    $ service apache2 reload

  4. Configure ModSecurity and enable interception mode, enter:

    $ cd /etc/modsecurity

    $ mv modsecurity.conf-recommended modsecurity.conf

    $ vim modsecurity.conf

    These commands rename the recommended configuration file shipped in the package to the standard configuration file name and open it in vim for editing.

  5. Edit modsecurity.conf and change "SecRuleEngine DetectionOnly" to "SecRuleEngine On", then save and exit.

    This turns on the security rule engine, that is, it enables blocking mode so that HTTP traffic is filtered.

IV. Configuring custom rules

  1. Go to the activated_rules folder and link the setup file into this folder using a soft link, enter:

    $ cd /usr/share/modsecurity-crs/activated_rules

    $ ln -s ../modsecurity_crs_10_setup.conf ./modsecurity_crs_10_setup.conf

    $ tree

  2. Execute the command vim my.conf and add the anti-XSS rule (numbered 001) as follows:

    SecRule ARGS|REQUEST_HEADERS "@rx <script>" "id:001,msg:'XSS Attack',severity:ERROR,deny,status:404"

  3. Set up the configuration file security2.conf, enter:

    $ vim /etc/apache2/mods-available/security2.conf

  4. In the file, add the following line:

    IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf

  5. Restart the Apache service, enter:

    $ service apache2 reload

V. Verifying the protection effect

    1. Log in to the host "hacker" to act as the attacker. In the browser address bar, enter: http://localhost/?q=<script>alert(1)</script>.

    2. Execute the command vim /var/log/apache2/modsec_audit.log to view the WAF interception log.

      The log shows that the GET request from the local host was intercepted by rule 001 in the rule file my.conf because of the malicious code contained in the message.
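
The log check in step 2, as an added example that is not part of the original article: a shell function that reads a ModSecurity 2.x audit log and lists each blocked transaction with the rule id and msg that denied it. The sample log is constructed, and the function names sample_audit_log and blocked_summary are assumptions of this example.

```shell
# Added example: list the transactions that a rule actually blocked, read from
# a ModSecurity 2.x serial audit log such as /var/log/apache2/modsec_audit.log.

# Constructed sample log: boundary tokens, timestamps and transaction IDs are
# made up. Entry 1 is the test request from step 1; entry 2 only raises a warning.
sample_audit_log() {
cat <<'EOF'
--3f1c2a7b-A--
[10/Oct/2017:10:00:00 +0800] SAMPLE-TXN-0001 127.0.0.1 40000 127.0.0.1 80
--3f1c2a7b-B--
GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1

--3f1c2a7b-H--
Message: Access denied with code 404 (phase 2). Pattern match "<script>" at ARGS:q. [file "/usr/share/modsecurity-crs/activated_rules/my.conf"] [line "1"] [id "001"] [msg "XSS Attack"] [severity "ERROR"]

--3f1c2a7b-Z--
--9b8e4d10-A--
[10/Oct/2017:10:00:05 +0800] SAMPLE-TXN-0002 127.0.0.1 40002 127.0.0.1 80
--9b8e4d10-B--
GET /index.html HTTP/1.1

--9b8e4d10-H--
Message: Warning. Pattern match "index" at REQUEST_URI. [id "900001"] [msg "Constructed non-blocking alert"]

--9b8e4d10-Z--
EOF
}

# Print "client IP <TAB> request line <TAB> rule id <TAB> msg" for every
# transaction whose section H records an "Access denied" message.
blocked_summary() {
  awk '
    /^--[0-9a-zA-Z]+-[A-Z]--$/ {                 # section boundary line
      sec = substr($0, length($0) - 2, 1); first = 1
      if (sec == "A") { ip = ""; req = ""; id = ""; msg = "" }
      if (sec == "Z" && id != "") printf "%s\t%s\t%s\t%s\n", ip, req, id, msg
      next
    }
    sec == "A" && first { ip = $4; first = 0 }   # 4th field = source address
    sec == "B" && first { req = $0; first = 0 }  # first line = request line
    sec == "H" && /^Message: Access denied/ {
      if (match($0, /\[id "[^"]*"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
      if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
    }
  '
}

sample_audit_log | blocked_summary
```

To run it against the real log from step 2, use blocked_summary < /var/log/apache2/modsec_audit.log.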
