I installed mod-security which is one of most famous WAF(Web Application Firewall) to Lightsail.
I unexpectedly struggled to install, so I noted here.
Security enhancement is not only antivirus, isn’t it?
WordPress is web application, is there any other security tools?
You will be able to do it after reading this article!
If you are not familiar with WAF, this article will be your textbook.
Let’s do it.
– I assume you already have instance of “WordPress Multisite”.
You can see apache2/WordPress which are included in bitnami.
mod-security is also installed.
But rule files are not installed, so this should be installed.
And then httpd.conf should be configured to use proper rule files.
This is to install rule files.
sudo apt install modsecurity-crs
Next is configuring mod-security.
log file can be anywhere even if under /tmp if you don’t want to save.
sudo vim /opt/bitnami/apache2/conf/modsecurity.conf # Add these contents to modsecurity.conf SecAuditLog /opt/bitnami/apache2/logs/modsec_audit.log IncludeOptional /usr/share/modsecurity-crs/*.load # mkdir file for mod-security sudo touch /opt/bitnami/apache2/logs/modsec_audit.log sudo chown bitnami:bitnami /opt/bitnami/apache2/logs/modsec_audit.log
Initially SecRuleEngine is DetectionOnly.
If you set as “On”, your service may be affected and doesn’t work.
So I recommend to keep as “DetectionOnly” to recognize how big impact is.
|Configuration||Reaction when detecting||Saving Log|
|SecRuleEngine On||HTTP 403 Forbidden||Yes|
|SecRuleEngine DetectionOnly||(no effect)||Yes|
mod-security saves attacks to log file.
In case of Lightsail you can find log file here.
Then I setup apache2 to load mod-security.
mod-security uses mod_unique_id, so it should be loaded.
sudo vim /opt/bitnami/apache2/conf/httpd.conf # Add these 2 lines to the bottom of httpd.conf LoadModule unique_id_module modules/mod_unique_id.so LoadModule security2_module modules/mod_security2.so
Lastly you restart apache2, then mod-security should be loaded.
sudo /opt/bitnami/ctrscript.sh restart apache apachectl -M (snip) security2_module (shared)
Let’s check behavior by accessing http://<domain name or IP address>/?union+select.
I could see attack in error_log.
Detects MSSQL code execution means SQL injection.
[Wed Mar 03 00:41:00.861258 2021] [:error] [pid 20781:tid 140209710642944] [client 188.8.131.52:44334] [client 184.108.40.206] [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "193"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union select found within ARGS_NAMES:union select: union select"] [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "linuxfun.org"] [uri "/"] [unique_id "YD7bHLlvQ8mBaJ1EzMQ7RwAAAJo"]
How was it?
I introduced mod-security in this blog, after a few weeks I will review whether I need to exclude some rules to make this blog page working fine!
hello there and thank you for your info – I have definitely picked up something new
from right here. I did however expertise several technical points using
this website, since I experienced to reload the website many times
previous to I could get it to load correctly. I had been wondering if your
hosting is OK? Not that I am complaining, but sluggish loading instances times will often affect your placement in google and can damage your high-quality score if ads and marketing
with Adwords. Well I’m adding this RSS to my email and could look
out for much more of your respective intriguing content.
Make sure you update this again very soon.
Thanks for your feedback!
Unfortunately I don’t have exact idea, but this article may have hints because I also faced to restart instance of LightSail due to unstability derived by lack of RAM.
Thank you again.
Wow, marvelous blog structure! How long have you been running a blog for? you make blogging look easy. The total glance of your website is excellent, as smartly as the content material!
Thank you for saying so!