How to install mod-security (a WAF) on Lightsail

Amazon Linux



I installed mod-security, one of the best-known WAFs (Web Application Firewalls), on Lightsail.
The installation was unexpectedly troublesome, so I am noting the steps here.

Security hardening is not only about antivirus, is it?

WordPress is a web application; are there other security tools that protect it at that layer?


After reading this article you will be able to do it yourself!



If you are not familiar with WAFs, this article will serve as your textbook.

Installing mod-security

Let’s do it.
– I assume you already have a “WordPress Multisite” instance.



The instance already contains apache2 and WordPress as part of the Bitnami stack, and mod-security is installed as well.

But the rule files are not installed, so they have to be added.

After that, the Apache configuration has to be changed so that the module is loaded and points at the proper rule files.



This installs the rule files, the OWASP ModSecurity Core Rule Set (CRS), from the distribution package:

sudo apt install modsecurity-crs



Next, configure mod-security.
The audit log can be placed anywhere, even under /tmp if you do not want to keep it.

sudo vim /opt/bitnami/apache2/conf/modsecurity.conf

# Add these contents to modsecurity.conf
SecAuditLog /opt/bitnami/apache2/logs/modsec_audit.log
IncludeOptional /usr/share/modsecurity-crs/*.load

# create the audit log file for mod-security
sudo touch /opt/bitnami/apache2/logs/modsec_audit.log
sudo chown bitnami:bitnami /opt/bitnami/apache2/logs/modsec_audit.log



Initially SecRuleEngine is DetectionOnly.
If you set it to “On”, requests that match a rule are blocked, so your site may stop working.
I therefore recommend keeping “DetectionOnly” at first, to see how big the impact would be.

Configuration                  Reaction when detecting        Saving log
SecRuleEngine On               HTTP 403 Forbidden             Yes
SecRuleEngine DetectionOnly    (no effect on the request)     Yes



mod-security writes detected attacks to the log.
On Lightsail you can find the log file here:

/opt/bitnami/apache2/logs/error_log



Then I set up apache2 to load mod-security.
mod-security depends on mod_unique_id, so that module has to be loaded too.

sudo vim /opt/bitnami/apache2/conf/httpd.conf

# Add these 2 lines to the bottom of httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so



Lastly, restart apache2; mod-security should then be loaded, which you can confirm with apachectl -M.

sudo /opt/bitnami/ctlscript.sh restart apache
apachectl -M
(snip)
 security2_module (shared)
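The steps above collected into one hypothetical script, as an added example that is not the post's own commands and not anything shipped by Bitnami. It assumes the Bitnami paths quoted in the post, that apachectl lives at /opt/bitnami/apache2/bin/apachectl, and the Bitnami control script /opt/bitnami/ctlscript.sh (override any of them through the environment variables at the top). Beyond the manual steps it adds two things a practitioner wants: it can be re-run without duplicating directives, and it runs apachectl -t before restarting so a typo in httpd.conf or modsecurity.conf cannot take the site down.

```shell
#!/bin/sh
# enable_modsecurity.sh: hypothetical helper (added example, not from the post
# or the Bitnami stack). Applies the post's steps idempotently and refuses to
# restart Apache unless the configuration passes a syntax check. Paths are the
# Bitnami Lightsail defaults quoted in the post; APACHECTL is an assumption.
set -eu

APACHE_DIR="${APACHE_DIR:-/opt/bitnami/apache2}"
CRS_DIR="${CRS_DIR:-/usr/share/modsecurity-crs}"
CTLSCRIPT="${CTLSCRIPT:-/opt/bitnami/ctlscript.sh}"
APACHECTL="${APACHECTL:-$APACHE_DIR/bin/apachectl}"   # assumed location

# ensure_line FILE LINE: append LINE to FILE unless an identical line is
# already present, so re-running never duplicates a directive.
ensure_line() {
  grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >>"$1"
}

# set_rule_engine FILE MODE: set SecRuleEngine to DetectionOnly (log only),
# On (block with 403) or Off, replacing an existing directive in place.
set_rule_engine() {
  case "$2" in
    DetectionOnly|On|Off) ;;
    *) echo "set_rule_engine: unknown mode '$2'" >&2; return 1 ;;
  esac
  if grep -Eq '^[[:space:]]*SecRuleEngine[[:space:]]' "$1"; then
    sed -i -E "s/^([[:space:]]*SecRuleEngine[[:space:]]+).*/\1$2/" "$1"
  else
    printf 'SecRuleEngine %s\n' "$2" >>"$1"
  fi
}

# module_loaded MODULES_OUTPUT: succeed if the output of `apachectl -M`
# passed as the first argument lists mod_security2.
module_loaded() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*security2_module'
}

# apply [MODE]: run the privileged install steps (default: DetectionOnly).
apply() {
  mode="${1:-DetectionOnly}"
  conf="$APACHE_DIR/conf/modsecurity.conf"
  httpd="$APACHE_DIR/conf/httpd.conf"
  audit="$APACHE_DIR/logs/modsec_audit.log"

  apt-get install -y modsecurity-crs

  ensure_line "$conf" "SecAuditLog $audit"
  ensure_line "$conf" "IncludeOptional $CRS_DIR/*.load"
  set_rule_engine "$conf" "$mode"
  touch "$audit"
  chown bitnami:bitnami "$audit"        # same owner the post uses

  ensure_line "$httpd" "LoadModule unique_id_module modules/mod_unique_id.so"
  ensure_line "$httpd" "LoadModule security2_module modules/mod_security2.so"

  # A broken directive would leave the site down after the restart, so
  # syntax-check first; set -e aborts here if apachectl -t fails.
  "$APACHECTL" -t
  "$CTLSCRIPT" restart apache

  if module_loaded "$("$APACHECTL" -M 2>/dev/null)"; then
    echo "mod_security2 loaded, SecRuleEngine $mode"
  else
    echo "mod_security2 is NOT loaded; check $httpd" >&2
    return 1
  fi
}

# Usage:  sudo sh enable_modsecurity.sh apply DetectionOnly
if [ "${1:-}" = "apply" ]; then
  apply "${2:-DetectionOnly}"
fi
```

The helper functions need no privileges, so you can try ensure_line and set_rule_engine on copies of the config files first; only apply touches the live stack.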



Let’s check the behavior by accessing http://<domain name or IP address>/?union+select.

I could see the attack in error_log.
Rule 942190, “Detects MSSQL code execution and information gathering attempts”, is an SQL injection signature; because the query string has no “=”, the string “union select” is treated as a parameter name, which is why the match is reported in ARGS_NAMES. The second entry, rule 949110, is the CRS blocking-evaluation rule reporting that the inbound anomaly score (5) reached the threshold; with SecRuleEngine On this is the point at which the request would be rejected with 403.

[Wed Mar 03 00:41:00.861258 2021] [:error] [pid 20781:tid 140209710642944] [client 124.219.163.155:44334] [client 124.219.163.155] [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "193"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union select found within ARGS_NAMES:union select: union select"] [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "linuxfun.org"] [uri "/"] [unique_id "YD7bHLlvQ8mBaJ1EzMQ7RwAAAJo"]
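Before switching SecRuleEngine to On you want to know which rules fire, on which URIs and how often, and then exclude the ones that are false positives for your site. The following is an added shell example, not from the post, that parses the bracket tags shown in the log entry above and emits a scoped exclusion. The sample entries inside it are constructed (documentation-range IPs, an example.com hostname, a shortened message text); rule 942100 is a real CRS rule id used only as sample data. The exclusion stanza uses SecRuleRemoveById inside an Apache LocationMatch; it has to sit after the IncludeOptional line in modsecurity.conf so the rule exists before it is removed.

```shell
# Added example (not from the post): summarise DetectionOnly hits per rule and
# URI from a mod_security2 error_log, and print a scoped exclusion for one rule.
# Run on the real log with:  modsec_rule_summary < /opt/bitnami/apache2/logs/error_log
set -eu

# Constructed sample entries (not real traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges). Last line is ordinary Apache
# noise that must be ignored.
SAMPLE_LOG='[Wed Mar 03 00:41:00.861258 2021] [:error] [pid 20781:tid 1] [client 203.0.113.5:44334] [client 203.0.113.5] ModSecurity: Warning. Pattern match at ARGS_NAMES:union select. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "193"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [severity "CRITICAL"] [hostname "example.com"] [uri "/"] [unique_id "AAA1"]
[Wed Mar 03 00:41:00.861258 2021] [:error] [pid 20781:tid 1] [client 203.0.113.5:44334] [client 203.0.113.5] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/"] [unique_id "AAA1"]
[Wed Mar 03 00:42:10.000000 2021] [:error] [pid 20781:tid 2] [client 203.0.113.9:51020] [client 203.0.113.9] ModSecurity: Warning. Pattern match at ARGS_NAMES:union select. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "193"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [severity "CRITICAL"] [hostname "example.com"] [uri "/"] [unique_id "AAA2"]
[Wed Mar 03 00:43:00.000000 2021] [:error] [pid 20781:tid 3] [client 198.51.100.7:40001] [client 198.51.100.7] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/wp-admin/post.php"] [unique_id "AAA3"]
[Wed Mar 03 00:43:00.000000 2021] [:error] [pid 20781:tid 3] [client 198.51.100.7:40001] AH00128: File does not exist: /opt/bitnami/apps/wordpress/htdocs/favicon.ico'

# modsec_rule_summary: read error_log lines on stdin, keep only those carrying
# an [id "..."] tag, and print "<hits> <rule id> <uri> <msg>" per rule/URI
# pair, busiest first (ties broken by rule id, then URI).
modsec_rule_summary() {
  awk '
    # tag(name): value of the [name "..."] tag on the current line, or "".
    function tag(name,   re) {
      re = "\\[" name " \"[^\"]*\"\\]"
      if (match($0, re))
        return substr($0, RSTART + length(name) + 3, RLENGTH - length(name) - 5)
      return ""
    }
    /\[id "[0-9]+"\]/ { hits[tag("id") "\t" tag("uri") "\t" tag("msg")]++ }
    END {
      for (k in hits) {
        split(k, f, "\t")
        printf "%d %s %s %s\n", hits[k], f[1], f[2], f[3]
      }
    }' | sort -k1,1nr -k2,2n -k3,3
}

# modsec_exclude RULE_ID URI_REGEX: Apache stanza that disables one CRS rule
# only for URIs matching the regex. Put it after the IncludeOptional line.
modsec_exclude() {
  printf '<LocationMatch "%s">\n    SecRuleRemoveById %s\n</LocationMatch>\n' "$2" "$1"
}

# Example run on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | modsec_rule_summary
# 2 942190 / Detects MSSQL code execution and information gathering attempts
# 1 942100 /wp-admin/post.php SQL Injection Attack Detected via libinjection
# 1 949110 / Inbound Anomaly Score Exceeded (Total Score: 5)
modsec_exclude 942100 '^/wp-admin/'
```

Rule 949110 shows up as a hit of its own: it is the anomaly-score evaluation, not a signature, so it is the one line you should never exclude. Exclude the signature rule that fires on legitimate traffic instead, and keep the exclusion as narrow as the URI pattern allows.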

Conclusion

What did you think?

I introduced mod-security in this post. In a few weeks I will review whether I need to exclude some rules to keep this blog working properly!
