I installed mod-security which is one of most famous WAF(Web Application Firewall) to Lightsail.
I unexpectedly struggled to install, so I noted here.
Security enhancement is not only antivirus, isn’t it?
WordPress is web application, is there any other security tools?
You will be able to do it after reading this article!
If you are not familiar with WAF, this article will be your textbook.
Let’s do it.
– I assume you already have instance of “WordPress Multisite”.
You can see apache2/WordPress which are included in bitnami.
mod-security is also installed.
But rule files are not installed, so this should be installed.
And then httpd.conf should be configured to use proper rule files.
This is to install rule files.
sudo apt install modsecurity-crs
Next is configuring mod-security.
log file can be anywhere even if under /tmp if you don’t want to save.
sudo vim /opt/bitnami/apache2/conf/modsecurity.conf # Add these contents to modsecurity.conf SecAuditLog /opt/bitnami/apache2/logs/modsec_audit.log IncludeOptional /usr/share/modsecurity-crs/*.load # mkdir file for mod-security sudo touch /opt/bitnami/apache2/logs/modsec_audit.log sudo chown bitnami:bitnami /opt/bitnami/apache2/logs/modsec_audit.log
Initially SecRuleEngine is DetectionOnly.
If you set as “On”, your service may be affected and doesn’t work.
So I recommend to keep as “DetectionOnly” to recognize how big impact is.
|Configuration||Reaction when detecting||Saving Log|
|SecRuleEngine On||HTTP 403 Forbidden||Yes|
|SecRuleEngine DetectionOnly||(no effect)||Yes|
mod-security saves attacks to log file.
In case of Lightsail you can find log file here.
Then I setup apache2 to load mod-security.
mod-security uses mod_unique_id, so it should be loaded.
sudo vim /opt/bitnami/apache2/conf/httpd.conf # Add these 2 lines to the bottom of httpd.conf LoadModule unique_id_module modules/mod_unique_id.so LoadModule security2_module modules/mod_security2.so
Lastly you restart apache2, then mod-security should be loaded.
sudo /opt/bitnami/ctrscript.sh restart apache apachectl -M (snip) security2_module (shared)
Let’s check behavior by accessing http://<domain name or IP address>/?union+select.
I could see attack in error_log.
Detects MSSQL code execution means SQL injection.
[Wed Mar 03 00:41:00.861258 2021] [:error] [pid 20781:tid 140209710642944] [client 220.127.116.11:44334] [client 18.104.22.168] [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "193"] [id "942190"] [msg "Detects MSSQL code execution and information gathering attempts"] [data "Matched Data: union select found within ARGS_NAMES:union select: union select"] [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "linuxfun.org"] [uri "/"] [unique_id "YD7bHLlvQ8mBaJ1EzMQ7RwAAAJo"]
How was it?
I introduced mod-security in this blog, after a few weeks I will review whether I need to exclude some rules to make this blog page working fine!