Implement a Free WAF With ModSecurity and the OWASP Core Rule Set (CRS) v3

Today, installing a web application firewall (WAF) is mandatory when you publish a web application on the Internet. It is a must if you want to protect your production server against attacks, but many small and mid-sized companies have budget constraints that keep them from buying a commercial WAF product. So I will share how to implement a WAF for free with ModSecurity and the OWASP CRS, using CentOS as the operating system.

ENABLE EPEL RPM

First you must enable the EPEL repository.

For CentOS 7, run this command:

For CentOS 6:

INSTALLING MOD SECURITY

Then you must install the mod_security Apache module together with its predefined rules.

Run this command:

Then you should edit the ModSecurity configuration file at /etc/httpd/conf.d/mod_security.conf and look for the SecRuleEngine directive. It takes one of three values:

  1. On — Rules are activated and matching transactions are blocked
  2. Off — Rules are deactivated
  3. DetectionOnly — Rules are evaluated and matches are logged, but transactions are not blocked

Since we want to intercept and block attacks, we set it to On.

After this, restart the Apache service:

To confirm that the web application firewall is working, you should see something like this in the Apache error log:

Sometimes you will find that SecStatusEngine is disabled by default.

To fix this, add this line to /etc/httpd/conf.d/mod_security.conf:

Then restart the Apache service.

Run the command again to make sure the whole configuration is working:
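The whole procedure from enabling EPEL through verifying the engine, as an added example (not code from the original post): it installs the packages, forces SecRuleEngine and SecStatusEngine to On in the configuration file the post names, and checks the Apache error log for the ModSecurity start-up line. The package names, the yum/systemctl commands and the exact wording of the start-up line are assumptions about the CentOS 7 EPEL packaging; the directive-editing helpers are idempotent so the script can be re-run safely.

```bash
#!/bin/sh
# Added example, not from the original article.
# Install ModSecurity from EPEL on CentOS 7, switch the engine into blocking
# mode, enable the status engine and verify the module loaded.
# Paths come from the article; package names and commands are assumptions.
set -eu

MODSEC_CONF="${MODSEC_CONF:-/etc/httpd/conf.d/mod_security.conf}"
ERROR_LOG="${ERROR_LOG:-/var/log/httpd/error_log}"

# Package installation (needs root and network; only run with --apply).
install_modsecurity() {
    yum -y install epel-release        # assumed EPEL package name
    yum -y install mod_security        # assumed EPEL package name
}

# Set a ModSecurity directive: rewrite it in place if present, append otherwise.
# Idempotent: running it twice leaves exactly one copy of the directive.
set_directive() {
    conf="$1"; name="$2"; value="$3"
    if grep -Eq "^[[:space:]]*${name}[[:space:]]" "$conf"; then
        sed -i -E "s|^[[:space:]]*${name}[[:space:]].*|${name} ${value}|" "$conf"
    else
        printf '%s %s\n' "$name" "$value" >> "$conf"
    fi
}

# Print the current value of a directive (empty if it is not set).
get_directive() {
    conf="$1"; name="$2"
    awk -v n="$name" '$1 == n { print $2 }' "$conf" | tail -n 1
}

# Return 0 when the error log shows ModSecurity initialised (SecStatusEngine On
# makes the version line appear at start-up).
modsec_loaded() {
    grep -q 'ModSecurity for Apache' "$1"
}

if [ "${1:-}" = "--apply" ]; then
    install_modsecurity
    set_directive "$MODSEC_CONF" SecRuleEngine On     # block, not only detect
    set_directive "$MODSEC_CONF" SecStatusEngine On   # report version in error_log
    apachectl configtest                               # fail here, not at restart
    systemctl restart httpd
    modsec_loaded "$ERROR_LOG" && echo "ModSecurity is active"
fi
```

Run it as `sh modsec-setup.sh --apply` on the server; without the flag it only defines the helpers, so you can source it and use `set_directive` on any ModSecurity configuration file. The `apachectl configtest` step is there so that a typo in the configuration fails before Apache is restarted, rather than leaving the site down.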

There are some important files to remember in ModSecurity:

  • ModSecurity config file — /etc/httpd/conf.d/mod_security.conf
  • Debug log — /var/log/httpd/modsec_debug.log
  • Audit log — /var/log/httpd/modsec_audit.log
  • Rules — /etc/httpd/modsecurity.d/activated_rules

At this point you have successfully installed a WAF using ModSecurity. In the next step we also need to install the OWASP Core Rule Set (CRS).

Installing the OWASP Core Rule Set (CRS) v3

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity. You can think of it as the core of the WAF, because it provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, Local File Inclusion, etc.

In this scenario we use OWASP CRS v3. First download CRS v3 from the SpiderLabs git repository:

The command above creates a new owasp-modsecurity-crs directory. Then move the owasp-modsecurity-crs folder into the modsecurity.d folder:

Deactivate the default CRS by putting a # in front of its lines, then add the new lines for the CRS v3 configuration:

Make sure your configuration looks like this:

Next, you must rename crs-setup.conf.example to crs-setup.conf in the owasp-modsecurity-crs folder:

You can then see all the CRS v3 rules in the /etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/ directory.

If you want to disable a rule file, just rename it. For example:

The command above disables the rule file REQUEST-920-PROTOCOL-ENFORCEMENT. For the change to take effect you must restart the httpd service.

This is the final step: now you can test ModSecurity with the CRS by sending a simple attack, such as a SQL injection string, to your web page.

If everything is fine, you will see something like this on the response page.
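The CRS v3 steps above (move the checkout under modsecurity.d, swap the Include lines in mod_security.conf, rename crs-setup.conf.example, disable a rule file by renaming it) as one added example script; it is not the project's or the post's own code. It assumes the stock EPEL mod_security.conf contains `IncludeOptional modsecurity.d/*.conf` and `IncludeOptional modsecurity.d/activated_rules/*.conf` inside a single `<IfModule mod_security2.c>` block, and that the CRS lives at the SpiderLabs GitHub URL shown; directory names follow the post.

```bash
#!/bin/sh
# Added example, not from the original article.
# Lay out OWASP CRS v3 under modsecurity.d, point mod_security.conf at it
# instead of the packaged rules, and disable/enable rule files by renaming.
# The Include lines of the stock config and the git URL are assumptions.
set -eu

HTTPD_ROOT="${HTTPD_ROOT:-/etc/httpd}"
CRS_GIT="https://github.com/SpiderLabs/owasp-modsecurity-crs.git"   # assumed URL

# Clone CRS into modsecurity.d and activate crs-setup.conf (network; not run offline).
fetch_crs() {
    crs="$1/modsecurity.d/owasp-modsecurity-crs"
    git clone "$CRS_GIT" "$crs"
    mv "$crs/crs-setup.conf.example" "$crs/crs-setup.conf"
}

# Add an Include line once, inside the <IfModule> block if there is one.
add_include() {
    conf="$1"; line="$2"
    grep -qF -- "$line" "$conf" && return 0
    if grep -q '</IfModule>' "$conf"; then
        awk -v l="$line" '/<\/IfModule>/ && !done { print "    " l; done = 1 } { print }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "$line" >> "$conf"
    fi
}

# Comment out the packaged rule Includes and add the CRS v3 ones. Idempotent.
switch_to_crs3() {
    conf="$1"
    sed -i -E 's@^([[:space:]]*)(Include(Optional)?[[:space:]]+modsecurity\.d/(\*\.conf|activated_rules/\*\.conf))@\1#\2@' "$conf"
    add_include "$conf" 'Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf'
    add_include "$conf" 'Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf'
}

# Disable a CRS rule file by renaming it; enable_rule reverses it.
disable_rule() {   # disable_rule <rules dir> <file name>
    mv "$1/$2" "$1/$2.disabled"
}
enable_rule() {
    mv "$1/$2.disabled" "$1/$2"
}

# Number of rule files Apache will actually load from a rules directory.
active_rules() {
    ls "$1"/*.conf 2>/dev/null | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    fetch_crs "$HTTPD_ROOT"
    switch_to_crs3 "$HTTPD_ROOT/conf.d/mod_security.conf"
    apachectl configtest && systemctl restart httpd
fi
```

Renaming to `.disabled` rather than deleting keeps the file out of the `rules/*.conf` glob while leaving it in place for `enable_rule` later; `active_rules` gives a quick sanity count after a change, and `apachectl configtest` catches a broken Include before the restart.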
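Checking that a block really happened, as an added example that is not part of the original post: besides looking at the response page, the defender's view is the HTTP status the request received (CRS v3 blocks with 403 by default) and the `ModSecurity: Access denied` entries in the Apache error log, which carry the client, rule id, URI and message. The script below extracts those fields and summarises which rules are blocking. The log line shape follows ModSecurity 2.9's error-log format; the sample lines are constructed for the example, not captured from a real server.

```bash
#!/bin/sh
# Added example, not from the original article.
# Verify WAF blocking from the defender's side: HTTP status of a request and a
# summary of "Access denied" events in the Apache error log.
set -eu

ERROR_LOG="${ERROR_LOG:-/var/log/httpd/error_log}"

# HTTP status code a URL returns (network; not exercised by the offline checks).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Extract one bracketed field, e.g. field id '... [id "949110"] ...' -> 949110.
field() {   # field <name> <line>
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# One "client rule_id uri msg" record per blocked transaction.
blocked_requests() {
    grep 'ModSecurity: Access denied' "$1" | while IFS= read -r line; do
        # Apache logs "[client ip:port] [client ip]"; take the ip without the port.
        client=$(printf '%s\n' "$line" | sed -n 's/.*\[client \([^]:]*\)[^]]*\] ModSecurity.*/\1/p')
        printf '%s %s %s %s\n' "$client" "$(field id "$line")" "$(field uri "$line")" "$(field msg "$line")"
    done
}

count_blocked() {
    blocked_requests "$1" | wc -l | tr -d ' '
}

# Rule ids responsible for blocks, most frequent first (one per line).
top_blocking_rules() {
    blocked_requests "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn | awk '{ print $2 }'
}

# Constructed sample log (not a real capture): one warning, two blocks.
write_sample_log() {
    cat > "$1" <<'EOF'
[Wed Mar 07 10:15:32.123456 2018] [:error] [pid 2345] [client 192.0.2.10:51234] [client 192.0.2.10] ModSecurity: Warning. detected SQLi using libinjection [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "constructed-1"]
[Wed Mar 07 10:15:32.123789 2018] [:error] [pid 2345] [client 192.0.2.10:51234] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "constructed-2"]
[Wed Mar 07 10:16:01.000001 2018] [:error] [pid 2346] [client 198.51.100.7:40000] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "www.example.com"] [uri "/login"] [unique_id "constructed-3"]
EOF
}

if [ "${1:-}" = "--report" ]; then
    echo "blocked: $(count_blocked "$ERROR_LOG")"
    echo "top rules:"; top_blocking_rules "$ERROR_LOG"
    blocked_requests "$ERROR_LOG"
fi
```

Note that the warning line for rule 942100 is not a block on its own: with CRS v3 in anomaly-scoring mode, individual rules only add to the score and the 949110 evaluation rule is the one that denies the request, which is why the report keys on `Access denied` and why 949110 dominates the rule list. When tuning rules for your application, the per-request `msg` and `uri` fields from this report are what you use to decide which rule file to disable or exclude.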

Congratulations, you have installed a WAF on your web application server for free. It is important that you tune the rules to fit your web application, because some rules may conflict with it and the WAF could then block legitimate requests or responses.

OK, that's all. I hope this is useful for you; if you have any questions, feel free to mail me

or contact me on my LinkedIn page.

Normative citizen, A Husband & Father, IT Manager, Hacker, DOTA Gamer, Science-Tech & Business enthusiast, Story teller