Configure your first WAF with modsecurity


A Web Application Firewall (WAF) is useful to block request trying to exploit vulnerabilities on your website. This is not 100% safe but it is a good start to improve the security of your web-server.

We will see how to install and configure modsecurity on your web-server with apache. Modsecurity is WAF module on apache that allows you to add rules on every request send to your website. Therefore, you can block request that try to access forbidden resources or inject malicious data in your website.


First, you need to install the module and activate it by copying the conf file. This is where you are going to tweak your module. If you don’t do anything after this, it will only detect bad request but not block them. To do this you have to activate the WAF by modifying the SecRuleEngine line.

sudo apt install libapache2-modsecurity
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

in modsecurity.conf, change this line

SecRuleEngine = DetectionOnly
SecRuleEngine = ON

Now reload your apache :

sudo service apache2 reload

Adding rules

You can add your own rules to filter bad request, but a good way to start is to install the OWASP Core Security Rules (CRS). This set contains lots of pre-configure rules :
It is easy to install (change *latest* by the latest version of owasp modsecurity crs):

cd /usr/share
unzip v*latest*
cd owasp-modsecurity-crs-*latest*
cp crs-setup.conf.example crs-setup.conf

Now, you have to tell modsecurity to use these rules. In /etc/apache2/mods-enabled/security2.conf add these lines :

IncludeOptional /usr/share/owasp-modsecurity-crs-*latest*/crs-setup.conf
IncludeOptional /usr/share/owasp-modsecurity-crs-*latest*/rules/*.conf

That’s it, you now have a working Web Application Firewall. You can try it by visiting, you should get a 403 forbidden error.

Leave A Comment

Configure your first WAF with modsecurity

2019-05-19T21:31:45+01:00 May 15th, 2019|Categories: Tutorials|Tags: , |0 Comments