A Web Application Firewall (WAF) is useful for blocking requests that try to exploit vulnerabilities in your website. It is not 100% safe, but it is a good start to improving the security of your web server.
We will see how to install and configure ModSecurity on your web server with Apache. ModSecurity is a WAF module for Apache that lets you apply rules to every request sent to your website. You can therefore block requests that try to access forbidden resources or inject malicious data into your website.
First, install the module and activate it by copying the recommended configuration file. This is the file where you will tune the module. If you do nothing after this, ModSecurity will only detect bad requests, not block them. To block them, you have to switch the engine on by modifying the SecRuleEngine line.
sudo apt install libapache2-modsecurity
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
In modsecurity.conf, change this line:
SecRuleEngine DetectionOnly
to
SecRuleEngine On
Now reload Apache:
sudo service apache2 reload
You can add your own rules to filter bad requests, but a good way to start is to install the OWASP ModSecurity Core Rule Set (CRS). This set contains lots of pre-configured rules: https://github.com/SpiderLabs/owasp-modsecurity-crs
It is easy to install (replace *latest* with the latest version number of the OWASP ModSecurity CRS):
cd /usr/share
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v*latest*.zip
unzip v*latest*
cd owasp-modsecurity-crs-*latest*
cp crs-setup.conf.example crs-setup.conf
Now, tell ModSecurity to use these rules. In /etc/apache2/mods-enabled/security2.conf add these lines:
IncludeOptional /usr/share/owasp-modsecurity-crs-*latest*/crs-setup.conf
IncludeOptional /usr/share/owasp-modsecurity-crs-*latest*/rules/*.conf
That's it, you now have a working Web Application Firewall. You can test it by visiting https://yourwebsite.com?exec=/bin/bash; you should get a 403 Forbidden error.
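The whole procedure above as an added shell example, not code from the original post: idempotent helper functions that switch SecRuleEngine to On, install a given CRS version, append the two include lines only once, and verify the state before Apache is reloaded. The paths are Debian/Ubuntu defaults, the CRS version is a parameter rather than a fixed value, and the function names and the `apply` mode are my own choices.

```sh
#!/bin/sh
# Added example, not from the original post: the steps above as idempotent shell
# functions. Paths are Debian/Ubuntu defaults; the CRS version is passed in, not fixed.
set -eu

MODSEC_CONF="${MODSEC_CONF:-/etc/modsecurity/modsecurity.conf}"
SEC2_CONF="${SEC2_CONF:-/etc/apache2/mods-enabled/security2.conf}"
CRS_DIR="${CRS_DIR:-/usr/share}"

# Print the effective SecRuleEngine mode (DetectionOnly, On or Off) from a modsecurity.conf.
engine_mode() {
  awk '$1 == "SecRuleEngine" { mode = $2 } END { print mode }' "$1"
}

# Switch SecRuleEngine to On in place (also normalises a stray "SecRuleEngine = ..." form).
enable_blocking() {
  sed -i 's/^[[:space:]]*SecRuleEngine[[:space:]].*/SecRuleEngine On/' "$1"
}

# Download and unpack CRS version $1 under $CRS_DIR and create crs-setup.conf from the example.
install_crs() {
  cd "$CRS_DIR"
  wget -q "https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v$1.zip"
  unzip -q "v$1.zip"
  cp "owasp-modsecurity-crs-$1/crs-setup.conf.example" "owasp-modsecurity-crs-$1/crs-setup.conf"
}

# Append the two IncludeOptional lines for CRS version $2 to security2.conf ($1), once only.
add_crs_includes() {
  dir="$CRS_DIR/owasp-modsecurity-crs-$2"
  grep -q "owasp-modsecurity-crs-$2/crs-setup.conf" "$1" && return 0
  printf 'IncludeOptional %s/crs-setup.conf\nIncludeOptional %s/rules/*.conf\n' "$dir" "$dir" >> "$1"
}

# Count CRS include lines in a security2.conf; a correct setup yields exactly 2.
crs_include_count() {
  grep -c '^IncludeOptional .*owasp-modsecurity-crs-' "$1" || true
}

# Usage as root: sh modsec-setup.sh apply <crs-version>. Refuses to reload on a broken config.
if [ "${1:-}" = "apply" ]; then
  apt-get install -y libapache2-modsecurity
  [ -f "$MODSEC_CONF" ] || cp "$MODSEC_CONF-recommended" "$MODSEC_CONF"
  enable_blocking "$MODSEC_CONF"
  install_crs "$2"
  add_crs_includes "$SEC2_CONF" "$2"
  apachectl configtest
  service apache2 reload
fi
```

The include lines are appended to the end of security2.conf; since mods-enabled/security2.conf is only read when the module is enabled, that is equivalent to placing them inside its IfModule block. Before calling enable_blocking on a production host, run in DetectionOnly for a while and review what the ModSecurity audit log flags, so that CRS false positives are tuned out before requests start being rejected.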