root@cybersec:/# apt-get update
root@cybersec:/# apt-get install apache2
root@cybersec:/# /etc/init.d/apache2 status
Apache2 is running (pid 2281).
root@cybersec:/# apt-get install libapache2-modsecurity
root@cybersec:/# cp -prv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
`/etc/modsecurity/modsecurity.conf-recommended' -> `/etc/modsecurity/modsecurity.conf'
root@cybersec:/# cd
root@cybersec:~# pwd
/root
root@cybersec:~# wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v2.2.5.tar.gz
--2014-03-11 23:13:48-- https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v2.2.5.tar.gz
Resolving github.com (github.com)... 192.30.252.128
Connecting to github.com (github.com)|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/SpiderLabs/owasp-modsecurity-crs/tar.gz/v2.2.5 [following]
--2014-03-11 23:13:50-- https://codeload.github.com/SpiderLabs/owasp-modsecurity-crs/tar.gz/v2.2.5
Resolving codeload.github.com (codeload.github.com)... 192.30.252.145
Connecting to codeload.github.com (codeload.github.com)|192.30.252.145|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: `v2.2.5.tar.gz'

[ <=> ] 289,201 133K/s in 2.1s

2014-03-11 23:13:54 (133 KB/s) - `v2.2.5.tar.gz' saved [289201]

root@cybersec:~# tar -xzf v2.2.5.tar.gz
root@cybersec:~# mv -vf /root/owasp-modsecurity-crs-2.2.5 /etc/apache2/.
`/root/owasp-modsecurity-crs-2.2.5' -> `/etc/apache2/./owasp-modsecurity-crs-2.2.5'

Core Rule Set Quick Setup
=========================

To activate the rules for your web server installation:

1) Copy the modsecurity_crs_10_config.conf.example file to modsecurity_crs_10_config.conf and customize the settings for your local environment.

root@cybersec:~# cp -prv /etc/apache2/owasp-modsecurity-crs-2.2.5/modsecurity_crs_10_setup.conf.example /etc/apache2/owasp-modsecurity-crs-2.2.5/modsecurity_crs_10_setup.conf
`/etc/apache2/owasp-modsecurity-crs-2.2.5/modsecurity_crs_10_setup.conf.example' -> `/etc/apache2/owasp-modsecurity-crs-2.2.5/modsecurity_crs_10_setup.conf'
root@cybersec:~# vi /etc/apache2/owasp-modsecurity-crs-2.2.5/modsecurity_crs_10_setup.conf

2) Enable the CRS rules files you want to use by creating symlinks under the "activated_rules" directory location. You will want to create symlinks for the following:

   1) The main modsecurity_crs_10_config.conf file
   2) Any rules from the base_rules directory
   3) Any remaining rules from the optional_rules, slr_rules or experimental_rules directories.

root@cybersec:~# ln -s /etc/apache2/owasp-modsecurity-crs-2.2.5/modsecurity_crs_10_setup.conf /etc/apache2/owasp-modsecurity-crs-2.2.5/activated_rules/modsecurity_crs_10_setup.conf
root@cybersec:~# for f in `ls /etc/apache2/owasp-modsecurity-crs-2.2.5/base_rules/` ; do ln -s /etc/apache2/owasp-modsecurity-crs-2.2.5/base_rules/$f /etc/apache2/owasp-modsecurity-crs-2.2.5/activated_rules/$f ; done
root@cybersec:~# for f in `ls /etc/apache2/owasp-modsecurity-crs-2.2.5/optional_rules/ | grep comment_spam` ; do ln -s /etc/apache2/owasp-modsecurity-crs-2.2.5/optional_rules/$f /etc/apache2/owasp-modsecurity-crs-2.2.5/activated_rules/$f ; done
root@cybersec:~# ls -lh /etc/apache2/owasp-modsecurity-crs-2.2.5/activated_rules/

3) Add the following line to your httpd.conf:

root@cybersec:~# vi /etc/apache2/apache2.conf

# Mod-Security Configuration
Include /etc/apache2/owasp-modsecurity-crs-2.2.5/activated_rules/modsecurity_crs_10_setup.conf
Include /etc/apache2/owasp-modsecurity-crs-2.2.5/activated_rules/*.conf

root@cybersec:~#

4) Restart web server.

root@cybersec:~# /etc/init.d/apache2 restart
 * Restarting web server apache2
 ... waiting [ OK ]
root@cybersec:~#

5) Make sure your web sites are still running fine.

6) Simulate an attack against the web server. Then check the attack was correctly logged in the Apache error log, ModSecurity debug log (if you enabled it) and ModSecurity audit log (if you enabled it).
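
For the log check in step 6, the script below is an added example, not part of the original post or of the CRS project: it counts ModSecurity rule hits in an Apache error log per rule id and separates logged-only detections from blocked requests. The log lines, rule ids 900001/900002, messages and sample.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. All log lines below are constructed.

# Constructed Apache 2.2-style error log: one startup notice, two detections by
# hypothetical rule 900001, one block by hypothetical rule 900002, one 404.
sample_log() {
cat <<'EOF'
[Tue Mar 11 23:40:01 2014] [notice] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
[Tue Mar 11 23:41:10 2014] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "x" at ARGS:q. [file "/etc/apache2/owasp-modsecurity-crs-2.2.5/activated_rules/sample.conf"] [line "10"] [id "900001"] [msg "Constructed sample rule A"] [uri "/"]
[Tue Mar 11 23:41:12 2014] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "x" at ARGS:q. [file "/etc/apache2/owasp-modsecurity-crs-2.2.5/activated_rules/sample.conf"] [line "10"] [id "900001"] [msg "Constructed sample rule A"] [uri "/"]
[Tue Mar 11 23:42:30 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "y" at ARGS:q. [file "/etc/apache2/owasp-modsecurity-crs-2.2.5/activated_rules/sample.conf"] [line "20"] [id "900002"] [msg "Constructed sample rule B"] [uri "/"]
[Tue Mar 11 23:43:00 2014] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
EOF
}

# modsec_summary [LOGFILE]   (reads stdin when no file is given)
# Output: "<count> <DETECTED|BLOCKED> id=<rule id> msg=<rule msg>", busiest first.
# DETECTED = the rule matched and was only logged ("Warning.");
# BLOCKED  = the request was refused ("Access denied").
modsec_summary() {
    cat "${1:--}" |
    # Keep rule hits only; startup notices and ordinary Apache errors are dropped.
    grep -E 'ModSecurity: (Warning|Access denied)' |
    awk '
    {
        action = ($0 ~ /ModSecurity: Access denied/) ? "BLOCKED" : "DETECTED"
        id = "-"; msg = "-"
        # Pull the values out of the [id "..."] and [msg "..."] tags.
        if (match($0, /\[id "[^"]*"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
        count[action " id=" id " msg=" msg]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Demo on the constructed sample; on the server, pass the real error log instead.
sample_log | modsec_summary
```

On a stock Debian install the error log is /var/log/apache2/error.log (an assumption about this server). The modsecurity.conf-recommended file copied earlier ships with SecRuleEngine DetectionOnly, so until that is changed to On every hit will show as DETECTED rather than BLOCKED.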