
Web Application Firewall

Install ModSecurity

ModSecurity is a module for the Apache web server. It can be installed as follows:

on the webserver terminal:
# Install ModSecurity module for Apache
sudo apt install libapache2-mod-security2
# Enable the ModSecurity module (security2; the package normally enables it already) and mod_headers
sudo a2enmod security2 headers
# Restart Apache
sudo systemctl restart apache2

Configure ModSecurity

ModSecurity is a firewall and therefore requires rules to function. First, prepare the ModSecurity configuration file from the recommended template shipped with the package. That template sets SecRuleEngine DetectionOnly, which only logs matches; change it to On so that matching requests are actually blocked.

on the webserver terminal:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo nano /etc/modsecurity/modsecurity.conf
/etc/modsecurity/modsecurity.conf
#(...)

# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine On

#(...)
on the webserver terminal:
sudo systemctl restart apache2

Install AtomicCorp rules

Setup and Configure Directories (Non-standard Apache only)

on the webserver terminal:
mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious

Set Permissions for Directories (Non-standard Apache only)

on the webserver terminal:
chown www-data:www-data /var/asl/data/msa
chown www-data:www-data /var/asl/data/audit
chown www-data:www-data /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*

Create Rule Updater Directories

on the webserver terminal:
mkdir /var/asl/updates
mkdir /var/asl/rules/
mkdir /var/asl/rules/clamav

Create the Whitelist File

on the webserver terminal:
mkdir -p /etc/asl
touch /etc/asl/whitelist

Recommended ModSecurity configuration

on the webserver terminal:
nano /etc/modsecurity/modsecurity.conf
/etc/modsecurity/modsecurity.conf
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecComponentSignature 200911012341
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
# Audit log index file; the Logs section below tails this file
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecAuditLogDirMode 0770
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
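The directory and permission steps above are easy to get wrong (a missing directory or a world-readable audit directory only shows up after Apache is restarted). The following POSIX shell function is an added example, not part of the original page: it reads the Sec*Dir directives from a ModSecurity configuration file and reports directories that are missing, not owned by the web server user, or accessible to "others". It assumes GNU stat(1) and the Debian/Ubuntu web server user www-data (override it with the second argument); SecTmpDir is exempt from the ownership and mode checks because /tmp is a shared sticky directory.

```shell
#!/bin/sh
# Added example (not part of the original page): verify that the directories
# named by the Sec*Dir directives in a ModSecurity config exist and are locked
# down the way the page's chown/chmod steps intend. Assumes GNU stat(1) and the
# Debian/Ubuntu web server user www-data (override with the second argument).

# check_modsec_dirs CONFIG_FILE [WEB_USER]
# Prints one status line per directory directive. Returns 1 if any directory
# is missing, not owned by WEB_USER, or accessible to "others"; SecTmpDir is
# exempt from the ownership/mode checks because /tmp is a shared sticky dir.
check_modsec_dirs() {
    conf="$1"
    web_user="${2:-www-data}"
    rc=0
    for directive in SecUploadDir SecDataDir SecAuditLogStorageDir SecTmpDir; do
        # ModSecurity honours the last definition, so take the last occurrence
        # and strip any surrounding quotes from the value.
        dir=$(awk -v d="$directive" '$1 == d { v = $2 } END { gsub(/"/, "", v); print v }' "$conf")
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "MISSING            $directive $dir"
            rc=1
            continue
        fi
        if [ "$directive" = SecTmpDir ]; then
            echo "OK (shared tmp)    $directive $dir"
            continue
        fi
        owner=$(stat -c '%U' "$dir")
        mode=$(stat -c '%a' "$dir")
        other=$(printf '%s' "$mode" | tail -c 1)   # permission digit for "others"
        if [ "$owner" != "$web_user" ]; then
            echo "BAD-OWNER($owner)   $directive $dir"
            rc=1
        elif [ "$other" != 0 ]; then
            echo "WORLD-ACCESS($mode) $directive $dir"
            rc=1
        else
            echo "OK                 $directive $dir"
        fi
    done
    return $rc
}

# Usage on the web server (after the chown/chmod steps above):
#   check_modsec_dirs /etc/modsecurity/modsecurity.conf && sudo systemctl restart apache2
```

Run it before every restart: a non-zero exit means Apache would start with ModSecurity unable to write uploads, persistent data or audit files to the configured locations, or with those files readable by every local user.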

Download and extract ruleset

on the webserver terminal:
wget --user user --ask-password -O /var/asl/rules/atomic-modsec.tar.bz2 https://updates.atomicorp.com/channels/rules/free-waf/modsec-202505200003.tar.bz2
tar -xvjf /var/asl/rules/atomic-modsec.tar.bz2 -C /var/asl/rules
chown -R root:root /var/asl/rules/
mkdir /usr/share/modsecurity-atomic
cp /var/asl/rules/modsec/50_plesk_basic_asl_rules.conf /usr/share/modsecurity-atomic
cp /var/asl/rules/modsec/sql.txt /usr/share/modsecurity-atomic
nano /etc/apache2/mods-available/security2.conf
/etc/apache2/mods-available/security2.conf
<IfModule security2_module>
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity

# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
IncludeOptional /etc/modsecurity/*.conf

# Include OWASP ModSecurity CRS rules if installed
IncludeOptional /usr/share/modsecurity-crs/*.load

# Include Atomic ModSecurity rules if installed
IncludeOptional /usr/share/modsecurity-atomic/*.conf

</IfModule>
on the webserver terminal:
# Restart Apache
systemctl restart apache2
# Test the Atomic Ruleset
wget 'http://localhost/foo.php?foo=http://www.example.com'
Output
--2025-05-20 21:20:26--  http://localhost/foo.php?foo=http://www.example.com
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2025-05-20 21:20:26 ERROR 403: Forbidden.

Logs

on the webserver terminal:
tail /var/log/apache2/modsec_audit.log
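Tailing the raw audit log shows individual transactions; for triage it is more useful to know which rule blocked which client how often. The shell/awk function below is an added example, not part of the original page. It parses the per-transaction audit format (section A carries the client address, section H the "Access denied" message with the rule id) and prints "count rule-id client-ip" lines. With SecAuditLogType Concurrent, as configured on this page, the index file has a different one-line format; point the function at the per-transaction files under SecAuditLogStorageDir instead, which use the layout parsed here. The sample log is constructed, and the rule ids 9990xx are placeholders, not real Atomic rules.

```shell
#!/bin/sh
# Added example (not part of the original page): summarise a ModSecurity audit
# log as "count rule-id client-ip" so blocked requests can be triaged quickly.
# Parses the per-transaction (serial) format: section A carries the client
# address, section H the "Access denied" messages with the matching rule id.

# summarize_audit LOGFILE
summarize_audit() {
    awk '
        /^--[0-9A-Za-z@]+-A--$/ { section = "A"; next }
        /^--[0-9A-Za-z@]+-H--$/ { section = "H"; next }
        /^--[0-9A-Za-z@]+-[B-GI-Z]--$/ { section = ""; next }
        # Section A line: "[timestamp tz] unique-id client-ip client-port server-ip server-port"
        section == "A" && NF >= 4 { client = $4; section = ""; next }
        # Section H: count only lines where the engine actually blocked the request
        section == "H" && /Access denied/ {
            if (match($0, /\[id "[0-9]+"\]/)) {
                id = substr($0, RSTART + 5, RLENGTH - 7)   # strip [id " and "]
                hits[id " " client]++
            }
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" | sort -rn
}

# Constructed sample log (rule ids 9990xx are placeholders, not real rules)
sample_audit_log() {
    cat <<'EOF'
--a1b2c3d4-A--
[20/May/2025:21:20:26 +0200] aBcDeF1234567890abcd 127.0.0.1 54321 127.0.0.1 80
--a1b2c3d4-B--
GET /foo.php?foo=http://www.example.com HTTP/1.1
Host: localhost
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Constructed sample. [file "/usr/share/modsecurity-atomic/50_plesk_basic_asl_rules.conf"] [line "1"] [id "999001"] [msg "Constructed: blocked by sample rule"] [severity "CRITICAL"]
--a1b2c3d4-Z--

--e5f6a7b8-A--
[20/May/2025:21:21:02 +0200] bCdEfG2345678901bcde 127.0.0.1 54330 127.0.0.1 80
--e5f6a7b8-H--
Message: Access denied with code 403 (phase 2). Constructed sample. [id "999001"] [severity "CRITICAL"]
--e5f6a7b8-Z--

--c9d0e1f2-A--
[20/May/2025:21:25:41 +0200] cDeFgH3456789012cdef 10.0.0.5 40001 192.0.2.10 80
--c9d0e1f2-H--
Message: Warning. Constructed sample. [id "999003"] [severity "WARNING"]
Message: Access denied with code 403 (phase 2). Constructed sample. [id "999002"] [severity "CRITICAL"]
--c9d0e1f2-Z--
EOF
}

# Usage on the web server:
#   summarize_audit /var/log/apache2/modsec_audit.log
```

Warning-only messages (rules that matched but did not block) are deliberately ignored, so the output reflects what clients actually saw as a 403; a high count for one rule id across many unrelated clients is the usual sign of a false positive that needs an exclusion.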

For high-traffic websites, rotate the audit log with logrotate

on the webserver terminal:
sudo nano /etc/logrotate.d/modsecurity
/etc/logrotate.d/modsecurity
/var/log/apache2/modsec_audit.log
{
rotate 14
daily
missingok
compress
delaycompress
notifempty
}

Edit the exclusions (e.g. for WordPress)

on the webserver terminal:
sudo nano /etc/apache2/modsecurity-crs/coreruleset-3.3.0/crs-setup.conf
/etc/apache2/modsecurity-crs/coreruleset-3.3.0/crs-setup.conf
SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1"
# setvar:tx.crs_exclusions_cpanel=1,\
# setvar:tx.crs_exclusions_drupal=1,\
# setvar:tx.crs_exclusions_dokuwiki=1,\
# setvar:tx.crs_exclusions_nextcloud=1,\
# setvar:tx.crs_exclusions_xenforo=1"

Or, for individual websites:

on the webserver terminal:
# The example file lives in the rules/ directory of the Core Rule Set
cd /etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules
sudo mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo nano REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# Example for blog.yourdomain.com using WordPress
SecRule REQUEST_HEADERS:Host "@streq blog.yourdomain.com" "id:1000,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_wordpress=1"
# Example for nextcloud.yourdomain.com using Nextcloud
SecRule REQUEST_HEADERS:Host "@streq nextcloud.yourdomain.com" "id:1001,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_nextcloud=1"

Then test the configuration and restart Apache if the test succeeds

on the webserver terminal:
sudo apache2ctl -t
sudo systemctl restart apache2

Install Comodo Rules

+------------------------------------------------------
| Installation complete!
| Please add the line:
| Include "/usr/local/cwaf/etc/modsec2_standalone.conf"
| to Apache config file.
| To update ModSecurity ruleset run
| /usr/local/cwaf/scripts/updater.pl
| Restart Apache after that.
| You may find useful utility /usr/local/cwaf/scripts/cwaf-cli.pl
| Also you may examine file
| /usr/local/cwaf/INFO.TXT
| for some useful software information.
+------------------------------------------------------