Securing your web applications against common threats is critical in today’s digital landscape. One of the most effective ways to do that is by deploying ModSecurity, an open-source Web Application Firewall (WAF), along with the OWASP Core Rule Set (CRS). This powerful combination can protect your server against attacks like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and more.
This guide walks you through the process of setting up ModSecurity and OWASP CRS on a Linux server using either Apache or Nginx.
Overview
ModSecurity acts as a gatekeeper for your web server, analyzing incoming HTTP requests in real-time. When paired with the OWASP Core Rule Set, it becomes a strong defense layer against a wide range of known web application vulnerabilities.
Prerequisites
Before you begin, ensure you have the following:
- A Linux server (Ubuntu, Debian, CentOS, or RedHat)
- Root or sudo access
- Apache or Nginx installed and running
Step 1: Install ModSecurity
For Apache on Ubuntu or Debian
sudo apt update
sudo apt install libapache2-mod-security2
sudo a2enmod security2
For Apache on CentOS or RedHat
sudo yum install mod_security
For Nginx (ModSecurity v3 Required)
Nginx does not natively support ModSecurity, so you need to build ModSecurity v3 as an external module.
Install Required Dependencies
sudo apt install git gcc g++ make libtool libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev
Clone and Build ModSecurity v3
cd /usr/local/src
sudo git clone --depth 1 -b v3/master https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
sudo git submodule init
sudo git submodule update
sudo ./build.sh
sudo ./configure
sudo make
sudo make install
You will then need to build Nginx from source or use a precompiled package that supports ModSecurity v3.
Step 2: Download and Configure OWASP Core Rule Set (CRS)
cd /etc/modsecurity
sudo git clone https://github.com/coreruleset/coreruleset.git
sudo mv coreruleset crs
sudo cp crs/crs-setup.conf.example crs/crs-setup.conf
Step 3: Configure ModSecurity
Edit Main Configuration File
sudo nano /etc/modsecurity/modsecurity.conf
On Debian and Ubuntu the package ships this file as /etc/modsecurity/modsecurity.conf-recommended; copy it to /etc/modsecurity/modsecurity.conf first if that file does not yet exist.
Find the following line:
SecRuleEngine DetectionOnly
Change it to:
SecRuleEngine On
This switches ModSecurity from logging only (DetectionOnly) to actively blocking requests that match the rules.
Step 4: Include CRS Rules in Apache
sudo nano /etc/apache2/mods-enabled/security2.conf
Add these lines at the end of the file:
IncludeOptional /etc/modsecurity/crs/crs-setup.conf
IncludeOptional /etc/modsecurity/crs/rules/*.conf
Save and close the file.
Step 5: Restart Apache
sudo systemctl restart apache2
Step 6: Verify the WAF is Working
Open your browser and try accessing a test URL that simulates a SQL injection:
http://yourdomain.com/?id=1' OR '1'='1
Then check the ModSecurity logs:
sudo tail -f /var/log/apache2/modsec_audit.log
If everything is configured correctly, the request is blocked with an HTTP 403 response (or only logged, if you left SecRuleEngine at DetectionOnly) and the audit log shows which rules matched.
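Reading the audit log by hand gets tedious once real traffic flows through the WAF. The following Python script is an added example (not part of this guide) that parses ModSecurity's serial audit log format, the default on Debian and Ubuntu, and reports for each transaction the client, the request line, the CRS rule ids that fired and whether the request was intercepted. The embedded log entry is a constructed sample modelled on the Step 6 test request; the boundary id, timestamp and addresses are made up.

```python
"""Summarize ModSecurity serial audit-log entries (added example, not from the guide).

Each transaction is a group of sections delimited by "--<boundary>-<letter>--" lines:
section A carries timestamp/client, B the request line and headers, H the rule
messages ("Message: ..." with [id "..."] and [msg "..."]) and the final action.
"""
import re
from collections import Counter

# Constructed sample entry, modelled on the Step 6 test request (not a real log).
SAMPLE_LOG = """--a1b2c3d4-A--
[01/Jan/2025:12:00:00 +0000] Z3xYz9AbCdEfGhIjKlMn 203.0.113.5 50000 192.0.2.10 80
--a1b2c3d4-B--
GET /?id=1'%20OR%20'1'='1 HTTP/1.1
Host: yourdomain.com
User-Agent: curl/8.0
--a1b2c3d4-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&sos' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
TAG_RE = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')

def parse_audit_log(text):
    """Return one dict per transaction: client, request line, matched rules, blocked flag."""
    marks = list(SECTION_RE.finditer(text))
    transactions = {}
    for i, m in enumerate(marks):
        boundary, section = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = text[m.end():end].strip("\n")
        tx = transactions.setdefault(boundary, {"client": None, "request": None, "rules": [], "blocked": False})
        if section == "A":      # "[timestamp] unique_id client_ip client_port server_ip server_port"
            tx["client"] = body.split("]")[1].split()[1]
        elif section == "B":    # first line of the request section is the request line
            tx["request"] = body.splitlines()[0]
        elif section == "H":    # one "Message:" line per rule that matched
            for line in body.splitlines():
                if line.startswith("Message:"):
                    tags = dict(TAG_RE.findall(line))
                    tx["rules"].append((tags.get("id"), tags.get("msg"), tags.get("severity")))
                elif line.startswith("Action: Intercepted"):
                    tx["blocked"] = True
    return list(transactions.values())

def rule_hit_counts(transactions):
    """Hits per rule id; a rule firing constantly on ordinary URLs is a false-positive candidate."""
    return Counter(rule_id for tx in transactions for rule_id, _msg, _sev in tx["rules"])

if __name__ == "__main__":
    for tx in parse_audit_log(SAMPLE_LOG):
        status = "BLOCKED" if tx["blocked"] else "logged"
        print(f"{tx['client']} {status} {tx['request']} rules={[r[0] for r in tx['rules']]}")
```

Point it at /var/log/apache2/modsec_audit.log (read the file into SAMPLE_LOG's place) and the per-rule counts from rule_hit_counts are a quick starting point for the false-positive review recommended below.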
Best Practices for Production Environments
- Start with SecRuleEngine DetectionOnly mode to monitor and fine-tune before enforcing.
- Review logs frequently for false positives.
- Regularly update the OWASP CRS rule set from the official repository.
- Combine ModSecurity with other server hardening measures like fail2ban, iptables, or Cloudflare.
- Monitor performance impact and adjust configurations as needed.
Conclusion
Deploying ModSecurity with the OWASP Core Rule Set significantly enhances your Linux server’s security posture. While Apache integration is relatively straightforward, Nginx requires more effort, particularly in building and linking ModSecurity v3. Regardless of your server stack, this setup is a smart investment in web application security.
If you are managing critical applications or high-traffic environments, consider partnering with experts like ServerAdminz to ensure optimal performance and protection.