{"id":2590,"date":"2015-05-04T22:13:49","date_gmt":"2015-05-04T16:43:49","guid":{"rendered":"http:\/\/websistent.com\/?p=2590"},"modified":"2018-05-08T01:08:56","modified_gmt":"2018-05-07T19:38:56","slug":"setup-mod_security-serverpilot","status":"publish","type":"post","link":"https:\/\/websistent.com\/setup-mod_security-serverpilot\/","title":{"rendered":"How to setup mod_security with ServerPilot"},"content":{"rendered":"

Serverpilot<\/a> is a hosted control panel for setting up and managing LAMP\/LEMP stacks on Ubuntu servers. Just like any other control panel it can be installed with a single command. ServerPilot is simple to use and does not install unnecessary packages like other commercial control panels.<\/p>\n

I had written an article<\/a> for DigitalOcean<\/a> on setting up mod_security on Apache. Since I found several DO users using ServerPilot to manage their Droplets I wanted to do a small piece on configuring mod_security on ServerPilot managed Ubuntu servers. ServerPilot supports custom .conf files for Apache making it easier load additional modules. This tutorial with be brief, for a detailed explanation please read the guide<\/a> I wrote for DigitalOcean.<\/p>\n

Update:<\/strong> As of 15th April installing mod_security from the Ubuntu repository no longer works (on Ubuntu 16.04 and 18.04) and outputs the following Apache error:<\/p>\n

httpd: Syntax error on line 160 of \/etc\/apache-sp\/httpd.conf: Syntax error on line 3  of \/etc\/apache-sp\/conf.d\/security2.conf: Cannot load \/usr\/lib\/apache2\/modules\/mod_security2.so into server: \/usr\/lib\/apache2\/\/modules\/mod_security2.so: undefined symbol: apr_crypto_block_cleanup<\/pre>\n
So on Ubuntu 16.04 and 18.04 mod_security has to be installed from source. Users of Ubuntu 14.04 can follow the previous method<\/a>.<\/p>\n
Installing mod_security on Ubuntu 16.04 and 18.04<\/h2>\n
Install dependencies<\/h3>\n
Update the apt repository and install packages necessary for compiling and building from source.<\/p>\n
apt-get update\r\napt-get install build-essential libpcre3-dev libxml2-dev libexpat1-dev<\/pre>\n
Visit APR’s (Apache Portable Runtime) website, download the latest version of APR and APR-util, compile and install them.<\/p>\n
cd \/tmp\r\nwget http:\/\/www-eu.apache.org\/dist\/\/apr\/apr-1.6.3.tar.gz\r\ntar -xzf apr-1.6.3.tar.gz\r\ncd apr-1.6.3\r\n.\/configure\r\nmake\r\nsudo make install\r\ncd \/tmp\r\nwget http:\/\/www-eu.apache.org\/dist\/\/apr\/apr-util-1.6.1.tar.gz\r\ntar -xzf apr-util-1.6.1.tar.gz\r\ncd apr-util-1.6.1\/\r\n.\/configure --with-apr=\/usr\/local\/apr\r\nmake\r\nsudo make install<\/pre>\n
Install mod_security from source<\/h3>\n
Download, compile and install mod_security from source.<\/p>\n
cd \/tmp\r\nwget https:\/\/www.modsecurity.org\/tarball\/2.9.2\/modsecurity-2.9.2.tar.gz\r\ntar -xzf modsecurity-2.9.2.tar.gz\r\ncd modsecurity-2.9.2\/\r\n.\/configure --enable-htaccess-config --with-apxs=\/opt\/sp\/apache\/bin\/apxs\r\nmake\r\nsudo make install<\/pre>\n
Create mod_security config files<\/h3>\n
Since we install mod_security from source the configuration directories and files have to be created manually.<\/p>\n
sudo mkdir \/etc\/modsecurity\r\nsudo wget -O \/etc\/modsecurity\/unicode.mapping https:\/\/github.com\/SpiderLabs\/ModSecurity\/raw\/v2\/master\/unicode.mapping\r\nsudo wget -O \/etc\/modsecurity\/modsecurity.conf https:\/\/github.com\/SpiderLabs\/ModSecurity\/raw\/v2\/master\/modsecurity.conf-recommended<\/pre>\n
Create a file at \/etc\/apache-sp\/conf.d\/security2.conf<\/code> and place the following config:<\/p>\n
LoadModule unique_id_module lib\/sp-apache\/mod_unique_id.so\r\nLoadModule security2_module \/usr\/local\/modsecurity\/lib\/mod_security2.so\r\n<IfModule security2_module>\r\n        IncludeOptional \/etc\/modsecurity\/*.conf\r\n        IncludeOptional "\/usr\/share\/modsecurity-crs\/*.conf"\r\n        IncludeOptional "\/usr\/share\/modsecurity-crs\/activated_rules\/*.conf"\r\n<\/IfModule><\/pre>\n
Next use sed<\/code> to edit modsecurity.conf<\/code> and configure mod_security to block attacks and disable buffering of HTTP response bodies:<\/p>\n
sudo sed -i "s\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/" \/etc\/modsecurity\/modsecurity.conf\r\nsudo sed -i "s\/SecResponseBodyAccess On\/SecResponseBodyAccess Off\/" \/etc\/modsecurity\/modsecurity.conf<\/pre>\n
Setup mod_security Core Rule Set (CRS)<\/h3>\n
Download mod_security rule set, extract and copy them to their own directory.<\/p>\n
cd \/tmp\r\nwget https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs\/archive\/2.2.9.tar.gz\r\ntar -xzf 2.2.9.tar.gz\r\nsudo mkdir \/usr\/share\/modsecurity-crs\r\nsudo mv owasp-modsecurity-crs-2.2.9\/ \/usr\/share\/modsecurity-crs\r\nsudo mv \/usr\/share\/modsecurity-crs\/modsecurity_crs_10_setup.conf{.example,}<\/pre>\n
Do a config test for Apache:<\/p>\n
sudo \/opt\/sp\/apache\/bin\/apachectl -t<\/pre>\n
This should return \u201cSyntax OK\u201d.<\/p>\n
Restart Apache:<\/p>\n
service apache-sp restart<\/pre>\n
Confirm if the module was loaded:<\/p>\n
sudo \/opt\/sp\/apache\/bin\/apachectl -M | grep security2<\/pre>\n
You should see a module named security2_module (shared)<\/strong> which indicates that the module was loaded.<\/p>\n
That’s it, now scroll down to the SQL injection test<\/a> section and test the rules.<\/p>\n
Installing mod_security on Ubuntu 14.04<\/h2>\n
Install mod_security<\/h3>\n
Update the apt repository and install the mod_security package:<\/p>\n
apt-get update\r\napt-get install libapache2-mod-security2 modsecurity-crs<\/pre>\n
Enable mod_unique_id<\/h3>\n
Modsecurity depends on a module named mod_unique_id. This module will prevent Apache from starting if the server’s hostname doesn’t resolve. So ensure the hostname resolves.<\/p>\n
ping -c 4 `hostname`\r\nping -c 4 `hostname -f`<\/pre>\n
Both of these should resolve to your loopback IP address, if not edit the \/etc\/hosts<\/code> file and add your server’s hostname.<\/p>\n
Execute the following command to add unique_id to the list of load modules to be loaded:<\/p>\n
bash -c "echo 'LoadModule unique_id_module lib\/sp-apache\/mod_unique_id.so' > \/etc\/apache-sp\/conf.d\/unique_id.conf"<\/pre>\n
Create mod_security config files<\/h3>\n
Create a .conf file to load the mod_security module file.<\/p>\n
bash -c "cat \/etc\/apache2\/mods-available\/security2.{load,conf} > \/etc\/apache-sp\/conf.d\/security2.conf"<\/pre>\n
Edit the newly created file and add the following before the <\/ifModule><\/code> line:<\/p>\n
IncludeOptional "\/usr\/share\/modsecurity-crs\/*.conf"\r\nIncludeOptional "\/usr\/share\/modsecurity-crs\/activated_rules\/*.conf"<\/pre>\n
Once added the file should look like this:<\/p>\n
# Depends: unique_id\r\nLoadModule security2_module \/usr\/lib\/apache2\/modules\/mod_security2.so\r\n<IfModule security2_module>\r\n        # Default Debian dir for modsecurity's persistent data\r\n        SecDataDir \/var\/cache\/modsecurity\r\n\r\n        # Include all the *.conf files in \/etc\/modsecurity.\r\n        # Keeping your local configuration in that directory\r\n        # will allow for an easy upgrade of THIS file and\r\n        # make your life easier\r\n        IncludeOptional \/etc\/modsecurity\/*.conf\r\n        IncludeOptional "\/usr\/share\/modsecurity-crs\/*.conf"\r\n        IncludeOptional "\/usr\/share\/modsecurity-crs\/activated_rules\/*.conf"\r\n<\/IfModule><\/pre>\n
Rename the modsecurity.conf-recommended<\/code> file:<\/p>\n
mv \/etc\/modsecurity\/modsecurity.conf{-recommended,}<\/pre>\n
Edit the renamed file and configure mod_security to block attacks:<\/p>\n
sed -i "s\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/" \/etc\/modsecurity\/modsecurity.conf<\/pre>\n
Disable buffering of HTTP response bodies:<\/p>\n
sed -i "s\/SecResponseBodyAccess On\/SecResponseBodyAccess Off\/" \/etc\/modsecurity\/modsecurity.conf<\/pre>\n
Important: This is SecResponse<\/strong>BodyAccess and NOT SecRequest<\/strong>BodyAccess.<\/p><\/blockquote>\n
The directives SecRequestBodyLimit<\/code>, SecRequestBodyNoFilesLimit<\/code> and SecRequestBodyInMemoryLimit<\/code> have been discussed in the DigitalOcean article<\/a>.<\/p>\n
Create a directory named “apache2” inside “\/var\/log”, this is where mod_security will store its audit log file.<\/p>\n
mkdir \/var\/log\/apache2<\/pre>\n
Do a config test for Apache:<\/p>\n
\/opt\/sp\/apache\/bin\/apachectl -t<\/pre>\n
This should return “Syntax OK”<\/p>\n
Restart Apache:<\/p>\n
service apache-sp restart<\/pre>\n
Confirm if the module was loaded:<\/p>\n
\/opt\/sp\/apache\/bin\/apachectl -M | grep security2<\/pre>\n
You should see a module named security2_module (shared)<\/strong> which indicates that the module was loaded.<\/p>\n
SQL injection test<\/h3>\n
Enable the SQL injection rule:<\/p>\n
cd \/usr\/share\/modsecurity-crs\/activated_rules\r\nln -s ..\/base_rules\/modsecurity_crs_41_sql_injection_attacks.conf .<\/pre>\n
Restart Apache for the rules to take effect:<\/p>\n
service apache-sp restart<\/pre>\n
Test SQL injection using the following cURL request:<\/p>\n
curl -o \/dev\/null -s -v -d "' or true -- " http:\/\/example.com<\/pre>\n
This should return a 403 Forbidden error as follows:<\/p>\n
* Hostname was found in DNS cache\r\n*   Trying 1.1.1.1...\r\n* Connected to example.com (1.1.1.1) port 80 (#0)\r\n> POST \/ HTTP\/1.1\r\n> User-Agent: curl\/7.35.0\r\n> Host: example.com\r\n> Accept: *\/*\r\n> Content-Length: 13\r\n> Content-Type: application\/x-www-form-urlencoded\r\n>\r\n} [data not shown]\r\n* upload completely sent off: 13 out of 13 bytes\r\n< HTTP\/1.1 403 Forbidden\r\n* Server nginx is not blacklisted\r\n< Server: nginx\r\n< Date: Mon, 04 May 2015 19:42:12 GMT\r\n< Content-Type: text\/html; charset=iso-8859-1\r\n< Content-Length: 209\r\n< Connection: keep-alive\r\n< Vary: Accept-Encoding\r\n<\r\n{ [data not shown]\r\n* Connection #0 to host example.com left intact<\/pre>\n
That’s it, we now have mod_security running on a server managed by ServerPilot<\/a>. If you use the ServerPilot links in this article to signup, you’ll get a $10<\/strong> account credit. \ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"
Serverpilot is a hosted control panel for setting up and managing LAMP\/LEMP stacks on Ubuntu servers. Just like any other control panel it can be installed with a single command. ServerPilot is simple to use and does not install unnecessary packages like other commercial control panels. I had written an article for DigitalOcean on setting […]<\/p>\n","protected":false},"author":1,"featured_media":2607,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[58],"tags":[22,59,126],"yoast_head":"\nHow to setup mod_security with ServerPilot - Jesin's Blog<\/title>\n<meta name=\"description\" content=\"An article showing how to install and configure mod_security for Apache on a server managed by ServerPilot.io\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/websistent.com\/setup-mod_security-serverpilot\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to setup mod_security with ServerPilot - Jesin's Blog\" \/>\n<meta property=\"og:description\" content=\"An article showing how to install and configure mod_security for Apache on a server managed by ServerPilot.io\" \/>\n<meta property=\"og:url\" content=\"https:\/\/websistent.com\/setup-mod_security-serverpilot\/\" \/>\n<meta property=\"og:site_name\" content=\"Jesin's Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/JesinsBlog\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/a.jesin\" \/>\n<meta property=\"article:published_time\" content=\"2015-05-04T16:43:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-05-07T19:38:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/websistent.com\/wp-content\/uploads\/2015\/05\/security-265130_640.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"426\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jesin A\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@jesin_a\" \/>\n<meta name=\"twitter:site\" content=\"@jesin_a\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jesin A\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/websistent.com\/setup-mod_security-serverpilot\/\",\"url\":\"https:\/\/websistent.com\/setup-mod_security-serverpilot\/\",\"name\":\"How to setup mod_security with ServerPilot - Jesin's Blog\",\"isPartOf\":{\"@id\":\"https:\/\/websistent.com\/#website\"},\"datePublished\":\"2015-05-04T16:43:49+00:00\",\"dateModified\":\"2018-05-07T19:38:56+00:00\",\"author\":{\"@id\":\"https:\/\/websistent.com\/#\/schema\/person\/357101749ddf15997318112dc2560fc0\"},\"description\":\"An article showing how to install and configure mod_security for Apache on a server managed by ServerPilot.io\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/websistent.com\/setup-mod_security-serverpilot\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/websistent.com\/#website\",\"url\":\"https:\/\/websistent.com\/\",\"name\":\"Jesin's Blog\",\"description\":\"Welcome to the Portal of Technology\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/websistent.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/websistent.com\/#\/schema\/person\/357101749ddf15997318112dc2560fc0\",\"name\":\"Jesin A\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/websistent.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/048e2c3bc97fe47194f9b43595fec029?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/048e2c3bc97fe47194f9b43595fec029?s=96&d=mm&r=g\",\"caption\":\"Jesin A\"},\"sameAs\":[\"https:\/\/websistent.com\/\",\"https:\/\/www.facebook.com\/a.jesin\",\"https:\/\/twitter.com\/jesin_a\"],\"url\":\"https:\/\/websistent.com\/author\/a-jesin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to setup mod_security with ServerPilot - Jesin's Blog","description":"An article showing how to install and configure mod_security for Apache on a server managed by ServerPilot.io","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/websistent.com\/setup-mod_security-serverpilot\/","og_locale":"en_US","og_type":"article","og_title":"How to setup mod_security with ServerPilot - Jesin's Blog","og_description":"An article showing how to install and configure mod_security for Apache on a server managed by ServerPilot.io","og_url":"https:\/\/websistent.com\/setup-mod_security-serverpilot\/","og_site_name":"Jesin's Blog","article_publisher":"https:\/\/www.facebook.com\/JesinsBlog","article_author":"https:\/\/www.facebook.com\/a.jesin","article_published_time":"2015-05-04T16:43:49+00:00","article_modified_time":"2018-05-07T19:38:56+00:00","og_image":[{"width":640,"height":426,"url":"https:\/\/websistent.com\/wp-content\/uploads\/2015\/05\/security-265130_640.jpg","type":"image\/jpeg"}],"author":"Jesin A","twitter_card":"summary_large_image","twitter_creator":"@jesin_a","twitter_site":"@jesin_a","twitter_misc":{"Written by":"Jesin A","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/websistent.com\/setup-mod_security-serverpilot\/","url":"https:\/\/websistent.com\/setup-mod_security-serverpilot\/","name":"How to setup mod_security with ServerPilot - Jesin's Blog","isPartOf":{"@id":"https:\/\/websistent.com\/#website"},"datePublished":"2015-05-04T16:43:49+00:00","dateModified":"2018-05-07T19:38:56+00:00","author":{"@id":"https:\/\/websistent.com\/#\/schema\/person\/357101749ddf15997318112dc2560fc0"},"description":"An article showing how to install and configure mod_security for Apache on a server managed by ServerPilot.io","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/websistent.com\/setup-mod_security-serverpilot\/"]}]},{"@type":"WebSite","@id":"https:\/\/websistent.com\/#website","url":"https:\/\/websistent.com\/","name":"Jesin's Blog","description":"Welcome to the Portal of Technology","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/websistent.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/websistent.com\/#\/schema\/person\/357101749ddf15997318112dc2560fc0","name":"Jesin A","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/websistent.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/048e2c3bc97fe47194f9b43595fec029?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/048e2c3bc97fe47194f9b43595fec029?s=96&d=mm&r=g","caption":"Jesin A"},"sameAs":["https:\/\/websistent.com\/","https:\/\/www.facebook.com\/a.jesin","https:\/\/twitter.com\/jesin_a"],"url":"https:\/\/websistent.com\/author\/a-jesin\/"}]}},"_links":{"self":[{"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/posts\/2590"}],"collection":[{"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/comments?post=2590"}],"version-history":[{"count":5,"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/posts\/2590\/revisions"}],"predecessor-version":[{"id":2796,"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/posts\/2590\/revisions\/2796"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/media\/2607"}],"wp:attachment":[{"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/media?parent=2590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/categories?post=2590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/websistent.com\/wp-json\/wp\/v2\/tags?post=2590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}