Use the ModSecurity Apache Module on a Cloud Server with Ubuntu 16.04

Leave your reply


ModSecurity is a free web application firewall (WAF) which is a simple, powerful way to protect a server against web-based malware and hacking attempts. Learn how to install ModSecurity and the officially-recommended OWASP Core Rule Set (CRS) which will protect a server against malware and hacking in the form of SQL injection, session hijacking, cross-site scripting, Trojans, and many other forms of web-based exploits.

Note: For any Servidor Cloud with Plesk, Apache modules should always be added and managed through the Plesk interface. See our article Use the ModSecurity Apache Module on a Servidor Cloud with Plesk for step-by-step instructions.


  • A Servidor Cloud running Linux (Ubuntu 16.04)
  • Apache installed and running.

Note: Apache is installed and running on a Standard installation by default. If your server was created with a Minimal installation, you will need to install and configure Apache before you proceed.

Install ModSecurity

Install the libapache2-modsecurity package:

sudo apt-get install libapache2-modsecurity

Use apachectl -M | grep security to verify that the package has been installed. The server will respond with:

user@localhost:~# apachectl -M | grep security
security2_module (shared)

Create a directory for the ModSecurity rules:

sudo mkdir /etc/modsecurity

Create a file for ModSecurity rules and open the file for editing:

sudo nano /etc/modsecurity/mod_security.conf

Add the following to the file:

<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On 
    SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream 
    SecDataDir /tmp

Save and exit the file. Then restart Apache for the changes to take effect:

sudo systemctl restart apache2

Install and Configure the OWASP Core Rule Set (CRS)

The OWASP Core Rule Set (CRS) extends the functionality of ModSecurity by providing a set of security rules to protect your server.

First, install the git package:

sudo apt-get install git

Go to the /etc/apache2 directory:

cd /etc/apache2/

Download the OWASP installation files:

 sudo git clone

Move to the new OWASP directory:

cd owasp-modsecurity-crs

Create a copy of the example setup file and rename it:

sudo cp crs-setup.conf.example crs-setup.conf

Open the main Apache configuration file for editing:

sudo nano /etc/apache2/apache2.conf

Scroll down to the section which reads:

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Add the following two lines:

Include /etc/apache2/owasp-modsecurity-crs/crs-setup.conf
Include /etc/apache2/owasp-modsecurity-crs/rules/*.conf

Save and exit the file. Then restart Apache for the changes to take effect:

systemctl restart apache2

Verify that ModSecurity is Installed and the OWASP CRS is Loaded

You can test ModSecurity's OWASP CRS by visiting the URL:"><script>alert(1);</script>

Where is replaced with your server's domain name or IP address.

You will be denied access with a 403: Forbidden error. Furthermore, this error will be noted in the /var/log/apache2/error.log file, with an entry similar to:

[Tue Aug 01 21:28:41.118995 2017] [:error] [pid 59913] [client] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data ""] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname ""] [uri "/phpmanager/"] [unique_id "WYDyiX8AAAEAAOoJ5qMAAAAA"]

Update the OWASP Core Rule Set (CRS)

The OWASP CRS comes with a script you can run to update the rules with the latest version. To update OWASP:

sudo python /etc/apache2/owasp-modsecurity-crs/util/ --crs

If you run it now to test the command, it will respond with:

 * branch            HEAD       -> FETCH_HEAD
Already up-to-date.

We recommend that you periodically run this script to update the OWASP CRS for the latest security patches.