Use the ModSecurity Apache module on a cloud server with Ubuntu 16.04

ModSecurity is a free web application firewall (WAF) which is a simple, powerful way to protect a server against web-based malware and hacking attempts. Learn how to install ModSecurity and the officially-recommended OWASP Core Rule Set (CRS) which will protect a server against malware and hacking in the form of SQL injection, session hijacking, cross-site scripting, Trojans, and many other forms of web-based exploits.

    vServer (VPS) from IONOS

    Low-cost, powerful VPS hosting for running your custom applications, with a personal assistant and 24/7 support.

    100 % SSD storage
    Ready in 55 sec.
    SSL certificate


    • A Cloud Server running Linux (Ubuntu 16.04)
    • Apache installed and running.

    Apache is installed and running on a Standard installation by default. If your server was created with a Minimal installation, you will need to install and configure Apache before you proceed.

    Install ModSecurity

    Install the libapache2-modsecurity package:

    sudo apt-get install libapache2-modsecurity

    Use apachectl -M | grep security to verify that the package has been installed. The server will respond with:

    user@localhost:~# apachectl -M | grep security
    security2_module (shared)

    Create a directory for the ModSecurity rules:

    sudo mkdir /etc/modsecurity

    Create a file for ModSecurity rules and open the file for editing:

    sudo nano /etc/modsecurity/mod_security.conf

    Add the following to the file:

    <IfModule mod_security2.c>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess On 
        SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream 
        SecDataDir /tmp

    Save and exit the file. Then restart Apache for the changes to take effect:

    sudo systemctl restart apache2

    Install and configure the OWASP Core Rule Set (CRS)

    The OWASP Core Rule Set (CRS) extends the functionality of ModSecurity by providing a set of security rules to protect your server.

    First, install the git package:

    sudo apt-get install git

    Go to the /etc/apache2 directory:

    cd /etc/apache2/

    Download the OWASP installation files:

    sudo git clone

    Move to the new OWASP directory:

    cd owasp-modsecurity-crs

    Create a copy of the example setup file and rename it:

    sudo cp crs-setup.conf.example crs-setup.conf

    Open the main Apache configuration file for editing:

    sudo nano /etc/apache2/apache2.conf

    Scroll down to the section which reads:

    # Include module configuration:
    IncludeOptional mods-enabled/*.load
    IncludeOptional mods-enabled/*.conf

    Add the following two lines:

    Include /etc/apache2/owasp-modsecurity-crs/crs-setup.conf
    Include /etc/apache2/owasp-modsecurity-crs/rules/*.conf

    Save and exit the file. Then restart Apache for the changes to take effect:

    systemctl restart apache2

    Web hosting with a personal consultant!

    Fast and scalable, including a free domain and email address, trust web hosting from IONOS!

    Free domain
    24/7 support

    Verify that ModSecurity is installed and the OWASP CRS is loaded

    You can test ModSecurity's OWASP CRS by visiting the URL:"><script>alert(1);</script>

    Where is replaced with your server's domain name or IP address.

    You will be denied access with a 403: Forbidden error. Furthermore, this error will be noted in the /var/log/apache2/error.log file, with an entry similar to:

    [Tue Aug 01 21:28:41.118995 2017] [:error] [pid 59913] [client] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data ""] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname ""] [uri "/phpmanager/"] [unique_id "WYDyiX8AAAEAAOoJ5qMAAAAA"]

    Update the OWASP Core Rule Set (CRS)

    The OWASP CRS comes with a script you can run to update the rules with the latest version. To update OWASP:

    sudo python /etc/apache2/owasp-modsecurity-crs/util/ --crs

    If you run it now to test the command, it will respond with:

     * branch            HEAD       -> FETCH_HEAD
    Already up-to-date.

    We recommend that you periodically run this script to update the OWASP CRS for the latest security patches.