Web-based Application Firewall (WAF)

Not yet tested

This procedure may work as is. Testing on 10 is incomplete as of September 22, 2025. If you use it and find problems, please let us know.

Prerequisites

  • A Rocky Linux Web Server running Apache
  • Proficiency with a command-line editor (using vi in this example)
  • A high comfort level with issuing commands from the command line, viewing logs, and other general systems administrator duties
  • An understanding that installing this tool also requires monitoring of actions and tuning to your environment
  • All commands are run as the root user or as a regular user with sudo

Introduction

mod_security is an open source web-based application firewall (WAF). It is just one possible piece of a hardened Apache web server setup. Use it with, or without, other tools.

If you want to use this and other hardening tools, refer back to the Apache Hardened Web Server guide. This document also uses all of the assumptions and conventions outlined in that original document. It is a good idea to review it before continuing.

One limitation of mod_security when installed from the Atomicorp repository is that the installed rules are minimal. To get a more extensive package of no-cost mod_security rules, this procedure uses OWASP mod_security rules found here. OWASP stands for the Open Web Application Security Project. You can find out more about OWASP here.

Tip

As stated, this procedure uses the OWASP mod_security rules. What is not used is the configuration provided by that site. That site also provides great tutorials on using mod_security and other security-related tools. The document you are working through now does nothing but help you install the tools and rules needed for hardening with mod_security on a Rocky Linux web server. Netnea is a team of technical professionals that provides security courses on their website. Much of this content is available at no cost, but they do have options for in-house or group training.

Additional repository

To install mod_security you will need the Atomicorp repository (atomic.repo). Do that with this line and answer yes to all the defaults:

wget -q -O - https://www.atomicorp.com/installers/atomic | sh

Run dnf upgrade to read in all the changes.

Installing mod_security

To install the base package, use this command. It will install any missing dependencies. You also need wget if you do not have it installed:

dnf install mod_security wget

Installing the mod_security rules

Note

It is important to follow this procedure carefully. The configuration from Netnea has been changed to fit Rocky Linux.

  1. Access the current OWASP rules by going to their GitHub site.

  2. On the right-hand side of the page, find the releases section and click on the tag for the latest release.

  3. Under "Assets" on the next page, right-click on the "Source Code (tar.gz)" link and copy the link.

  4. On your server, go to the Apache configuration directory:

    cd /etc/httpd/conf
    
  5. Enter wget and paste your link. Example:

    wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.5.tar.gz
    
  6. Decompress the file:

    tar xzvf v3.3.5.tar.gz
    

    This creates a directory with the release information in the name. Example: "coreruleset-3.3.5"

  7. Create a symbolic link called "crs" linking to the directory of the release. Example:

    ln -s coreruleset-3.3.5/ /etc/httpd/conf/crs
    
  8. Remove the tar.gz file. Example:

    rm -f v3.3.5.tar.gz
    
  9. Copy the temporary configuration so that it will load when started:

    cp crs/crs-setup.conf.example crs/crs-setup.conf
    

    This file is editable, but you probably will not need to make any changes.

The mod_security rules are now in place.
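
Steps 4 through 9 can be wrapped in one function so that repeat installs and upgrades behave the same way each time. This is an added example, not part of the original guide: the name install_crs, its arguments, and the pinned SHA-256 value (one you recorded yourself from a copy you reviewed) are assumptions, and the checksum and archive-listing checks go beyond the steps above.

```shell
# Added example, not from the original guide. install_crs and its
# arguments are hypothetical names chosen for illustration.
# Usage: install_crs TARBALL EXPECTED_SHA256 [CONF_DIR]
install_crs() {
    local tarball="$1" expected="$2" confdir="${3:-/etc/httpd/conf}"
    local actual entries top

    # 1. Integrity: compare with a SHA-256 the operator pinned earlier
    #    (assumption: you recorded it from a copy you reviewed).
    actual=$(sha256sum "$tarball" | awk '{print $1}') || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi

    # 2. List before extracting: reject absolute paths and ".." members.
    entries=$(tar tzf "$tarball") || return 1
    if printf '%s\n' "$entries" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $tarball" >&2
        return 1
    fi

    # 3. Expect exactly one top-level directory, e.g. coreruleset-3.3.5.
    top=$(printf '%s\n' "$entries" | cut -d/ -f1 | sort -u)
    if [ "$(printf '%s\n' "$top" | wc -l)" -ne 1 ]; then
        echo "expected a single top-level directory" >&2
        return 1
    fi

    # 4. Extract, repoint the relative "crs" symlink, and create
    #    crs-setup.conf only if it is absent, so re-running for the
    #    same release keeps local edits.
    tar xzf "$tarball" -C "$confdir" || return 1
    ln -sfn "$top" "$confdir/crs" || return 1
    [ -e "$confdir/crs/crs-setup.conf" ] ||
        cp "$confdir/crs/crs-setup.conf.example" "$confdir/crs/crs-setup.conf"
}
```

Run it as root after the wget in step 5, passing the downloaded file name and your pinned checksum, then remove the tar.gz file as in step 8.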

Configuration

With the rules in place, the next step is configuring these rules to load and run when httpd and mod_security run.

mod_security already has a configuration file located in /etc/httpd/conf.d/mod_security.conf. You will need to modify this file to include the OWASP rules. To do this, edit that configuration file:

vi /etc/httpd/conf.d/mod_security.conf

Add the following content just before the end tag (`

Author: Steven Spencer

Contributors: Ezequiel Bruni, Ganna Zhyrnova