{"id":22665268,"url":"https://github.com/volkansah/modsecurity-webserver-protection-guide","last_synced_at":"2025-04-12T08:44:05.961Z","repository":{"id":189922505,"uuid":"614821291","full_name":"VolkanSah/ModSecurity-Webserver-Protection-Guide","owner":"VolkanSah","description":"A full  Mod_Security guide to use local software like clam-av, chkrootkit, fail2ban, rkhunter for Nginx \u0026 Apache ","archived":false,"fork":false,"pushed_at":"2024-06-25T10:31:21.000Z","size":168,"stargazers_count":15,"open_issues_count":0,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-26T03:51:14.106Z","etag":null,"topics":["apache-configuration","apache2","arch-linux","bsd","chkrootkit","clamav","configuration","debian","fail2ban","modsecurity","modsecurity-nginx","nginx","nginx-configuration","rkhunter","source-code","ubuntu","use-modsecurity"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/VolkanSah.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["VolkanSah"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2023-03-16T11:47:21.000Z","updated_at":"2025-03-01T01:41:48.000Z","dependencies_parsed_at":"2024-06-24T22:57:20.480Z","dependency_job_id":"22f485b7-efd0-4b41-b6d9-78831268bbe7","html_url":"https://github.com/VolkanSah/ModSecurity-Webserver-Protection-Guide","commit_stats":null,"previous_names":["volkansah/modsecurity-webserver-protection-guide"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VolkanSah%2FModSecurity-Webserver-Protection-Guide","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VolkanSah%2FModSecurity-Webserver-Protection-Guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VolkanSah%2FModSecurity-Webserver-Protection-Guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VolkanSah%2FModSecurity-Webserver-Protection-Guide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/VolkanSah","download_url":"https://codeload.github.com/VolkanSah/ModSecurity-Webserver-Protection-Guide/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248543825,"owners_count":21121837,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache-configuration","apache2","arch-linux","bsd","chkrootkit","clamav","configuration","debian","fail2ban","modsecurity","modsecurity-nginx","nginx","nginx-configuration","rkhunter","source-code","ubuntu","use-modsecurity"],"created_at":"2024-12-09T13:29:49.943Z","updated_at":"2025-04-12T08:44:05.941Z","avatar_url":"https://github.com/VolkanSah.png","language":null,"funding_links":["https://github.com/sponsors/VolkanSah","https://github.com/sponsors/volkansah"],"categories":[],"sub_categories":[],"readme":"# ModSecurity Webserver Protection Guide \nWelcome to the ModSecurity Webserver Protection repository! This guide provides step-by-step instructions on using ModSecurity with Apache2 or Nginx web servers to enhance security. ModSecurity is a popular open-source Web Application Firewall (WAF) that protects against various web application attacks.\n\nThis guide covers using ModSecurity to defend against SQL injection, cross-site scripting (XSS), and other common attacks. It also includes instructions for integrating additional security tools like ClamAV, Chkrootkit, Rkhunter, and Fail2ban to further secure your web server.\n\nAimed at users with basic server administration skills and familiarity with Apache2 or Nginx, this guide provides detailed installation and configuration steps for ModSecurity and other security tools, along with their integration into your server setup.\n\n\nI hope this guide helps you enhance your web server's security. If you have any questions or feedback, please contact me. Don't forget to leave a :star:\n\n## Table of content\n- [Install mod security for Apache2](#install-mod-security-for-apache2)\n  - [Download and build ModSecurity from source](#download-and-build-modsecurity-from-source)\n  - [Download and build the ModSecurity Apache Connector](#download-and-build-the-modsecurity-apache-connector)\n  - [Configure Apache to use ModSecurity](#configure-apache-to-use-modsecurity)\n  - [Enable ModSecurity in Apache](#enable-modsecurity-in-apache)\n  - [Configure and download the Core Rule Set (CRS)](#configure-and-download-the-core-rule-set-crs)\n  - [Test the Apache configuration](#test-the-apache-configuration)\n- [Install mod security for NGINX](#install-mod-security-for-nginx)\n  - [Install prerequisite packages](#install-prerequisite-packages)\n  - [Download and build ModSecurity from source](#download-and-build-modsecurity-from-source-1)\n  - [Download and build the ModSecurity Nginx Connector](#download-and-build-the-modsecurity-nginx-connector)\n  - [Download and compile Nginx with ModSecurity module](#download-and-compile-nginx-with-modsecurity-module)\n  - [Compile Nginx with the ModSecurity module](#compile-nginx-with-the-modsecurity-module)\n  - [Configure Nginx to use ModSecurity](#configure-nginx-to-use-modsecurity)\n  - [Configure and download the Core Rule Set (CRS)](#configure-and-download-the-core-rule-set-crs-1)\n  - [Test the Nginx configuration](#test-the-nginx-configuration)\n- [Configuration for using ClamAV with Apache2](#configuration-for-using-clamav-with-apache2)\n- [Configuration for using ClamAV with Nginx](#configuration-for-using-clamav-with-nginx)\n- [Use Fail2ban to work with ModSecurity on both Apache and Nginx](#use-fail2ban-to-work-with-modsecurity-on-both-apache-and-nginx)\n- [Chkrootkit with Mod_Security](#chkrootkit-with-mod_security)\n- [RkHunter with Mod_Security](#rkhunter-with-mod_security)\n- [Be carefuly](#be-carefuly)\n\n  \n\n\n# Install mod security for Apache2\nTo install ModSecurity on different Linux distributions while using Apache as your web server, follow the steps below.\n\n\nNote: The instructions provided here assume that you have already installed the Apache web server on your system.\nInstall prerequisite packages:\n\n### 1. For each distribution, you need to install some prerequisite packages\n\n### Ubuntu/Debian:\n```bash\nsudo apt-get update\nsudo apt-get install -y build-essential libtool autoconf automake pkg-config libxml2-dev libcurl4-openssl-dev libpcre3-dev libyajl-dev zlib1g-dev liblmdb-dev\n```\n\n### Fedora:\n\n```bash\nsudo dnf update\nsudo dnf install -y @development-tools libtool autoconf automake pkgconfig libxml2-devel libcurl-devel pcre-devel yajl-devel zlib-devel lmdb-devel\n```\n### BSD:\n```bash\nsudo pkg update\nsudo pkg install -y autoconf automake libtool pkgconf libxml2 libcurl pcre yajl zlib lmdb\n```\n### Arch Linux:\n```bash\nsudo pacman -Syu\nsudo pacman -S --needed base-devel libxml2 libcurl pcre yajl zlib lmdb\n```\n\n### Download and build ModSecurity from source:\n```bash\ngit clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity\ncd ModSecurity\ngit submodule init\ngit submodule update\n./build.sh\n./configure\nmake\nsudo make install\n```\n### Download and build the ModSecurity Apache Connector:\n```bash\ncd ..\ngit clone --depth 1 https://github.com/SpiderLabs/ModSecurity-apache.git\ncd ModSecurity-apache\n./autogen.sh\n./configure --with-libmodsecurity=/usr/local/modsecurity\nmake\nsudo make install\n```\n## Configure Apache to use ModSecurity:\nCreate a new configuration file for ModSecurity:\n```bash\nsudo nano /etc/apache2/mods-available/modsecurity.conf\n```\n\nAdd the following content to the file:\nLoadModule security2_module /usr/lib/apache2/modules/mod_security2.so\n```bash\n\u003cIfModule mod_security2.c\u003e\n  SecRuleEngine On\n  SecRequestBodyAccess On\n  SecResponseBodyAccess On\n  SecDataDir /var/cache/modsecurity\n  IncludeOptional /etc/apache2/modsecurity.d/*.conf\n\u003c/IfModule\u003e\n```\nCreate a directory for additional ModSecurity rules:\n```bash\nsudo mkdir /etc/apache2/modsecurity.d\n```\n## Enable ModSecurity in Apache:\n### Ubuntu/Debian:\n```bash\nsudo a2enmod modsecurity\nsudo service apache2 restart\n```\n### Fedora:\n```bash\nsudo ln -s /etc/apache2/mods-available/modsecurity.conf /etc/httpd/conf.modules.d/10-modsecurity.conf\nsudo systemctl restart httpd\n```\nBSD:\n```bash\necho 'LoadModule security2_module /usr/local/libexec/apache24/mod_security2.so' | sudo tee -a /usr/local/etc/apache24/httpd.conf\nsudo service apache24 restart\n```\n### Arch Linux:\n```bash\necho 'LoadModule security2_module /usr/lib/httpd/modules/mod_security2.so' | sudo tee -a /etc/httpd/conf/httpd.conf\nsudo systemctl restart httpd\n```\n\n## Configure and download the Core Rule Set (CRS):\n\nInstall the Core Rule Set:\n```bash\ncd /etc/apache2\nsudo git clone https://github.com/coreruleset/coreruleset.git modsecurity-crs\n```\n## Create a symbolic link to the CRS configuration file:\n```bash\n\n    sudo ln -s /etc/apache2/modsecurity-crs/crs-setup.conf /etc/apache2/modsecurity.d/crs-setup.conf\n    sudo ln -s /etc/apache2/modsecurity-crs/rules/ /etc/apache2/modsecurity.d/rules\n```\n### Test the Apache configuration:\n\n    Run the following command to test if the configuration is correct:\n```bash\nsudo apachectl configtest\n```\nIf the output shows \"Syntax OK,\" you can proceed to restart the Apache server:\n```bash\nsudo systemctl restart apache2\n```\nNow, ModSecurity should be installed and enabled on your Apache web server. To add custom rules or modify existing ones, you can edit the configuration files located in the /etc/apache2/modsecurity.d/ directory.\n\n# Install mod security for NGINX\nInstall prerequisite packages:\n\n### Ubuntu/Debian:\n```bash\nsudo apt-get update\nsudo apt-get install -y build-essential libtool autoconf automake pkg-config libxml2-dev libcurl4-openssl-dev libpcre3-dev libyajl-dev zlib1g-dev liblmdb-dev git\n```\n### Fedora:\n```bash\nsudo dnf update\nsudo dnf install -y @development-tools libtool autoconf automake pkgconfig libxml2-devel libcurl-devel pcre-devel yajl-devel zlib-devel lmdb-devel git\n```\n### BSD:\n```bash\nsudo pkg update\nsudo pkg install -y autoconf automake libtool pkgconf libxml2 libcurl pcre yajl zlib lmdb git\n```\n### Arch Linux:\n```bash\nsudo pacman -Syu\nsudo pacman -S --needed base-devel libxml2 libcurl pcre yajl zlib lmdb git\n```\n### Download and build ModSecurity from source:\n```bash\ngit clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity\ncd ModSecurity\ngit submodule init\ngit submodule update\n./build.sh\n./configure\nmake\nsudo make install\n```\n### Download and build the ModSecurity Nginx Connector:\n```bash\ncd ..\ngit clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git\n```\n- Download and compile Nginx with ModSecurity module:\n\n### Download the Nginx source code (replace 1.21.4 with the desired version number):\n```bash\nwget https://nginx.org/download/nginx-1.21.4.tar.gz\ntar -xvzf nginx-1.21.4.tar.gz\ncd nginx-1.21.4\n```\n\n### Compile Nginx with the ModSecurity module:\n```bash\n./configure --add-dynamic-module=../ModSecurity-nginx\nmake\nsudo make install\n```\n### Configure Nginx to use ModSecurity:\nCreate a ModSecurity configuration file (e.g., /etc/nginx/modsecurity.conf) and add the basic ModSecurity configuration:\n```bash\nSecRuleEngine On\nSecRequestBodyAccess On\nSecResponseBodyAccess On\nSecResponseBodyMimeType text/plain text/html text/xml application/octet-stream\nSecDataDir /var/cache/modsecurity\nSecAuditEngine RelevantOnly\nSecAuditLogRelevantStatus ^(?:5|4\\d[^4])$\nSecAuditLogParts ABIJDEFHZ\nSecAuditLogType Serial\nSecAuditLog /var/log/modsecurity_audit.log\n```\nEdit your Nginx configuration file (usually located at /usr/local/nginx/conf/nginx.conf or /etc/nginx/nginx.conf) and add the following inside the http block:\n```bash\nmodsecurity on;\nmodsecurity_rules_file /etc/nginx/modsecurity.conf;\n```\nAdditionally, add the following line inside the location block where you want to enable ModSecurity:\n```bash\nmodsecurity_rules_file /etc/nginx/modsecurity_rules.conf;\n```\n### Configure and download the Core Rule Set (CRS):\nInstall the Core Rule Set:\n```bash\ncd /etc/nginx\nsudo git clone https://github.com/coreruleset/coreruleset.git modsecurity-crs\n```\n### Create a new Nginx configuration file (e.g., /etc/nginx/modsecurity_rules.conf) and include the CRS rules:\n```bash\n    include /etc/nginx/modsecurity-crs/crs-setup.conf;\n    include /etc/nginx/modsecurity-crs/rules/*.conf;\n```\n### Test the Nginx configuration:\n\nRun the following command to test if the configuration is correct:\n```bash\nsudo nginx -t\n```\nIf the output shows \"configuration file test is successful,\" you can proceed to restart the Nginx server:\n```bash\n        sudo nginx -s reload\n```\nNow, ModSecurity should be installed and enabled on your Nginx web server. To add custom rules or modify existing ones, you can edit the configuration files located in the /etc/nginx/modsecurity.d/ directory.\n\n# Configuration for using ClamAV with Apache2:\nThese rules scan submitted files for malware by using the \"clamscan\" command from ClamAV. If a virus is found, the file is blocked and a warning message is issued.\n\nThe rules in lines 10-13 scan the uploaded file using ClamAV and block the file if a virus is found. The rules in lines 14-19 allow the upload of files that do not need to be scanned, such as PDF, DOC, and XLS files. The rule in line 20 allows the upload of files that have the \"multipart/form-data\" content type, which is commonly used for file upload forms.\n\nTo configure ModSecurity to use ClamAV as the anti-virus engine, follow these steps:\n```bash\n\nSecRule FILES_TMPNAMES \"@inspectFile /usr/bin/clamscan\" \\\n    \"id:12345,\\\n    phase:2,\\\n    t:none,\\\n    block,\\\n    msg:'Virus found in file',\\\n    severity:'CRITICAL',\\\n    chain\"\n\nSecRule FILES_TMPNAMES \"!@clamav_scan\" \\\n    \"id:12346,\\\n    phase:2,\\\n    t:none,\\\n    pass,\\\n    chain\"\n\nSecRule FILES_TMPNAMES \"!@rx \\.pdf$\" \\\n    \"id:12347,\\\n    phase:2,\\\n    t:none,\\\n    pass,\\\n    chain\"\n\nSecRule FILES_TMPNAMES \"!@rx \\.doc$\" \\\n    \"id:12348,\\\n    phase:2,\\\n    t:none,\\\n    pass,\\\n    chain\"\n\nSecRule FILES_TMPNAMES \"!@rx \\.xls$\" \\\n    \"id:12349,\\\n    phase:2,\\\n    t:none,\\\n    pass\"\n\nSecRule REQUEST_HEADERS:Content-Type \"!@rx ^multipart/form-data\" \\\n    \"id:12350,\\\n    phase:1,\\\n    t:none,\\\n    pass\"\n```\nThe comments in the code explain what each rule does. You can customize these rules based on your specific needs.\nSave the file and restart Apache:\n```bash\nsudo systemctl restart apache2\n```\nWith these steps, you have configured ModSecurity to use ClamAV as the anti-virus engine. You can now upload files to your server and ensure that they are automatically checked for malware. If you want every file uploaded to your server to be automatically checked for malware, you can make the following changes to the rules in the ModSecurity configuration file:\n\n\nChange the rule in line 14 from:\n```bash\nSecRule FILES_TMPNAMES \"!@clamav_scan\" \\\n```\nto:\n```bash\nSecRule FILES_TMPNAMES \"!@inspectFile /usr/bin/clamscan\" \\\n```\nThis will cause every uploaded file to be scanned with ClamAV, regardless of its file type. Remove the rules in lines 15-19 that allow the upload of specific file types. This will ensure that all uploaded files are scanned.\n\nSave the file and restart Apache:\n```bash\nsudo systemctl restart apache2\n```\nWith these changes, ModSecurity will be configured to scan every uploaded file with ClamAV, regardless of its file type. This will ensure that all files are checked for malware before being stored on your server.\n\n# Configuration for using ClamAV with Nginx:\n    Configure ModSecurity to use ClamAV. Here is an example configuration that you can use:\n```bash\nSecRule REQUEST_BODY \\\n  \"@clamav_scan\" \\\n  \"id:12345,\\\n  phase:2,\\\n  t:none,\\\n  block,\\\n  msg:'Virus found in file',\\\n  severity:'CRITICAL'\"\n```\nThis rule scans the request body with ClamAV and blocks the request if a virus is found. You can customize this rule based on your specific needs.\n\nConfigure Nginx to use ModSecurity. Here is an example configuration that you can use:\n\n```bash\nhttp {\n  ...\n  modsecurity on;\n  modsecurity_rules_file /path/to/modsecurity.conf;\n  ...\n}\n```\nThis configuration enables ModSecurity and specifies the location of the ModSecurity configuration file. You can customize the file path based on where you saved the configuration file.\n\nSave the configuration file and restart Nginx:\n```bash\nsudo systemctl restart nginx\n```\nWith these steps, you have configured ModSecurity to use ClamAV to scan files for malware in Nginx. You can now upload files to your server and ensure that they are automatically checked for malware.\n\n# use Fail2ban to work with ModSecurity on both Apache and Nginx.\n\nHere are the general steps you can follow:\n\n- Install Fail2ban on your system. The installation process will vary depending on your operating system.\n\n- Configure Fail2ban to read the ModSecurity audit log. You can do this by creating a new Fail2ban jail configuration file that specifies the location of the audit log file. Here is an example configuration file for \n- Apache:\n```bash\n[modsec]\nenabled  = true\nfilter   = modsec\nlogpath  = /var/log/apache2/modsec_audit.log\nmaxretry = 1\n```\nAnd here is an example configuration file for Nginx:\n```bash\n[modsec]\nenabled  = true\nfilter   = modsec\nlogpath  = /var/log/nginx/modsec_audit.log\nmaxretry = 1\n```\nThese configurations enable the modsec jail and specify the location of the ModSecurity audit log file.\n\n- Create a Fail2ban filter to parse the ModSecurity audit log. You can create a new filter file in the Fail2ban filter.d directory that contains regular expressions to match the relevant log entries. Here is an example filter file:\n```bash\n\n[Definition]\nfailregex = .*ModSecurity:.*\\[id \"(?P\u003cid\u003e\\d+)\".*\\] .*\\\n            Message: Access denied.*\\\n            Action:.*\\\n            .*\\\n            Data: .*\\\n            Status: (?P\u003cstatus\u003e\\d+)\n```\nThis filter matches ModSecurity log entries that indicate a request was denied due to a ModSecurity rule. You can customize this filter based on your specific needs.\n\n### Configure Fail2ban to use the new filter. You can do this by adding the new filter to the jail.local file. Here is an example configuration for Apache:\n```bash\n[modsec]\nenabled  = true\nfilter   = modsec\nlogpath  = /var/log/apache2/modsec_audit.log\nmaxretry = 1\n```\nAnd here is an example configuration for Nginx:\n```bash\n[modsec]\nenabled  = true\nfilter   = modsec\nlogpath  = /var/log/nginx/modsec_audit.log\nmaxretry = 1\n```\nThese configurations enable the modsec jail and specify the location of the ModSecurity audit log file. You can customize the logpath based on where your ModSecurity audit log file is stored.\n\n### Restart Fail2ban to apply the new configuration:\n```bash\nsudo systemctl restart fail2ban\n```\nWith these steps, you have configured Fail2ban to work with ModSecurity on both Apache and Nginx. When a request is blocked by ModSecurity, Fail2ban will read the audit log and ban the IP address that made the request.\n\n### Chkrootkit with Mod_Security\nChkrootkit is a tool for checking if a system has been compromised by rootkits. While it is not directly related to ModSecurity, you can use it alongside ModSecurity to enhance the security of your web server.\n\nHere are the general steps you can follow to use Chkrootkit with ModSecurity on both Apache and Nginx:\n\n- Install Chkrootkit on your system. The installation process will vary depending on your operating system.\n\n- Create a new ModSecurity rule to check for Chkrootkit warnings. You can create a new rule that checks for the presence of specific strings in the output of the Chkrootkit command. Here is an example rule:\n```bash\nSecRule ARGS \"@rx /usr/bin/chkrootkit\" \\\n  \"id:12346,\\\n  phase:2,\\\n  t:none,\\\n  pass,\\\n  chain\"\nSecRule RESPONSE_BODY \"@rx Warning: Possible \\(hacker|trojan|worm\\) rootkit activity detected\" \\\n  \"id:12347,\\\n  phase:4,\\\n  t:none,\\\n  block,\\\n  msg:'Possible rootkit activity detected',\\\n  severity:'CRITICAL'\"\n```\nThis rule checks for the presence of the Chkrootkit command in the request arguments, and then checks for the presence of specific warning strings in the response body. If a warning is detected, the rule blocks the request and generates a critical severity message.\n\n- Configure ModSecurity to use the new rule. You can add the new rule to the ModSecurity configuration file, and then reload the configuration to apply the changes.\n\n- Run Chkrootkit regularly to scan for rootkits on your system. You can set up a cron job to run Chkrootkit on a regular basis and send the output to a log file.\n- Configure ModSecurity to read the Chkrootkit log file. You can create a new Fail2ban filter that parses the Chkrootkit log file and triggers a ban if specific warning strings are detected.\n\n- Restart your web server to apply the ModSecurity configuration changes.\n\nWith these steps, you have configured ModSecurity to work with Chkrootkit on both Apache and Nginx. When a warning is detected by Chkrootkit, ModSecurity will block the request and log a critical severity message. Additionally, you can configure ModSecurity to work with a Fail2ban filter that reads the Chkrootkit log file and triggers a ban if specific warning strings are detected.\n\n## RkHunter with Mod_Security\nRKHunter (Rootkit Hunter) is a tool for checking if a system has been compromised by rootkits. Similar to Chkrootkit, you can use RKHunter alongside ModSecurity to enhance the security of your web server.\n\nHere are the general steps you can follow to use RKHunter with ModSecurity on both Apache and Nginx:\n\n- Install RKHunter on your system. The installation process will vary depending on your operating system.\n\n- Create a new ModSecurity rule to check for RKHunter warnings. You can create a new rule that checks for the presence of specific strings in the output of the RKHunter command. Here is an example rule:\n```bash\nSecRule ARGS \"@rx /usr/bin/rkhunter\" \\\n  \"id:12348,\\\n  phase:2,\\\n  t:none,\\\n  pass,\\\n  chain\"\nSecRule RESPONSE_BODY \"@rx Warning: (System\\(s\\) may have been compromised|Warning: Application\\(s\\) using \\/tmp|Warning: Hidden file found)\" \\\n  \"id:12349,\\\n  phase:4,\\\n  t:none,\\\n  block,\\\n  msg:'Possible rootkit activity detected',\\\n  severity:'CRITICAL'\"\n```\nThis rule checks for the presence of the RKHunter command in the request arguments, and then checks for the presence of specific warning strings in the response body. If a warning is detected, the rule blocks the request and generates a critical severity message.\n\n- Configure ModSecurity to use the new rule. You can add the new rule to the ModSecurity configuration file, and then reload the configuration to apply the changes.\n\n- Run RKHunter regularly to scan for rootkits on your system. You can set up a cron job to run RKHunter on a regular basis and send the output to a log file.\n\n- Configure ModSecurity to read the RKHunter log file. You can create a new Fail2ban filter that parses the RKHunter log file and triggers a ban if specific warning strings are detected.\n\n- Restart your web server to apply the ModSecurity configuration changes.\n\nWith these steps, you have configured ModSecurity to work with RKHunter on both Apache and Nginx. When a warning is detected by RKHunter, ModSecurity will block the request and log a critical severity message. Additionally, you can configure ModSecurity to work with a Fail2ban filter that reads the RKHunter log file and triggers a ban if specific warning strings are detected.\n\n## Be carefuly\n\nThere are many community-driven projects and resources available online that provide advanced and secure ModSecurity rule files that you can use as a starting point. Here are a few examples:\n\n- OWASP ModSecurity Core Rule Set (CRS): This is a set of rules that are designed to provide basic security protections for web applications. The CRS is continuously updated and maintained by the OWASP ModSecurity Core Rule Set Project, and is available on GitHub.\n\n- Comodo ModSecurity Rules: Comodo is a security company that provides a set of ModSecurity rules that are designed to provide advanced security protections for web applications. These rules are available for free on their website.\n\n- Atomicorp ModSecurity Rules: Atomicorp is a security company that provides a set of ModSecurity rules that are designed to provide advanced security protections for web applications. These rules are available for free on their website.\n\nWhen using any ModSecurity rule file, it is important to understand the rules and customize them to fit your specific use case. \n\n## Your Support\nIf you find this project useful and want to support it, there are several ways to do so:\n\n- If you find the white paper helpful, please ⭐ it on GitHub. This helps make the project more visible and reach more people.\n- Become a Follower: If you're interested in updates and future improvements, please follow my GitHub account. This way you'll always stay up-to-date.\n- Learn more about my work: I invite you to check out all of my work on GitHub and visit my developer site https://volkansah.github.io. Here you will find detailed information about me and my projects.\n- Share the project: If you know someone who could benefit from this project, please share it. The more people who can use it, the better.\n**If you appreciate my work and would like to support it, please visit my [GitHub Sponsor page](https://github.com/sponsors/volkansah). Any type of support is warmly welcomed and helps me to further improve and expand my work.**\n\nThank you for your support! ❤️\n\n##### Copyright S. Volkan Kücükbudak\n\n\n\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvolkansah%2Fmodsecurity-webserver-protection-guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvolkansah%2Fmodsecurity-webserver-protection-guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvolkansah%2Fmodsecurity-webserver-protection-guide/lists"}