How to Install OWASP Core Rule Set on Modsecurity with Nginx on Ubuntu 20.04

ModSecurity, also known as ModSec, is a free, open-source web application firewall (WAF). It is placed in front of the web application you want to protect.

ModSecurity alone is not enough to protect your server. You need to incorporate rules to maximize the WAF’s performance. One very famous, widely used, and respected rule set is the OWASP CRS rule set. We will use it in Modsecurity to enhance the web application server’s protection against emerging threats on the internet.

In today’s guide, I will show you how to install OWASP core rule set (CSR) 3.3.2 in ModSecurity. To be able to do that, we need a Linux server that has Nginx and ModSecurity pre-installed on it.

Pre-Requisites:

• Ubuntu 20.04 server
• sudo privileges
• Modsecurity deployed with Nginx on Ubuntu server

If you don’t have Nginx installed, you can use the following guide to fulfill the installation requirement:

https://linuxways.net/ubuntu/how-to-install-nginx-on-ubuntu-20-04-lts-using-source-code/

If you have Nginx installed on Ubuntu, but you have not deployed ModSecurity on it, use the following guide to install it:

https://linuxways.net/ubuntu/how-to-deploy-modsecurity-with-nginx-on-ubuntu-20-04-lts/

Once you are done with the pre-requisites, you can move on to the OWASP core rule set installation part. Let’s go!

Installation Guide

Following are the steps involved in installing OWASP core ruleset 3.3.2 for Modsecurity:

Step 1: Download Owasp CRS 3.3.2 archive

First of all, we will use the wget command to download the OWASP CRS 3.3.2 archive. Run the following command to do so:

wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.2.zip

Step 2: Install the unzip package

Now, install the unzip package. We need it to unzip the zipped packages. Skip this step if you already have it installed on your system.

sudo dnf install unzip -y

Step 3: Unzip the master.zip archive

In this step, we will unzip the master.zip archive. To do that, run the following command:

sudo unzip v3.3.2.zip -d /etc/nginx/modsec

Step 4: Create a backup for CRS configuration file

OWASP core rule set comes with a sample configuration file. In this step, we will rename the file and create a backup of it in case it is needed in the future to restart again.

sudo cp /etc/nginx/modsec/coreruleset-3.3.2/crs-setup.conf.example /etc/nginx/modsec/coreruleset-3.3.2/crs-setup.conf

Step 5: Enable rules in ModSecurity

Now, in this step, we will enable the OWASP rules in ModSecurity. To do that, open the modsecurity configuration file in your favorite editor. We have used nano editor.

sudo nano /etc/nginx/modsec/modsec-config.conf

Once the file is open, add the following two lines in it to include the rules in ModSecurity:

Include /etc/nginx/modsec/coreruleset-3.3.2/crs-setup.conf

Include /etc/nginx/modsec/coreruleset-3.3.2/rules/*.conf

Now save the file and close it with (CTRL+O) and (CTRL+T).

Step 6: Check Nginx configuration

Before restarting Nginx, we need to check if the new configuration that we have added in the configuration file is fine. To check, run this command:

sudo nginx -t

You will get the following output which tells that the configuration is okay and we can move on to the next step.

Step 7: Reload Nginx

We have reached the final step in which we will restart Nginx to update the new changes that we did.

sudo systemctl restart nginx

Once Nginx is reloaded, the OWASP core rule set will become functional in Modsecurity.

In this guide, we saw in detail how to install OWASP core rule set for ModSecurity with the help of a few easy-to-follow commands. We also learned how to configure the rule set in ModSecurity to enable protection. The whole process will take around 5 to 10 minutes, depending on your system speed. Once the configuration is successful, your WAF will start protecting the web application server using OWASP core rule set.