Skip to content
July 12, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • Technique
  • APACHE PROTECTION WITH MODSECURITY
  • Technique

APACHE PROTECTION WITH MODSECURITY

Do Son July 8, 2017 4 minutes read
apache

There are so many ways to protect Web-server. On this post, I’m going to guide how to use ModSecurity WAF to protect Apache webserver. 

ModSecurity is an open source, cross-platform web application firewall (WAF) developed by Trustwave’s SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging, and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence. ModSecurity – this firewall is designed as a module for the Apache, which allows it easily install and use. Protection using ModSecurity can prevent:

  • SQL-injection;
  • XSS;
  • Trojans;
  • bots;
  • capture session;
  • and many other attacks and break-ins.

Install ModSecurity

apt-get install libapache2-mod-security2

and turn it on:

a2enmod security2

By default filtering rules are not included, and the rules themselves have the extension .conf and loaded from the directory /etc/ModSecurity/ (rules specified location in the /etc/apache2/mods-available/security2.conf  file) and is as follows:

IncludeOptional /etc/modsecurity/*.conf

The list can be several directories from which the rules are loaded.

Add a new directory, which will be based on our rules.

crs – for a basic set of rules;
custom – to its rules.

Add a directory for further expansion of the list of rules:

IncludeOptional /etc/modsecurity/rules/crs/*.conf
IncludeOptional /etc/modsecurity/rules/custom/*.conf

and create the required directories:

mkdir /etc/modsecurity/rules/crs
mkdir /etc/modsecurity/rules/custom

Thereafter including basic configuration. To do this, copy or rename the default configuration file (located in the directory /etc/ModSecurity/) modsecurity.conf-recommended file modsecurity.conf

cp /etc/modsecurity/modsecurity.conf{-recommended,}

little change it:

replace the first Directive SecRuleEngine DetectionOnly on

SecRuleEngine On

including blocking, available options:  On, Off, DetectionOnly.

Allowed to scan the contents of the request body:

SecRequestBodyAccess On

Limit the size of POST query parameter SecRequestBodyLimit. If there is no file download mechanism on the server, you can severely limit the transmitted data. We are limited to 15MB. The number of bytes it will be 1024 * 1024 * 15 = 15728640

SecRequestBodyLimit 15728640

Restrict stored in memory POST request when sending the file (except the file size), the surplus will swap to disk, which slows things down a little but does not overwhelm the memory under any circumstances. This is done in parameter SecRequestBodyInMemoryLimit . Restrict 128Kb.

SecRequestBodyInMemoryLimit 131072

The basic rules are set, and an advanced set can be downloaded from the official page of OWASP ModSecurity Core Rule Set and put *.conf files in the previously specified directory /etc/ModSecurity/rules/crs , where our additional rules.

In Debian additional rules are already included in the package and is located at /usr /share/ModSecurity-crs/ .
Turn them into a folder by creating symlinks crs :

ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/rules/crs/modsecurity_crs_10_setup.conf

It is also required for some sets of rules *.data files. Therefore, they also need to make symlinks.
I’ve included a basic setting modsecurity_crs_10_setup.conf and some of the rules in the folder base_rules.
It is not necessary to include all the rules at once. With great probability, it will block the Web server.

It now remains only to exclude directories that ModSecurity well or need to interfere.
This is done by exclusion from the list of monitored hosts to configure Apache Web-server . To exclude the entire virtual host use the following code:

<ifmodule security2_module>
SecRuleEngine Off
</ifmodule>

this code can be used to exclude specific directories:

<directory “/var/www/noModSecurity”>
<ifmodule security2_module>
SecRuleEngine Off
</ifmodule>
</directory>

Now a few words about the proper implementation. Many of the rules can cause a denial of work Web applications. Due to the fact that ModSecurity deemed malicious requests. Therefore it is better to include only first detection mode ( SecRuleEngine DetectionOnly ) and see which rules apply and when.
See what rules can be practiced in the log file. By default it is at /var/log/apache2/modsec_audit.log . This file is written all information about the work of ModSecurity.

 

Share this article:

Facebook Post LinkedIn Telegram
Tags: apache modsecurity

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-61447CVSS 10.0
    PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that...
  • CVE-2026-61445CVSS 9.9
    PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in...
  • CVE-2026-60090CVSS 9.8
    PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the...
  • CVE-2026-57827CVSS 10.0
    The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload...
  • CVE-2026-57828CVSS 9.0
    The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file...
  • CVE-2026-14480CVSS 9.9
    OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the...
  • CVE-2026-20744CVSS 9.8
    The charging station websocket endpoint accepts connections without proper authentication, which could...
  • CVE-2026-57807CVSS 9.8
    Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security...
  • CVE-2026-55879CVSS 9.3
    OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the...
  • CVE-2026-12761CVSS 9.8
    The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.