Last active
June 6, 2025 03:33
Installs Apache ModSecurity, downloads the Core Rule Set, and fixes the configs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
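#!/bin/bash
#
# Install Apache with ModSecurity v2 and the OWASP Core Rule Set (CRS) on
# Ubuntu 24.04.2 LTS, switch ModSecurity from detection-only to blocking,
# and send smoke-test requests against the local server.
#
# Must be run as root.
#
# Optional environment:
#   CRS_SHA256  Expected SHA-256 of the CRS release zip. When set, the
#               download is verified before it is unpacked. Take the value
#               from a source you trust; none is hard-coded here.
#
# Upstream projects:
#   https://github.com/owasp-modsecurity/ModSecurity
#   https://github.com/coreruleset/coreruleset

set -euo pipefail

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ $EUID -eq 0 ]] || die "This script must be run as root."

readonly CRS_VERSION="4.14.0"
readonly CRS_ZIP="coreruleset-${CRS_VERSION}-minimal.zip"
readonly CRS_URL="https://github.com/coreruleset/coreruleset/releases/download/v${CRS_VERSION}/${CRS_ZIP}"
readonly MODSEC_DIR="/etc/modsecurity"

readonly security2="/etc/apache2/mods-enabled/security2.conf"
readonly BACKUP_FILE="${security2}.bak"
readonly MODSEC_INCLUDE="Include /etc/modsecurity/modsecurity.conf"
readonly CRS_LINE1="IncludeOptional /etc/modsecurity/coreruleset/crs-setup.conf"
readonly CRS_LINE2="IncludeOptional /etc/modsecurity/coreruleset/rules/*.conf"
readonly apache_conf="/etc/apache2/conf-enabled/security.conf"

## Install
apt-get update
apt-get install -y apache2 libapache2-mod-security2 curl unzip

## Fetch the Core Rule Set
# Stop here if the directory is missing: every relative path below would
# otherwise act on whatever directory the script was started from.
cd "$MODSEC_DIR" || die "cannot cd to $MODSEC_DIR"

# curl is installed above (wget is not); allow HTTPS only, redirects included.
curl --fail --silent --show-error --location \
  --proto '=https' --proto-redir '=https' \
  --output "$CRS_ZIP" "$CRS_URL"

# These rules end up in the web server's request path, so check the archive
# against a known digest before unpacking it as root.
if [[ -n "${CRS_SHA256:-}" ]]; then
  printf '%s  %s\n' "$CRS_SHA256" "$CRS_ZIP" | sha256sum --check --strict -
else
  echo "WARNING: CRS_SHA256 is not set; $CRS_ZIP was not integrity-checked." >&2
fi

# Keep reruns clean: clear a half-finished extraction and move a previous
# rule set aside, because `mv src existing_dir` would nest it instead.
rm -rf -- "${MODSEC_DIR:?}/coreruleset-${CRS_VERSION}"
if [[ -e coreruleset ]]; then
  mv -- coreruleset "coreruleset.prev.$(date +%s)"
fi
unzip "$CRS_ZIP"
mv -- "coreruleset-${CRS_VERSION}" coreruleset
rm -- "$CRS_ZIP"

## ModSecurity base configuration
cp modsecurity.conf-recommended modsecurity.conf
sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' modsecurity.conf
# NOTE(review): SecStatusEngine On enables ModSecurity's status reporting
# (version information sent to the ModSecurity project). Drop this line if
# outbound reporting is not wanted.
sed -i 's/^SecStatusEngine Off/SecStatusEngine On/' modsecurity.conf

# sed exits 0 even when nothing matched; without this check the WAF could
# silently stay in detection-only mode.
grep -q '^SecRuleEngine On' modsecurity.conf \
  || die "SecRuleEngine was not switched to On in $MODSEC_DIR/modsecurity.conf"

cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf

# Park the crs-setup.conf under /etc/modsecurity/crs (presumably from the
# distribution's CRS package) so only the downloaded rule set is configured.
if [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
  mv -- /etc/modsecurity/crs/crs-setup.conf /etc/modsecurity/crs/crs-setup.conf.old
fi

## Point Apache's security2 module at the new rule set
# Back up once; later runs regenerate the config from the pristine copy.
if [[ ! -e "$BACKUP_FILE" ]]; then
  echo "Backing up original config to $BACKUP_FILE"
  cp -- "$security2" "$BACKUP_FILE"
fi

echo "Updating $security2..."
# Replace the catch-all include with modsecurity.conf followed by the CRS
# setup file and rules (base config first, then the rule set) and pass every
# other line through unchanged so the rest of the module config survives.
awk -v modsec="$MODSEC_INCLUDE" -v line1="$CRS_LINE1" -v line2="$CRS_LINE2" '
  /IncludeOptional \/etc\/modsecurity\/\*\.conf/ {
    print modsec
    print line1
    print line2
    next
  }
  { print }
' "$BACKUP_FILE" > "$security2"

# If the expected include line was absent, nothing was inserted and Apache
# would start with no rules loaded.
grep -qF -- "$CRS_LINE2" "$security2" \
  || die "CRS include lines were not written to $security2"

# Disable the distribution rule set loader so two rule sets are not loaded.
# --follow-symlinks: files under mods-enabled/ and conf-enabled/ are normally
# symlinks, and plain `sed -i` would replace the link with a regular file.
sed -i --follow-symlinks \
  's|^\s*\(IncludeOptional /usr/share/modsecurity-crs/\*\.load\)|#\1|' "$security2"

## Apache hardening: answer 404 for /.git and /.svn paths
sed -i --follow-symlinks -E 's/^#(RedirectMatch 404 \/\\\.(git|svn))$/\1/' "$apache_conf"

## Apply
# Validate first so a broken config does not take the running server down.
apache2ctl configtest
service apache2 restart

## Smoke test
SERVER_IP=$(hostname -I | awk '{print $1}')  # prints something like 192.168.1.42
SERVER_IP=${SERVER_IP:-127.0.0.1}
probe_url="http://$SERVER_IP/aphpfilethatdonotexist.php?something=../../etc"

# The path-traversal probe should be refused by the WAF; the plain request
# should still be served.
curl -i "$probe_url"
curl -i "http://$SERVER_IP/"

status=$(curl -s -o /dev/null -w '%{http_code}' "$probe_url")
if [[ "$status" != "403" ]]; then
  die "Expected HTTP 403 for the traversal probe, got $status - check that rules are loaded and SecRuleEngine is On."
fi
echo "ModSecurity blocked the traversal probe (HTTP 403)."

# To see which rule fired:
#tail /var/log/apache2/error.log | grep 9301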