
The guide explains how to add a robust web‑application firewall to Ubuntu 22.04 by installing Apache, the ModSecurity engine (libmodsecurity3), and the OWASP Core Rule Set from the official repositories, then enabling the security2 module and restarting the service. It walks through configuring ModSecurity to load the CRS, switching the rule engine from “DetectionOnly” to active blocking, and testing the setup with a simple PHP script that should trigger a 403 response for malicious input. Finally, it advises fine‑tuning or disabling noisy rules by editing the CRS configuration and reminds you to keep the rule set updated and monitor logs for new threats.



How to Install Apache with ModSecurity on Ubuntu 22.04 LTS

If you need a solid WAF without buying an appliance, this guide shows exactly how to install Apache with ModSecurity on Ubuntu 22.04. You’ll get a working setup, a basic rule set, and the confidence that your site isn’t wide open after a rogue plugin update.

Why bother with ModSecurity at all?

I’ve seen a fresh WordPress install go from “everything works” to “500 internal error” the moment a malicious script slipped past an outdated plugin. The default Apache config doesn’t inspect request bodies, so anything that looks like SQL or XSS flies straight through. ModSecurity sits in front of Apache and blocks those patterns before they reach your code.

Install Apache first

sudo apt update && sudo apt install -y apache2

Updating the package index guarantees you pull the latest security patches. Installing apache2 pulls in all required modules; you won’t have to chase down missing dependencies later.

Add the ModSecurity package

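Ubuntu 22.04 ships a reasonably recent libmodsecurity3, so you can install it from the official repos. The security2 module that Apache loads in the next step is packaged separately as libapache2-mod-security2, so install it in the same command:

sudo apt install -y libapache2-mod-security2 libmodsecurity3 modsecurity-crs
  • libapache2-mod-security2 provides the Apache module (security2) that a2enmod enables in the next step.
  • libmodsecurity3 provides the core engine.
  • modsecurity-crs drops in the OWASP Core Rule Set (CRS), a decent baseline that catches most common attacks.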

Enable the Apache module

sudo a2enmod security2
sudo systemctl restart apache2

The a2enmod helper enables the module by linking its LoadModule configuration into /etc/apache2/mods-enabled. Restarting Apache loads the new module; if you skip the restart, Apache will keep serving traffic without any filtering.

Hook up the CRS configuration

Edit the ModSecurity include file so Apache knows where to find the rule set:

sudo nano /etc/modsecurity/modsecurity.conf

Find the line that reads #IncludeOptional modsecurity-crs/*.conf and uncomment it (remove the leading #). Save and exit.

Why this matters: without the CRS loaded, ModSecurity has virtually no rules to evaluate, and at this point it is still in “DetectionOnly” mode, which is about as useful as a broken fence.

Put ModSecurity into “On” mode

By default Ubuntu ships the engine in DetectionOnly to avoid breaking sites out of the box. Change it:

sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf

Now suspicious requests will be blocked, not just logged.

Test the installation

Create a simple PHP file that echoes a GET parameter:

<?php echo $_GET['test']; ?>

Save it as /var/www/html/test.php and request something obvious like http://your-server/test.php?test=<script>alert(1)</script>. You should see a 403 Forbidden response, and Apache’s error log will contain a line from ModSecurity indicating the rule that fired.

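If you still get the raw script back, double‑check that the module is loaded (apache2ctl -M | grep security2) and that the CRS files are included. Once the test passes, delete test.php: it echoes unsanitized input and has no place on a live server.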

Fine‑tune or disable noisy rules

The CRS can be chatty on legitimate traffic. To silence a specific rule (say, Rule 941100 for SQL injection false positives), add this to /etc/modsecurity/crs-setup.conf:

SecRuleRemoveById 941100

Then reload Apache. Tweak only what you need; over‑blocking will drive users away faster than an unsecured site.
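
Before removing a rule, it helps to see which rule IDs actually fire and on which URIs. The script below is an added example, not part of the original guide: it tallies ModSecurity entries in the format written to Apache's error log, using constructed sample lines. The function names and the decision to skip the CRS anomaly-scoring rules 949110 and 980130 are choices made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed, abbreviated lines in the shape mod_security2 writes to Apache's
# error log (timestamps, client IPs and URIs are made up for this example).
SAMPLE_LOG = '''\
[Tue Mar 05 10:01:02 2024] [security2:error] [client 203.0.113.7] ModSecurity: Warning. (match details elided) [id "941100"] [severity "CRITICAL"] [uri "/test.php"]
[Tue Mar 05 10:01:02 2024] [security2:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/test.php"]
[Tue Mar 05 10:04:40 2024] [security2:error] [client 198.51.100.9] ModSecurity: Warning. (match details elided) [id "941100"] [severity "CRITICAL"] [uri "/wp-admin/post.php"]
[Tue Mar 05 10:04:40 2024] [security2:error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-admin/post.php"]
[Tue Mar 05 10:09:13 2024] [security2:error] [client 198.51.100.9] ModSecurity: Warning. (match details elided) [id "941100"] [severity "CRITICAL"] [uri "/wp-admin/post.php"]
[Tue Mar 05 10:09:13 2024] [security2:error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/wp-admin/post.php"]
[Tue Mar 05 10:11:30 2024] [security2:error] [client 192.0.2.44] ModSecurity: Warning. (match details elided) [id "920350"] [severity "WARNING"] [uri "/"]
[Tue Mar 05 10:12:00 2024] [php:notice] [client 198.51.100.9] unrelated line that must be ignored
'''

# Matches the [key "value"] metadata fields ModSecurity appends to each entry.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# CRS anomaly-scoring rules: they show up on every blocked request and only
# report the total score, so they are not candidates for SecRuleRemoveById.
SCORING_RULES = {"949110", "980130"}

def rule_hits(log_text):
    """Yield (rule_id, uri) for each ModSecurity entry naming a detection rule."""
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        rule_id = fields.get("id")
        if rule_id and rule_id not in SCORING_RULES:
            yield rule_id, fields.get("uri", "?")

def noisy_rules(log_text, min_hits=2):
    """Return [(rule_id, hits, {uri: hits})], most frequent rule first."""
    per_rule = defaultdict(Counter)
    for rule_id, uri in rule_hits(log_text):
        per_rule[rule_id][uri] += 1
    report = [(rid, sum(c.values()), dict(c)) for rid, c in per_rule.items()
              if sum(c.values()) >= min_hits]
    return sorted(report, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for rid, hits, uris in noisy_rules(SAMPLE_LOG):
        print(f"{rid}: {hits} hits", uris)
```

To use it on a live server, pass the contents of the Apache error log (on Ubuntu, /var/log/apache2/error.log by default) to noisy_rules. A rule that fires repeatedly on the same legitimate URI is a tuning candidate; one that fires across many unrelated URIs deserves a closer look first.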

That’s it—Apache is now fortified with ModSecurity on Ubuntu 22.04. Keep the rule set updated (apt upgrade modsecurity-crs) and occasionally scan your logs for new attack patterns.