In this series, we will cover the installation and configuration of ModSecurity with OWASP CRS on Ubuntu 10.0.4 and Apache2.
We were motivated to write about it when a few of our clients asked us about blocking all known malicious web attacks at the web server level itself. We quickly suggested an open source, reliable WAF solution that meets their requirement. Obviously, installing a WAF does not mean that you no longer need application security controls.
ModSecurity (developed by TrustWave) is a reliable open source WAF (Web Application Firewall) that sits between the end user and your application server, i.e. at the web server level. ModSecurity has preconfigured basic security rules that are enabled on installation and configuration.
It is important to note that ModSecurity provides very limited protection on its own. To make ModSecurity useful, it must be configured with rules. The OWASP Defender Community has developed and maintains a free set of application protection rules called the OWASP ModSecurity Core Rule Set (CRS). These rules need to be integrated with ModSecurity for it to be fully functional.
Refer here to read more about ModSecurity.
We searched the internet extensively for similar articles, but most of them contain incomplete or incorrect information, which is a bit disappointing. We have tried to make this article accurate, simple and to the point.
Background
We have a fresh installation of Ubuntu-desktop-10.0.04.iso (downloaded from here) and a VirtualBox installation (downloaded from here). First, we need to install LAMP (Linux, Apache, MySQL and PHP) on our new box to set up the test environment and run a sample PHP application against which to test our malicious payloads.
Below are the steps to follow:
Step 1: Download and install LAMP:
sudo apt-get update
sudo apt-get install php5 mysql-server apache2
The installation will prompt you for a MySQL password. Enter a password of your choice.
Step 2: Install PHP and MySQL
sudo apt-get install php5-mysql
After successful installation, you will have LAMP installed on the box. To test the setup, open a browser and go to http://127.0.0.1. The page below should appear, indicating a successful installation of LAMP:
Step 3: Folder permission and test page setup
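Issue the command below to change the permissions of the /var/www/ folder so that you can create a test.php file under it. This makes the folder world-writable, so use it only on a test box like this one: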
sudo chmod 777 /var/www/
Create a test.php file and paste the code below, which includes whatever file path is passed in the secret_file parameter:
<?php
$secret_file = $_GET['secret_file'];
include ( $secret_file);
?>
Step 4: Test setup and perform basic attack
Open a web browser and access the URL below. The contents of the passwd file should be displayed in your browser.
http://localhost/test.php?secret_file=/etc/passwd
Step 5: ModSecurity installation
sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
sudo apt-get install libapache-mod-security
Step 6: Modify folder permissions for apache2 and the conf.d security file to create the ModSecurity rules directory:
sudo chmod 777 /etc/apache2/
sudo chmod 777 /etc/apache2/conf.d/security
Issue the command below to copy the contents of the download directory to the /rules directory created under /apache2.
cp -R /usr/share/doc/mod-security-common/examples/rules /etc/apache2/
Note: All ModSecurity rules are now placed under the /apache2 directory.
Step 7: Logs collection and configuring ModSecurity rules
Issue the command below to create the /logs directory under /apache2:
mkdir /etc/apache2/logs/
Modify the /etc/apache2/conf.d/security file with the code below:
<IfModule mod_security2.c>
Include /etc/apache2/rules/*.conf
Include /etc/apache2/rules/base_rules/*.conf
</IfModule>
Step 8: Completing setup
Restart apache:
sudo /etc/init.d/apache2 restart
Try the attack payload http://127.0.0.1/test.php?secret_file=/etc/passwd. You should get 403 Forbidden. This indicates successful installation and configuration of ModSecurity rules.
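A 403 alone does not show which component refused the request, so it is worth confirming in the Apache error log that ModSecurity issued the denial. The script below is an added example, not part of the original article: it extracts ModSecurity denials from error-log lines. The function names and the sample log lines (rule ids, file names, messages) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed sample in the Apache 2.2 / ModSecurity 2.x error-log layout.
# Timestamps, rule ids, file names and messages are made up for illustration.
sample_log() {
cat <<'EOF'
[Mon Jan 02 10:15:01 2012] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:secret_file. [file "/etc/apache2/rules/base_rules/example.conf"] [line "10"] [id "900001"] [msg "Constructed: file access attempt"] [hostname "127.0.0.1"] [uri "/test.php"] [unique_id "AAAA"]
[Mon Jan 02 10:15:09 2012] [error] [client 127.0.0.1] File does not exist: /var/www/favicon.ico
[Mon Jan 02 10:16:30 2012] [error] [client 192.0.2.7] ModSecurity: Warning. Pattern match "constructed" at ARGS:q. [file "/etc/apache2/rules/base_rules/example.conf"] [line "20"] [id "900002"] [msg "Constructed: warning only"] [hostname "127.0.0.1"] [uri "/index.php"] [unique_id "BBBB"]
[Mon Jan 02 10:17:44 2012] [error] [client 192.0.2.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:secret_file. [file "/etc/apache2/rules/base_rules/example.conf"] [line "10"] [id "900001"] [msg "Constructed: file access attempt"] [hostname "127.0.0.1"] [uri "/test.php"] [unique_id "CCCC"]
[Mon Jan 02 10:18:02 2012] [error] [client 192.0.2.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:id. [file "/etc/apache2/rules/base_rules/example.conf"] [line "30"] [id "900003"] [msg "Constructed: injection attempt"] [hostname "127.0.0.1"] [uri "/search.php"] [unique_id "DDDD"]
EOF
}

# Read error-log lines on stdin and print "client rule_id uri" for every
# request ModSecurity denied. Warning-only entries and unrelated Apache
# errors are skipped, as are denial lines lacking an id or uri field.
modsec_denials() {
    sed -n '/ModSecurity: Access denied/{
        s/.*\[client \([^]]*\)].*\[id "\([^"]*\)"].*\[uri "\([^"]*\)"].*/\1 \2 \3/p
    }'
}

# Count denials per rule id, most frequent first: "<count> <rule_id>".
modsec_denials_by_rule() {
    modsec_denials | awk '{ n[$2]++ } END { for (id in n) print n[id], id }' | sort -rn
}

# Succeed only if the log on stdin shows ModSecurity denying URI $1.
blocked_by_modsec() {
    modsec_denials | awk -v uri="$1" '$3 == uri { hit = 1 } END { exit !hit }'
}

# Demo on the constructed sample. On the test box, feed the real log instead,
# e.g. modsec_denials < /var/log/apache2/error.log (assumed default log path).
sample_log | modsec_denials_by_rule
```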
Below are the reference commands to enable and disable ModSecurity:
To enable ModSecurity:
a2enmod mod-security
To disable ModSecurity:
a2dismod mod-security
The above steps worked like a charm for us on Ubuntu 10.0.4. Hope this helps.
In the next part, we will install and configure OWASP CRS with ModSecurity.
Happy Reading!!!