
Configuring ModSecurity Web Application Firewall

ModSecurity (often shortened to ModSec) is an open-source web application firewall. It was originally written as an Apache module, but it can now be used with other web servers as well. It filters HTTP requests and responses according to a configured rule set. Here we will use the OWASP ModSecurity Core Rule Set (CRS); writing custom rules is a separate topic.

 Here is an illustration of how to configure a ModSec firewall using apache2.

I have created a simple PHP page that verifies credentials. Put it at /var/www/html/login.php

Here is the page login.php:

<html>
<body>
<?php
// Deliberately vulnerable demo: the submitted username and password are
// interpolated straight into the SQL string, which is what makes the
// injection shown below possible. The WAF configured later blocks such input.
if (isset($_POST['login']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    $connection = mysqli_connect('localhost', 'root', 'test', 'testdb');
    $result = mysqli_query($connection, "SELECT * FROM `users`
        WHERE username='$username' AND password='$password'");
    if (mysqli_num_rows($result) == 0)
        echo 'Wrong Credentials';
    else
        echo '<h1>Log in Successful</h1>';
}
else
{
?>
<form action="" method="post">
Enter the Username: <input type="text" name="username"/><br />
Enter the Password: <input name="password" type="password"/><br />
<input type="submit" value="Login" name="login"/>
</form>
<?php
}
?>
</body>
</html>

[Image: Web Application]

Now create the database and table the page expects using MySQL: a database testdb with a users table holding username and password columns, reachable as root with the password test (the values hard-coded in the mysqli_connect call above).

[Image: MySQL configuration]

Now log in with the credentials you just stored in the database; the page should report a successful login.

[Image: Successfully logged in using password]

Now try a SQL injection payload in the login form and you will get through: the username and password are concatenated into the query, so a quote in the input changes the logic of the WHERE clause.

[Image: SQL injection]
[Image: Logged in using SQL injection]

To block such attacks at the HTTP layer we now configure the firewall. (A WAF is a second line of defence; the real fix for this page is to use prepared statements, which is outside the scope of this post.)

Configuring the Modsec firewall
Now to configure Modsec WAF follow the steps:

1. cd to /etc/apache2/ and create a folder named “modsecurity.d”

2. From inside modsecurity.d, clone the OWASP Core Rule Set, which contains the rules for the OWASP Top 10 vulnerability classes, using
Command: git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
(The project has since moved to github.com/coreruleset/coreruleset; the old URL redirects there.)

3. The above command will create a folder owasp-modsecurity-crs/
(Here you can read a file named INSTALL in this directory to read instructions on how to configure Modsec on different servers.)

4. Go inside owasp-modsecurity-crs/ and rename crs-setup.conf.example file to crs-setup.conf

5. Now go into the rules folder and rename REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example to REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

6. Rename RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

7. Open /etc/apache2/apache2.conf and add the following lines at the end of the file
<IfModule security2_module>
    Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
    Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>

This tells Apache where to pick up the rules. The Include paths are relative to ServerRoot (/etc/apache2), which is why the clone had to go under /etc/apache2/modsecurity.d. The IfModule guard means the rules are loaded only when mod_security2 is actually enabled (on Debian/Ubuntu: install libapache2-mod-security2 and run a2enmod security2); if the module is missing, Apache restarts without error and without any WAF.

8. Restart Apache so the rules take effect.
Command: service apache2 restart
The WAF is now configured; open the web application again.
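Steps 1 to 8 as a single idempotent script, added here as an example and not part of the original post. It assumes the Debian/Ubuntu layout (/etc/apache2, the libapache2-mod-security2 package whose configuration lives under /etc/modsecurity and ships with SecRuleEngine DetectionOnly), that it is run as root, and the CRS repository URL from step 2; the file name modsec-crs-setup.sh is my own.

```shell
#!/bin/sh
# modsec-crs-setup.sh (added example, not from the original post): steps 1-8
# above as one script, plus the prerequisites the post leaves implicit.
# Assumes Debian/Ubuntu paths and packages; run as root:
#   sh modsec-crs-setup.sh install
set -eu

APACHE_ROOT="${APACHE_ROOT:-/etc/apache2}"
CRS_DIR="$APACHE_ROOT/modsecurity.d/owasp-modsecurity-crs"
CRS_REPO="https://github.com/SpiderLabs/owasp-modsecurity-crs.git"
MODSEC_CONF="/etc/modsecurity/modsecurity.conf"

# Steps 4-6: activate every *.example file in a directory by dropping the
# suffix. Files that already exist are left alone, so re-running is safe.
activate_examples() {
    dir="$1"
    for ex in "$dir"/*.example; do
        [ -e "$ex" ] || continue          # no matches: the glob stays literal
        target="${ex%.example}"
        [ -e "$target" ] || mv "$ex" "$target"
    done
}

# Step 7: the Include block; paths are relative to Apache's ServerRoot.
include_block() {
    cat <<'EOF'
<IfModule security2_module>
    Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
    Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>
EOF
}

# Append the Include block to apache2.conf only if it is not already there.
ensure_include() {
    conf="$1"
    if ! grep -q 'owasp-modsecurity-crs/crs-setup.conf' "$conf"; then
        include_block >> "$conf"
    fi
}

install_crs() {
    # Prerequisite: without the module, <IfModule security2_module> silently
    # skips the rules and Apache restarts fine with no WAF at all.
    apt-get install -y libapache2-mod-security2 git
    a2enmod security2
    # The packaged config starts in DetectionOnly (log matches, never block).
    [ -e "$MODSEC_CONF" ] || cp "$MODSEC_CONF-recommended" "$MODSEC_CONF"
    sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' "$MODSEC_CONF"

    mkdir -p "$APACHE_ROOT/modsecurity.d"                  # step 1
    [ -d "$CRS_DIR" ] || git clone "$CRS_REPO" "$CRS_DIR"   # steps 2-3
    activate_examples "$CRS_DIR"                           # step 4
    activate_examples "$CRS_DIR/rules"                     # steps 5-6
    ensure_include "$APACHE_ROOT/apache2.conf"             # step 7
    apachectl configtest                                   # catch rule errors before restarting
    service apache2 restart                                # step 8
}

if [ "${1:-}" = "install" ]; then
    install_crs
else
    echo "usage: $0 install" >&2
fi
```

The script runs apachectl configtest before the restart so a broken rule file is reported with its line number rather than as a failed service restart, and the helpers are written so that running it twice neither re-clones the rule set nor appends a second Include block.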

Use the same injection payload as before: the login will now be refused and the page will look like this:

[Image: WAF in action]
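A repeatable version of the before/after check above, added as an example and not part of the original post: it posts a valid login and a constructed tautology payload to login.php and compares the HTTP status codes. It assumes curl, the page at http://localhost/login.php, a users row alice/secret (constructed; substitute the row you inserted), and that ModSecurity answers a blocked request with 403, which is the CRS default; the file name waf-check.sh and the alice/secret credentials are my own.

```shell
#!/bin/sh
# waf-check.sh (added example, not from the original post): post a valid
# login and a constructed SQL injection payload to login.php and compare the
# HTTP status codes. Assumes curl, the page at http://localhost/login.php, a
# users row alice/secret (constructed; substitute the row you inserted), and
# that ModSecurity returns 403 on a block (the CRS default).
#   sh waf-check.sh run
set -eu

URL="${URL:-http://localhost/login.php}"
GOOD_USER="${GOOD_USER:-alice}"
GOOD_PASS="${GOOD_PASS:-secret}"

# The classic tautology payload: the quote ends the username literal and
# OR '1'='1' makes the WHERE clause true. Sent in both fields, the page's
# query becomes
#   ... WHERE username='' OR '1'='1' AND password='' OR '1'='1'
# which matches every row, so mysqli_num_rows() is non-zero and the page
# prints "Log in Successful".
injection_payload() {
    printf "%s" "' OR '1'='1"
}

# POST one credential pair the way the browser form does (login=Login
# selects the query branch) and return only the HTTP status code.
# --data-urlencode mirrors the browser; ModSecurity decodes ARGS before matching.
post_login() {
    curl -s -o /dev/null -w '%{http_code}' \
        --data-urlencode "username=$1" \
        --data-urlencode "password=$2" \
        --data-urlencode "login=Login" \
        "$URL"
}

# Interpret the two status codes; returns 0 only when the WAF is doing its job.
verdict() {
    good="$1"; evil="$2"
    if [ "$good" = 200 ] && [ "$evil" = 403 ]; then
        echo "OK: valid login passes (200), injection blocked (403)"
        return 0
    elif [ "$good" = 200 ] && [ "$evil" = 200 ]; then
        echo "NOT PROTECTED: injection also got 200 (module not loaded, or SecRuleEngine DetectionOnly)"
        return 1
    elif [ "$good" = 403 ]; then
        echo "FALSE POSITIVE: the valid login is blocked too; check the audit log for the rule id"
        return 1
    else
        echo "UNEXPECTED: valid=$good injection=$evil"
        return 1
    fi
}

if [ "${1:-}" = "run" ]; then
    verdict "$(post_login "$GOOD_USER" "$GOOD_PASS")" \
            "$(post_login "$(injection_payload)" "$(injection_payload)")"
else
    echo "usage: $0 run" >&2
fi
```

Run it once before step 8 and once after: the first run should report NOT PROTECTED, the second OK. A valid login that also comes back 403 means a CRS rule is matching legitimate traffic; on Debian/Ubuntu the blocked request and the ids of the rules that fired are recorded in /var/log/apache2/modsec_audit.log (the package's default SecAuditLog path), which is where an exclusion in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf would be worked out.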

If Apache fails to restart, the WAF is not configured correctly; apachectl configtest reports the rule file and line that caused the error. If Apache restarts but the injection still succeeds, check that SecRuleEngine is set to On rather than DetectionOnly in the module's configuration (/etc/modsecurity/modsecurity.conf on Debian/Ubuntu, which is installed as DetectionOnly): in detection mode ModSecurity only logs matches and never blocks.

Note: if you have any problem using MySQL, restart the MySQL service using
service mysql restart
