
Configuring ModSecurity Web Application Firewall

ModSecurity (often shortened to ModSec) is an open-source web application firewall. It was originally designed for the Apache server but can now be used with other web servers as well. It filters HTTP requests and responses according to defined rules. We will use the OWASP ModSecurity Core Rule Set (CRS) here; writing custom rules is also possible, but that is a different topic.

Here is an illustration of how to configure the ModSec firewall using apache2.

I have just created a simple PHP page that will be used to verify credentials. Put this page at /var/www/html/login.php.

Here is the page login.php:

<html>
<body>
<?php
// Deliberately vulnerable demo page: the form values are interpolated straight
// into the SQL string, which is the injection point the WAF is meant to catch
// (prepared statements would remove it at the source, but that is not this
// page's topic).
if (isset($_POST['login']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    $connection = mysqli_connect('localhost', 'root', 'test', 'testdb');
    $result = mysqli_query($connection, "SELECT * FROM `users`
        WHERE username='$username' AND password='$password'");
    if (mysqli_num_rows($result) == 0)
        echo 'Wrong Credentials';
    else
        echo '<h1>Log in Successful</h1>';
}
else
{
?>
<form action="" method="post">
Enter the Username: <input type="text" name="username"/><br />
Enter the Password: <input name="password" type="password"/><br />
<input type="submit" value="Login" name="login"/>
</form>
<?php
}
?>
</body>
</html>

[Figure: Web Application]

Now you need to create a database and a table for the page using MySQL.

[Figure: MySQL configuration.]

Now log in with the credentials you just stored in the database; the login succeeds.

[Figure: Successfully logged in using password]

Now try an SQL injection in the login form; without a WAF in front of the page, it gets through.

[Figure: SQL injection]
[Figure: Logged in using SQL injection.]

To prevent such attacks we need to configure the firewall.

Configuring the ModSec firewall
To configure the ModSec WAF, follow these steps:

1. cd to /etc/apache2/, create a folder named "modsecurity.d" and change into it (the Include paths in step 7 expect the rule set underneath this folder).

2. Clone the OWASP Core Rule Set, which contains the filtering rules for the OWASP vulnerability classes, using
Command: git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

3. The above command creates a folder owasp-modsecurity-crs/.
(The file named INSTALL in this directory has instructions on how to configure ModSec on different servers.)

4. Go inside owasp-modsecurity-crs/ and rename the file crs-setup.conf.example to crs-setup.conf.

5. Now go further into the rules folder and rename REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example to REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.

6. Rename RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.

7. Open /etc/apache2/apache2.conf and add the following lines at the end of the file:
<IfModule security2_module>
Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>

This tells Apache where to pick up the rules (the paths are relative to the Apache ServerRoot, /etc/apache2).

8. Restart the Apache service so the rules take effect.
Command: service apache2 restart
This configures the WAF for you; now try opening the web application.

Use the same injection as above: you will no longer be able to log in, and the page will look like this:

[Figure: WAF in action.]

If you get an error when restarting Apache, your WAF is not properly configured.
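The steps above as one script, added here and not from the original post, with an apachectl configtest before the restart so a mistake in the rule paths shows up as a parse error rather than the failed restart just mentioned. It assumes Debian/Ubuntu paths, that mod_security2 is installed and enabled (a2enmod security2), and that SecRuleEngine is set to On in /etc/modsecurity/modsecurity.conf, since the shipped default of DetectionOnly only logs and would not block the injection.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Debian/Ubuntu paths,
# mod_security2 installed and enabled, and SecRuleEngine On (the shipped
# default is DetectionOnly, which logs but does not block).
set -eu

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"
CRS_DIR="$APACHE_DIR/modsecurity.d/owasp-modsecurity-crs"
CRS_REPO="https://github.com/SpiderLabs/owasp-modsecurity-crs.git"

activate_conf() {   # foo.conf.example -> foo.conf, skipped if already renamed
    [ -f "$1" ] || mv "$1.example" "$1"
}
# Steps 1-6: clone the CRS under modsecurity.d and activate the three configs.
crs_fetch_rules() {
    mkdir -p "$APACHE_DIR/modsecurity.d"
    [ -d "$CRS_DIR" ] || git clone "$CRS_REPO" "$CRS_DIR"
    activate_conf "$CRS_DIR/crs-setup.conf"
    activate_conf "$CRS_DIR/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
    activate_conf "$CRS_DIR/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
}
# Returns 0 only if the checkout at $1 has every file the Includes expect.
crs_layout_ok() {
    for f in crs-setup.conf \
             rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
             rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf; do
        [ -f "$1/$f" ] || return 1
    done
    return 0
}

# Step 7: the block to append to apache2.conf (paths are relative to ServerRoot).
crs_apache_block() {
    printf '%s\n' '<IfModule security2_module>' \
        '    Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf' \
        '    Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf' \
        '</IfModule>'
}

# Steps 7-8: append the block once, prove the config parses, then restart.
crs_enable() {
    conf="$APACHE_DIR/apache2.conf"
    crs_layout_ok "$CRS_DIR" || { echo "CRS files missing under $CRS_DIR" >&2; return 1; }
    grep -q 'owasp-modsecurity-crs/crs-setup.conf' "$conf" || crs_apache_block >> "$conf"
    apachectl configtest   # a bad rule or path fails here, not as a broken restart
    service apache2 restart
}

if [ "${1:-}" = "install" ]; then crs_fetch_rules; crs_enable; fi
```

Run it as root with the argument install; without the argument it only defines the functions, so the layout check and the Include block can be exercised on their own.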

Note: if you have any problem using MySQL, restart the MySQL service with
service mysql restart
