ModSecurity - WAF
A free Web Application Firewall that can be run on Apache, Nginx or IIS. It is fairly quick and easy to install, has a small footprint, and provides much-needed protection against application exploits.
Install
The procedure below is for Apache on CentOS.
Download modsecurity
yum install mod_security
Restart httpd
service httpd restart
Next, you’ll want to add the OWASP Core Rule Set (CRS): download it, create a directory for it, then point httpd.conf at that directory.
Download the OWASP CRS.
yum install git
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
Move this download to a new directory under /etc/httpd/, then copy crs-setup.conf.example to crs-setup.conf.
mkdir /etc/httpd/owasp/
cp -a owasp-modsecurity-crs/ /etc/httpd/owasp
cd /etc/httpd/owasp/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf
Edit
Now the httpd.conf will need to be edited.
vi /etc/httpd/conf/httpd.conf
At the end of the file (:$ jumps there in vi) add the following to load the module and point it at the new OWASP rules. The setup file name must match the one copied above (crs-setup.conf, with a hyphen), or httpd will fail to start.
<IfModule security2_module>
    # Must match the file created above with cp crs-setup.conf.example crs-setup.conf
    Include /etc/httpd/owasp/owasp-modsecurity-crs/crs-setup.conf
    Include /etc/httpd/owasp/owasp-modsecurity-crs/rules/*.conf
</IfModule>
Restart apache/httpd.
service httpd restart
NOTE: If httpd reports errors in the CRS .conf rules, you may need to update mod_security. If you are unable to update because of outdated repos or other issues, you will have to comment out the offending rules, or rename the extension of those rule files so the rules/*.conf Include no longer loads them, before httpd will start.
Test
For a quick test, run the curl command below, which simulates a remote command execution attempt against the local server:
curl 'http://localhost/index.html?exec=/bin/bash'
Now check your error log (/var/log/httpd/error_log) and you should see the “Remote Command Execution” record.
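As an added example (not from the original post), the POSIX shell script below does two checks a practitioner would want after this setup: it lists Include targets in httpd.conf that do not exist on disk, and it summarises the ModSecurity records that a request like the curl above leaves in error_log. The log lines, rule ids and the file name modsec_check.sh are constructed samples in ModSecurity 2.x / CRS 3 format (CRS 3 logs each matching rule as a Warning and issues the 403 from its anomaly-score blocking rule); relative Include paths are checked against the current directory, so run it from the ServerRoot.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for the setup above:
#   check_includes  - print Include targets in an httpd conf that do not exist
#                     (catches a crs_setup.conf / crs-setup.conf mismatch before restart)
#   modsec_summary  - one line per ModSecurity record in an Apache error_log, marking
#                     rule matches versus the final "Access denied" (403) decision
# Log lines and rule ids below are constructed samples in ModSecurity 2.x / CRS 3 format.

check_includes() {                       # usage: check_includes /etc/httpd/conf/httpd.conf
  sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}//p' "$1" |
  while IFS= read -r target; do
    set -- $target                       # unquoted on purpose: expands rules/*.conf
    [ -e "$1" ] || printf 'missing: %s\n' "$target"
  done
}

modsec_field() {                         # usage: modsec_field "$line" id  -> value of [id "..."]
  printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"].*/\1/p"
}

modsec_summary() {                       # reads error_log lines on stdin, writes TSV
  while IFS= read -r line; do
    case "$line" in *"ModSecurity: "*) ;; *) continue ;; esac
    case "$line" in *"Access denied with code "*) verdict=DENIED ;; *) verdict=match ;; esac
    client=$(printf '%s\n' "$line" | sed -n 's/.*\[client \([^]]*\)].*/\1/p')
    printf '%s\t%s\t%s\t%s\t%s\n' "$verdict" "$client" "$(modsec_field "$line" id)" \
      "$(modsec_field "$line" uri)" "$(modsec_field "$line" msg)"
  done
}

modsec_denied_count() { grep -c 'ModSecurity: Access denied with code' || :; }

# Constructed error_log excerpt: CRS rule match, the blocking decision, and an unrelated line.
SAMPLE_LOG='[Tue Mar 05 10:00:00.123456 2019] [:error] [pid 1234] [client 127.0.0.1:41234] ModSecurity: Warning. Pattern match "(?:ba)?sh" at ARGS:exec. [file "/etc/httpd/owasp/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "95"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "CRITICAL"] [hostname "localhost"] [uri "/index.html"] [unique_id "sample1"]
[Tue Mar 05 10:00:00.123789 2019] [:error] [pid 1234] [client 127.0.0.1:41234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/owasp/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/index.html"] [unique_id "sample1"]
[Tue Mar 05 10:00:01.000000 2019] [:error] [pid 1234] [client 127.0.0.1:41235] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex'

if [ "${1:-}" = "--demo" ]; then         # sh modsec_check.sh --demo  prints the sample summary
  printf '%s\n' "$SAMPLE_LOG" | modsec_summary
  printf 'denied requests: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | modsec_denied_count)"
fi
```

To check a real host, run check_includes against /etc/httpd/conf/httpd.conf and pipe /var/log/httpd/error_log into modsec_summary; a request that only produces "match" lines and no DENIED line was logged but not blocked.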