Back to Posts

ModSecurity

Posted in Defense

Advance your Pentesting Skills at Slayer Labs! Networks Engineered to Exploit.
- Windows/UNIX - Domains/Subnets - Access/Post/Lateral - Low Cost VPN Ranges -


ModSecurity - WAF

A free Web Application Firewall that can be ran on Apache, Nginx or IIS. It’s fairly quick and easy to install, free, has a little footprint, and provides much needed protection against application exploits.

Install

The procedure below is for Apache on CentOS.

Download modsecurity

yum install mod_security


Restart httpd

service httpd restart


Next, you’ll want to add the OWASP Core Rule Set (CRS). Which we’ll download, create a directory for, then point to this directory in httpd.conf.

Download the OWASP CRS.

yum install git
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git


Move this download to a new directory in /etc/httpd/. Then copy crs-setup.conf.example to crs-setup.conf

mkdir /etc/httpd/owasp/
cp -a owasp-modsecurity-crs/ /etc/httpd/owasp
cd /etc/httpd/owasp/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf


Edit

Now the httpd.conf will need to be edited.

vi /etc/httpd/conf/httpd.conf


At the end of the file (:$) add the following to point to the new OWASP rules and module.

<IfModule security2_module>
    Include /etc/httpd/owasp/owasp-modsecurity-crs/crs_setup.conf
    Include /etc/httpd/owasp/owasp-modsecurity-crs/rules/*.conf
</IfModule>


Restart apache/httpd.

service httpd restart


NOTE: If you run into errors based on the .conf rules, you may need to update mod_security. If you’re unable to update due to outdated repos or other issues, you’ll have to comment out or rename the extensions on the specified rules in order to run.

Test

To quick test, run the below RCE attempt curl command…

curl localhost/index.html?exec=/bin/bash


Now check your error log (/var/log/httpd/error_log) and you should see the “Remote Commend Execution” record.

Custom Cyber Ranges >>

https://slayerlabs.com

Read Next

Harden WordPress