Configuring ModSecurity with OWASP CRS – Part 1

October 6, 2013
Pentests

In this series, we are going to write about the installation and configuration of ModSecurity with the OWASP CRS on Ubuntu 10.0.4 and Apache2.

We were motivated to write about it when a few of our clients asked us about blocking all known malicious web attacks at the web server level itself. We quickly suggested an open source, reliable WAF solution that met their requirement. Obviously, just installing a WAF does not mean that you no longer need application security controls.

ModSecurity (developed by Trustwave) is a reliable open source WAF (Web Application Firewall) that sits between the end user and your application server, i.e. at the web server level. ModSecurity ships with preconfigured basic security rules that are enabled on installation and configuration.

It is important to note that ModSecurity, in itself, provides very limited protection. In order to make ModSecurity useful, it must be configured with rules. The OWASP Defender Community has developed and maintains a free set of application protection rules called the OWASP ModSecurity Core Rule Set (CRS). These rules need to be integrated with ModSecurity for it to do its job fully.

Refer here to read more about ModSecurity.

We searched a lot over the internet for similar articles, but most of them have incomplete or incorrect information, which is a bit disappointing. We have tried to make this article as accurate, simple and to the point as possible.

Background

We have a fresh installation of Ubuntu-desktop-10.0.04.iso (downloaded from here) running in VirtualBox (downloaded from here). First, we need to install LAMP (Linux, Apache, MySQL and PHP) on the new box to set up the test environment and run a sample PHP application against which we can test our malicious payloads.

Below are the steps to follow:

Step 1: Download and install LAMP:

sudo apt-get update

sudo apt-get install php5 mysql-server apache2

The installation will prompt you for a MySQL password. Enter a MySQL password of your choice.

Step 2: Install PHP and MySQL

sudo apt-get install php5-mysql

After a successful installation, you will have LAMP on the box. To test the setup, open a browser and go to http://127.0.0.1. A default page should load, which indicates a successful LAMP installation.

Step 3: Folder permission and test page setup

Issue the command below to change the permissions of the /var/www/ folder so that test.php can be created under it:

sudo chmod 777 /var/www/

Create /var/www/test.php and paste the code below. The page is deliberately vulnerable to local file inclusion so that we have an attack to test the WAF against:

<?php
// Deliberately vulnerable test page: the file name is taken straight from the
// query string and handed to include() without any validation.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

Step 4: Test setup and perform basic attack

Open a web browser and access the URL below. You should see the contents of the passwd file in your browser.

http://localhost/test.php?secret_file=/etc/passwd

Step 5: ModSecurity installation

sudo apt-get install libxml2 libxml2-dev libxml2-utils

sudo apt-get install libaprutil1 libaprutil1-dev

sudo apt-get install libapache-mod-security

Step 6: Modify the permissions of the apache2 folder and the conf.d/security file so that we can create the ModSecurity rules directory and edit the configuration:

sudo chmod 777 /etc/apache2/

sudo chmod 777 /etc/apache2/conf.d/security

Issue the command below to copy the example rules shipped with the package into a new rules directory under /etc/apache2 (cp -R creates it):

cp -R /usr/share/doc/mod-security-common/examples/rules /etc/apache2/

Note: all ModSecurity rules are now placed under the /etc/apache2/rules directory.

Step 7: Logs collection and configuring ModSecurity rules

Issue the command below to create a logs directory under /etc/apache2:

mkdir /etc/apache2/logs/

Modify the /etc/apache2/conf.d/security file so that it contains the configuration below:

<IfModule mod_security2.c>
       Include /etc/apache2/rules/*.conf
       Include /etc/apache2/rules/base_rules/*.conf
</IfModule>

Step 8: Completing setup

Restart apache:

sudo /etc/init.d/apache2 restart

Try the attack payload http://127.0.0.1/test.php?secret_file=/etc/passwd again. You should now get 403 Forbidden. This indicates a successful installation and configuration of the ModSecurity rules.
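To check a build like the one above beyond a single browser request, here is a small added shell script that is not part of the original post. It writes a conf.d/security fragment with the rule engine mode as a parameter (DetectionOnly logs what would be blocked without blocking it, which is the safer first step on a box that serves real traffic), checks HTTP status codes with curl, and pulls the rule ids and messages out of a ModSecurity serial-format audit log. The paths under /etc/apache2 are the post's own; it assumes the logs directory created in Step 7 is meant for the audit log, and the audit-log excerpt (including its rule id and message) is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers to verify the
# ModSecurity setup built above. Paths under /etc/apache2 are the post's own;
# the audit-log excerpt is constructed and its rule id/message are sample values.

# Writes a conf.d/security fragment. The engine mode is a parameter so you can
# start in DetectionOnly (log only) and switch to On once the audit log looks
# clean. The engine and audit directives come after the Includes so they
# override whatever the example rule files set. The audit log goes into the
# /etc/apache2/logs directory created in Step 7 (assumed to be its purpose).
write_security_conf() {
    # $1 = destination file, $2 = DetectionOnly or On
    cat > "$1" <<EOF
<IfModule mod_security2.c>
    Include /etc/apache2/rules/*.conf
    Include /etc/apache2/rules/base_rules/*.conf
    SecRuleEngine $2
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /etc/apache2/logs/modsec_audit.log
</IfModule>
EOF
}

# Live check (run on the lab box after restarting Apache; not run offline):
# fetch a URL and compare the HTTP status with what the WAF should return.
expect_status() {
    # $1 = URL, $2 = expected status code
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    if [ "$code" = "$2" ]; then
        echo "OK   $2 $1"
    else
        echo "FAIL got $code, expected $2: $1"
        return 1
    fi
}

# Audit-log triage for the serial-format log read from stdin: print
# "<id> <msg>" once for each rule that fired (section H "Message:" lines).
fired_rules() {
    grep '^Message:' \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
      | sort -u
}

# Number of requests the engine actually blocked. In DetectionOnly mode the
# Message line starts with "Warning." instead, so this stays at 0.
denied_count() {
    grep -c '^Message: Access denied' || true
}

# Constructed audit-log excerpt resembling what the /etc/passwd payload from
# Step 8 produces (one transaction; rule id and message are sample values).
SAMPLE_AUDIT_LOG='--a1b2c3d4-A--
[06/Oct/2013:10:15:01 +0000] UlEl2H8AAAEAAAc9AdMAAAAA 127.0.0.1 53122 127.0.0.1 80
--a1b2c3d4-B--
GET /test.php?secret_file=/etc/passwd HTTP/1.1
Host: 127.0.0.1
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "\/etc\/" at ARGS:secret_file. [file "/etc/apache2/rules/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--'

# Usage on the lab box:
#   write_security_conf /etc/apache2/conf.d/security On && sudo /etc/init.d/apache2 restart
#   expect_status 'http://127.0.0.1/test.php?secret_file=/etc/passwd' 403
#   expect_status 'http://127.0.0.1/' 200
#   fired_rules < /etc/apache2/logs/modsec_audit.log
# Offline demonstration on the constructed excerpt:
printf '%s\n' "$SAMPLE_AUDIT_LOG" | fired_rules
printf '%s\n' "$SAMPLE_AUDIT_LOG" | denied_count
```

The second expect_status call matters as much as the first: a WAF that returns 403 for the payload but also for the default page is misconfigured, not working. Running fired_rules over the real audit log after a day in DetectionOnly mode tells you which rules would have blocked legitimate traffic before you switch the engine to On.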

Below are the reference commands to enable and disable ModSecurity:

To enable ModSecurity:

a2enmod mod-security

To disable ModSecurity:

a2dismod mod-security

The steps above worked like a charm for us on Ubuntu 10.0.4. We hope this helps.

In the next part, we will install the OWASP CRS and configure it with ModSecurity.


Happy Reading!!!
