In this series, I’m gonna write about the installation and configuration of ModSecurity with OWASP CRS on Ubuntu 10.0.4 and Apache2. I was motivated to write about it when a few of my clients asked me about blocking all known malicious web attacks at the web server level itself. I suggested an open source, reliable WAF solution that satisfies their requirement. Obviously, just installing a WAF does not mean that you no longer need application security controls.
ModSecurity (developed by Trustwave) is a reliable open source WAF (Web Application Firewall) that sits between the end user and your application server, i.e. at the web server level. ModSecurity ships with basic security rules that are enabled on installation and configuration.
It is important to note that ModSecurity, in itself, provides very limited protection. In order to make ModSecurity useful, it must be configured with rules. The OWASP Defender Community has developed and maintains a free set of application protection rules called the OWASP ModSecurity Core Rule Set (CRS). These rules need to be integrated with ModSecurity to enable it to perform its full range of protection.
Refer here to read more about ModSecurity.
I searched a lot over the internet for similar articles, but most of them have incomplete or incorrect information, which is a bit disappointing. I have tried to make this article as accurate, simple and to the point as possible.
Background
I have a fresh installation of Ubuntu-desktop-10.0.04.iso (downloaded from here) and a VirtualBox installation (downloaded from here). First, we need to install LAMP (Linux, Apache, MySQL and PHP) on our new box to set up the test environment and run a sample PHP application to test our malicious payloads.
Below are the steps to follow:
Step 1: Download and install LAMP:
sudo apt-get update
sudo apt-get install php5 mysql-server apache2
The installation will prompt you to input a MySQL password. Input a MySQL password of your choice.
Step 2: Install PHP and MySQL
sudo apt-get install php5-mysql
After successful installation, you will have LAMP installed on the box. To test the setup, open a browser and go to http://127.0.0.1. The page shown below should appear, indicating a successful installation of LAMP.
Step 3: Folder permission and test page setup
Issue the command below to change the permissions of the /var/www/ folder so that you can create the test.php file under /var/www/:
sudo chmod 777 /var/www/
Create a test.php file and paste the code below. This page is deliberately vulnerable: it includes whatever file the secret_file parameter names, which is the local file inclusion we will use as our test attack.
<?php
// Deliberately vulnerable test page: includes whatever file the request names
$secret_file = $_GET['secret_file'];
include($secret_file);
?>
Step 4: Test setup and perform basic attack
Open a web browser and access the URL below. You should get the passwd file in your browser.
Step 5: ModSecurity installation
sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
sudo apt-get install libapache-mod-security
Step 6: Modify folder permissions for apache2 and the conf.d security file, and create the ModSecurity rules directory:
sudo chmod 777 /etc/apache2/
sudo chmod 777 /etc/apache2/conf.d/security
Issue the command below to copy the rules from the package's examples directory into a /rules directory under /etc/apache2:
cp -R /usr/share/doc/mod-security-common/examples/rules /etc/apache2/
Note: All ModSecurity rules are now placed under the /etc/apache2/rules directory.
Step 7: Log collection and configuring ModSecurity rules
Issue the command below to create a /logs directory under /etc/apache2:
mkdir /etc/apache2/logs/
Modify the /etc/apache2/conf.d/security file to contain the block below:
<IfModule mod_security2.c>
Include /etc/apache2/rules/*.conf
Include /etc/apache2/rules/base_rules/*.conf
</IfModule>
Step 8: Completing setup
Restart Apache:
sudo /etc/init.d/apache2 restart
Try the attack payload http://127.0.0.1/test.php?secret_file=/etc/passwd. You should get 403 Forbidden. This indicates successful installation and configuration of the ModSecurity rules.
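The checks in Steps 5 to 8 can be scripted so that the outcome is repeatable rather than eyeballed in a browser. The script below is an added example, not code from the original post: the paths, the module and the test request are the ones used above, while the base URL, the use of curl and apache2ctl, and the --live switch are assumptions for a local lab box. It confirms that mod_security2 is loaded, that the security conf really includes the rules (a loaded module with no rules blocks nothing), that a benign request is still served and that the file inclusion payload is refused.

```shell
#!/bin/sh
# Added example (not from the original post): verify the outcome of Steps 5 to 8.
# The paths, module name and test request are taken from the post; the base URL
# and the use of curl/apache2ctl are assumptions for a local lab box.
set -u

TARGET="${TARGET:-http://127.0.0.1}"                           # assumed: Apache from Step 1
SECURITY_CONF="${SECURITY_CONF:-/etc/apache2/conf.d/security}"
PAYLOAD='/test.php?secret_file=/etc/passwd'                    # the Step 8 attack request

# Return 0 when an `apache2ctl -M` listing (passed as text) shows mod_security2.
module_loaded() {
    printf '%s\n' "$1" | grep -q 'security2_module'
}

# Return 0 when the security conf text (passed as argument) carries both
# Include lines from Step 7; without them ModSecurity loads but blocks nothing.
conf_includes_rules() {
    printf '%s\n' "$1" | grep -qF 'Include /etc/apache2/rules/*.conf' &&
    printf '%s\n' "$1" | grep -qF 'Include /etc/apache2/rules/base_rules/*.conf'
}

# Fetch only the HTTP status for a URL; curl prints 000 when it cannot connect.
status_of() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Interpret the status of the attack request: 403 means the rules refused it,
# 200 means the file inclusion went through, anything else needs the error log.
classify_status() {
    case "$1" in
        403) echo blocked ;;
        200) echo allowed ;;
        000) echo unreachable ;;
        *)   echo "unexpected:$1" ;;
    esac
}

# Live checks: module present, rules included, benign page still served,
# attack payload refused. Needs the lab box; never runs when the file is sourced.
run_live_checks() {
    command -v curl >/dev/null 2>&1 || { echo 'curl not found'; return 2; }
    if command -v apache2ctl >/dev/null 2>&1; then
        module_loaded "$(apache2ctl -M 2>/dev/null)" \
            && echo 'mod_security2: loaded' || echo 'mod_security2: NOT loaded'
    fi
    if [ -r "$SECURITY_CONF" ] && conf_includes_rules "$(cat "$SECURITY_CONF")"; then
        echo 'rules include: ok'
    else
        echo 'rules include: missing'
    fi
    echo "benign request: HTTP $(status_of "$TARGET/")"
    echo "attack payload: $(classify_status "$(status_of "$TARGET$PAYLOAD")")"
}

# Only contact the server when asked, so the helpers can be sourced side-effect free.
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as `sh check_modsec.sh --live` on the box after Step 8; an "allowed" verdict on the attack payload means the Include lines or the module are missing, and "unreachable" means Apache did not come back up after the restart, which is usually a syntax error in one of the rule files that `apache2ctl configtest` will point at.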
Below are the reference commands to enable and disable ModSecurity:
To enable ModSecurity:
a2enmod mod-security
To disable ModSecurity:
a2dismod mod-security
The steps above work for me like a charm on Ubuntu 10.0.4. Hope this helps.
In the next part, we will have OWASP CRS installed and configured with ModSecurity.
Happy Reading!!!
Won't configuring Mod_security block more legitimate traffic and annoy the user?
Thanks Ashutosh for your comment. ModSecurity blocks only traffic/web URLs with attack payloads configured in the base rules. Some of the common attack payloads are /, ', <, >, ;. I hope this clarifies.
Thanks Nilesh for the prompt response. That makes sense (just apart from the '/' payload, as it's going to be there in most of the URLs) :)
Just in case anyone is using Ubuntu 12.04, the rules will be placed under the /usr/share/modsecurity-crs/ directory. You can copy the rules from that directory to the apache2 directory and later include all the conf files :)
One more thing: in Ubuntu 12.04, you need to copy the modsecurity core rule set (not OWASP CRS) from the /usr/share/modsecurity-crs location.
In 12.04, the location /usr/share/doc/mod-security-common/examples/rules does not exist. It took me a little time to figure out the former location where the modsecurity-crs files were. Cheers!!
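Steps 6 and 7 together with the alternative rules location mentioned in the comments above can be folded into one script. The script below is an added example, not the post author's or the commenters' code: the two candidate rules directories are the ones named on this page, while the APACHE_DIR override and the --install switch are assumptions so the script can be dry-run in a temporary directory. It normalises the copy to /etc/apache2/rules whatever the source directory is called, which the post's bare `cp -R` only does when the source happens to be named "rules".

```shell
#!/bin/sh
# Added example, not the post author's or the commenters' code: install the rules
# (Step 6) and write the security conf (Step 7) while handling both rules locations
# named on this page: the 10.04 examples directory and the 12.04 /usr/share/modsecurity-crs.
# APACHE_DIR is an assumed override so the script can be dry-run in a temp directory.
set -u

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"

# Print the first candidate directory that exists; fail (status 1) when none does.
find_rules_dir() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Copy the rules tree into $APACHE_DIR/rules. The post's `cp -R ... /etc/apache2/`
# names the target after the source directory, which only works when the source
# is called "rules"; copying the contents gives a fixed path the conf can Include.
install_rules() {
    mkdir -p "$APACHE_DIR/rules"
    cp -R "$1/." "$APACHE_DIR/rules/"
}

# Write the Step 7 block, pointing at the rules directory just created.
write_security_conf() {
    mkdir -p "$APACHE_DIR/conf.d"
    cat > "$APACHE_DIR/conf.d/security" <<EOF
<IfModule mod_security2.c>
Include $APACHE_DIR/rules/*.conf
Include $APACHE_DIR/rules/base_rules/*.conf
</IfModule>
EOF
}

# Full run, guarded so sourcing the file for its helpers has no side effects.
if [ "${1:-}" = "--install" ]; then
    src=$(find_rules_dir /usr/share/doc/mod-security-common/examples/rules \
                         /usr/share/modsecurity-crs) \
        || { echo 'no ModSecurity rules directory found' >&2; exit 1; }
    install_rules "$src"
    write_security_conf
    echo "rules from $src installed under $APACHE_DIR/rules; restart Apache (Step 8)"
fi
```

Run `sudo sh install_rules.sh --install` for the real thing, or `APACHE_DIR=/tmp/apache2 sh install_rules.sh --install` to inspect what it would write before touching the live configuration; writing the conf through a script also avoids the chmod 777 on /etc/apache2 from Step 6, since the script runs with the privileges it needs and nothing else.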