Monday, June 10, 2013

Configuring ModSecurity with OWASP CRS – Part 1

In this series I'm going to write about installing and configuring ModSecurity with the OWASP CRS on Ubuntu 10.0.4 and Apache2.

I was motivated to write this when a few of my clients asked me, almost at the same time, about blocking all known malicious web attacks at the web server level itself. I suggested an open source, reliable WAF solution that meets that requirement. Obviously, installing a WAF does not mean you no longer need application security controls.

ModSecurity (developed by Trustwave) is a reliable open source WAF (Web Application Firewall) that sits between the end user and your application server, i.e. at the web server level. ModSecurity ships with basic preconfigured security rules that are enabled on installation and configuration.

It is important to note that ModSecurity by itself provides very limited protection. To make it useful, it must be configured with rules. The OWASP Defender Community develops and maintains a free set of application protection rules called the OWASP ModSecurity Core Rule Set (CRS). These rules need to be integrated with ModSecurity to make it fully functional.

Refer here to read more about ModSecurity.

I searched the internet for similar articles, but most of them have incomplete or incorrect information, which is a bit disappointing. I have tried to make this article accurate, simple and to the point.

Background

I have a fresh installation of Ubuntu-desktop-10.0.04.iso (downloaded from here) running in VirtualBox (downloaded from here). First, we need to install LAMP (Linux, Apache, MySQL and PHP) on the new box to set up the test environment and run a sample PHP application against which we can test our malicious payloads.

Below are the steps to follow:

Step 1: Download and install LAMP:

sudo apt-get update
sudo apt-get install php5 mysql-server apache2

The installation will prompt you for a MySQL password. Enter a password of your choice.

Step 2: Install the PHP MySQL module

sudo apt-get install php5-mysql

After a successful installation you will have LAMP on the box. To test the setup, open a browser and go to http://127.0.0.1. The page below should appear, indicating that LAMP was installed successfully:



Step 3: Folder permission and test page setup

Issue the command below to change the permissions of the /var/www/ folder so that test.php can be created under it:

sudo chmod 777 /var/www/

Create test.php under /var/www/ and paste in the code below. This page is deliberately vulnerable: it includes whatever file the secret_file parameter names, with no validation.

<?php
// Deliberately vulnerable test page: includes whatever file the
// secret_file query parameter names, without any validation.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

Step 4: Test setup and perform basic attack

Open a web browser and access the URL below. You should see the contents of the passwd file in your browser, which confirms that nothing is filtering the request yet.



Step 5: ModSecurity installation

sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
sudo apt-get install libapache-mod-security

Step 6: Modify the permissions of the apache2 directory and the conf.d/security file so that the ModSecurity rules directory can be created:

sudo chmod 777 /etc/apache2/
sudo chmod 777 /etc/apache2/conf.d/security

Issue the command below to copy the example rules shipped with the package into a /rules directory under /etc/apache2:

cp -R /usr/share/doc/mod-security-common/examples/rules /etc/apache2/

Note: All ModSecurity rules are now under /etc/apache2/rules.

Step 7: Logs collection and configuring ModSecurity rules

Issue the command below to create a /logs directory under /etc/apache2 for ModSecurity's own log files:

mkdir /etc/apache2/logs/

Edit the /etc/apache2/conf.d/security file and add the block below, which loads the rules only when the ModSecurity module is present:

<IfModule mod_security2.c>
        Include /etc/apache2/rules/*.conf
        Include /etc/apache2/rules/base_rules/*.conf
</IfModule>



Step 8: Completing setup

Restart Apache:
sudo /etc/init.d/apache2 restart

Now try the attack payload http://127.0.0.1/test.php?secret_file=/etc/passwd again. You should get 403 Forbidden instead of the file contents. This indicates that ModSecurity and its rules are installed and configured correctly.
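The 403 above shows that blocking works, but the same rules will also fire on some legitimate requests, and the first question after any block is which rule fired on which URL. As an added example (not code from the original post), the Python script below parses the "Access denied" lines that ModSecurity 2.x writes to the Apache error log, counts hits per rule and URI, and emits a scoped SecRuleRemoveById exception for the noisiest pair; the log lines, rule ids and rule file names are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of the Apache error log after ModSecurity 2.x blocks
# requests. The rule ids, rule file names and messages are placeholders for
# this example, not values from the page or from a real CRS file.
SAMPLE_ERROR_LOG = r'''
[Mon Jun 10 10:15:02 2013] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "etc/passwd" at ARGS:secret_file. [file "/etc/apache2/rules/base_rules/EXAMPLE_file_access.conf"] [id "900001"] [msg "Example: sensitive file access"] [uri "/test.php"]
[Mon Jun 10 10:15:09 2013] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<" at ARGS:q. [file "/etc/apache2/rules/base_rules/EXAMPLE_xss.conf"] [id "900002"] [msg "Example: HTML tag in argument"] [uri "/search.php"]
[Mon Jun 10 10:15:11 2013] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<" at ARGS:q. [file "/etc/apache2/rules/base_rules/EXAMPLE_xss.conf"] [id "900002"] [msg "Example: HTML tag in argument"] [uri "/search.php"]
[Mon Jun 10 10:15:20 2013] [notice] Apache/2.2.14 (Ubuntu) configured -- resuming normal operations
'''

# Bracketed key/value fields such as [id "900001"]; quoted values may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

def parse_denials(log_text):
    """Return one dict per 'Access denied' line: client, rule id, msg and uri."""
    events = []
    for line in log_text.splitlines():
        if 'ModSecurity: Access denied' not in line:
            continue  # ordinary Apache notices are not WAF events
        fields = dict(FIELD_RE.findall(line))
        client = CLIENT_RE.search(line)
        events.append({
            'client': client.group(1) if client else None,
            'id': fields.get('id'),
            'msg': fields.get('msg'),
            'uri': fields.get('uri'),
        })
    return events

def summarize(events):
    """Hits per (rule id, uri): pairs that fire on ordinary traffic are tuning candidates."""
    return Counter((e['id'], e['uri']) for e in events)

def exception_for(rule_id, uri):
    """A scoped exception: drop one rule for one path instead of turning the engine off."""
    return ('<Location "%s">\n'
            '    SecRuleRemoveById %s\n'
            '</Location>' % (uri, rule_id))

if __name__ == '__main__':
    hits = summarize(parse_denials(SAMPLE_ERROR_LOG))
    (rule_id, uri), n = hits.most_common(1)[0]
    print('noisiest: rule %s on %s (%d hits)' % (rule_id, uri, n))
    print(exception_for(rule_id, uri))
```

Whether the noisiest pair is a false positive or a real attack is still a human decision; the script only tells you where to look, and the exception it prints is meant to be reviewed before it goes into the Apache configuration.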



Below are the reference commands to enable and disable ModSecurity:

To enable ModSecurity:

a2enmod mod-security

To disable ModSecurity:

a2dismod mod-security

The above steps work for me like a charm on Ubuntu 10.0.4. Hope this helps.

In the next part, we will install and configure the OWASP CRS with ModSecurity.

Happy Reading!!!

5 comments:

  1. Won't configuring Mod_security block more legitimate traffic and annoy the user?

  2. Thanks Ashutosh for your comment. ModSecurity blocks only traffic/web URLs with attack payloads configured in the base rules. Some of the common attack payloads are /, ', <, >, ;. I hope this clarifies.

  3. Thanks Nilesh for the prompt response. That makes sense (apart from the '/' payload, as it's going to be there in most of the URLs) :)

  4. Just in case anyone is using Ubuntu 12.04, the rules will be placed under the /usr/share/modsecurity-crs/ directory. You can copy the rules from that directory to the apache2 directory and later include all the conf files :)

  5. One more thing is, in Ubuntu 12.04, you need to copy the modsecurity core rule set (not OWASP CRS) from the /usr/share/modsecurity-crs location.

    In 12.04, the location /usr/share/doc/mod-security-common/examples/rules does not exist. It took me a little time to figure out the former location where modsecurity-crs was. Cheers!!
