Mod_Security is the most widely known and used server based Web Application Firewall but I had not had a chance to play with it so I decided to take sometime this weekend to build a website (modsec.handsonhacking.org) to test it. Here is a small walk through on how I did it.
Base Server Install:
Install and configure the website with these commands:
sudo apt update && sudo apt upgrade -y sudo apt install apache2 git -y sudo rm /var/www/html/index.html sudo git clone https://github.com/themefisher/Blue-Onepage-HTML5-Business-Template.git /var/www/html/ sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install python-certbot-apache sudo certbot
Install Mod_Security with these commands:
sudo apt-get install libapache2-modsecurity sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Move from logging to blocking move with these commands:
sudo nano /etc/modsecurity/modsecurity.conf # Change SecRuleEngine DetectionOnly SecRuleEngine On
It should look like this:Install the updated OWASP ModSecurity Core Rule Set:
sudo rm -rf /usr/share/modsecurity-crs sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
Enable them in the apache config file:
sudo nano /etc/apache2/mods-enabled/security2.conf Add: IncludeOptional /usr/share/modsecurity-crs/*.conf IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
Move the OWASP rules from logging to blocking:
cd /usr/share/modsecurity-crs sudo cp crs-setup.conf.example crs-setup.conf sudo nano crs-setup.conf Comment Out: #SecDefaultAction "phase:1,log,auditlog,pass" #SecDefaultAction "phase:2,log,auditlog,pass" Uncomment: SecDefaultAction "phase:1,log,auditlog,deny,status:403" SecDefaultAction "phase:2,log,auditlog,deny,status:403"
It should look like this:
Next restart apache to enable mod_security:
sudo systemctl restart apache2
Run this to see what is being blocked in real time:
sudo tail -f /var/log/apache2/modsec_audit.log
Now that I have mod_security running I need to find a better logging solution. So far I have quickly looked at waf-fle and auditconsole but they both look to be abandoned. It looks like there are people who are doing a lot with ELK but I have not found anything solid yet. I am really surprised there isn’t a ready made Dashboard but I will keep looking.
I have spent all of four hours playing with this on non-production traffic. Please do not just install this in front of your website and then blame me when things break.
Overall with the help of @infosecdad and @lojikil guiding me through some of the places where documentation is lacking it was fairly easy to get this setup and going. If you have any questions please reach out to me on twitter at @JGamblin.