Blog Posts

Getting Started With Mod_Security


Mod_Security is the most widely known and used server based Web Application Firewall but I had not had a chance to play with it so I decided to take sometime this weekend to build a website ( to test it.   Here is a small walk through on how I did it.

Base Server Install:

I used AWS Lightsail to build a webserver using Ubuntu 16.04,  Apache2,  LetsEncrypt , and this HTML5 Template.

Install and configure the website with these commands:

sudo apt update && sudo apt upgrade -y
sudo apt install apache2 git -y
sudo rm /var/www/html/index.html
sudo git clone /var/www/html/
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot

Mod_Security Install

Install Mod_Security with these commands:

sudo apt-get install libapache2-modsecurity
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Move from logging to blocking move with these commands:

sudo nano /etc/modsecurity/modsecurity.conf
# Change SecRuleEngine DetectionOnly
SecRuleEngine On

It should look like this:Install the updated OWASP ModSecurity Core Rule Set:

sudo rm -rf /usr/share/modsecurity-crs
sudo git clone /usr/share/modsecurity-crs

Enable them in the apache config file:

sudo nano /etc/apache2/mods-enabled/security2.conf
     IncludeOptional /usr/share/modsecurity-crs/*.conf
     IncludeOptional /usr/share/modsecurity-crs/rules/*.conf

It should look like this:

Move the OWASP rules from logging to blocking:

cd /usr/share/modsecurity-crs
sudo cp crs-setup.conf.example crs-setup.conf
sudo nano crs-setup.conf

Comment Out: 
#SecDefaultAction "phase:1,log,auditlog,pass"
#SecDefaultAction "phase:2,log,auditlog,pass"

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

It should look like this:

Next restart apache to enable mod_security:

sudo systemctl restart apache2


To test I used burp suite to scan to generate plenty of “bad traffic”.

Run this to see what is being blocked in real time:

sudo tail -f /var/log/apache2/modsec_audit.log

Next Steps

Now that I have mod_security running I need to find a better logging solution.   So far I have quickly looked at waf-fle and auditconsole but they both look to be abandoned.  It looks like there are people who are doing a lot with ELK but I have not found anything solid yet.  I am really surprised there isn’t a ready made Dashboard but I will keep looking.


I have spent all of four hours playing with this on non-production traffic.  Please do not just install this in front of your website and then blame me when things break.


Overall with the help of @infosecdad  and @lojikil guiding me through some of the places where documentation is lacking it was fairly easy to get this setup and going.   If you have any questions please reach out to me on twitter at @JGamblin. 

MAC Address Randomization for MacOS

One of the things that even the new MacOS beta is missing is MAC Address Randomization on boot.  After spending a few hours working on it I put together this completely hack-y solution that uses Spoof and an automator Script saved as an application.

Here is how I configured it:

on run {input, parameters}
	delay 4
	tell application "Terminal"	
	end tell
	tell application "System Events"
		delay 0.3
		keystroke "sudo spoof randomize en0"
		keystroke return
		delay 0.5
		keystroke return
		delay 5
	end tell
	tell application "Terminal" to quit
	return input
end run
  • Change “#SADLYYOURPASSWORDHERE” to your local password.
  • Test & Save:

  • Add to System Preferences -> Users & Groups -> Login items

Overall this is a pretty simple solution.  I dont love it because you have to save your local password in the script and I am looking for a way to change that but it looks like to change the MAC address you have to be root.  I will update this post if I figure out a way to remove the password.

My Security Summer Camp Talk List

Security summer camp is about a week away so I spent some time this afternoon trying to figure out what talks and events I want to make sure I attend.

BSides Las Vegas:

A Day in the Life of a Product Security Incident Response Manager
Hadoop Safari : Hunting For Vulnerabilities
Introduction to Reversing and Pwning
YARA-as-a-Service (YaaS): Real-Time Serverless Malware Detection
Abusing Webhooks for Command and Control
BSides Las Vegas Full Schedule


Breaking Electronic Door Locks Like You’re On CSI: Cyber
Free-Fall: Hacking Tesla From Wireless To Can Bus
Blackhat Full Sechedule

Defcon 25:

Meet the Feds (who care about security research)
There’s no place like – Achieving reliable DNS rebinding in modern browsers
Wiping Out CSRF
Real-time RFID Cloning in the Field
Exploiting 0ld Mag-stripe information with New technology
Secret Tools: Learning About Government Surveillance Software You Can’t Ever See
Next-Generation Tor Onion Services
Using GPS Spoofing to Control Time
Cisco Catalyst Exploitation
Defcon Full Schedule

Other Events:

Defcon Parties List


Run SSH and HTTPS On The Same Port

I recently saw this SSH/HTTP(S) multiplexer on Github and tweeted that it looked amazing:

A couple of people responded that you should be able to do the samething with HAProxy or something similar but my experience with HAProxy has been that is temperamental so I didn’t want to mess with it.  After some more research I found a tool called SSLH that did what I wanted so I built a demo site at that is running SSH and HTTPS on port 443.

How To Build It Yourself:

To demo this I used a $5 Ubuntu AWS lightsail instance with a valid DNS record (

Base Out The System:

These commands will update the system, install SSLH and Apache, and install a valid TLS certificate from LetsEncrypt:

sudo apt update && sudo apt upgrade
sudo apt install sslh build-essential apache2
chmod a+x ./certbot-auto

Configure SSHL:

You need to edit the config so that <ETH0 IP> is the local (not public) IP:

sudo nano /etc/default/sslh
DAEMON_OPTS="--user sslh --listen <ETH0 IP>:443 --ssh --ssl --pidfile /var/run/sslh/"

Configure Apache:

You just need to change Listen *:443 to Listen

sudo nano /etc/apache2/ports.conf   
<IfModule ssl_module>

<IfModule mod_gnutls.c>

Reboot and Enjoy:

You can probably restart services but a  sudo reboot works here and you are good to go.  If you visit with a web browser you get the page:

…*but* you can now ssh into the box on port 443 using ssh -p 443

Closing Thoughts:

NMap only knows it is SSH if you use -sV:
I am looking forward to using this method in the future to stack services.  Let me know on twitter @jgamblin if you have any thoughts.

Quickly Building A Cloud Virtual Lab

Often while doing research I need temporary access to a bunch of different virtual machines. While it is possible to do this on my Macbook using VMWare Fusion or Virtualbox the overhead seems unnecessary for something I will delete in under a week.

My goto solution is a virtualization stack of:
16GB DigitalOcean Droplet + Wok + Kimchi

Here is the shell script I use to build it:

apt-get update &&  apt-get upgrade -y
apt-get -y install qemu qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils nginx python-cherrypy3 python-jsonschema python-m2crypto nginx python-ldap python-psutil fonts-font-awesome texlive-fonts-extra python-configobj python-parted sosreport python-imaging websockify novnc nfs-common python-ethtool open-iscsi python-guestfs libguestfs-tools spice-html5 python-paramiko 
dpkg -i wok.noarch.deb
apt-get install -f -y
dpkg -i ginger-base.noarch.deb
apt-get install -f -y
dpkg -i kimchi.noarch.deb
apt-get install -f -y
#You will need to know the root password for the web interface (passwd lets you reset it).

After the server is rebooted you can access the web interface at https://ip:8001:

The next step is to add the templates you want to build VMs for:

You can use these commands to grab newer isos (there is a feature request to automate this):

cd /var/lib/kimchi/isos
wget -c
wget -c
wget -c
wget -c
wget -c
wget -c
wget -c
wget -c
wget -c
wget -c

Once you are done with that is is amazingly easy to spin up VMs and manage them in the browser:

I use this virtualization stack a lot in my research and it is amazing.  If you have any questions feel free to reach out to me on twitter.

Site Footer