Modsecurity Lab with Apache Web server
=======================================

In these exercises, we will install and configure ModSecurity, a web application firewall (WAF). The aim is to mitigate:

- SQL injection
- cross site scripting
- Trojans
- bad user agents
- session hijacking
- etc.

## Notes

* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "rtrX>" or "mysql>") imply that you are executing commands on remote equipment, or within another program.
* Any line starting with "-" contains an explanation or directives.

Testing an SQL Injection
=========================

-Update the package index files:

```
# apt-get update && apt-get dist-upgrade
```

-Install the Apache web server:

```
# apt-get install apache2
```

-Install the MySQL server, PHP and the PHP MySQL extension by running the command below:

```
# apt-get install mysql-server php5-mysql php5 libapache2-mod-php5
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libaio1 libdbd-mysql-perl libdbi-perl libhtml-template-perl libmysqlclient18
  libterm-readkey-perl mysql-client-5.5 mysql-client-core-5.5 mysql-common
  mysql-server-5.5 mysql-server-core-5.5 php5-common php5-fpm
Suggested packages:
  libclone-perl libmldbm-perl libnet-daemon-perl libplrpc-perl
  libsql-statement-perl libipc-sharedcache-perl tinyca mailx php5-user-cache
  php-pear
The following NEW packages will be installed:
  libaio1 libdbd-mysql-perl libdbi-perl libhtml-template-perl libmysqlclient18
  libterm-readkey-perl mysql-client-5.5 mysql-client-core-5.5 mysql-common
  mysql-server mysql-server-5.5 mysql-server-core-5.5 php5-mysql
The following packages will be upgraded:
  php5-common php5-fpm
2 upgraded, 13 newly installed, 0 to remove and 44 not upgraded.
Need to get 12.2 MB of archives.
After this operation, 96.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
```

-Next you'll be asked:

```
New password for the MySQL "root" user:
```

-Enter kenet@lab as the password.

-Then you'll be asked to verify the root MySQL password:

```
Repeat password for the MySQL "root" user
```

-Enter the same password.

-Access the MySQL prompt:

```
# mysql -u root -p
Enter password:
```

-Here, create a MySQL database called sample and connect to it:

```
mysql> create database sample;
Query OK, 1 row affected (0.00 sec)

mysql> connect sample;
Connection id:    43
Current database: sample
```

-Then create a table containing some credentials: the username test and the password password.

```
mysql> create table users(username VARCHAR(100),password VARCHAR(100));
mysql> insert into users values('test','password');
mysql> quit;
```

-Next, create the login script in Apache's document root. Copy the content below into the file, then save and close it:

```
# vi /var/www/html/login.php
```

```php
<html>
<body>
<?php
    if (isset($_POST['login'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        // Connects with the MySQL root account and password set during installation above.
        $con = mysqli_connect('localhost', 'root', 'kenet@lab', 'sample');
        // Deliberately vulnerable lab script: the submitted values are concatenated straight
        // into the SQL statement, which is what the injection test in the next step relies on.
        $result = mysqli_query($con, "SELECT * FROM `users` WHERE username='$username' AND password='$password'");
        if (mysqli_num_rows($result) == 0) {
            echo 'Invalid username or password';
        } else {
            echo '<h1>Logged in</h1><p>This is text that should only be displayed when logged in with valid credentials.</p>';
        }
    } else {
?>
        <form action="" method="post">
            Username: <input type="text" name="username"/><br />
            Password: <input type="password" name="password"/><br />
            <input type="submit" name="login" value="Login"/>
        </form>
<?php
    }
?>
</body>
</html>
```
-This script will display a login form. Open your browser and navigate to:

```
http://hostX.ws.nsrc.org/login.php
```

-First test if you can log in using the account created in the database:

```
username: test
password: password
```

-It should be successful.

-Now try to run an SQL injection command. Log in as:

```
username: ' or true -
password: (leave the password blank)
```

-It should also be successful.

#### Now let us mitigate such attacks using ModSecurity

-Install mod_security:

```
# sudo apt-get install libapache2-mod-security2 -y
```

-To enable the mod_security rules, copy the recommended mod_security configuration file, then edit it as described below:

```
# sudo cp -prv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
'/etc/modsecurity/modsecurity.conf-recommended' -> '/etc/modsecurity/modsecurity.conf'
```

Basic Directives to Enable

-Edit the modsecurity.conf file:

```
# sudo vi /etc/modsecurity/modsecurity.conf
```

-The default ModSecurity configuration file is set to DetectionOnly, which logs requests according to rule matches and does not block anything:

```
SecRuleEngine DetectionOnly
```

-Change it to `SecRuleEngine On`, or use the command below to make the change:

```
# sudo sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /etc/modsecurity/modsecurity.conf
```

Optional Directives to Modify

-Below are the directives that specify the maximum POST data size. If anything larger is sent by a client, the server will respond with a 413 Request Entity Too Large error:

```
SecRequestBodyLimit
SecRequestBodyNoFilesLimit
```

-For this lab we will not set these parameters.

-The mod_security rules are available in the following directories:

```
/usr/share/modsecurity-crs/base_rules
/usr/share/modsecurity-crs/optional_rules
/usr/share/modsecurity-crs/experimental_rules
```

```
# ls -lah /usr/share/modsecurity-crs/base_rules
total 344K
drwxr-xr-x 2 root root 4.0K Oct 21 11:05 .
drwxr-xr-x 9 root root 4.0K Oct 21 11:05 ..
-rw-r--r-- 1 root root 2.0K Jul 12  2013 modsecurity_35_bad_robots.data
-rw-r--r-- 1 root root  386 Jul 12  2013 modsecurity_35_scanners.data
-rw-r--r-- 1 root root 3.9K Jul 12  2013 modsecurity_40_generic_attacks.data
-rw-r--r-- 1 root root 2.2K Jul 12  2013 modsecurity_50_outbound.data
-rw-r--r-- 1 root root  56K Jul 12  2013 modsecurity_50_outbound_malware.data
-rw-r--r-- 1 root root  23K Jul 12  2013 modsecurity_crs_20_protocol_violations.conf
-rw-r--r-- 1 root root 6.8K Jul 12  2013 modsecurity_crs_21_protocol_anomalies.conf
-rw-r--r-- 1 root root 3.8K Jul 12  2013 modsecurity_crs_23_request_limits.conf
-rw-r--r-- 1 root root 6.8K Jul 12  2013 modsecurity_crs_30_http_policy.conf
-rw-r--r-- 1 root root 5.3K Jul 12  2013 modsecurity_crs_35_bad_robots.conf
-rw-r--r-- 1 root root  20K Jul 12  2013 modsecurity_crs_40_generic_attacks.conf
-rw-r--r-- 1 root root  43K Jul 12  2013 modsecurity_crs_41_sql_injection_attacks.conf
-rw-r--r-- 1 root root  95K Jul 12  2013 modsecurity_crs_41_xss_attacks.conf
-rw-r--r-- 1 root root 1.8K Jul 12  2013 modsecurity_crs_42_tight_security.conf
-rw-r--r-- 1 root root 3.6K Jul 12  2013 modsecurity_crs_45_trojans.conf
-rw-r--r-- 1 root root 2.2K Jul 12  2013 modsecurity_crs_47_common_exceptions.conf
-rw-r--r-- 1 root root 2.8K Jul 12  2013 modsecurity_crs_48_local_exceptions.conf.example
-rw-r--r-- 1 root root 1.8K Jul 12  2013 modsecurity_crs_49_inbound_blocking.conf
-rw-r--r-- 1 root root  22K Jul 12  2013 modsecurity_crs_50_outbound.conf
-rw-r--r-- 1 root root 1.5K Jul 12  2013 modsecurity_crs_59_outbound_blocking.conf
-rw-r--r-- 1 root root 2.7K Jul 12  2013 modsecurity_crs_60_correlation.conf
```

```
# ls -lah /usr/share/modsecurity-crs/optional_rules
total 92K
drwxr-xr-x 2 root root 4.0K Oct 21 11:05 .
drwxr-xr-x 9 root root 4.0K Oct 21 11:05 ..
-rw-r--r-- 1 root root  488 Jul 12  2013 modsecurity_42_comment_spam.data
-rw-r--r-- 1 root root 2.3K Jul 12  2013 modsecurity_crs_10_ignore_static.conf
-rw-r--r-- 1 root root 1.5K Jul 12  2013 modsecurity_crs_11_avs_traffic.conf
-rw-r--r-- 1 root root  651 Jul 12  2013 modsecurity_crs_13_xml_enabler.conf
-rw-r--r-- 1 root root 2.1K Jul 12  2013 modsecurity_crs_16_authentication_tracking.conf
-rw-r--r-- 1 root root 3.8K Jul 12  2013 modsecurity_crs_16_session_hijacking.conf
-rw-r--r-- 1 root root 1.6K Jul 12  2013 modsecurity_crs_16_username_tracking.conf
-rw-r--r-- 1 root root 9.0K Jul 12  2013 modsecurity_crs_25_cc_known.conf
-rw-r--r-- 1 root root 4.3K Jul 12  2013 modsecurity_crs_42_comment_spam.conf
-rw-r--r-- 1 root root 3.5K Jul 12  2013 modsecurity_crs_43_csrf_protection.conf
-rw-r--r-- 1 root root  811 Jul 12  2013 modsecurity_crs_46_av_scanning.conf
-rw-r--r-- 1 root root  855 Jul 12  2013 modsecurity_crs_47_skip_outbound_checks.conf
-rw-r--r-- 1 root root 3.2K Jul 12  2013 modsecurity_crs_49_header_tagging.conf
-rw-r--r-- 1 root root  14K Jul 12  2013 modsecurity_crs_55_application_defects.conf
-rw-r--r-- 1 root root 1.2K Jul 12  2013 modsecurity_crs_55_marketing.conf
```

```
# ls -lah /usr/share/modsecurity-crs/experimental_rules
total 84K
drwxr-xr-x 2 root root 4.0K Oct 21 11:05 .
drwxr-xr-x 9 root root 4.0K Oct 21 11:05 ..
-rw-r--r-- 1 root root 3.4K Jul 12  2013 modsecurity_crs_11_brute_force.conf
-rw-r--r-- 1 root root 2.2K Jul 12  2013 modsecurity_crs_11_dos_protection.conf
-rw-r--r-- 1 root root 1.6K Jul 12  2013 modsecurity_crs_11_proxy_abuse.conf
-rw-r--r-- 1 root root 1.2K Jul 12  2013 modsecurity_crs_11_slow_dos_protection.conf
-rw-r--r-- 1 root root 1.3K Jul 12  2013 modsecurity_crs_16_scanner_integration.conf
-rw-r--r-- 1 root root 1.6K Jul 12  2013 modsecurity_crs_25_cc_track_pan.conf
-rw-r--r-- 1 root root 2.5K Jul 12  2013 modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
-rw-r--r-- 1 root root 8.5K Jul 12  2013 modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf
-rw-r--r-- 1 root root 1.4K Jul 12  2013 modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf
-rw-r--r-- 1 root root  419 Jul 12  2013 modsecurity_crs_40_appsensor_detection_point_3.0_end.conf
-rw-r--r-- 1 root root 2.2K Jul 12  2013 modsecurity_crs_40_http_parameter_pollution.conf
-rw-r--r-- 1 root root 2.2K Jul 12  2013 modsecurity_crs_42_csp_enforcement.conf
-rw-r--r-- 1 root root 1.2K Jul 12  2013 modsecurity_crs_46_scanner_integration.conf
-rw-r--r-- 1 root root 1.2K Jul 12  2013 modsecurity_crs_48_bayes_analysis.conf
-rw-r--r-- 1 root root 3.1K Jul 12  2013 modsecurity_crs_55_response_profiling.conf
-rw-r--r-- 1 root root  711 Jul 12  2013 modsecurity_crs_56_pvi_checks.conf
-rw-r--r-- 1 root root 2.0K Jul 12  2013 modsecurity_crs_61_ip_forensics.conf
```

-It is recommended to download and configure the OWASP (Open Web Application Security Project) core rule set.

-Use git to download the rules:

```
# sudo apt-get install git
# cd /etc/modsecurity/
etc/modsecurity# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
Cloning into 'owasp-modsecurity-crs'...
remote: Counting objects: 1440, done.
remote: Compressing objects: 100% (12/12), done.
remote: Total 1440 (delta 2), reused 0 (delta 0), pack-reused 1428
Receiving objects: 100% (1440/1440), 11.39 MiB | 1.66 MiB/s, done.
Resolving deltas: 100% (915/915), done.
Checking connectivity... done.
etc/modsecurity# ls -lah
drwxr-xr-x 10 root root 4.0K Oct 21 12:04 owasp-modsecurity-crs
etc/modsecurity# ls -lah owasp-modsecurity-crs/
total 124K
drwxr-xr-x 10 root root 4.0K Oct 21 12:04 .
drwxr-xr-x  7 root root 4.0K Oct 21 12:03 ..
drwxr-xr-x  2 root root 4.0K Oct 21 12:04 activated_rules
drwxr-xr-x  2 root root 4.0K Oct 21 12:04 base_rules
-rw-r--r--  1 root root  39K Oct 21 12:04 CHANGES
drwxr-xr-x  2 root root 4.0K Oct 21 12:04 experimental_rules
drwxr-xr-x  8 root root 4.0K Oct 21 12:04 .git
-rw-r--r--  1 root root   12 Oct 21 12:04 .gitignore
-rw-r--r--  1 root root 7.4K Oct 21 12:04 INSTALL
-rw-r--r--  1 root root  12K Oct 21 12:04 LICENSE
drwxr-xr-x  2 root root 4.0K Oct 21 12:04 lua
-rw-r--r--  1 root root  14K Oct 21 12:04 modsecurity_crs_10_setup.conf.example
drwxr-xr-x  2 root root 4.0K Oct 21 12:04 optional_rules
-rw-r--r--  1 root root 1.5K Oct 21 12:04 README.md
drwxr-xr-x  2 root root 4.0K Oct 21 12:04 slr_rules
drwxr-xr-x  8 root root 4.0K Oct 21 12:04 util
```

-Activate the default CRS config file modsecurity_crs_10_setup.conf.example:

```
etc/modsecurity# sudo mv -vf owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
etc/modsecurity# ls -lah
total 100K
drwxr-xr-x  3 root root 4.0K Oct 21 12:53 .
drwxr-xr-x 96 root root 4.0K Oct 21 11:13 ..
-rw-r--r--  1 root root 7.6K Oct 21 12:41 modsecurity.conf
-rw-r--r--  1 root root 7.7K Jan 16  2014 modsecurity.conf-recommended
-rw-r--r--  1 root root  14K Oct 21 12:52 modsecurity_crs_10_setup.conf
drwxr-xr-x 10 root root 4.0K Oct 21 12:53 owasp-modsecurity-crs
-rw-r--r--  1 root root  53K Nov 21  2013 unicode.mapping
```

-Ensure that all ModSecurity rules are loaded by the `IncludeOptional /etc/modsecurity/*.conf` and `IncludeOptional "/usr/share/modsecurity-crs/base_rules/*.conf"` directives. The first one loads all .conf files in the modsecurity directory:

```
# less /etc/apache2/mods-available/security2.conf
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf
        IncludeOptional "/usr/share/modsecurity-crs/base_rules/*.conf"
```

-Enable the ModSecurity module:

```
# a2enmod security2
Considering dependency unique_id for security2:
Enabling module unique_id.
Enabling module security2.
To activate the new configuration, you need to run:
  service apache2 restart
```

-Enable the headers module and restart Apache:

```
# sudo a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
  service apache2 restart
# sudo service apache2 restart
 * Restarting web server apache2                                    [ OK ]
```

-Verify that the module is on:

```
# sudo apachectl -M | grep security2
 security2_module (shared)
```

-Restart Apache:

```
# sudo service apache2 restart
 * Restarting web server apache2
```

-A new log file for ModSecurity will be created in the Apache logs directory at:

```
/var/log/apache2/modsec_audit.log
```

### Final testing

-Now try to run the SQL injection command again. Log in as:

```
username: ' or true -
password: (leave the password blank)
```

-You should now be unable to log in.

-See the ModSecurity logs for matching events by running the command below:

```
# sudo tail -f /var/log/apache2/modsec_audit.log
```

-Visit http://www.securityidiots.com/Web-Pentest/SQL-Injection/bypass-login-using-sql-injection.html for more SQL injection command examples.
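The audit log is where you confirm that a request was actually intercepted rather than only logged (the difference between `SecRuleEngine DetectionOnly` and `SecRuleEngine On`). As an added example that is not part of the lab, the Python below parses the serial-format modsec_audit.log into transactions and pulls out, for each one, the source address, request line, response status, the CRS rule ids and messages that matched, and whether ModSecurity blocked it. The log entry it runs on is constructed for the example (boundary, timestamp, addresses and the rule id/line number are illustrative, not a real capture).

```python
import re

# Constructed sample of one ModSecurity 2.x serial audit log transaction (SecAuditLogType Serial).
# Boundary, timestamp, addresses, rule line number and id are illustrative, not a real capture.
SAMPLE_AUDIT_LOG = """--3c8a1b2c-A--
[21/Oct/2015:13:02:11 +0300] Vid3f8CoAAEAAAtsHJkAAAAB 10.10.0.5 51234 10.10.0.20 80
--3c8a1b2c-B--
POST /login.php HTTP/1.1
Host: hostX.ws.nsrc.org

--3c8a1b2c-F--
HTTP/1.1 403 Forbidden

--3c8a1b2c-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:username. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "123"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
Action: Intercepted (phase 2)
--3c8a1b2c-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)   # "--<boundary>-<part>--" separators
PART_A_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) \d+ (?P<dst>\S+) \d+")
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # [id "981245"], [msg "..."], ...

def split_transactions(text):
    """Return {boundary: {part_letter: body}}; re.split yields [pre, boundary, letter, body, ...]."""
    pieces = PART_RE.split(text)
    txns = {}
    for i in range(1, len(pieces) - 2, 3):
        txns.setdefault(pieces[i], {})[pieces[i + 1]] = pieces[i + 2].strip()
    return txns

def summarize(txn):
    """Reduce one transaction to what a responder triages: source, request, rule hits, blocked?"""
    a = PART_A_RE.match(txn.get("A", ""))
    h_lines = txn.get("H", "").splitlines()
    rules = [dict(KV_RE.findall(ln)) for ln in h_lines if ln.startswith("Message:")]
    return {
        "unique_id": a.group("uid") if a else None,
        "source": a.group("src") if a else None,
        "request": txn.get("B", "").split("\n", 1)[0],
        "status": txn.get("F", "").split()[1] if txn.get("F") else None,
        "blocked": any(ln.startswith("Action: Intercepted") for ln in h_lines),
        "rule_ids": [r.get("id") for r in rules],
        "messages": [r.get("msg") for r in rules],
    }

def blocked_events(text):
    """Only the transactions ModSecurity intercepted; in DetectionOnly mode this list stays empty."""
    return [s for s in map(summarize, split_transactions(text).values()) if s["blocked"]]
```

Feed it the contents of /var/log/apache2/modsec_audit.log to list the blocked logins from the final test; a run in DetectionOnly mode shows the same rule matches but no "Action: Intercepted", so `blocked_events` returns nothing.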