Thursday, April 07, 2016

Setting up mod-security for Apache.

And so we were looking into a WAF for our sites. Let's go.

apt-get install libapache2-modsecurity


Verify that the module is loaded. If the output shows security2_module (shared), all is well.

apachectl -M | grep --color security

Rename the shipped config file (the brace expansion turns modsecurity.conf-recommended into modsecurity.conf):

mv /etc/modsecurity/modsecurity.conf{-recommended,}

Restart apache

/etc/init.d/apache2 restart

The audit log should now be written to /var/log/apache2/modsec_audit.log
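As an added example (not part of the original post), here is a small POSIX shell script that summarises that audit log: how often each rule id fired, and which clients were actually blocked rather than merely logged. It assumes the serial audit-log format that the recommended config writes (sections --id-A-- through --id-Z--, client address in section A, "Message:" lines in section H); the rule ids, addresses and file names in the embedded sample log are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise a mod_security
# serial-format audit log (Debian default: /var/log/apache2/modsec_audit.log).
# Each transaction is a run of sections "--<id>-A--" ... "--<id>-Z--":
# section A carries "[timestamp] txid client_ip client_port server_ip server_port",
# section H carries the "Message:" lines with [id "..."] and [msg "..."].
# The embedded sample log (rule ids, addresses, file names) is constructed.

# Number of "Message:" lines that fired rule id $2 in log $1 (warnings and blocks).
audit_hits_for_id() {
    grep -c "^Message: .*\[id \"$2\"\]" "$1" || true
}

# Rule id and msg of every hit, most frequent first ("  2 990001 SQL Injection ...").
audit_rule_hits() {
    sed -n 's/^Message: .*\[id "\([0-9]\{1,\}\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' "$1" \
      | sort | uniq -c | sort -rn
}

# Client IP of every transaction that was actually blocked (its H section
# contains "Access denied"), one line per transaction. "Warning." lines, which
# are what SecRuleEngine DetectionOnly produces, are deliberately not counted.
audit_denied_clients() {
    awk '
      /^--[0-9a-zA-Z]+-A--$/ { section = "A"; next }
      /^--[0-9a-zA-Z]+-H--$/ { section = "H"; next }
      /^--[0-9a-zA-Z]+-Z--$/ { if (denied) print client; denied = 0; client = ""; section = ""; next }
      /^--[0-9a-zA-Z]+-[B-GIJK]--$/ { section = ""; next }
      section == "A" && client == "" && NF >= 4 { client = $4 }
      section == "H" && /^Message: Access denied/ { denied = 1 }
    ' "$1"
}

# Write a constructed three-transaction sample log to $1 for offline testing:
# two blocked requests from 192.0.2.10, one logged-only request from 192.0.2.20.
write_sample_log() {
    cat > "$1" <<'EOF'
--aaaa1111-A--
[07/Apr/2016:10:00:01 +0000] VwYqK38AAQEAAAxGgD0AAAAA 192.0.2.10 54321 192.0.2.1 80
--aaaa1111-B--
POST /login.php HTTP/1.1
Host: www.example.test
--aaaa1111-H--
Message: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:username. [file "/usr/share/modsecurity-crs/activated_rules/sample_sqli.conf"] [line "1"] [id "990001"] [msg "SQL Injection Attack (constructed sample)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--aaaa1111-Z--

--bbbb2222-A--
[07/Apr/2016:10:00:02 +0000] VwYqK38AAQEAAAxGgD0AAAAB 192.0.2.20 54322 192.0.2.1 80
--bbbb2222-B--
GET /index.php HTTP/1.1
Host: www.example.test
--bbbb2222-H--
Message: Warning. Pattern match "(constructed)" at ARGS:q. [file "/usr/share/modsecurity-crs/activated_rules/sample_sqli.conf"] [line "1"] [id "990001"] [msg "SQL Injection Attack (constructed sample)"] [severity "CRITICAL"]
--bbbb2222-Z--

--cccc3333-A--
[07/Apr/2016:10:00:03 +0000] VwYqK38AAQEAAAxGgD0AAAAC 192.0.2.10 54323 192.0.2.1 80
--cccc3333-H--
Message: Access denied with code 403 (phase 2). Pattern match "(constructed)" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-crs/activated_rules/sample_scanner.conf"] [line "1"] [id "990002"] [msg "Scanner detected (constructed sample)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--cccc3333-Z--
EOF
}

# Summarise a real log when one is given (or exists at the Debian default path).
LOG=${1:-/var/log/apache2/modsec_audit.log}
if [ -r "$LOG" ]; then
    echo "Rule hits (count id msg):"
    audit_rule_hits "$LOG"
    echo "Blocked transactions per client:"
    audit_denied_clients "$LOG" | sort | uniq -c | sort -rn
fi
```

Run it as sh modsec_summary.sh /var/log/apache2/modsec_audit.log. While the engine is still in DetectionOnly, every hit shows up in audit_rule_hits but audit_denied_clients stays empty, which is a quick way to confirm whether the WAF is really blocking or only watching.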


Let's enable modsecurity. The shipped config only logs (DetectionOnly); switch it to blocking:

nano /etc/modsecurity/modsecurity.conf

SecRuleEngine DetectionOnly becomes SecRuleEngine On
SecResponseBodyAccess On becomes SecResponseBodyAccess Off (don't buffer and inspect response bodies)

Restart apache.

Test SQL injection

Create a PHP login page that checks the username and password against the users table. Change the database password in it to suit your database.

Log in to MySQL and create the sample database:

mysql -u root -p
create database sample;
connect sample;
create table users(username VARCHAR(100),password VARCHAR(100));
insert into users values('jesin','pwd');
insert into users values('alice','secret');
quit;

Test your page to see if you can log in.

Then under username, use this: ' or true -- 
Note the trailing space after -- (MySQL only treats -- as a comment start when it is followed by whitespace).
You should be able to log in. FUCK!!!!

Let's get the ruleset (CRS v2.2.5; wget names the download after the last URL component, so the file is called v2.2.5):

wget "https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/v2.2.5"
tar -zxf v2.2.5

Let's move the ruleset into place and activate the base and optional rules by symlinking them (the extracted directory name carries a commit hash; adjust it if yours differs):

rm -rf /usr/share/modsecurity-crs/*
mkdir -p /usr/share/modsecurity-crs
mv SpiderLabs-owasp-modsecurity-crs-5c28b52/* /usr/share/modsecurity-crs/
cd /usr/share/modsecurity-crs/
mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
cd /usr/share/modsecurity-crs/activated_rules/
ln -s ../modsecurity_crs_10_setup.conf .
for f in /usr/share/modsecurity-crs/base_rules/*; do sudo ln -s "$f" /usr/share/modsecurity-crs/activated_rules/; done
for f in /usr/share/modsecurity-crs/optional_rules/*; do sudo ln -s "$f" /usr/share/modsecurity-crs/activated_rules/; done

nano /etc/apache2/mods-available/mod-security.conf

Add the following two lines:
        Include "/usr/share/modsecurity-crs/*.conf"

        Include "/usr/share/modsecurity-crs/activated_rules/*.conf"

Make sure that mod-security.conf looks something like this:


        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        Include "/etc/modsecurity/*.conf"
        Include "/usr/share/modsecurity-crs/*.conf"
        Include "/usr/share/modsecurity-crs/activated_rules/*.conf"


Make sure that mod-security.load looks something like this:

        LoadFile libxml2.so.2
        LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

Make sure that mod-security is enabled via a2enmod. The package should have done this by default.

Restart Apache.

You might need to run a2enmod headers or apt-get install libapache2-mod-proxy-html.

Remove rules that get in the way if needed (they are just symlinks in activated_rules).
Also check that mod-security.conf does not Include the same conf twice.
Test your injection again; it should now be blocked.
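The last few checks (engine really set to On, no conf loaded twice, module loaded) as a script, added here as an example and not taken from the original post. It assumes the two config paths from this walkthrough, /etc/apache2/mods-available/mod-security.conf and /etc/modsecurity/modsecurity.conf, and should be given every file that Apache loads for modsecurity so that Includes repeated across files are caught too.

```shell
#!/bin/sh
# Added example, not part of the original post: static sanity checks for the
# mod_security setup described above. Pass every file Apache loads for
# modsecurity, e.g.:
#   sh modsec_check.sh /etc/apache2/mods-available/mod-security.conf /etc/modsecurity/modsecurity.conf
# (those two paths are assumptions taken from the walkthrough).

# Effective SecRuleEngine value across the given files: the last non-comment
# directive wins, as it does when Apache parses the config.
sec_rule_engine_mode() {
    cat "$@" 2>/dev/null \
      | sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]\{1,\}\).*/\1/p' \
      | tail -n 1
}

# Include paths that appear more than once across the given files (quotes
# stripped). Loading the same conf twice makes every rule fire twice and can
# make the restart fail with a duplicate rule id error.
duplicate_includes() {
    cat "$@" 2>/dev/null \
      | sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}//p' \
      | tr -d '"' \
      | sed 's/[[:space:]]*$//' \
      | sort | uniq -d
}

# Runtime check: is the module loaded into the running Apache?
modsec_loaded() {
    apachectl -M 2>/dev/null | grep -q 'security2_module'
}

# Print findings; return 0 only when the engine blocks and nothing is loaded twice.
check_setup() {
    status=0
    mode=$(sec_rule_engine_mode "$@")
    case "$mode" in
        On) echo "OK: SecRuleEngine On" ;;
        DetectionOnly) echo "WARN: SecRuleEngine DetectionOnly (logs only, does not block)"; status=1 ;;
        *) echo "FAIL: SecRuleEngine is '${mode:-unset}'"; status=1 ;;
    esac
    dups=$(duplicate_includes "$@")
    if [ -n "$dups" ]; then
        echo "FAIL: Include loaded more than once:"
        echo "$dups" | sed 's/^/  /'
        status=1
    else
        echo "OK: no duplicate Include directives"
    fi
    return $status
}

# Only run the checks when config paths are supplied on the command line.
if [ $# -gt 0 ]; then
    if modsec_loaded; then
        echo "OK: security2_module is loaded"
    else
        echo "WARN: security2_module not loaded (or apachectl not available)"
    fi
    check_setup "$@"
fi
```

The Include check normalises quoted and unquoted paths to the same string, so "Include /usr/share/modsecurity-crs/*.conf" in one file and Include "/usr/share/modsecurity-crs/*.conf" in another are reported as the same duplicate. A non-zero exit lets the script sit in a deploy pipeline before the Apache restart.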

Note: the current ruleset published at https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project requires modsecurity >= 2.7.
