Apache mod_security can be configured to block OWASP Top 10 attacks.  Scan me and see.

Single server (Debian 8):

Install Packages.

apt-get install libapache2-mod-security2
service apache2 restart
cd /etc/modsecurity/
mv modsecurity.conf-recommended modsecurity.conf

Edit modsecurity.conf and enable the rule engine (the recommended file ships with it set to DetectionOnly):

SecRuleEngine On
SecRequestBodyAccess Off

Note that with SecRequestBodyAccess Off the rules only see the request line and headers; POST bodies are not inspected.

Grab OWASP Top 10 Rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /opt/OWASP

Drop a script in /etc/cron.weekly that pulls the latest rules and then copies the setup file into place (the copy overwrites any local edits to crs-setup.conf on every run):

#!/bin/sh
cd /opt/OWASP && /usr/bin/git pull
cp crs-setup.conf.example /etc/modsecurity/crs-setup.conf

Link the rules into /etc/modsecurity/ so the IncludeOptional in security2.conf picks them up:

mkdir /etc/modsecurity/rules
cd /etc/modsecurity/
ln -s /opt/OWASP/rules/* .

View /etc/apache2/mods-enabled/security2.conf and make sure it’s pointed to the correct directory and files.

<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    Include /etc/modsecurity/crs-setup.conf
    IncludeOptional /etc/modsecurity/*.conf
</IfModule>

Restart Apache:

service apache2 restart

If any rules fail to load, comment them out or just delete them.  You’ll still be fine.  To view what was blocked, check /var/log/apache2/modsec_audit.log.
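To read that audit log with a script rather than by eye, here is an added example (not code from the original post) that parses mod_security's serial audit log format into one record per transaction, so blocked requests can be summarised by client IP or by rule id. The two-transaction log it reads is a constructed sample standing in for the real file; the rule id, file and message values in it are made up to look like CRS output.

```python
import re
# Constructed sample of mod_security's serial audit log: part A is the transaction
# header, B the request, F the response headers, H the "Message:" rule hits, Z the end.
SAMPLE_LOG = """\
--c4b2d5a8-A--
[10/Jan/2016:12:00:01 +0000] Vo9H@cCoSIMAAA4qA8UAAAAA 192.168.72.1 54321 192.168.72.131 80
--c4b2d5a8-B--
GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1
--c4b2d5a8-F--
HTTP/1.1 403 Forbidden
--c4b2d5a8-H--
Message: Access denied with code 403 (phase 2). [file "/etc/modsecurity/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"]
--c4b2d5a8-Z--
--c4b2d5a9-A--
[10/Jan/2016:12:00:07 +0000] Vo9H@cCoSIMAAA4qA8UAAAAB 192.168.72.1 54322 192.168.72.131 80
--c4b2d5a9-B--
GET /dvwa/nothere.php HTTP/1.1
--c4b2d5a9-F--
HTTP/1.1 404 Not Found
--c4b2d5a9-Z--
"""

BOUNDARY = re.compile(r'^--\w+-([A-Z])--$')                   # --<txid>-<part>--
HEADER = re.compile(r'^\[(.+?)\] \S+ (\S+) \d+ \S+ \d+$')      # [time] uid client port server port
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')            # [id "941100"] [msg "..."]

def parse_audit_log(text):
    """One dict per transaction: time, client IP, request line, status, rule ids and messages."""
    entries, entry, part = [], None, None
    for line in text.splitlines():
        if m := BOUNDARY.match(line):            # boundary: 'A' opens a transaction, 'Z' closes it
            part = m.group(1)
            if part == 'A':
                entry = {'request': None, 'status': None, 'rules': [], 'msgs': []}
            elif part == 'Z' and entry is not None:
                entries.append(entry)
                entry = None
        elif entry is None:
            continue                             # data outside a transaction (e.g. a rotated log)
        elif part == 'A' and (h := HEADER.match(line)):
            entry['time'], entry['client'] = h.group(1), h.group(2)
        elif part == 'B' and entry['request'] is None:
            entry['request'] = line              # first line of B is the request line
        elif part == 'F' and line.startswith('HTTP/'):
            entry['status'] = int(line.split()[1])
        elif part == 'H' and line.startswith('Message:'):
            tags = dict(TAG.findall(line))
            entry['rules'].append(tags.get('id'))
            entry['msgs'].append(tags.get('msg'))
    return entries
```

Point it at the real file with parse_audit_log(open('/var/log/apache2/modsec_audit.log').read()) and filter on status 403 to see which rules are intercepting traffic before deciding to delete any.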

Reverse proxy server HTTP and HTTPS (Debian 8):

The mod_security box is 192.168.72.131 and the Apache server running DVWA is 192.168.72.121. For information on installing DVWA, check Google.  It’s easy.

For the HTTP proxy, add this config on the mod_security box to /etc/apache2/sites-available/000-default.conf:

<VirtualHost *:80>
        ServerAdmin administrator@myexample.net
        ServerAlias www.myexample.net
        ServerName myexample.net

        ErrorLog /var/log/apache2/example-error.log

        LogLevel info
        CustomLog /var/log/apache2/example-access.log combined

        ProxyPreserveHost On
        ProxyRequests off
        # Allow from everywhere
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        ProxyPass /audit !
        ProxyPass / http://192.168.72.121:80/
        ProxyPassReverse / http://192.168.72.121:80/
</VirtualHost>

For multiple hosts, just add additional virtual hosts and modify ProxyPass and ProxyPassReverse.

Restart Apache.
Now when you go to http://192.168.72.131/dvwa you will be proxied to the DVWA server (192.168.72.121) and have the protections of mod_security.

For SSL, first enable it on both servers:

sudo a2enmod ssl
sudo service apache2 restart

Create a self-signed cert on the DVWA box:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache.key -out /etc/ssl/private/apache.crt

Copy these to the mod_security box /etc/ssl/private/ directory.

Modify /etc/apache2/sites-available/default-ssl.conf on the DVWA box:

SSLCertificateFile      /etc/ssl/private/apache.crt
SSLCertificateKeyFile /etc/ssl/private/apache.key

Enable the site and restart Apache:

sudo a2ensite default-ssl.conf
sudo service apache2 restart

Similarly, modify the /etc/apache2/sites-available/default-ssl.conf file on the mod_security box:

<VirtualHost *:443>
        ServerAdmin administrator@myexample.net
        ServerAlias www.myexample.net
        ServerName myexample.net

        ErrorLog /var/log/apache2/example-error.log

        LogLevel info
        CustomLog /var/log/apache2/example-access.log combined

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        SSLEngine on
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/ssl/private/apache.crt
        SSLCertificateKeyFile /etc/ssl/private/apache.key

        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / https://192.168.72.121/
        ProxyPassReverse / https://192.168.72.121/
</VirtualHost>

For multiple hosts, just add additional virtual hosts and modify ProxyPass and ProxyPassReverse.

Note that SSLProxyVerify none together with the SSLProxyCheckPeer* off directives means the proxy does not verify the DVWA box's certificate at all; since that certificate was copied to the mod_security box, pointing SSLProxyCACertificateFile at it would let you turn verification back on.

Enable the site and restart Apache:

sudo a2ensite default-ssl.conf
sudo service apache2 restart

Now when you hit the Apache server on https://192.168.72.131/dvwa you will be proxied to the actual server and gain the protections of mod_security.
