2. Who am I
• Co-Founder Infosecgirls (infosecgirls.in)
• Security Consultant at Synopsys
• Active member of Null Bangalore
• Committee member at OWASP Women in Appsec
• Twitter : @ShruthiKamath30
3. Agenda
• What is WAF?
• What is mod security?
• Mod security rules examples
• Setup
• Demo
4. Introduction to WAF
• A web application firewall is used as a security device
protecting the web server from attack.
• Web application firewalls (WAF) are an evolving information
security technology designed to protect web sites from attack.
• WAF solutions are capable of preventing attacks that network
firewalls and intrusion detection systems can't.
• They do not require modification of application source code.
6. Introduction to Mod Security
• ModSecurity is a popular Open-source Web application
firewall (WAF).
• Originally designed as a module for the Apache HTTP
Server.
• Used across a number of different platforms including
Apache HTTP Server, Microsoft IIS and NGINX.
7. • The platform itself provides a rule configuration language
known as 'SecRules'.
• It is used for real-time monitoring, logging, and filtering of
Hypertext Transfer Protocol communications based on user-
defined rules.
• ModSecurity is known to have the following capabilities:
Security monitoring and access control
Full HTTP traffic logging
Security assessment
Web application hardening
Simple request or Regular expression based Filtering
URL Encoding Validation
8. Mod security rules
Rule Example 1 – XSS attack
• SecRule ARGS|REQUEST_HEADERS "@rx <script>" "id:101,msg:'XSS Attack',severity:ERROR,deny,status:404"
Rule Example 2 – Whitelist IP Address
• SecRule REMOTE_ADDR "@ipMatch 192.168.1.101" "id:102,phase:1,t:none,nolog,pass,ctl:ruleEngine=off"
9. mod_security with Apache Set Up on Ubuntu
• Ubuntu LAMP Server installation
• sudo apt-get install apache2
• sudo apt-get install mysql-server
• sudo apt-get install php5 libapache2-mod-php5
• sudo /etc/init.d/apache2 restart
• apt-get install libapache2-modsecurity
• apachectl -M | grep --color security
• service apache2 reload
• ls -l /var/log/apache2/modsec_audit.log
10. Configuring mod_security
• nano /etc/modsecurity/modsecurity.conf
• SecRuleEngine DetectionOnly
• logs requests and doesn't block anything.
• SecRuleEngine On
• Blocks according to rule match.
• SecResponseBodyAccess On
• Buffer response bodies
• SecRequestBodyLimit 13107200 (~12.5 MB)
• specifies the maximum POST data size.
• SecRequestBodyNoFilesLimit 131072 (~128 KB)
• size of POST data minus file uploads
• SecRequestBodyInMemoryLimit 131072
• maximum request body size that ModSecurity will store in memory
11. Setting Up Rules
• ls -l /usr/share/modsecurity-crs/
• nano /etc/apache2/mods-enabled/modsecurity.conf
• Add the following directives inside <IfModule security2_module> </IfModule>:
• Include "/usr/share/modsecurity-crs/*.conf"
• Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
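As an added example (not part of the slides), a short Python parser for the serial-format modsec_audit.log listed on the setup slide: it splits the log into transactions, pulls the rule id, msg and severity of each hit from section H, and records whether the engine blocked the request (SecRuleEngine On) or only logged it (DetectionOnly). The sample log is constructed to show two hits on the deck's rule id 101; the rule file path, unique ids and timestamps in it are made up.

```python
import re

# Constructed sample of ModSecurity's serial audit log (modsec_audit.log), not a real capture:
# two hits on the deck's rule id 101, one under SecRuleEngine On, one under DetectionOnly.
SAMPLE_AUDIT_LOG = """--a1b2c3d4-A--
[16/Oct/2018:10:00:00 +0000] W8XrfQ8AAQEAAAlRNfYAAAAA 192.168.1.50 54321 10.0.0.5 80
--a1b2c3d4-B--
GET /search?q=<script>test</script> HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 404 (phase 2). Pattern match "<script>" at ARGS:q. [file "/etc/modsecurity/local_rules.conf"] [line "3"] [id "101"] [msg "XSS Attack"] [severity "ERROR"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--a1b2c3d4-Z--
--e5f6a7b8-A--
[16/Oct/2018:10:05:00 +0000] W8XsqQ8AAQEAAAlRNfgAAAAB 192.168.1.77 40001 10.0.0.5 80
--e5f6a7b8-B--
GET /search?q=<script>test</script> HTTP/1.1
--e5f6a7b8-H--
Message: Warning. Pattern match "<script>" at ARGS:q. [file "/etc/modsecurity/local_rules.conf"] [line "3"] [id "101"] [msg "XSS Attack"] [severity "ERROR"]
Engine-Mode: "DETECTION_ONLY"
--e5f6a7b8-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)  # --<txn id>-<section letter>--
TAG = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')               # [id "..."] tags in section H

def parse_audit_log(text):
    """Split the serial-format log into {transaction_id: {section_letter: body}}."""
    parts = BOUNDARY.split(text)  # [preamble, id, letter, body, id, letter, body, ...]
    txns = {}
    for i in range(1, len(parts), 3):
        txns.setdefault(parts[i], {})[parts[i + 1]] = parts[i + 2].strip()
    return txns

def rule_hits(text):
    """One record per 'Message:' line in section H: client, request, rule, and whether it was blocked."""
    hits = []
    for txn_id, sec in parse_audit_log(text).items():
        client_ip = sec["A"].split()[3]     # A: [timestamp] unique_id src_ip src_port dst_ip dst_port
        request = sec["B"].splitlines()[0]  # B: the request line comes first
        h = sec.get("H", "")
        mode = re.search(r'Engine-Mode: "([^"]+)"', h)
        for line in h.splitlines():
            if line.startswith("Message:"):
                tags = dict(TAG.findall(line))
                hits.append({"txn": txn_id, "client": client_ip, "request": request,
                             "rule_id": tags.get("id"), "msg": tags.get("msg"), "severity": tags.get("severity"),
                             "engine_mode": mode.group(1) if mode else None,
                             "blocked": "Action: Intercepted" in h})  # absent when DetectionOnly just logs
    return hits
```

Run it against the real file with `rule_hits(open("/var/log/apache2/modsec_audit.log").read())` once SecAuditEngine is writing serial-format entries there.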