Friday, 1 April 2016

Install and Configure ModSecurity with Apache on Kali Linux



Installing and configuring mod_security with Apache is quite easy on Kali Linux. This tutorial shows how to deploy mod_security with apache2 on Kali Linux 2.0. Kali Linux comes with apache2 pre-installed. To start the Apache service, open a terminal and enter the following command:
 service apache2 start 
To check whether Apache has started, open a browser and type localhost in the address bar. If the Apache service started correctly, the browser will show the following page.

Yeah...!!! We got exactly this page, so our Apache server is working correctly. The next thing we need is a vulnerable page to test mod_security.

Set up a Vulnerable page: 

We need a vulnerable page to test whether mod_security is working.
Create a PHP file named login.php in the document root (/var/www/html/).
 leafpad /var/www/html/login.php 
Copy and paste the following code into login.php and save it. Be sure to change the "MySQL password" in the script below so that it will connect to the database:

<html>
<body>
<?php
    if(isset($_POST['login']))
    {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $con = mysqli_connect('localhost','root','your_mysql_password','sample');
        // Deliberately vulnerable: user input is concatenated straight into the SQL string
        $result = mysqli_query($con, "SELECT * FROM `users` WHERE username='$username' AND password='$password'");
        if(mysqli_num_rows($result) == 0)
            echo 'Invalid username or password';
        else
            echo '<h1>Logged in</h1><p>This is text that should only be displayed when logged in with valid credentials.</p>';
    }
    else
    {
?>
        <form action="" method="post">
            Username: <input type="text" name="username"/><br />
            Password: <input type="password" name="password"/><br />
            <input type="submit" name="login" value="Login"/>
        </form>
<?php
    }
?>
</body>
</html>
 
This script will display a login form. Entering the right credentials will display a message "Logged in, This is text that should only be displayed when logged in with valid user credentials."
We need credentials in the database. Create a MySQL database and a table, then insert usernames and passwords.
mysql -u root -p
This will take you to the mysql> prompt.
create database sample;
connect sample;
create table users(username VARCHAR(100),password VARCHAR(100));
insert into users values('honey','badger');
insert into users values('jenson','secret');
quit;
Open your browser, navigate to http://localhost/login.php and enter the right pair of credentials.
Username: honey
Password: badger
You'll see a message that indicates successful login. Now go back and enter a wrong pair of credentials; you'll see the message Invalid username or password.
We can confirm that the script works right. The next job is to try our hand with SQL injection to bypass the login page. Enter the following for the username field:
' or 1=1 --  
Note that there should be a space after the --; this injection won't work without that space. Leave the password field empty and hit the login button.
Wow...! The script shows the message (Logged in) meant for authenticated users.
So now we have a working Apache server and an SQLi-vulnerable page.
Next we are going to deploy mod_security.


Install and configure ModSecurity

Hardening Apache:


Before installing mod_security, we should harden Apache. Open the security configuration and set the following directives:
leafpad /etc/apache2/conf-enabled/security.conf
ServerSignature Off
TraceEnable Off
Header unset ETag
FileETag None
For these to take effect you'll need to enable mod_headers:
ln -s /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/headers.load
Then restart Apache:
service apache2 restart

Installing and configuring ModSecurity:

To install the ModSecurity web application firewall, first install the necessary packages:
apt-get install libapache2-mod-security2
Prepare to enable the recommended configuration:
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Open the modsecurity.conf file:
/etc/modsecurity/modsecurity.conf
Then edit the following:
  1. Set SecRuleEngine to On to activate the rules.
  2. Change SecRequestBodyLimit and SecRequestBodyInMemoryLimit to 16384000 (or higher as needed) to increase the file upload size limit to 16 MB.
Next, install the OWASP Core Rule Set:
cd /tmp
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/master.zip
unzip master.zip
cp -r owasp-modsecurity-crs-master/* /etc/modsecurity/
mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
ls /etc/modsecurity/base_rules | xargs -I {} ln -s /etc/modsecurity/base_rules/{} /etc/modsecurity/activated_rules/{}
ls /etc/modsecurity/optional_rules | xargs -I {} ln -s /etc/modsecurity/optional_rules/{} /etc/modsecurity/activated_rules/{}

To add the rules to Apache, edit /etc/apache2/mods-available/security2.conf and add the following line near the end, just before </IfModule>:

Include "/etc/modsecurity/activated_rules/*.conf"
Restart Apache to activate the new security rules:
service apache2 restart

If Apache restarts successfully, that means our ModSecurity is working properly.
To test this, open http://localhost/login.php in the browser, type the following input in the username field and press Enter.
' or 1=1 -- 

If everything is working fine, you will get an Access Denied !!!!
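
A successful restart only shows that the configuration parsed, and the recommended modsecurity.conf ships with SecRuleEngine DetectionOnly, which logs but does not block. The script below is an added example (not part of the original tutorial) that checks the effective engine mode, sends the same test input to login.php expecting a 403, and looks for the denial in the Apache error log. The function names, the sample log line and the Debian default log path /var/log/apache2/error.log are assumptions.

```shell
#!/usr/bin/env bash
# Added example: checks for the setup in this tutorial. The config path and
# login.php URL are the ones used above; function names are made up here.

# Effective SecRuleEngine value in a config file: the last uncommented
# occurrence wins. Prints "unset" if the directive never appears.
secrule_engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Print "rule-id uri" for each ModSecurity denial in an Apache error log
# (file arguments, or stdin when none are given).
denied_rules() {
    sed -n 's/.*ModSecurity: Access denied.*\[id "\([0-9]*\)"].*\[uri "\([^"]*\)"].*/\1 \2/p' "$@"
}

# POST the tutorial's test input to login.php and print the HTTP status.
probe_login() {
    curl -s -o /dev/null -w '%{http_code}' \
        --data-urlencode "username=' or 1=1 -- " \
        --data-urlencode 'password=' --data-urlencode 'login=Login' \
        "${1:-http://localhost/login.php}"
}

# Full check: engine must be On (DetectionOnly only logs), the probe must be
# answered with 403, and a denial for /login.php must be in the error log.
verify_setup() {
    local conf=/etc/modsecurity/modsecurity.conf log=/var/log/apache2/error.log
    local mode status
    mode=$(secrule_engine_mode "$conf")
    [ "$mode" = "On" ] || { echo "FAIL: SecRuleEngine is $mode"; return 1; }
    status=$(probe_login) || true
    [ "$status" = "403" ] || { echo "FAIL: login.php answered $status"; return 1; }
    denied_rules "$log" | grep -q ' /login.php$' ||
        { echo "FAIL: no denial for /login.php in $log"; return 1; }
    echo "OK: request blocked with 403 and logged"
}

# Constructed sample error-log line (rule id and file name are made up).
SAMPLE_LOG='[Fri Apr 01 10:15:02.123456 2016] [:error] [pid 1234] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/activated_rules/example.conf"] [id "999001"] [msg "constructed sample"] [hostname "localhost"] [uri "/login.php"] [unique_id "constructed"]'

# Run the live check only when asked: ./verify_modsec.sh --live
if [ "${1:-}" = "--live" ]; then verify_setup; fi
```

Run it as root with --live after the final Apache restart; without the flag it only defines the functions, so `printf '%s\n' "$SAMPLE_LOG" | denied_rules` can be tried offline.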

Feel free to ask questions.
Bye