9

I'm running this on my staging server for the first time and I think I did everything correctly. I can see entries in modsec_audit.log when I run nikto2 against it, but for the life of me I can't manually make mod_security block anything. I've dropped SQL into URLs, into forms, etc., and I just got our typical user-friendly HTML 404 page, not a block from mod_security, which should be a 403 error or an outright block.

I'm worried that it's only detecting and not stopping. I've checked my config and it's definitely set to stop attacks, not just detect them. Any idea on how I can verify this thing is actually blocking attacks? Anyone have a test URL or something I can do that will prove to me that it's actually working?

DrZaiusApeLord
  • 1,174
  • 2
  • 9
  • 18

7 Answers

5

By default the engine will only be in detection mode:

SecRuleEngine DetectionOnly

You need to change it to SecRuleEngine On:

sed -i 's/^\s*SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf

and restart Apache.

Simon East
  • 1,484
  • 1
  • 14
  • 18
Hrvoje Špoljar
  • 5,162
  • 25
  • 42
5

In your browser try to access a website hosted on that server like in this example:

http://www.anywebsitefromthatserver.com/aphpfilethatdonotexist.php?something=../../etc

Then check the ModSecurity log and you'll have something similar (if you have WHM / cPanel -> check in WHM -> ModSecurity Tools to see the log):

2017-12-14 10:28:41 www.anywebsitefromthatserver.com    YOUR IP: 68.XX.XX.XX    CRITICAL    404  930100: Path Traversal Attack (/../)

The detailed log will be like:

Request:    GET /aphpfilethatdonotexist.php?something=../../etc
Action Description: Warning.
Justification:  Pattern match "(?i)(?:\\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8 ..." at REQUEST_URI_RAW.

If you see a similar log then you can be sure your ModSecurity is activated and working.

Marius
  • 151
  • 1
  • 2
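The log excerpt in the answer above shows a rule match reported as "Warning." ModSecurity writes that word for every rule that merely matched and logged; a transaction the engine actually refused shows a message beginning "Access denied with code 403" in the same H section, and ModSecurity 2.x also records the engine mode there. The following POSIX shell function, an added example that is not part of the thread or of the ModSecurity project, reads audit-log text and says which of the two happened. The two sample log excerpts are constructed for the example; the rule ids are OWASP CRS ids, and the exact pattern text is abbreviated.

```shell
#!/bin/sh
# Added example: decide from ModSecurity audit-log text whether a request was
# merely detected or actually blocked. Assumes the native serial audit-log
# format, where part H carries lines such as
#   Message: Warning. Pattern match "..." at ARGS:q. [id "942100"] ...
#   Message: Access denied with code 403 (phase 2). ... [id "949110"] ...
#   Engine-Mode: "DETECTION_ONLY"   (or "ENABLED")

# audit_verdict: read audit-log text on stdin and print one word:
#   blocked   - a disruptive action was applied (engine is enforcing)
#   detected  - rules matched and logged, but nothing was denied
#   clean     - no rule messages at all
audit_verdict() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -q 'Message: Access denied with code'; then
        echo blocked
    elif printf '%s\n' "$input" | grep -q 'Message: Warning\.'; then
        echo detected
    else
        echo clean
    fi
}

# audit_engine_mode: print the Engine-Mode value recorded in part H
# (ENABLED or DETECTION_ONLY), empty if the log carries none.
audit_engine_mode() {
    sed -n 's/^Engine-Mode: "\([A-Z_]*\)".*/\1/p' | head -n 1
}

# Constructed sample: the H section of one transaction with SecRuleEngine DetectionOnly.
SAMPLE_DETECT='--b7a3f1c0-H--
Message: Warning. Pattern match "(?i:...)" at ARGS:q. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
Engine-Mode: "DETECTION_ONLY"'

# Constructed sample: the same request with SecRuleEngine On.
SAMPLE_BLOCK='--b7a3f1c0-H--
Message: Warning. Pattern match "(?i:...)" at ARGS:q. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
Engine-Mode: "ENABLED"'

# Demonstration on the constructed samples:
printf 'DetectionOnly sample: %s (engine %s)\n' \
    "$(printf '%s\n' "$SAMPLE_DETECT" | audit_verdict)" \
    "$(printf '%s\n' "$SAMPLE_DETECT" | audit_engine_mode)"
printf 'Enforcing sample:     %s (engine %s)\n' \
    "$(printf '%s\n' "$SAMPLE_BLOCK" | audit_verdict)" \
    "$(printf '%s\n' "$SAMPLE_BLOCK" | audit_engine_mode)"
```

Against a real log, run something like `tail -n 200 /var/log/apache2/modsec_audit.log | audit_verdict` right after sending a test request (the path is the one the Rapid7 answer below uses; adjust it to your setup). A stream of "Warning." messages with no "Access denied" line, together with Engine-Mode "DETECTION_ONLY", is exactly the situation the question describes: rules fire, the log fills, and the request still reaches the application.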
3

I found an answer to this. Just visit your site like so: example.com/etc/passwd

That'll bring up an instant 403 from mod_security and log it in its default log.

DrZaiusApeLord
  • 1,174
  • 2
  • 9
  • 18
3

I have a check as below:

$ curl -ks -o /dev/null -w '%{http_code}' "https://something.example.com/foo?username=1'%20or%20'1'%20=%20'"

If you get a 403, then ModSecurity is working as expected.

vikas027
  • 1,149
  • 2
  • 11
  • 14
3

You could have a look at the Rapid7 guide for basic configuration.

https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/

There are a couple of test curls which should produce log entries. The log entries appear in both /var/log/apache2/access and /var/log/apache2/modsec_audit.log, depending on your setup.

XSS test

curl 'http://www.example.com/?q="><script>alert(1)</script>'

SQL injection

curl "http://www.example.com/?q='1 OR 1=1"

dcos
  • 143
  • 1
  • 5
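The curl checks in the two answers above only work if you read the status code rather than the page body: a 403 means ModSecurity refused the request, while the 404 the question describes means the request went straight through to the application and the engine is not enforcing. The script below, an added example that is not part of the thread or of the ModSecurity project, wraps those probes, classifies each response, and also reports the effective SecRuleEngine value from a config file. It assumes curl is installed, that the blocking action is the default 403, and that a hypothetical MODSEC_PROBE_TARGET environment variable names the staging site; the probe strings are constructed from the payloads already posted in this thread.

```shell
#!/bin/sh
# Added example: fire a few known-bad requests at a staging site and judge
# from the HTTP status whether ModSecurity blocked each one.
# Assumptions: curl available; default disruptive action is 403;
# MODSEC_PROBE_TARGET (hypothetical) holds the base URL, e.g.
#   MODSEC_PROBE_TARGET=https://staging.example.com sh modsec_probe.sh

# classify_status: map an HTTP status code to a verdict word
classify_status() {
    case "$1" in
        403) echo blocked ;;      # ModSecurity's default disruptive action
        000) echo unreachable ;;  # curl could not connect at all
        *)   echo passed ;;       # 200, 404, ... : the backend answered, nothing was blocked
    esac
}

# engine_mode: print the effective SecRuleEngine value in a config file.
# The last uncommented directive wins, mirroring how Apache reads the file.
engine_mode() {
    sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# probe: request one URL and print "verdict  status  url"
probe() {
    url=$1
    code=$(curl -ks -o /dev/null -w '%{http_code}' "$url")
    printf '%-12s %s  %s\n' "$(classify_status "$code")" "$code" "$url"
}

# run_probes: a clean control request followed by the payloads seen in this thread
# (SQL injection, reflected XSS, path traversal), URL-encoded so the shell and
# curl pass them through unchanged.
run_probes() {
    base=$1
    probe "$base/"                                             # control: expected "passed"
    probe "$base/?q=%27%201%20OR%201%3D1"                      # '1 OR 1=1
    probe "$base/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"   # "><script>alert(1)</script>
    probe "$base/index.php?f=../../etc/passwd"                 # ../../etc/passwd
}

# Only touch the network when a target was given, so the file can also be
# sourced for its functions.
if [ -n "${MODSEC_PROBE_TARGET:-}" ]; then
    echo "SecRuleEngine in /etc/modsecurity/modsecurity.conf: $(engine_mode /etc/modsecurity/modsecurity.conf 2>/dev/null)"
    run_probes "${MODSEC_PROBE_TARGET%/}"
fi
```

If the control request is "passed" and every payload line is also "passed", the engine is not enforcing: check the engine_mode output (it should print On, not DetectionOnly) and remember that a SecRuleEngine directive in a later-included virtual host file overrides the one in modsecurity.conf. If the control itself comes back "unreachable", fix connectivity first; a 000 says nothing about ModSecurity.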
1

You can Google for some online 'XSS tester' or 'XSS scanner' and let the tool carry out a few solicited attacks on your staging site. The tool might also provide you with a report detailing the outcome of the 'attack'.

You can then tail your logs to see if the entries match the report, particularly the date, time and IP address, if there are any.

Vicky
  • 26
  • 3
0

Try this: https://example.com/?id=1 and 'c'='c'

Replace example.com with your domain name. Use the whole URL as highlighted above. This should return 403.

Abe
  • 123
  • 5