In this lab we are going to augment web01 by adding a web application firewall (WAF). The Wazuh agent should already be able to forward Apache error logs, so a good deal of our work is done for us. We are then going to run malicious HTTP requests against web01 to see how our WAF performs.
Adding software to web01
web01's ability to talk to the WAN and the WAN's ability to talk to web01 may currently be restricted. Updating and patching the server is one of the things we must do from time to time. VyOS itself cannot filter by domain name, such as allowing traffic to updates.centos.org; it has to be by IP address or subnet. For this reason, many organizations use an internal mirror for this purpose. We will use a workaround.
WAN-to-DMZ
If not already present, we need to add a new permanent rule to vyos such that established connections from the DMZ-to-WAN are allowed back through the WAN-to-DMZ firewall. If that rule (typically rule 1) is not there, add it.
DMZ-to-WAN
Make a rule to allow all traffic (temporarily):
set firewall name DMZ-to-WAN default-action accept
set firewall name WAN-to-DMZ default-action accept
Adding mod_security, the core rule set and php to web01
The following command will install mod_security, the core rule set associated with this layer 7 firewall, and the PHP necessary to make a webshell work.
Once you have installed mod_security, revert the temporary allow-all rules by setting the default action back to drop:
set firewall name DMZ-to-WAN default-action drop
set firewall name WAN-to-DMZ default-action drop
Deliverable 1. Restart httpd on web01. Provide two screenshots similar to the ones below that show that the security2_module is loaded.
Restart httpd
Run the following commands to show that security2_module is loaded
This command is used to list the loaded Apache modules (httpd -M) and then filter (grep) the output to show only the modules related to security2. The security2 module typically refers to mod_security, which is an Apache module that provides web application firewall (WAF) functionalities. Therefore, sudo httpd -M | grep security2 will display information about whether the mod_security module is loaded in your Apache server configuration.
cd /etc/httpd
Run ls and you should see the mod_security files.
You can find the apache (httpd) error log in /var/log/httpd/error_log
Once in the /var/log directory, run the following command:
Testing ModSecurity
Deliverable 2. Provide a screenshot showing that you can get to web01 from rw01. Make sure you show you are on rw01 (hostname).
I copied my original index.html to index.txt in the /var/www/html directory just in case I wanted to use it again, but not delete it.
Download a PHP webshell to /var/www/html/shell.php on web01.
You can either manually copy/paste it into a file or use wget to import the file
If you use the wget method, you will need to enable traffic on the firewall
Make sure to wget the raw code
I used the mv command to rename the original file downloaded from the link above to shell.php.
Below is what is in the shell.php file:
Deliverable 3. Use the PHP webshell to execute a command like ifconfig, hostname or whoami. Provide a screenshot showing remote code execution like the one below. You may need to be explicit about the path of the program you wish to run.
/sbin/ifconfig
/sbin/ifconfig run
hostname
hostname command run
whoami
whoami command run
Deliverable 4. Provide a screenshot that shows what happens when you attempt to run the following command within your webshell.
When I run cat /etc/passwd, I get an HTTP error saying I am forbidden to access this resource.
Deliverable 5. Find the error or warning associated with Deliverable 4 in the Apache error_log. Provide a screenshot.
sudo grep /etc/passwd /var/log/httpd/error_log
Deliverable 6. Find the same alert in Wazuh and provide a screenshot similar to the one below. You will see two types of events: 404 events directly from the Apache logs, but you should see some ModSecurity events as well.
These logs don't say /etc/passwd in them, but I know they are the logs from my failed attempt at catting /etc/passwd since I did it a bunch of times in a row and many more logs showed up.
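As an added example (not part of the lab's own commands), the following Python parser pulls the ModSecurity fields out of error_log lines so the rule id, client and URI of a block can be matched against what Wazuh shows for Deliverables 5 and 6. The log lines are constructed samples in the shape Apache 2.4 and ModSecurity 2.x write; rule 930120 and its message are from the OWASP core rule set, while the timestamps, pid, client address and unique_id are made up.

```python
import re
# Constructed sample lines in the shape Apache 2.4 + ModSecurity 2.x write to
# error_log. The rule id/msg are those of OWASP CRS rule 930120; the timestamps,
# pid, client address and unique_id are made up. Line 1 is ordinary 404 noise.
SAMPLE_ERROR_LOG = """\
[Tue Mar 05 14:02:11.123456 2024] [core:info] [pid 2231] [client 10.0.5.20:51234] AH00128: File does not exist: /var/www/html/favicon.ico
[Tue Mar 05 14:02:40.654321 2024] [:error] [pid 2231] [client 10.0.5.20:51240] [client 10.0.5.20] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:cmd' (Value: `cat /etc/passwd' ) [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "103"] [id "930120"] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:cmd: cat /etc/passwd"] [severity "CRITICAL"] [hostname "web01"] [uri "/shell.php"] [unique_id "ZecvAAAAAAAAAAAAAAAAAA"]
[Tue Mar 05 14:03:02.000001 2024] [:error] [pid 2232] [client 10.0.5.20:51244] [client 10.0.5.20] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:cmd' (Value: `cat /etc/passwd' ) [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "103"] [id "930120"] [msg "OS File Access Attempt"] [severity "CRITICAL"] [hostname "web01"] [uri "/shell.php"] [unique_id "ZecvAQAAAAAAAAAAAAAAAA"]
"""

TIMESTAMP_RE = re.compile(r'^\[([^\]]+)\]')
CLIENT_RE = re.compile(r'\[client (\d+\.\d+\.\d+\.\d+)(?::\d+)?\]')
ACTION_RE = re.compile(r'ModSecurity: (Access denied with code (\d+)|Warning)')
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # the [id "..."] [msg "..."] pairs

def parse_modsec_line(line):
    """Return a dict for a ModSecurity line, or None for ordinary Apache errors."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    fields = dict(KV_RE.findall(line))
    return {
        "time": TIMESTAMP_RE.match(line).group(1),
        "client": CLIENT_RE.search(line).group(1),
        "blocked": action.group(2) is not None,  # "Warning" = matched, not blocked
        "status": int(action.group(2)) if action.group(2) else None,
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
        "severity": fields.get("severity"),
        "data": fields.get("data", ""),  # the matched payload, when logged
    }

def parse_error_log(text):
    """Parse error_log text, keeping only the ModSecurity events."""
    events = (parse_modsec_line(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e is not None]

def count_by_rule(events):
    """Map (rule_id, msg) -> hit count; repeated cat /etc/passwd shows as a burst."""
    counts = {}
    for e in events:
        key = (e["rule_id"], e["msg"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for e in parse_error_log(SAMPLE_ERROR_LOG):
        print(e["time"], e["client"], e["status"], e["rule_id"], e["msg"], e["uri"])
```

Against the real log, feed it the output of the grep above or the whole error_log; the rule id and unique_id in each blocked event are the values to look for in the corresponding Wazuh alert.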