0. NOTES

• this tutorial requires a basic understanding of the Linux Terminal and a text editor such as Nano or Vi
• this tutorial assumes Ubuntu on AWS. Installation elsewhere will likely be very similar.

1. SSL

2. INSTALL WAF / ENABLE MOD_SECURITY

• Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
• Install WAF
  • sudo apt-get install libapache2-modsecurity
  • Might have to run: sudo dpkg --configure -a
• Check Installation
  • apachectl -M | grep security
• Rename rules
  • mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
• Turn rules on
  • sudo vi /etc/modsecurity/modsecurity.conf
  • make sure it reads SecRuleEngine on
• Remove default rules
  • sudo rm -rf /usr/share/modsecurity-crs
• Download github rules
  • sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
• Rename setup file
  • cd /usr/share/modsecurity-crs
  • sudo mv crs-setup.conf.example crs-setup.conf
• Add all new rules
  • sudo vi /etc/apache2/mods-enabled/security2.conf
  • place the following block in the document

<IfModule security2_module>
    SecDataDir /var/cache/modsecurity 
    IncludeOptional /etc/modsecurity/*.conf 
    IncludeOptional "/usr/share/modsecurity-crs/*.conf 
    IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf 
</IfModule>

• Restart apache
  • systemctl restart apache2
• Raise paranoia level to 2 out of 5
  • sudo vi /usr/share/modsecurity-crs/crs-setup.conf
  • Edit this line to be 2 instead of 1:
    • setvar:tx.paranoia_level=2
• Test WAF
  • http://<your IP or domain name>/?q="><script>alert(1)</script>
  • http://<your IP or domain name>/?q='1 OR 1=1
  • You should get a 403 error

3 Enable Mod_Evasive

Prevents brute force attempts, spidering, Burp Suite, Nikto, etc This module limits you to X amount of page requests site-wide per interval … Install mod_evasive apt-get install libapache2-mod-evasive Create Log sudo mkdir /var/log/mod_evasive chown -R www-data:www-data /var/log/mod_evasive Create blocking script sudo mkdir /etc/apache2/scripts vi /etc/apache2/scripts/ban_ip.sh """

1. !/bin/sh

IP=$1 IPTABLES=/sbin/iptables

$IPTABLES -A banned -s $IP -p TCP --dport 80 -j DROP $IPTABLES -A banned -s $IP -p TCP --dport 443 -j DROP

echo "$IPTABLES -D banned -s $IP -p TCP --dport 80 -j DROP" | at now + 3 minutes echo "$IPTABLES -D banned -s $IP -p TCP --dport 443 -j DROP" | at now + 3 minutes """

• • sudo chown www-data:www-data /etc/apache2/scripts/ban_ip.sh
  • sudo chmod 550 /etc/apache2/scripts/ban_ip.sh
• Create mod_evasive config file
  • vi /etc/apache2/mods-enabled/evasive.conf

<IfModule mod_evasive20.c>

    DOSHashTableSize 3097 
    DOSPageCount 5
    DOSSiteCount 50
    DOSPageInterval 1 
    DOSSiteInterval 10 
    DOSBlockingPeriod 180
    #DOSEmailNotify email@yourdomain.com 
    DOSSystemCommand "sudo /etc/apache2/scripts/ban_ip.sh %s'" 
    DOSLogDir "/var/log/mod_evasive" 
</IfModule>

• Restart Apache
  • sudo apache2 stop
  • sudo apache2 start