Lab 5.1 Wazuh WAF - AinsleyPlayer/SEC-350 GitHub Wiki
In this lab we are going to augment web01 by adding a web application firewall (WAF). The Wazuh agent should already be forwarding Apache error logs, so a good deal of the work is done for us. We are then going to run malicious HTTP requests against web01 to see how our WAF performs.
Adding software to web01
web01's ability to talk to the WAN, and the WAN's ability to talk to web01, may currently be restricted. Updating and patching the server is something we must do from time to time. VyOS cannot filter by domain name (for example, allowing traffic only to updates.centos.org); firewall rules match on IP address or subnet. For this reason many organizations point their servers at an internal mirror instead. We will use a workaround.
WAN-to-DMZ
If not already present, add a permanent rule to VyOS so that replies to connections established from the DMZ to the WAN are allowed back in through the WAN-to-DMZ rule set (a state established/related accept rule, typically rule 1). If that rule is not there, add it; without it the temporary egress rule below lets the request out but its replies are dropped.
DMZ-to-WAN
Again, we may need to add a temporary rule for software updates that we delete, disable or discard when complete. This rule should have the following characteristics:
- rule number 999 or similar (a high number, so it is evaluated after the existing rules)
- action accept (this is wide open)
- source address set to the web server's IP, so nothing else in the DMZ gets the same egress
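As an added example (not from the lab wiki), these are the VyOS configure-mode commands that implement both rules, followed by the teardown to run once the install in the next section has finished. The rule-set names WAN-to-DMZ and DMZ-to-WAN are the ones used on this page; the web01 address 172.16.150.10 is an assumed placeholder, replace it with your own.

```vyos
# Added example, typed at the VyOS CLI in configure mode (not from the lab page).
# 172.16.150.10 is an assumed address for web01; substitute your server's IP.
configure

# Permanent: replies to connections the DMZ opened toward the WAN get back in.
# Without this, rule 999 below lets the SYN out but the SYN/ACK is dropped.
set firewall name WAN-to-DMZ rule 1 action accept
set firewall name WAN-to-DMZ rule 1 state established enable
set firewall name WAN-to-DMZ rule 1 state related enable

# Temporary: wide-open egress, but only from web01, for the yum install.
set firewall name DMZ-to-WAN rule 999 description 'TEMP: yum on web01, remove after use'
set firewall name DMZ-to-WAN rule 999 action accept
set firewall name DMZ-to-WAN rule 999 source address 172.16.150.10
commit
save

# Confirm what is active before running yum on web01.
run show configuration commands | grep 'DMZ-to-WAN rule 999'

# After the install: close the hole again. Delete the rule outright, or use
#   set firewall name DMZ-to-WAN rule 999 disable
# to keep it (inactive) for the next patch window. Either way, commit and save.
delete firewall name DMZ-to-WAN rule 999
commit
save
exit
```

Committing without saving applies the change to the running firewall only; the lab asks for the lockdown to be permanent, so always follow the final commit with save.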
Adding mod_security, the core rule set and php to web01
There are far too many inaccurate guides on mod_security out there, so please just use the following unless you have done this many times before. The following command installs mod_security, the OWASP Core Rule Set (CRS) that this layer 7 firewall evaluates, and the PHP packages needed to make a webshell work.
sudo yum install mod_security mod_security_crs php php-common php-opcache php-cli php-gd php-curl php-mysqlnd -y
Once the installation has succeeded, delete, disable or discard rule 999 if you created one, and commit so that we are locked down once again.
Deliverable 1.
Restart httpd on web01. Provide two screenshots similar to the ones below showing that the security2_module is loaded.
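A loaded module is not the same as an enforcing WAF: mod_security can be present in httpd -M yet run in DetectionOnly mode, in which it logs matches but lets the request through. The following script is an added example (not part of the lab page) that checks both conditions. It assumes CentOS 7 paths (httpd on the PATH, /etc/httpd/conf.d/mod_security.conf) and falls back to constructed sample output when run off the box, so the functions can also be pointed at saved output from another host.

```shell
#!/bin/sh
# Added example, not from the lab page: check that mod_security is loaded AND
# enforcing on web01. Assumes CentOS 7 paths; the SAMPLE_* data below is
# constructed to look like `httpd -M` and mod_security.conf output, not captured.

# Succeeds (exit 0) when the given `httpd -M` output lists security2_module.
has_security2_module() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*security2_module'
}

# Prints the effective SecRuleEngine value from a mod_security config text.
# Comment lines are ignored and, as in Apache, the last occurrence wins.
# Prints "unset" when the directive is absent.
rule_engine_mode() {
    mode=$(printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | awk 'tolower($1) == "secruleengine" { v = $2 } END { print v }')
    printf '%s\n' "${mode:-unset}"
}

# Combined verdict: "ok" only when the module is loaded and the engine is On.
# "detection-only" means matches are logged but nothing is blocked, so the
# malicious requests in the next part of the lab would pass straight through.
waf_status() {
    modules="$1"
    conf="$2"
    if ! has_security2_module "$modules"; then
        echo "module-missing"
        return 1
    fi
    case "$(rule_engine_mode "$conf")" in
        On|on) echo "ok"; return 0 ;;
        DetectionOnly|detectiononly) echo "detection-only"; return 1 ;;
        *) echo "engine-off"; return 1 ;;
    esac
}

# Constructed sample data (shaped like CentOS 7 output, not from the lab's web01).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 security2_module (shared)
 unique_id_module (shared)'

SAMPLE_CONF='# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
# SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly'

# On a real web01 use the live output; elsewhere fall back to the samples.
if command -v httpd >/dev/null 2>&1 && [ -r /etc/httpd/conf.d/mod_security.conf ]; then
    MODULES=$(httpd -M 2>/dev/null)
    CONF=$(cat /etc/httpd/conf.d/mod_security.conf)
else
    MODULES=$SAMPLE_MODULES
    CONF=$SAMPLE_CONF
fi
waf_status "$MODULES" "$CONF"
```

Run it as root on web01 after restarting httpd; anything other than "ok" means the screenshot for the deliverable would show a module that is not actually protecting the site.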