# WEB_Basic-Fadeev_Alexander-Practice-4

### Installing nginx and ModSecurity on Ubuntu

Install one of the following PPAs with the following command:

![](https://i.imgur.com/fdKhKWQ.png)

Install Nginx with the following:

![](https://i.imgur.com/l44gjuj.png)

Add Nginx Source Code to Repository

![](https://i.imgur.com/vueJAVQ.png)
![](https://i.imgur.com/tUM3LKF.png)

Download Nginx Source

![](https://i.imgur.com/pb1jUnm.png)
![](https://i.imgur.com/ElVVVk0.png)
![](https://i.imgur.com/ronnSd4.png)
![](https://i.imgur.com/wds2bma.png)
![](https://i.imgur.com/2gOEZ8Z.png)

Install libmodsecurity3 for ModSecurity

Clone the ModSecurity repository from GitHub

![](https://i.imgur.com/wDKxvq8.png)

Install libmodsecurity3 Dependencies

![](https://i.imgur.com/mOKP80T.png)
![](https://i.imgur.com/kgfvL1g.png)
![](https://i.imgur.com/ZEEgkAT.png)
![](https://i.imgur.com/BmVUJTW.png)

Building the ModSecurity Environment

![](https://i.imgur.com/zVVpJLF.png)
![](https://i.imgur.com/4V9DtHs.png)

Compiling the ModSecurity Source Code

![](https://i.imgur.com/uT4Lsgm.png)

```
make -j 1
```

![](https://i.imgur.com/FJPUKt2.png)

Install ModSecurity-nginx Connector

![](https://i.imgur.com/mOj3fEd.png)
![](https://i.imgur.com/G3gUMnD.png)
![](https://i.imgur.com/0b3n29Y.png)
![](https://i.imgur.com/RxWxrfZ.png)
![](https://i.imgur.com/lsdf3Yl.png)
![](https://i.imgur.com/qGFY4JA.png)

Load and Configure ModSecurity-nginx Connector with Nginx

Add the line to the file near the top:

![](https://i.imgur.com/ifrcBP2.png)

Now add the following directives inside the `http {}` block:

```
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;
```

Create and Configure Directory and Files for ModSecurity

![](https://i.imgur.com/x04Y4rN.png)
![](https://i.imgur.com/ePGDWSB.png)

Change the following line to enable ModSecurity: `SecRuleEngine DetectionOnly` -> `SecRuleEngine On`

![](https://i.imgur.com/DguENaj.png)

We need to change line 224:

![](https://i.imgur.com/HpmiHeV.png)

`SecAuditLogParts ABCEFHJKZ` (this is the correct version)

![](https://i.imgur.com/QLWT3xC.png)
![](https://i.imgur.com/UYFzSVF.png)
![](https://i.imgur.com/SXN08WD.png)

Install OWASP Core Rule Set for ModSecurity

![](https://i.imgur.com/1hCs5w1.png)
![](https://i.imgur.com/UTAmwex.png)
![](https://i.imgur.com/EV56eJV.png)
![](https://i.imgur.com/kxDaGNW.png)
![](https://i.imgur.com/0yEJ7ry.png)
![](https://i.imgur.com/4kxa31l.png)
![](https://i.imgur.com/lJkLId0.png)
![](https://i.imgur.com/GGSAuPr.png)

### Carry out 3 attacks from the OWASP Top 10 list and demonstrate that the WAF works (WAF rules must trigger)

- XSS

  ![](https://i.imgur.com/ZHrTM3D.png)
  ![](https://i.imgur.com/ExfWQ9o.png)
  ![](https://i.imgur.com/tGelBEH.png)

- path traversal

  ![](https://i.imgur.com/yoBDtzZ.png)

- CSRF

  ![](https://i.imgur.com/Y9aoiaX.png)
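
One way to confirm that WAF rules fired is to read the serial audit log that `SecAuditLogParts ABCEFHJKZ` produces and list the rule IDs recorded in part H of each transaction. The Python script below is an added example, not part of the original lab. Its log entry is constructed, and the boundary layout and the CRS rule IDs 941100 and 949110 in it are assumptions about a typical libmodsecurity3 + CRS setup.

```python
import re
from collections import defaultdict

# Part boundary: "---AbCd1234---H--" (libmodsecurity3) or "--abcd1234-H--" (v2 style).
BOUNDARY = re.compile(r"^-{2,3}(\w+)-{1,3}([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')

# Constructed sample entry (not from the lab): addresses, IDs and payload are placeholders.
SAMPLE_LOG = """\
---AbCd1234---A--
[01/Jan/2024:10:00:00 +0000] 170410320000.000001 192.0.2.10 40000 192.0.2.1 80
---AbCd1234---B--
GET /?q=CONSTRUCTED_XSS_PROBE HTTP/1.1
---AbCd1234---F--
HTTP/1.1 403
---AbCd1234---H--
ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"]
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
---AbCd1234---Z--
"""

def parse_audit_log(text):
    """Split a serial audit log into {transaction_id: {part_letter: [lines]}}."""
    txns = defaultdict(lambda: defaultdict(list))
    txn = part = None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            txn, part = m.groups()          # a new part (A, B, F, H, ...) starts here
        elif txn is not None and line.strip():
            txns[txn][part].append(line)    # non-empty line belongs to the current part
    return txns

def triggered_rules(text):
    """Return [(request_line, status_line, [(rule_id, msg), ...])], one tuple per transaction."""
    report = []
    for parts in parse_audit_log(text).values():
        rules = []
        for line in parts["H"]:             # part H holds the rule match messages
            rid, msg = RULE_ID.search(line), RULE_MSG.search(line)
            if rid:
                rules.append((rid.group(1), msg.group(1) if msg else ""))
        report.append(("".join(parts["B"][:1]), "".join(parts["F"][:1]), rules))
    return report

if __name__ == "__main__":
    for req, status, rules in triggered_rules(SAMPLE_LOG):
        print(req, "->", status, rules)
```

On the lab host, pass the contents of the file named by the `SecAuditLog` directive to `triggered_rules`.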