Please enable JavaScript.
Coggle requires JavaScript to display documents.
(๐ 20. Enterprise Best Practices, โ๏ธ 4. Attacks Blocked by WAF, ๐ 21.โฆ
๐ 20. Enterprise Best Practices
Principle of Least Privilege
Enable HTTPS only
Update OWASP Core Rule Set regularly
Tune false positives
Backup configuration
Version control rules
Centralized logging
Continuous monitoring
High Availability deployment
Load balancing
Regular penetration testing
Security audits
Patch operating system
Patch web server
Patch WAF
Integrate with SIEM
Alert Security Operations Center
Incident response procedures
Change management
Configuration management
Disaster recovery planning
โ๏ธ 4. Attacks Blocked by WAF
๐ Structured Query Language Injection (SQL Injection)
Reads database
Deletes data
Bypasses authentication
Example
'
OR 1=1
UNION SELECT
๐ป Cross Site Scripting (XSS)
Stored
Reflected
Document Object Model (DOM)
๐ Local File Inclusion (LFI)
../../etc/passwd
๐ Remote File Inclusion (RFI)
๐ฅ Command Injection
;
&&
||
$(command)
๐ Authentication Bypass
๐ช Cookie Manipulation
๐ค File Upload Attack
PHP Shell
JSP Shell
ASPX Shell
๐ฆ Path Traversal
๐งฌ XML External Entity (XXE)
๐ก Server Side Request Forgery (SSRF)
๐ช Cross Site Request Forgery (CSRF)
๐ Web Shell Upload
๐ฆ Brute Force Login
๐ค Bot Traffic
๐ซ Denial of Service
๐ซ Distributed Denial of Service
๐ Directory Enumeration
๐ HTTP Header Manipulation
๐ญ User-Agent Spoofing
๐ 21. Enterprise Skills
Apache HTTP Server administration
Nginx administration
Linux system administration
HTTP protocol
HTTPS and Transport Layer Security
OWASP Top 10
Regular Expressions
ModSecurity rules
Log analysis
SIEM integration
Reverse Proxy
Load Balancing
Web Security
Incident Response
Threat Hunting
Performance Tuning
Automation using Ansible
Infrastructure as Code
DevSecOps
๐ 5. Request Inspection
URL
URI
HTTP Method
GET
POST
PUT
DELETE
PATCH
OPTIONS
HEAD
Headers
Cookies
Query String
Request Body
JSON
XML
Multipart Form Data
File Upload
Session
Token
Authorization Header
๐ 9. Important Linux Directories
/etc/modsecurity/
/etc/modsecurity/modsecurity.conf
/etc/modsecurity/crs/
/usr/share/modsecurity-crs/
/etc/nginx/
/etc/apache2/
/etc/httpd/
/var/log/apache2/
/var/log/httpd/
/var/log/nginx/
/var/log/modsec_audit.log
/var/log/modsec_debug.log
๐ 13. OWASP Core Rule Set
Initialization Rules
Protocol Validation
SQL Injection Detection
Cross Site Scripting Detection
Local File Inclusion Detection
Remote File Inclusion Detection
Remote Command Execution Detection
PHP Injection Detection
Scanner Detection
Session Fixation Detection
Blocking Evaluation
๐ 6. Rule Engine
Positive Security Model
Allow only trusted requests
Negative Security Model
Block known attacks
Signature Based Detection
Pattern Matching
Regular Expressions
Custom Rules
Score Based Detection
Reputation Based Detection
GeoIP Filtering
Rate Limiting
๐จ 16. Monitoring
Request Count
Blocked Requests
Allowed Requests
Rule Hits
Attack Trends
Top Attackers
Source IP Addresses
Countries
User Agents
Response Codes
๐ป 18. Useful Commands
apachectl configtest
apachectl -M
nginx -t
systemctl status apache2
systemctl status httpd
systemctl status nginx
journalctl -u apache2
journalctl -u nginx
tail -f /var/log/modsec_audit.log
grep ModSecurity /var/log/apache2/error.log
๐๏ธ 2. WAF Position in Enterprise Network
๐ Internet
๐ Domain Name System (DNS)
โ๏ธ Load Balancer
๐ก๏ธ Web Application Firewall
๐ Reverse Proxy
๐ Web Server
Apache HTTP Server
Nginx
โ๏ธ Application Server
PHP
Java
Python
Node.js
.NET
๐๏ธ Database Server
MySQL
MariaDB
PostgreSQL
Oracle Database
๐ 14. Logging
Audit Log
Error Log
Access Log
Debug Log
JSON Logging
Syslog
Remote Syslog
SIEM Integration
๐งช 17. Testing
curl
wget
Burp Suite
OWASP Zed Attack Proxy
Nikto
SQLMap
Nmap
WhatWeb
๐ก 3. Open Systems Interconnection (OSI) Layer
Layer 1 Physical
Layer 2 Data Link
Layer 3 Network
Layer 4 Transport
Layer 5 Session
Layer 6 Presentation
๐ก๏ธ Layer 7 Application
HTTP
HTTPS
REST API
GraphQL
SOAP
๐ง 12. Main Configuration
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecDebugLog /var/log/modsec_debug.log
SecDebugLogLevel 3
๐ 19. Request Processing Flow
Client sends HTTP request
DNS resolves hostname
Load Balancer receives traffic
WAF inspects request
Rules evaluated
Attack detected
Block request
Return HTTP 403 Forbidden
Log event
No attack detected
Forward request
Web Server
Application Server
Database
Response returned
WAF inspects response if enabled
Client receives response
๐ง 8. Linux Deployment
Ubuntu
Debian
Red Hat Enterprise Linux
Rocky Linux
AlmaLinux
SUSE Linux Enterprise
๐ 11. Configuration Files
modsecurity.conf
crs-setup.conf
REQUEST-901-INITIALIZATION.conf
REQUEST-942-APPLICATION-ATTACK-SQLI.conf
REQUEST-941-APPLICATION-ATTACK-XSS.conf
RESPONSE-999-EXCLUSION-RULES.conf
๐ 15. SIEM Integration
Elastic Stack
Wazuh
Splunk
IBM QRadar
Microsoft Sentinel
Graylog
๐ 1. What is a Web Application Firewall (WAF)
๐ Definition
Protects web applications from attacks targeting HyperText Transfer Protocol (HTTP) and HyperText Transfer Protocol Secure (HTTPS)
Inspects application-layer traffic (OSI Layer 7)
Filters, monitors, logs, and blocks malicious requests
Protects websites, APIs (Application Programming Interfaces), and web services
Works before requests reach Apache HTTP Server, Nginx, or application servers
๐ฏ Goals
Prevent web attacks
Protect confidential information
Reduce attack surface
Meet compliance requirements
Improve application availability
๐ข Enterprise Use Cases
Banking
Healthcare
Government
Cloud services
E-commerce
Software as a Service (SaaS)
Internal enterprise portals
โ๏ธ 10. Installation
Ubuntu
sudo apt update
sudo apt install libapache2-mod-security2
sudo apt install modsecurity-crs
Red Hat Enterprise Linux
sudo dnf install mod_security
sudo dnf install mod_security_crs
Verify
apachectl -M
nginx -V
๐ ๏ธ 7. Enterprise WAF Solutions
Open Source
ModSecurity
NAXSI
Coraza
Commercial
F5 Advanced WAF
Imperva
Barracuda
Fortinet FortiWeb
Cloudflare WAF
Amazon Web Services WAF
Microsoft Azure Web Application Firewall