
Unable to protect Metasploitable using Apache ModSecurity image #305

Open
slava110 opened this issue Dec 7, 2024 · 1 comment

Comments

@slava110

slava110 commented Dec 7, 2024

Hi. I've set up Metasploitable 2 (an intentionally exploitable VM image) in a VM connected to the host using a bridged network. Then I ran the nmap vulnerability check script using nmap -sV --script vulners <target>. It discovered a bunch of vulnerabilities in the VM, as it should. Then I started Docker containers with ModSecurity Apache and ModSecurity Nginx using these commands:
docker run -d --name modsec-apache -p 80:8080 -e BACKEND=http://192.168.0.104:80 owasp/modsecurity-crs:apache
docker run -d --name modsec-nginx -p 90:8080 -e BACKEND=http://192.168.0.104:80 owasp/modsecurity-crs:nginx
And ran the nmap vulnerability tests against localhost.
nmap detected multiple vulnerabilities on port 80, but none on port 90.
Does modsecurity-apache protect the backend host, or do I need to change some settings for it to work?
I've tried setting the PORT environment variable, but it didn't help (I set it to 8080).
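A quick way to check whether the container in front of a published port is actually inspecting traffic is to look at what ModSecurity logs for a request, rather than relying on a scanner's verdict. The script below is an added example, not code from the issue author or from the owasp/modsecurity-crs project. It assumes the container names from the commands above (modsec-apache, modsec-nginx) and that the images write ModSecurity messages to the container log, which is their default; the log lines embedded in the script are constructed samples in the ModSecurity 2.x/Apache error-log layout, including the CRS rule ids 913100 (scanner User-Agent) and 949110 (anomaly score exceeded).

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the owasp/modsecurity-crs project).
# Assumptions: container names modsec-apache / modsec-nginx as in the issue,
# and ModSecurity messages going to the container log (the image default).

# Count how many requests ModSecurity actually blocked in log text on stdin.
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps that
# from aborting a caller running under "set -e".
count_denials() {
    grep -c 'ModSecurity: Access denied' || true
}

# List the distinct CRS rule ids that fired, one per line, from log text on stdin.
fired_rule_ids() {
    grep -o '\[id "[0-9]*"\]' | sed 's/\[id "\([0-9]*\)"\]/\1/' | sort -u
}

# Live check (not executed by this script): send one request through the
# published port, then count what the named container logged for it. A WAF
# that is really in the path logs something for the request; a container
# that is not fronting the backend logs nothing.
probe_waf() {
    local port="$1" name="$2"
    curl -s -o /dev/null -w 'HTTP %{http_code}\n' "http://127.0.0.1:${port}/"
    docker logs --since 1m "$name" 2>&1 | count_denials
}

# Constructed sample of what "docker logs modsec-apache" might show for a
# scanner request (not real output captured from the issue's setup).
SAMPLE_LOG=$(cat <<'EOF'
[Sat Dec 07 12:00:01.000000 2024] [security2:error] [pid 7:tid 140] [client 172.17.0.1:51234] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `scanners-user-agents.data' against variable `REQUEST_HEADERS:User-Agent'" [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "CRITICAL"] [uri "/"]
[Sat Dec 07 12:00:01.000000 2024] [security2:error] [pid 7:tid 140] [client 172.17.0.1:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/"]
172.17.0.1 - - [07/Dec/2024:12:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 26
[Sat Dec 07 12:00:02.000000 2024] [security2:error] [pid 7:tid 141] [client 172.17.0.1:51236] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/cgi-bin/"]
EOF
)

# Offline demonstration on the constructed sample.
echo "blocked requests: $(printf '%s\n' "$SAMPLE_LOG" | count_denials)"
echo "rules fired:"
printf '%s\n' "$SAMPLE_LOG" | fired_rule_ids
```

In a live setup, run `probe_waf 80 modsec-apache` and `probe_waf 90 modsec-nginx` after starting the containers: a non-zero denial count, or at least some `ModSecurity:` lines, shows the proxy is inspecting the requests on that port, whereas an empty log after a request means the request never reached that container at all.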

@theseion
Contributor

Hi @slava110, sorry for the delay.

The backend will be protected by ModSecurity by default, that's the idea of the images, although the configuration will of course not be ideal for your setup. I don't see anything wrong with the setup you describe, so I'm rather wondering if maybe nmap is doing something special based on the port...

Do you have any more information? Does nmap find vulnerabilities if you publish nginx on port 80 instead of 90?
