mod_security for Apache

I’ve worked with mod_security before, but now it’s running on this webserver, as I’ve just seen a ton of crap being thrown at the server. Webservers are a good target: they’re exposed to the whole internet and they usually ‘just work’, so most people don’t keep on top of them. Plus, crafted GET and POST requests can cause trouble on their own, or worse, reach an application behind the server that is vulnerable to SQL injection. Since I last looked into mod_security they’ve been acquired, which explains the marketing verbiage they list:

ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. It is also an open source project that aims to make the web application firewall technology available to everyone.

But yeah, as long as it stays Open Source, I won’t complain (that much). This is a step beyond a network IDS like Snort: Snort watches packets on the wire, while mod_security runs inside Apache, sees each HTTP request after it has been decoded (POST bodies included) and is built to do one thing, protect Apache and the applications behind it. You can write rules to block all sorts of stuff, redirect requests, reject malformed URLs and even run Apache within a chrooted environment. This is good stuff, and it’s very simple to get the basics up and running via this howto. From there, start in detection-only mode, monitor your modsec.log file, exempt the false positives and adjust accordingly before you switch it to blocking. I can see this being very useful to large environments that run Apache; hopefully I’ll be able to integrate some of this at my new position.
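What a minimal setup of the kind described above looks like, as an added example that is not from the original post, the howto it links to, or the ModSecurity project. It uses ModSecurity 2.x directive syntax (the 2006-era install in this post would have used the older 1.x SecFilter directives); the log paths, rule ids, the bad-agents file, the redirect target and the /roundcube/ exemption are all assumptions for illustration.

```apache
# Added example: a minimal ModSecurity 2.x configuration for Apache httpd.
# Not from the original post or the ModSecurity project; paths, rule ids,
# the agents file and the redirect target are assumptions.
<IfModule security2_module>
    # Start in DetectionOnly, read the audit log for a while, then set this to On.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Audit only transactions a rule flagged or that ended in 4xx/5xx (except 404).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0

    # Malformed request: invalid URL encoding anywhere in the raw request URI.
    SecRule REQUEST_URI "@validateUrlEncoding" \
        "id:1000,phase:1,deny,status:400,log,msg:'Invalid URL encoding'"

    # Directory traversal in the path or any parameter, checked after URL decoding.
    # (Only the forward-slash form is covered here; a real ruleset also handles ..\ .)
    SecRule REQUEST_URI|ARGS "@contains ../" \
        "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Directory traversal attempt'"

    # SQL injection in any GET or POST parameter (libinjection, ModSecurity >= 2.7.2).
    SecRule ARGS "@detectSQLi" \
        "id:1002,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection in request arguments'"

    # Redirect instead of deny: scanners identified by User-Agent substrings,
    # one per line in the assumed file below (@pm matching is case-insensitive).
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/httpd/modsec/bad-agents.txt" \
        "id:1003,phase:1,t:none,log,msg:'Known scanner user agent',redirect:http://www.example.com/blocked.html"

    # False-positive exemption: a webmail compose form legitimately posts text
    # that looks like SQL, so drop the SQLi rule for that path only.
    SecRule REQUEST_URI "@beginsWith /roundcube/" \
        "id:1004,phase:1,pass,nolog,ctl:ruleRemoveById=1002"
</IfModule>
```

Check the syntax with `apachectl configtest` before reloading, then hit the server with something like `curl -i 'http://localhost/?id=1%27%20OR%201%3D1--'`: in DetectionOnly mode the request goes through but a Message line with `[id "1002"]` lands in modsec_audit.log; once SecRuleEngine is On the same request gets a 403. Every rule carries its own `id` and `phase` because ModSecurity 2.x refuses to load rules without them, and the exemption in rule 1004 is the pattern to reach for when the log shows a legitimate application tripping a rule, rather than loosening the rule for the whole server.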

    
  • http://fak3r.com/ fak3r

    Note to self, buy this:

    Apache Security by Ivan Ristic (creator of mod_security)

  • http://fak3r.com/ fak3r

    In chasing down an error mod_security caused one user on the Roundcube-users mailing list, I received this setup for some of the extended mod_sec rulesets:

    [quote comment="1643"]Thanks for your reply. Roundcube did something funny with it though. Now that I’ve hit reply I can see what you wrote. I’ll check the archive later to see if I missed anything.

    Sorry, I meant to put more information in and forgot. I’m running a default install of Fedora Core 5 with Apache2, PHP5, MySQL, Dovecot and sendmail. I’m also only using the beta version of Roundcube.

    As to the ruleset, I’m using those from gotroot, which can be found here: http://www.gotroot.com/mod_security. I use those rules, but not all of them. I have added the following to the base rules in mod_security.conf. Using them all can load up your server. The error logs seem to relate to useragents. You could try just that file if the rest are too hard on your server.

    Include /etc/httpd/modsec/apache2-rules.conf
    Include /etc/httpd/modsec/rules.conf
    Include /etc/httpd/modsec/rootkits.conf
    Include /etc/httpd/modsec/useragents.conf
    Include /etc/httpd/modsec/recons.conf
    Include /etc/httpd/modsec/badips.conf
    # Include /etc/httpd/modsec/blacklist.conf
    Include /etc/httpd/modsec/blacklist2.conf
    Include /etc/httpd/modsec/jitp.conf
    # Include /etc/httpd/modsec/proxy.conf

    [/quote]
