Book Image

ModSecurity 2.5

Book Image

ModSecurity 2.5

Overview of this book

With more than 67% of web servers running Apache and web-based attacks becoming more and more prevalent, web security has become a critical area for web site managers. Most existing tools work on the TCP/IP level, failing to use the specifics of the HTTP protocol in their operation. Mod_security is a module running on Apache, which will help you overcome the security threats prevalent in the online world. A complete guide to using ModSecurity, this book will show you how to secure your web application and server, and does so by using real-world examples of attacks currently in use. It will help you learn about SQL injection, cross-site scripting attacks, cross-site request forgeries, null byte attacks, and many more so that you know how attackers operate. Using clear, step-by-step instructions this book starts by teaching you how to install and set up ModSecurity, before diving into the rule language with examples. It assumes no prior knowledge of ModSecurity, so as long as you are familiar with basic Linux administration, you can start to learn right away. Real-life case studies are used to illustrate the dangers on the Web today ñ you will for example learn how the recent worm that hit Twitter works, and how you could have used ModSecurity to stop it in its tracks. The mechanisms behind these and other attacks are described in detail, and you will learn everything you need to know to make sure your server and web application remain unscathed on the increasingly dangerous web. Have you ever wondered how attackers figure out the exact web server version running on a system? They use a technique called HTTP fingerprinting, and you will learn about this in depth and how to defend against it by flying your web server under a "false flag". The last part of the book shows you how to really lock down a web application by implementing a positive security model that only allows through requests that conform to a specific, pre-approved model, and denying anything that is even the slightest bit out of line.

Related Content you might be interested in

Current Title:

Small book image
ModSecurity 2.5
Nov, 2009 | 280 pages
No titles found
Table of Contents (17 chapters)
ModSecurity 2.5
ModSecurity 2.5
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
Preface
Preface
Free Chapter
1
Installation and Configuration
Installation and Configuration
Versions
Downloading
Unpacking the source code
Required additional libraries and files
Compilation
Integrating ModSecurity with Apache
Configuration file
Testing your installation
Summary
2
Writing Rules
Writing Rules
SecRule syntax
Creating chained rules
Rule IDs
An introduction to regular expressions
Simple string matching
Matching numbers
More about collections
Transformation functions
Other operators
Phases and rule ordering
Actions—what to do when a rule matches
SecAction
Using the ctl action to control the rule engine
Macro expansion
SecRule in practice
Executing shell scripts
Injecting data into responses
Inspecting uploaded files
Summary
3
Performance
Performance
A typical HTTP request
A real-world performance test
Optimizing performance
Summary
4
Audit Logging
Audit Logging
Enabling the audit log engine
Determining what to log
The configuration so far
Log format
Concurrent logging
Selectively disabling logging
Audit log sanitization actions
The ModSecurity Console
Summary
5
Virtual Patching
Virtual Patching
Why use virtual patching?
Creating a virtual patch
From vulnerability discovery to virtual patch: An example
Testing your patches
Real-life examples
Summary
6
Blocking Common Attacks
Blocking Common Attacks
HTTP fingerprinting
Blocking proxied requests
Cross-site scripting
Cross-site request forgeries
Shell command execution attempts
Null byte attacks
Source code revelation
Directory traversal attacks
Blog spam
SQL injection
Website defacement
Brute force attacks
Directory indexing
Detecting the real IP address of an attacker
Summary
7
Chroot Jails
Chroot Jails
What is a chroot jail?
A sample attack
Traditional chrooting
How ModSecurity helps jailing Apache
Using ModSecurity to create a chroot jail
Verifying that the jail works
Chroot caveats
Summary
8
REMO
REMO
More about Remo
Installation
Remo rules
Analyzing log files
Configuration tweaks
Summary
9
Protecting a Web Application
Protecting a Web Application
Considerations before beginning
The web application
Groundwork
Step 1: Identifying user actions
Step 2: Getting detailed information on each action
Step 3: Writing rules
Step 4: Testing the new ruleset
Actions
Blocking what's allowed—denying everything else
Cookies
Headers
Securing the "Start New Topic" action
The ruleset so far
The finished ruleset
Alternative approaches
Keeping everything up to date
Summary
Directives and Variables
Directives and Variables
Directives
Variables
Regular Expressions
Regular Expressions
What is a regular expression?
Regular expression flavors
Example of a regular expression
The Dot character
Quantifiers—star, plus, and question mark
Alternation
Backreferences
Non-capturing parentheses
Character classes
Anchors
Lazy quantifiers
Debugging regular expressions
Additional resources
Our email address regex
Summary
Index
Index

Compilation

As with other Linux software that comes as source, you need to compile ModSecurity to be able to use it. Compilation will result in a file called mod_security2.so, which is a binary shared module used by the Apache server in a plugin-like fashion. This module file contains all the functionality of ModSecurity.

Note

The fact that ModSecurity is an Apache module and not a stand-alone application (it could have been written as a reverse proxy server, filtering requests and then passing them to Apache) confers many advantages. One of these is the ability to inspect SSL connections and see data compressed using mod_deflate without having to write any additional code to decrypt or decompress the data first.

To get started compiling the source, change to the root user as you will require root privileges to install ModSecurity. Then change to the apache2 subfolder of the directory where you unpacked ModSecurity (for example, /home/download/modsecurity-apache/apache2/). This directory contains the source files and all the files needed to build the binary module.

To be able to compile the binary, you need a Makefile, which is a file that contains details of your particular server setup such as which compiler is available and what options it supports. To generate the Makefile, run the following command:

[apache2]$ ./configure
...
config.status: creating Makefile
config.status: creating build/apxs-wrapper
config.status: creating mod_security2_config.h

If the configure script stops with an error indicating that the PCRE library cannot be found, this is usually because you have compiled Apache from source and it has used the PCRE library that is bundled with the Apache distribution. Running configure --with-pcre=/path/to/apache-src/srclib/pcre should solve the problem (if it doesn't, edit Makefile and change the PCRE_CFLAGS and PCRE_LIBS variables to point to the pcre directory).

After this command has completed, check for the presence of a file called Makefile in the current directory. After making sure it exists you can go ahead and compile the binary:

[apache2]$ make

You should see a fairly long list of messages written to the terminal as the compilation takes place, and if everything goes well there should be no error messages (though you may get a few compiler warnings, which you can ignore).

Previous Section
End of Section 6
Next Section