Book Image

ModSecurity 2.5

Book Image

ModSecurity 2.5

Overview of this book

With more than 67% of web servers running Apache and web-based attacks becoming more and more prevalent, web security has become a critical area for web site managers. Most existing tools work on the TCP/IP level, failing to use the specifics of the HTTP protocol in their operation. Mod_security is a module running on Apache, which will help you overcome the security threats prevalent in the online world. A complete guide to using ModSecurity, this book will show you how to secure your web application and server, and does so by using real-world examples of attacks currently in use. It will help you learn about SQL injection, cross-site scripting attacks, cross-site request forgeries, null byte attacks, and many more so that you know how attackers operate. Using clear, step-by-step instructions this book starts by teaching you how to install and set up ModSecurity, before diving into the rule language with examples. It assumes no prior knowledge of ModSecurity, so as long as you are familiar with basic Linux administration, you can start to learn right away. Real-life case studies are used to illustrate the dangers on the Web today ñ you will for example learn how the recent worm that hit Twitter works, and how you could have used ModSecurity to stop it in its tracks. The mechanisms behind these and other attacks are described in detail, and you will learn everything you need to know to make sure your server and web application remain unscathed on the increasingly dangerous web. Have you ever wondered how attackers figure out the exact web server version running on a system? They use a technique called HTTP fingerprinting, and you will learn about this in depth and how to defend against it by flying your web server under a "false flag". The last part of the book shows you how to really lock down a web application by implementing a positive security model that only allows through requests that conform to a specific, pre-approved model, and denying anything that is even the slightest bit out of line.

Related Content you might be interested in

Current Title:

Small book image
ModSecurity 2.5
Nov, 2009 | 280 pages
No titles found
Table of Contents (17 chapters)
ModSecurity 2.5
ModSecurity 2.5
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
Preface
Preface
Free Chapter
1
Installation and Configuration
Installation and Configuration
Versions
Downloading
Unpacking the source code
Required additional libraries and files
Compilation
Integrating ModSecurity with Apache
Configuration file
Testing your installation
Summary
2
Writing Rules
Writing Rules
SecRule syntax
Creating chained rules
Rule IDs
An introduction to regular expressions
Simple string matching
Matching numbers
More about collections
Transformation functions
Other operators
Phases and rule ordering
Actions—what to do when a rule matches
SecAction
Using the ctl action to control the rule engine
Macro expansion
SecRule in practice
Executing shell scripts
Injecting data into responses
Inspecting uploaded files
Summary
3
Performance
Performance
A typical HTTP request
A real-world performance test
Optimizing performance
Summary
4
Audit Logging
Audit Logging
Enabling the audit log engine
Determining what to log
The configuration so far
Log format
Concurrent logging
Selectively disabling logging
Audit log sanitization actions
The ModSecurity Console
Summary
5
Virtual Patching
Virtual Patching
Why use virtual patching?
Creating a virtual patch
From vulnerability discovery to virtual patch: An example
Testing your patches
Real-life examples
Summary
6
Blocking Common Attacks
Blocking Common Attacks
HTTP fingerprinting
Blocking proxied requests
Cross-site scripting
Cross-site request forgeries
Shell command execution attempts
Null byte attacks
Source code revelation
Directory traversal attacks
Blog spam
SQL injection
Website defacement
Brute force attacks
Directory indexing
Detecting the real IP address of an attacker
Summary
7
Chroot Jails
Chroot Jails
What is a chroot jail?
A sample attack
Traditional chrooting
How ModSecurity helps jailing Apache
Using ModSecurity to create a chroot jail
Verifying that the jail works
Chroot caveats
Summary
8
REMO
REMO
More about Remo
Installation
Remo rules
Analyzing log files
Configuration tweaks
Summary
9
Protecting a Web Application
Protecting a Web Application
Considerations before beginning
The web application
Groundwork
Step 1: Identifying user actions
Step 2: Getting detailed information on each action
Step 3: Writing rules
Step 4: Testing the new ruleset
Actions
Blocking what's allowed—denying everything else
Cookies
Headers
Securing the "Start New Topic" action
The ruleset so far
The finished ruleset
Alternative approaches
Keeping everything up to date
Summary
Directives and Variables
Directives and Variables
Directives
Variables
Regular Expressions
Regular Expressions
What is a regular expression?
Regular expression flavors
Example of a regular expression
The Dot character
Quantifiers—star, plus, and question mark
Alternation
Backreferences
Non-capturing parentheses
Character classes
Anchors
Lazy quantifiers
Debugging regular expressions
Additional resources
Our email address regex
Summary
Index
Index

Integrating ModSecurity with Apache

The compilation process outlined in the previous section results in a file called mod_security2.so being created. This is an Apache dynamic shared object which is a plugin to Apache that adds functionality to the web server without requiring it to be recompiled. This file contains all the ModSecurity functionality, and integrating it like any other Apache module is, except for some basic configuration, all it takes to enable ModSecurity on your server.

The mod_security2.so file is output to the modsecurity-apache/apache2/.libs directory by the compiler. To let Apache know about ModSecurity, start by copying the mod_security2.so file to your Apache modules directory. Typically the modules directory will be something like /etc/httpd/modules, but the location will vary depending on your setup.

The next step is to edit the Apache configuration file and add a line to let the web server know about the new module. Start your favorite editor and open up httpd.conf (again, the location will vary depending on your setup, but assuming the same Apache base directory as in the previous section, the file will be in /etc/httpd/conf/httpd.conf). It's a good idea to create a backup copy of httpd.conf before you start editing the file, so that you can revert to the backup if anything goes wrong.

In httpd.conf there will be a fairly long list of configuration directives that start with the word LoadModule. Find this section of LoadModule directives and add the following line to the top of the list:

LoadModule security2_module modules/mod_security2.so

The security2_module string is known as the module identifier, and is declared in the source code of each module. It is used by Apache to later identify the module in such directives as IfModule, which turn on or off processing of configuration directives based on whether or not the module is loaded.

After adding this line, exit the editor and run apachectl configtest. This will test the new configuration file and report back any errors so you can fix them before attempting to restart the server. If all went well, run apachectl restart to restart the web server. This will load ModSecurity which means the fun part of writing rules can soon begin!

Previous Section
End of Section 7
Next Section