Thursday, November 15, 2007

Basics of Mod_Security

This past week, i was auditing a customer's web server defence against web attacks and i realised that he did not install mod_security as one of their modules in the server. Well, considering it is a huge customer, they should at least do some basic filtering using mod_security since their servers are running on linux. I had mentioned about mod_security in my previous post and for those who are still not sure what it is, mod_security is a web application firewall that is an Apache Web Server add-on module that provides intrusion detection, content filtering, and web-based attack protection. It is good at detecting and stopping many known web attacks, such as many SQL injection type attacks, cross-site scripting, directory traversal type attacks, and many others. Below is a snippet of a simple basic mod_security configuration:


# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding On

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log actionable requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/apache2/audit_log

# Debug level set to a minimum
SecFilterDebugLog /var/log/apache2/modsec_debug_log
SecFilterDebugLevel 2

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

# Add custom secfilter rules here


Of course, you can add on more items and it depends on what you need it to filter and protect. Mod_Security does come with a performance cost, however, the security benefits far outweight the performance cost. Do consider using it.

The Hacka Man

6 comments:

Ryan Barnett said...

First of all, great post. I am the ModSecurity Community Manager and part of my job is to "get teh word" out about ModSecurity so that peoplel know about it and what it can do for them. I love hearing that people who are conducting web assessments are recommending it as a potential solution to immediately "virtually patch" identified vulnerabilities :)

Just a quick comment, I noticed that you used ModSecurity v1 rules in your example. Are you aware of the new ModSecurity v2 version and the corresponding free Core Rules? There are many great feature enhancements that users should be aware of, however it only works on Apache 2.x hosts so ModSecurity v1 may still be the only option.

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

Anonymous said...

Hi Ryan, you can email me and we can discuss more.

hackathology

.mario said...

In my opinion mod_security has to be used with care. It's - like most if not all systems - no perfect system to harden your application and just installing and using it _could_ create a false sense of security.

Anonymous said...

hi mario, i do agree with your comments, however, with mod_security it will almost thwarf of 80-90% of the attacks compared without any web application firewall installed. Mod_security definitely needs to be installed with care and configured with scrutinity.

hackathology

Unknown said...

The holidays are a time ed hardy of getting together with friends ed hardy shoes and family, attending elaborate ed hardy clothing parties, and other exciting events ed hardy clothes that involves dressing up in stunning ed hardy store wardrobes. If you ed hardy Bikini are pregnant during ed hardy swimsuits the holidays, it does not ed hardy Caps mean that you are unable buy ed hardy to look fabulous and ed hardy swimwear stylish. Now, an expectant ed hardy sale mother has many styles of chic ed hardy glasses maternity clothing that allows cheap ed hardy her to show off her baby bump Christian audigier while looking spectacular.

Android Game Development said...

Very nice post. I just stumbled upon your weblog and wanted to say that I have truly enjoyed surfing around your blog posts. After all I will be subscribing to your rss feed and I hope you write again very soon!