Krillz.com

A coder’s steps revealed

In this post I’ll be covering ModSecurity: what it is and what you can do with it.
When it comes to security it’s a must-have! If you haven’t heard of it or don’t use it yet, then I have to tell you that you have probably missed out on something amazing!
Security-wise, that is…

The question “What is ModSecurity?” is the natural first question for somebody who hasn’t heard of it before.
Without going into details, ModSecurity is an Apache module that works like a firewall, in this case a web application firewall, which analyzes client requests before Apache itself processes them.
It constantly looks for malicious content; when it finds some, ModSecurity rejects the request and performs whichever of its built-in actions the matching rule specifies.
This adds a valuable extra layer of protection to the web server, since it shields the applications behind it from attacks.

Now let’s take a closer look at how it works, so you can get better insight into how truly awesome this mod is!

[Illustration: how ModSecurity works]

So the request is sent to the server, but before it reaches Apache, ModSecurity parses and analyzes it.

It then performs a series of transformations to change the input into a form suited for analysis. This is a very good step, as it helps prevent various attacks such as null byte attacks, multiple slash characters and self-referring directories, to mention a few.

The next thing ModSecurity does is perform a number of built-in checks; to mention a few, it validates the URL encoding and the Unicode encoding.
You can even configure it to only allow certain byte values, to prevent shellcode from being injected.

The last step before the request reaches Apache is that it goes through a set of user-defined input filters, and whenever there is a match the user-defined action is performed.
Later in this article I’ll give examples of a couple of good rules you should, or could, use.

After these validations the request, depending on its nature, may have been logged and/or blocked, or it is simply passed on to Apache with no hassle, where it is handled as usual.

Now to the beauty of ModSecurity, which is of course the output validation.
The output goes through another set of user-defined filter rules, and if it matches one or more of the filters, a list of user-defined actions is carried out.
As in the input validation, the response can be blocked and/or logged here too, or simply sent back to the client that made the request.

This is in my opinion a very good step, to prevent things you do not want people to see from being shown.
Set up correctly, this last step can prevent unwanted information leaks!
Also, as mentioned, ModSecurity can be set up to log the whole request, including both input and output headers, or only the specific situations that triggered a reaction from the mod.
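As an added example (not code from the post or from ModSecurity itself), here is a small Python model of the pre-processing steps just described: URL-encoding validation, a forced byte range like the one in the configuration further down, and the slash and './' normalization, run over a few constructed request URIs. It models only those three steps; the real module's transformations are more extensive.

```python
import re
from urllib.parse import unquote_to_bytes


def check_url_encoding(raw: str) -> bool:
    """SecFilterCheckURLEncoding: every '%' must introduce exactly two hex digits."""
    return re.search(r"%(?![0-9A-Fa-f]{2})", raw) is None


def check_byte_range(data: bytes, lo: int = 1, hi: int = 255) -> bool:
    """SecFilterForceByteRange lo hi: every byte of the decoded input must lie in [lo, hi]."""
    return all(lo <= b <= hi for b in data)


def normalize_path(path: bytes) -> bytes:
    """The transformations the post lists: collapse repeated slashes and
    drop self-referring './' directory segments before the rules see the path."""
    path = re.sub(rb"/+", b"/", path)
    while b"/./" in path:
        path = path.replace(b"/./", b"/")
    return path


def preprocess(raw_uri: str, byte_range=(1, 255)):
    """Toy model of the request pipeline: validate the encoding, decode once,
    enforce the byte range, then normalize. Returns (accepted, reason, uri)."""
    if not check_url_encoding(raw_uri):
        return False, "invalid URL encoding", None
    decoded = unquote_to_bytes(raw_uri)
    if not check_byte_range(decoded, *byte_range):
        return False, "byte outside allowed range", None
    path, sep, query = decoded.partition(b"?")
    return True, "ok", normalize_path(path) + sep + query


if __name__ == "__main__":
    # Constructed sample request lines: one clean, one with a bad %-escape,
    # one smuggling a null byte (%00) that the byte range 1..255 rejects.
    for uri in ("/cgi-bin//./test.php?x=1",
                "/index.php?x=%zz",
                "/download.php?file=report%00.pdf"):
        print(uri, "->", preprocess(uri))
```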

So let’s take a look at what a basic ModSecurity configuration can look like.
You could put it in the Apache config file, but normally you have a separate config file for each Apache module, which is included from the main Apache configuration.

#modsec.conf

# Turn on ModSecurity
SecFilterEngine On

# Only log invalid requests for further analysis.
# The audit log records the complete requests.
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# Excessive logging can be turned on, for example while debugging.
# Warning: this will most likely slow down the server; here it's turned off.
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Scan request body
SecFilterScanPOST On
# Scan response body
SecFilterScanOutput On

# Check URL encoding
SecFilterCheckURLEncoding On

# Check Unicode encoding
SecFilterCheckUnicodeEncoding On

# Only allow specific byte values to be part of the request.
# This one is set to a rather standard value, nothing strict really.
SecFilterForceByteRange 1 255

# Normalizes the cookies sent and retrieved
SecFilterNormalizeCookies On

# By default deny the requests with status 406
SecFilterDefaultAction "deny,log,status:406"

# Here you can put your own ModSecurity rules;
# further down you'll find some examples.

Now that we have set up the basics, it’s time to add some custom rules, which is in my opinion what makes ModSecurity such a great security tool!
But remember that not everyone can use the same rules or configuration; depending on what you are running, you might need to allow some things that others don’t have to.

So remember to first sit down and look at what your web application needs in order to work correctly, as otherwise some of these rules, and even the ones in the config file above, can cause your application to stop working as it should.

With this in mind, here’s a list of some good rules I have gathered during the time I’ve been using ModSecurity.
At the end of this article I’ll add a link to a great package of rules that you should browse through; it contains some very useful rules worth having.

# A collection of rules I've come across during the period I've used this mod.

# Necessary to stop spammers doing mail injection into PHP mail forms
SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"

# Stop formmail from being hijacked and used for spam
SecFilterSelective "ARG_recipient" !@your-url\.org$

# Preventing information leaks
SecFilterSelective OUTPUT "Fatal error:"

# Detecting some intrusions and intrusion attempts
SecFilterSelective OUTPUT "Volume Serial Number"
SecFilterSelective OUTPUT "Command completed"
SecFilterSelective OUTPUT "Bad command or filename"
SecFilterSelective OUTPUT "file(s) copied"
SecFilterSelective OUTPUT "Index of /cgi-bin/"
SecFilterSelective OUTPUT ".*uid\=\("

# Identify missing/empty headers and variables
SecRule &REQUEST_HEADERS:Host "@eq 0" "skip:1,log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'"
SecRule REQUEST_HEADERS:Host "^$" "log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'"
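To show how the SecFilterSelective lines above behave, here is an added example (not from the post or from ModSecurity itself) that parses three of the rules into a toy Python matcher and runs constructed form posts and a response body through it with the default action from the config above. It assumes ModSecurity's unanchored regex search, maps the POSIX [[:space:]] class to Python's \s, and skips a named-argument rule when that argument is absent.

```python
import re
from collections import namedtuple

# Assumed default action, as set by SecFilterDefaultAction "deny,log,status:406" above.
DEFAULT_ACTION = ("deny", "log", 406)
Rule = namedtuple("Rule", "target pattern negate")


def parse_rule(line):
    """Parse a 1.x 'SecFilterSelective TARGET PATTERN' line; a leading '!' negates."""
    _, target, pattern = line.split(None, 2)
    pattern = pattern.strip().strip('"')
    return Rule(target.strip('"'), pattern.lstrip("!"), pattern.startswith("!"))


def rule_matches(rule, value):
    """Unanchored regex search like ModSecurity; POSIX [[:space:]] is mapped to \\s."""
    pat = rule.pattern.replace("[[:space:]]", r"\s")
    return (re.search(pat, value) is not None) != rule.negate


def target_values(target, args, output):
    """Pick the strings a target names (ARGS_VALUES, ARG_<name> or OUTPUT); an absent
    ARG_<name> yields nothing, so a negated rule cannot fire on a missing field (assumption)."""
    if target == "ARGS_VALUES":
        return list(args.values())
    if target == "OUTPUT":
        return [output]
    if target.startswith("ARG_") and target[4:] in args:
        return [args[target[4:]]]
    return []


def evaluate(rules, args, output=""):
    """First matching rule wins: returns (rule, DEFAULT_ACTION), or None if nothing hit."""
    for rule in rules:
        if any(rule_matches(rule, v) for v in target_values(rule.target, args, output)):
            return rule, DEFAULT_ACTION
    return None


# Three of the rules from the list above, as raw strings.
RULES = [parse_rule(line) for line in (
    r'SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"',
    r'SecFilterSelective "ARG_recipient" !@your-url\.org$',
    r'SecFilterSelective OUTPUT "Fatal error:"',
)]

if __name__ == "__main__":
    # Constructed sample traffic: a clean form post, a mail-header injection,
    # a hijacked recipient and a PHP error leaking into the response.
    print(evaluate(RULES, {"recipient": "info@your-url.org", "message": "hello"}))
    print(evaluate(RULES, {"message": "hi\nbcc: x@example.net"}))
    print(evaluate(RULES, {"recipient": "someone@example.net"}))
    print(evaluate(RULES, {}, "PHP Fatal error: Uncaught exception"))
```

Note that the SecFilterSelective lines use the ModSecurity 1.x syntax, while the two SecRule lines at the end of the list use the 2.x syntax; the model above handles only the former.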

To get more rules I strongly recommend that you download the rule package and read the ModSecurity documentation, to get a better understanding of how to use this great tool!

Download package of rules
Visit the site of ModSecurity

I’ll be releasing another article on ModSecurity, targeting how to write your own custom rules.
