ModSecurity 2.5

ModSecurity 2.5

by Magnus Mischel
Released November 2009
Publisher(s): Packt Publishing
ISBN: 9781847194749

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Prevent web application hacking with this easy to use guide

  • Secure your system by knowing exactly how a hacker would break into it

  • Covers writing rules in-depth and Modsecurity rule language elements such as variables, actions, and request phases

  • Covers the common attacks in use on the Web, and ways to find the geographical location of an attacker and send alert emails when attacks are discovered

  • Packed with many real-life examples for better understanding

    • In Detail

    With more than 67% of web servers running Apache and web-based attacks becoming more and more prevalent, web security has become a critical area for web site managers. Most existing tools work on the TCP/IP level, failing to use the specifics of the HTTP protocol in their operation. Mod_security is a module running on Apache, which will help you overcome the security threats prevalent in the online world.

    A complete guide to using ModSecurity, this book will show you how to secure your web application and server, and does so by using real-world examples of attacks currently in use. It will help you learn about SQL injection, cross-site scripting attacks, cross-site request forgeries, null byte attacks, and many more so that you know how attackers operate. Using clear, step-by-step instructions this book starts by teaching you how to install and set up ModSecurity, before diving into the rule language with examples. It assumes no prior knowledge of ModSecurity, so as long as you are familiar with basic Linux administration, you can start to learn right away.

    Real-life case studies are used to illustrate the dangers on the Web today – you will for example learn how the recent worm that hit Twitter works, and how you could have used ModSecurity to stop it in its tracks. The mechanisms behind these and other attacks are described in detail, and you will learn everything you need to know to make sure your server and web application remain unscathed on the increasingly dangerous web. Have you ever wondered how attackers figure out the exact web server version running on a system? They use a technique called HTTP fingerprinting, and you will learn about this in depth and how to defend against it by flying your web server under a ""false flag"".

    The last part of the book shows you how to really lock down a web application by implementing a positive security model that only allows through requests that conform to a specific, pre-approved model, and denying anything that is even the slightest bit out of line.

    Table of contents

    1. ModSecurity 2.5
    2. Credits
    3. About the Author
    4. About the Reviewers
    5. Preface
      1. What ModSecurity is
      2. Why you need ModSecurity
      3. What this book covers
      4. What you need for this book
      5. Who this book is for
      6. Conventions
      7. Reader feedback
      8. Customer support
        1. Errata
        2. Piracy
        3. Questions
    6. 1. Installation and Configuration
      1. Versions
      2. Downloading
        1. Checking the integrity of the downloaded source archive
      3. Unpacking the source code
      4. Required additional libraries and files
      5. Compilation
      6. Integrating ModSecurity with Apache
      7. Configuration file
        1. Completing the configuration
      8. Testing your installation
        1. Creating a simple ModSecurity rule
        2. Disguising the web server signature
      9. Summary
    7. 2. Writing Rules
      1. SecRule syntax
        1. Variables and collections
        2. The transaction collection
        3. Storing data between requests
        4. Examining several variables
        5. Quotes: Sometimes you need them and sometimes you don't
      2. Creating chained rules
      3. Rule IDs
      4. An introduction to regular expressions
        1. Examples of regular expressions
        2. More about regular expressions
        3. Using @rx to block a remote host
      5. Simple string matching
      6. Matching numbers
      7. More about collections
        1. Counting items in collections
        2. Filtering collection fields using a regular expression
        3. Built-in fields
      8. Transformation functions
      9. Other operators
        1. Set-based pattern matching with @pm and @pmFromFile
          1. @pmFromFile
          2. Performance of the phrase matching operators
        2. Validating character ranges
      10. Phases and rule ordering
      11. Actions—what to do when a rule matches
        1. Allowing requests
        2. Blocking requests
        3. Taking no action but continuing rule processing
        4. Dropping requests
        5. Redirecting and proxying requests
      12. SecAction
      13. Using the ctl action to control the rule engine
        1. How to use the ctl action
      14. Macro expansion
      15. SecRule in practice
        1. Blocking uncommon request methods
        2. Restricting access to certain times of day
        3. Detecting credit card leaks
          1. Detecting credit card numbers
          2. The Luhn algorithm and false positives
        4. Tracking the geographical location of your visitors
          1. GEO collection fields
          2. Blocking users from specific countries
          3. Load balancing requests between servers on different continents
        5. Pausing requests for a specified amount of time
      16. Executing shell scripts
        1. Sending alert emails
        2. Sending more detailed alert emails
        3. Counting file downloads
        4. Blocking brute-force password guessing
      17. Injecting data into responses
      18. Inspecting uploaded files
        1. Summary
    8. 3. Performance
      1. A typical HTTP request
      2. A real-world performance test
        1. The core ruleset
        2. Installing the core ruleset
        3. Making sure it works
        4. Performance testing basics
          1. Using httperf
        5. Getting a baseline: Testing without ModSecurity
          1. Response time
          2. Memory usage
          3. CPU usage
        6. ModSecurity without any loaded rules
        7. ModSecurity with the core ruleset loaded
          1. Response time
          2. Memory usage
          3. Finding the bottleneck
          4. Wrapping up core ruleset performance
      3. Optimizing performance
        1. Memory consumption
        2. Bypassing inspection of static content
        3. Using @pm and @pmFromFile
        4. Logging
        5. Writing regular expressions for best performance
          1. Use non-capturing parentheses wherever possible
          2. Use one regular expression whenever possible
      4. Summary
    9. 4. Audit Logging
      1. Enabling the audit log engine
        1. Single versus multiple file logging
      2. Determining what to log
      3. The configuration so far
      4. Log format
      5. Concurrent logging
      6. Selectively disabling logging
      7. Audit log sanitization actions
      8. The ModSecurity Console
        1. Installing the ModSecurity Console
        2. Accessing the Console
        3. Compiling mlogc
        4. Configuring mlogc
        5. Forwarding logs to the ModSecurity Console
      9. Summary
    10. 5. Virtual Patching
      1. Why use virtual patching?
        1. Speed
        2. Stability
        3. Flexibility
        4. Cost-effectiveness
      2. Creating a virtual patch
      3. From vulnerability discovery to virtual patch: An example
        1. Creating the patch
        2. Changing the web application for additional security
      4. Testing your patches
      5. Real-life examples
        1. Geeklog
          1. Patching Geeklog
        2. Cross-site scripting
          1. Real-life example: The Twitter worm
      6. Summary
    11. 6. Blocking Common Attacks
      1. HTTP fingerprinting
        1. How HTTP fingerprinting works
          1. Server banner
          2. Response header
          3. HTTP protocol responses
            1. Issuing an HTTP DELETE request
            2. Bad HTTP version numbers
            3. Bad protocol name
            4. The ETag HTTP header
        2. Using ModSecurity to defeat HTTP fingerprinting
      2. Blocking proxied requests
      3. Cross-site scripting
        1. Preventing XSS attacks
        2. PDF XSS protection
          1. HttpOnly cookies to prevent XSS attacks
            1. Session identifiers
      4. Cross-site request forgeries
        1. Protecting against cross-site request forgeries
      5. Shell command execution attempts
      6. Null byte attacks
        1. ModSecurity and null bytes
      7. Source code revelation
      8. Directory traversal attacks
      9. Blog spam
      10. SQL injection
        1. Standard injection attempts
          1. Retrieving data from multiple tables with UNION
          2. Multiple queries in one call
          3. Reading arbitrary files
          4. Writing data to files
        2. Preventing SQL injection attacks
          1. What to block
      11. Website defacement
      12. Brute force attacks
      13. Directory indexing
      14. Detecting the real IP address of an attacker
      15. Summary
    12. 7. Chroot Jails
      1. What is a chroot jail?
      2. A sample attack
      3. Traditional chrooting
      4. How ModSecurity helps jailing Apache
      5. Using ModSecurity to create a chroot jail
      6. Verifying that the jail works
      7. Chroot caveats
      8. Summary
    13. 8. REMO
      1. More about Remo
      2. Installation
      3. Remo rules
        1. Creating and editing rules
        2. Installing the rules
      4. Analyzing log files
      5. Configuration tweaks
      6. Summary
    14. 9. Protecting a Web Application
      1. Considerations before beginning
      2. The web application
      3. Groundwork
      4. Step 1: Identifying user actions
      5. Step 2: Getting detailed information on each action
      6. Step 3: Writing rules
      7. Step 4: Testing the new ruleset
      8. Actions
      9. Blocking what's allowed—denying everything else
      10. Cookies
      11. Headers
      12. Securing the "Start New Topic" action
      13. The ruleset so far
      14. The finished ruleset
      15. Alternative approaches
      16. Keeping everything up to date
      17. Summary
    15. A. Directives and Variables
      1. Directives
        1. SecAction
        2. SecArgumentSeparator
        3. SecAuditEngine
        4. SecAuditLog
        5. SecAuditLog2
        6. SecAuditLogParts
        7. SecAuditLogRelevantStatus
        8. SecAuditLogStorageDir
        9. SecAuditLogType
        10. SecCacheTransformations (deprecated/experimental)
        11. SecChrootDir
        12. SecComponentSignature
        13. SecContentInjection
        14. SecCookieFormat
        15. SecDataDir
        16. SecDebugLog
        17. SecDebugLogLevel
        18. SecDefaultAction
        19. SecGeoLookupDb
        20. SecGuardianLog
        21. SecMarker
        22. SecPdfProtect
        23. SecPdfProtectMethod
        24. SecPdfProtectSecret
        25. SecPdfProtectTimeout
        26. SecPdfProtectTokenName
        27. SeqRequestBodyAccess
        28. SecRequestBodyLimit
        29. SecRequestBodyNoFilesLimit
        30. SecRequestBodyInMemoryLimit
        31. SecResponseBodyLimit
        32. SecResponseBodyLimitAction
        33. SecResponseBodyMimeType
        34. SecResponseBodyMimeTypesClear
        35. SecResponseBodyAccess
        36. SecRule
        37. SecRuleInheritance
        38. SecRuleEngine
        39. SecRuleRemoveById
        40. SecRuleRemoveByMsg
        41. SecRuleUpdateActionById
        42. SecServerSignature
        43. SecTmpDir
        44. SecUploadDir
        45. SecUploadFileMode
        46. SecUploadKeepFiles
        47. SecWebAppId
      2. Variables
        1. ARGS
        2. ARGS_COMBINED_SIZE
        3. ARGS_NAMES
        4. ARGS_GET
        5. ARGS_GET_NAMES
        6. ARGS_POST
        7. ARGS_POST_NAMES
        8. AUTH_TYPE
        9. ENV
        10. FILES
        11. FILES_COMBINED_SIZE
        12. FILES_NAMES
        13. FILES_SIZES
        14. FILES_TMPNAMES
        15. GEO
        16. HIGHEST_SEVERITY
        17. MATCHED_VAR
        18. MATCHED_VAR_NAME
        19. MODSEC_BUILD
        20. MULTIPART_CRLF_LF_LINES
        21. MULTIPART_STRICT_ERROR
        22. MULTIPART_UNMATCHED_BOUNDARY
        23. PATH_INFO
        24. QUERY_STRING
        25. REMOTE_ADDR
        26. REMOTE_HOST
        27. REMOTE_PORT
        28. REMOTE_USER
        29. REQBODY_PROCESSOR
        30. REQBODY_PROCESSOR_ERROR
        31. REQBODY_PROCESSOR_ERROR_MSG
        32. REQUEST_BASENAME
        33. REQUEST_BODY
        34. REQUEST_COOKIES
        35. REQUEST_COOKIES_NAMES
        36. REQUEST_FILENAME
        37. REQUEST_HEADERS
        38. REQUEST_HEADERS_NAMES
        39. REQUEST_LINE
        40. REQUEST_METHOD
        41. REQUEST_PROTOCOL
        42. REQUEST_URI
        43. REQUEST_URI_RAW
        44. RESPONSE_BODY
        45. RESPONSE_CONTENT_LENGTH
        46. RESPONSE_CONTENT_TYPE
        47. RESPONSE_HEADERS
        48. RESPONSE_HEADERS_NAMES
        49. RESPONSE_PROTOCOL
        50. RESPONSE_STATUS
        51. RULE
        52. SCRIPT_BASENAME
        53. SCRIPT_FILENAME
        54. SCRIPT_GID
        55. SCRIPT_GROUPNAME
        56. SCRIPT_MODE
        57. SCRIPT_UID
        58. SCRIPT_USERNAME
        59. SERVER_ADDR
        60. SERVER_NAME
        61. SERVER_PORT
        62. SESSION
        63. SESSIONID
        64. TIME
        65. TIME_DAY
        66. TIME_EPOCH
        67. TIME_HOUR
        68. TIME_MIN
        69. TIME_MON
        70. TIME_SEC
        71. TIME_WDAY
        72. TIME_YEAR
        73. TX
        74. USERID
        75. WEBAPPID
        76. WEBSERVER_ERROR_LOG
        77. XML
    16. B. Regular Expressions
      1. What is a regular expression?
      2. Regular expression flavors
      3. Example of a regular expression
        1. Identifying an email address
      4. The Dot character
      5. Quantifiers—star, plus, and question mark
        1. Question Mark
        2. Star
        3. Plus sign
        4. Grouping
        5. Ranges
      6. Alternation
      7. Backreferences
        1. Captures and ModSecurity
      8. Non-capturing parentheses
      9. Character classes
        1. Negated matching
        2. Shorthand notation
      10. Anchors
        1. Start and end of string
        2. Word Boundary
      11. Lazy quantifiers
      12. Debugging regular expressions
      13. Additional resources
      14. Our email address regex
      15. Summary

    Product information

    • Title: ModSecurity 2.5
    • Author(s): Magnus Mischel
    • Release date: November 2009
    • Publisher(s): Packt Publishing
    • ISBN: 9781847194749