ModSecurity 2.5 : securing your Apache installation and web applications / Magnus Mischel.

Format:
Book
Author/Creator:
Mischel, Magnus.
Series:
From technologies to solutions
Language:
English
Subjects (All):
Apache (Computer file : Apache Group).
Firewalls (Computer security).
Physical Description:
1 online resource (280 p.)
Edition:
1st edition
Place of Publication:
Birmingham, U.K. : Packt Pub., 2009.
Language Note:
English
System Details:
text file
Summary:
Prevent web application hacking with this easy-to-use guide.
Secure your system by knowing exactly how a hacker would break into it.
Covers writing rules in depth and ModSecurity rule language elements such as variables, actions, and request phases.
Covers the common attacks in use on the Web, and ways to find the geographical location of an attacker and send alert emails when attacks are discovered.
Packed with many real-life examples for better understanding.

In Detail

With more than 67% of web servers running Apache and web-based attacks becoming more and more prevalent, web security has become a critical area for web site managers. Most existing tools work on the TCP/IP level, failing to use the specifics of the HTTP protocol in their operation. ModSecurity is a module running on Apache which will help you overcome the security threats prevalent in the online world. A complete guide to using ModSecurity, this book will show you how to secure your web application and server, and does so by using real-world examples of attacks currently in use. It will help you learn about SQL injection, cross-site scripting attacks, cross-site request forgeries, null byte attacks, and many more so that you know how attackers operate. Using clear, step-by-step instructions, this book starts by teaching you how to install and set up ModSecurity, before diving into the rule language with examples. It assumes no prior knowledge of ModSecurity, so as long as you are familiar with basic Linux administration, you can start to learn right away. Real-life case studies are used to illustrate the dangers on the Web today: you will, for example, learn how the recent worm that hit Twitter works, and how you could have used ModSecurity to stop it in its tracks. The mechanisms behind these and other attacks are described in detail, and you will learn everything you need to know to make sure your server and web application remain unscathed on the increasingly dangerous web.

Have you ever wondered how attackers figure out the exact web server version running on a system? They use a technique called HTTP fingerprinting, and you will learn about this in depth and how to defend against it by flying your web server under a "false flag". The last part of the book shows you how to really lock down a web application by implementing a positive security model that only allows through requests that conform to a specific, pre-approved model, and denying anything that is even the slightes...
Contents:
Intro
ModSecurity 2.5
Table of Contents
Credits
About the Author
About the Reviewers
Preface
What ModSecurity is
Why you need ModSecurity
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Installation and Configuration
Versions
Downloading
Checking the integrity of the downloaded source archive
Unpacking the source code
Required additional libraries and files
Compilation
Integrating ModSecurity with Apache
Configuration file
Completing the configuration
Testing your installation
Creating a simple ModSecurity rule
Disguising the web server signature
Summary
2. Writing Rules
SecRule syntax
Variables and collections
The transaction collection
Storing data between requests
Examining several variables
Quotes: Sometimes you need them and sometimes you don't
Creating chained rules
Rule IDs
An introduction to regular expressions
Examples of regular expressions
More about regular expressions
Using @rx to block a remote host
Simple string matching
Matching numbers
More about collections
Counting items in collections
Filtering collection fields using a regular expression
Built-in fields
Transformation functions
Other operators
Set-based pattern matching with @pm and @pmFromFile
@pmFromFile
Performance of the phrase matching operators
Validating character ranges
Phases and rule ordering
Actions: what to do when a rule matches
Allowing requests
Blocking requests
Taking no action but continuing rule processing
Dropping requests
Redirecting and proxying requests
SecAction
Using the ctl action to control the rule engine
How to use the ctl action
Macro expansion
SecRule in practice
Blocking uncommon request methods
Restricting access to certain times of day
Detecting credit card leaks
Detecting credit card numbers
The Luhn algorithm and false positives
Tracking the geographical location of your visitors
GEO collection fields
Blocking users from specific countries
Load balancing requests between servers on different continents
Pausing requests for a specified amount of time
Executing shell scripts
Sending alert emails
Sending more detailed alert emails
Counting file downloads
Blocking brute-force password guessing
Injecting data into responses
Inspecting uploaded files
3. Performance
A typical HTTP request
A real-world performance test
The core ruleset
Installing the core ruleset
Making sure it works
Performance testing basics
Using httperf
Getting a baseline: Testing without ModSecurity
Response time
Memory usage
CPU usage
ModSecurity without any loaded rules
ModSecurity with the core ruleset loaded
Finding the bottleneck
Wrapping up core ruleset performance
Optimizing performance
Memory consumption
Bypassing inspection of static content
Using @pm and @pmFromFile
Logging
Writing regular expressions for best performance
Use non-capturing parentheses wherever possible
Use one regular expression whenever possible
4. Audit Logging
Enabling the audit log engine
Single versus multiple file logging
Determining what to log
The configuration so far
Log format
Concurrent logging
Selectively disabling logging
Audit log sanitization actions
The ModSecurity Console
Installing the ModSecurity Console
Accessing the Console
Compiling mlogc
Configuring mlogc
Forwarding logs to the ModSecurity Console
5. Virtual Patching
Why use virtual patching?
Speed
Stability
Flexibility
Cost-effectiveness
Creating a virtual patch
From vulnerability discovery to virtual patch: An example
Creating the patch
Changing the web application for additional security
Testing your patches
Real-life examples
Geeklog
Patching Geeklog
Cross-site scripting
Real-life example: The Twitter worm
6. Blocking Common Attacks
HTTP fingerprinting
How HTTP fingerprinting works
Server banner
Response header
HTTP protocol responses
Issuing an HTTP DELETE request
Bad HTTP version numbers
Bad protocol name
The ETag HTTP header
Using ModSecurity to defeat HTTP fingerprinting
Blocking proxied requests
Preventing XSS attacks
PDF XSS protection
HttpOnly cookies to prevent XSS attacks
Session identifiers
Cross-site request forgeries
Protecting against cross-site request forgeries
Shell command execution attempts
Null byte attacks
ModSecurity and null bytes
Source code revelation
Directory traversal attacks
Blog spam
SQL injection
Standard injection attempts
Retrieving data from multiple tables with UNION
Multiple queries in one call
Reading arbitrary files
Writing data to files
Preventing SQL injection attacks
What to block
Website defacement
Brute force attacks
Directory indexing
Detecting the real IP address of an attacker
7. Chroot Jails
What is a chroot jail?
A sample attack
Traditional chrooting
How ModSecurity helps jailing Apache
Using ModSecurity to create a chroot jail
Verifying that the jail works
Chroot caveats
8. REMO
More about Remo
Installation
Remo rules
Creating and editing rules
Installing the rules
Analyzing log files
Configuration tweaks
9. Protecting a Web Application
Considerations before beginning
The web application
Groundwork
Step 1: Identifying user actions
Step 2: Getting detailed information on each action
Step 3: Writing rules
Step 4: Testing the new ruleset
Actions
Blocking what's allowed, denying everything else
Cookies
Headers
Securing the "Start New Topic" action
The ruleset so far
The finished ruleset
Alternative approaches
Keeping everything up to date
A. Directives and Variables
Directives
SecArgumentSeparator
SecAuditEngine
SecAuditLog
SecAuditLog2
SecAuditLogParts
SecAuditLogRelevantStatus
SecAuditLogStorageDir
SecAuditLogType
SecCacheTransformations (deprecated/experimental)
SecChrootDir
SecComponentSignature
SecContentInjection
SecCookieFormat
SecDataDir
SecDebugLog
SecDebugLogLevel
SecDefaultAction
SecGeoLookupDb
SecGuardianLog
SecMarker
SecPdfProtect
SecPdfProtectMethod
SecPdfProtectSecret
SecPdfProtectTimeout
SecPdfProtectTokenName
SecRequestBodyAccess
SecRequestBodyLimit
SecRequestBodyNoFilesLimit
SecRequestBodyInMemoryLimit
SecResponseBodyLimit
SecResponseBodyLimitAction
SecResponseBodyMimeType
SecResponseBodyMimeTypesClear
SecResponseBodyAccess
SecRule
SecRuleInheritance
SecRuleEngine
SecRuleRemoveById
SecRuleRemoveByMsg
SecRuleUpdateActionById
SecServerSignature
SecTmpDir
SecUploadDir
SecUploadFileMode
SecUploadKeepFiles
SecWebAppId
Variables
ARGS
ARGS_COMBINED_SIZE
ARGS_NAMES
ARGS_GET
ARGS_GET_NAMES
ARGS_POST
ARGS_POST_NAMES
AUTH_TYPE
ENV
FILES
FILES_COMBINED_SIZE
FILES_NAMES
FILES_SIZES
FILES_TMPNAMES
GEO
HIGHEST_SEVERITY
MATCHED_VAR
MATCHED_VAR_NAME
MODSEC_BUILD
MULTIPART_CRLF_LF_LINES
MULTIPART_STRICT_ERROR
MULTIPART_UNMATCHED_BOUNDARY
PATH_INFO
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_PORT
REMOTE_USER
REQBODY_PROCESSOR
REQBODY_PROCESSOR_ERROR
REQBODY_PROCESSOR_ERROR_MSG
REQUEST_BASENAME
REQUEST_BODY
REQUEST_COOKIES
REQUEST_COOKIES_NAMES
REQUEST_FILENAME
REQUEST_HEADERS
REQUEST_HEADERS_NAMES
REQUEST_LINE
REQUEST_METHOD
REQUEST_PROTOCOL
REQUEST_URI
REQUEST_URI_RAW
RESPONSE_BODY
RESPONSE_CONTENT_LENGTH
RESPONSE_CONTENT_TYPE
RESPONSE_HEADERS
RESPONSE_HEADERS_NAMES
RESPONSE_PROTOCOL
RESPONSE_STATUS
RULE
SCRIPT_BASENAME
SCRIPT_FILENAME
SCRIPT_GID
SCRIPT_GROUPNAME
SCRIPT_MODE
SCRIPT_UID
SCRIPT_USERNAME
SERVER_ADDR
SERVER_NAME
SERVER_PORT
SESSION
SESSIONID
TIME
TIME_DAY
TIME_EPOCH
TIME_HOUR
TIME_MIN
TIME_MON
TIME_SEC
TIME_WDAY
TIME_YEAR
TX
USERID
WEBAPPID
WEBSERVER_ERROR_LOG
XML
B. Regular Expressions
What is a regular expression?
Regular expression flavors
Example of a regular expression
Identifying an email address
The Dot character
Quantifiers: star, plus, and question mark
Question Mark
Star
Plus sign
Grouping
Ranges
Alternation
Backreferences
Captures and ModSecurity
Non-capturing parentheses
Character classes
Negated matching
Shorthand notation
Anchors
Start and end of string
Word Boundary
Lazy quantifiers
Debugging regular expressions
Additional resources
Our email address regex
Index
Notes:
"Prevent Web application hacking with this easy-to-use guide."
Includes index.
ISBN:
9786612397288
9781282397286
1282397281
9781847194756
1847194753
OCLC:
698588021
