
Apache – mod_security – web application firewall

By Dale Reagan | November 24, 2008

ModSecurity is a web application firewall (WAF) for the Apache server.

I’m a big fan** of this Open Source solution. Once you install the module, you can use it to:

You can also use it to simply monitor your web traffic at a more detailed level.

Recent log examples (2008)

Note that these are partial log messages which give some idea of how the abuser is connecting to the web server as well as how mod_security is matching (screening/denying) the request. AAA.BBB.CCC.DDD is the IP address of the abuser. SOME_DOMAIN may or may not be involved in the attack. PATTERN_MATCH is where I deleted some text. I also deleted the random text used by attackers (the ‘GET’ lines). The first two show where root-kit attacks were deflected, the third shows a generic buffer overflow attack (SQL attack) and the last simply shows that a specific IP address has been denied access.


==75e22d7c==============================

mod_security-message: Access denied with code 412. Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI

[id "390144"][rev "1"] [msg "Rootkit attack: Generic Attempt to install rootkit"] [severity "CRITICAL"]


==62693732==============================

mod_security-message: Access denied with code 412. Pattern match "=(http|www|--PATTERN_MATCH" at REQUEST_URI

[id "390144"][rev "1"] [msg "Rootkit attack: Generic Attempt to install rootkit"] [severity "CRITICAL"]


==088a7022==============================

mod_security-message: Access denied with code 403. Pattern match "(chr|fwrite|fopen|system|--PATTERN_MATCH" at THE_REQUEST

[id "330001"][rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"]


==967f3171==============================

mod_security-message: Access denied with code 412. Pattern match "AAA\\.BBB\\.CCC\\.DDD" at REMOTE_ADDR [severity "EMERGENCY"]
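The messages above are what you have to work with when deciding whether a rule is firing on real abuse or on legitimate traffic, so it pays to pull them apart into fields (status code, pattern, variable, rule id, message, severity) and count them. The script below is an added example for this post, not code from the post or from the mod_security project; the sample log is constructed from the four entries shown above, with the author's placeholders kept, and the entry-header and field formats are assumed to follow the shape visible in those entries.

```python
import re
from collections import Counter

# Constructed sample, copied in shape from the four entries shown in the post.
# AAA.BBB.CCC.DDD and PATTERN_MATCH are the author's placeholders, not real data.
SAMPLE_LOG = r'''
==75e22d7c==============================
mod_security-message: Access denied with code 412. Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI
[id "390144"][rev "1"] [msg "Rootkit attack: Generic Attempt to install rootkit"] [severity "CRITICAL"]
==62693732==============================
mod_security-message: Access denied with code 412. Pattern match "=(http|www|--PATTERN_MATCH" at REQUEST_URI
[id "390144"][rev "1"] [msg "Rootkit attack: Generic Attempt to install rootkit"] [severity "CRITICAL"]
==088a7022==============================
mod_security-message: Access denied with code 403. Pattern match "(chr|fwrite|fopen|system|--PATTERN_MATCH" at THE_REQUEST
[id "330001"][rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"]
==967f3171==============================
mod_security-message: Access denied with code 412. Pattern match "AAA\\.BBB\\.CCC\\.DDD" at REMOTE_ADDR [severity "EMERGENCY"]
'''

# Entry boundary: "==<8 hex chars>====...". Assumed from the entries shown in the post.
ENTRY_SPLIT = re.compile(r'^==([0-9a-f]{8})=+[ \t]*$', re.M)
# Core message: status code, the regex that matched, and the variable it matched in.
MSG_RE = re.compile(
    r'mod_security-message:\s*Access denied with code (\d+)\.\s*'
    r'Pattern match "(.*?)" at ([A-Z_]+)')
# Optional bracketed metadata; absent for rules that carry no id/msg (the IP ban above).
TAG_RE = re.compile(r'\[(id|rev|msg|severity) "([^"]*)"\]')


def parse_entries(text):
    """Turn the audit text into one dict per entry; lines of one entry are joined first."""
    parts = ENTRY_SPLIT.split(text)  # [preamble, id1, body1, id2, body2, ...]
    records = []
    for i in range(1, len(parts) - 1, 2):
        entry_id, body = parts[i], ' '.join(parts[i + 1].split())
        m = MSG_RE.search(body)
        if not m:
            continue  # not a denial message; ignore for this summary
        rec = {'entry': entry_id, 'status': int(m.group(1)),
               'pattern': m.group(2), 'variable': m.group(3),
               'id': None, 'rev': None, 'msg': None, 'severity': None}
        for key, value in TAG_RE.findall(body):
            rec[key] = value
        records.append(rec)
    return records


def rule_counts(records):
    """How often each rule id fired; entries without an id are local (un-numbered) rules."""
    return Counter(r['id'] or 'local-rule' for r in records)


def severity_counts(records):
    return Counter(r['severity'] or 'unknown' for r in records)


def variable_counts(records):
    """Which request location the matches came from (REQUEST_URI, THE_REQUEST, ...)."""
    return Counter(r['variable'] for r in records)


if __name__ == '__main__':
    recs = parse_entries(SAMPLE_LOG)
    for r in recs:
        print(f"{r['entry']} {r['status']} {r['variable']:12} id={r['id']} "
              f"severity={r['severity']} msg={r['msg']}")
    print('by rule:', dict(rule_counts(recs)))
    print('by severity:', dict(severity_counts(recs)))
    print('by variable:', dict(variable_counts(recs)))
```

Run it against the real audit log by reading the file into `parse_entries` instead of `SAMPLE_LOG`; a rule id that dominates the counts is the first candidate to inspect for false positives before you trust it in `deny` mode.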


ModSecurity ships with default rule sets (pattern sets) which you need to review before relying on them.

Working with your ISP

Your ISP should be supporting tools like mod_security; in some cases your ISP may already be implementing rules/filters. Since the Internet is essentially available to everyone, ISPs may not be willing to make network-level changes (i.e. using their network firewalls to block traffic). Build your case if you find excessive abuse from specific domains/IP address ranges; it would not make good business sense for an ISP to ignore such issues, especially if more than one customer indicates that network abuse is a concern. It was only a few years ago that servers and PCs were being delivered to customers in a wide-open, anything-goes configuration, and now new OS releases typically start out with a more secure, less open base. I expect web-site-owner demands to drive similar changes in the web hosting industry; until then, lead the way and install, configure and use tools like mod_security.

Some Sample Rules/Filters (entered either in httpd.conf or in .htaccess)

Note – these are samples/examples which may or may NOT be appropriate for use on your server(s).

### enable mod_security
SecFilterEngine On
### increase or decrease the amount of debug information (0 = none)
SecFilterDebugLevel 0
### require valid URL encoding
SecFilterCheckURLEncoding On
### accept only tab, newline and printable ASCII (byte values 9 through 126)
SecFilterForceByteRange 9 126
### scan request bodies; without this the POST_PAYLOAD rule below never sees any data
SecFilterScanPOST On
### only log suspicious requests
SecAuditEngine RelevantOnly
### also log any request that produced an unusual (5xx) status
SecAuditLogRelevantStatus ^5

### default action for any rule match (deny request and log the attempt)
SecFilterDefaultAction "deny,log,status:412"

### simple rules: a) set filter, b) look for pattern, c) take default action (reject)
### SecFilter PATTERN [ACTION]
### reject any request containing the text 'via gra' anywhere
SecFilter "via gra"
### reject any posted data containing the text 'mortgage' or 'some_special_word'
SecFilterSelective "POST_PAYLOAD" "(mortgage|some_special_word)"
### reject any connection attempt from the IP address AA.BB.CC.DD
### (the dots are escaped so they match a literal '.' rather than any character)
SecFilterSelective "REMOTE_ADDR" "^AA\.BB\.CC\.DD$"
### reject any request whose Referer URL contains the text 'mortgage' or 'texasholdem'
SecFilterSelective "HTTP_REFERER" "(mortgage|texasholdem)"
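Before putting filters like these in front of live traffic it is worth checking offline which sample requests they would reject, and in particular how the two rule forms differ: SecFilter inspects every location, SecFilterSelective only the named variable. The script below is an added example written for this post, not code from the post or from the mod_security project. It is a toy evaluator that applies the post's four patterns to constructed requests with Python's `re`; the rule table, the request dictionaries, the IP address 203.0.113.9 (a documentation-range stand-in for the post's AA.BB.CC.DD placeholder) and the `first_match`/`decide`/`ip_rule_matches` names are all assumptions of the example, and plain `re.search` is a simplification, not a statement about how mod_security's own engine matches. It also shows why the dots in an IP-address rule need escaping.

```python
import re

# Toy rule table mirroring the post's sample filters.
# variable None stands for SecFilter (inspect every location);
# a named variable stands for SecFilterSelective on that variable only.
# 203.0.113.9 is a constructed stand-in for the post's AA.BB.CC.DD placeholder.
RULES = [
    (None, r"via gra"),
    ("POST_PAYLOAD", r"(mortgage|some_special_word)"),
    ("REMOTE_ADDR", r"^203\.0\.113\.9$"),
    ("HTTP_REFERER", r"(mortgage|texasholdem)"),
]
DEFAULT_ACTION = "deny,log,status:412"


def first_match(request, rules=RULES):
    """Return (variable, pattern) of the first rule that fires, or None.

    `request` maps mod_security variable names (REMOTE_ADDR, REQUEST_URI,
    HTTP_REFERER, POST_PAYLOAD, ...) to their string values.
    Plain case-sensitive re.search is a simplification of this toy, not a
    description of mod_security's matching engine.
    """
    for variable, pattern in rules:
        if variable is None:
            candidates = list(request.values())          # SecFilter: look everywhere
        else:
            candidates = [request.get(variable, "")]     # SecFilterSelective: one place
        if any(re.search(pattern, value) for value in candidates):
            return (variable, pattern)
    return None


def decide(request, rules=RULES, default_action=DEFAULT_ACTION):
    """Apply the default action on the first match, otherwise let the request through."""
    return default_action if first_match(request, rules) else "allow"


def ip_rule_matches(pattern, addr):
    """Check a REMOTE_ADDR pattern against one address string."""
    return re.search(pattern, addr) is not None


# Constructed sample requests (documentation-range addresses, no real traffic).
CLEAN = {"REMOTE_ADDR": "198.51.100.7", "REQUEST_URI": "/index.html",
         "HTTP_REFERER": "", "POST_PAYLOAD": ""}
SPAM_REFERER = dict(CLEAN, HTTP_REFERER="http://example.com/texasholdem/")
SPAM_ANYWHERE = dict(CLEAN, REQUEST_URI="/buy?via gra")
BLOCKED_IP = dict(CLEAN, REMOTE_ADDR="203.0.113.9")

if __name__ == "__main__":
    for name, req in [("clean", CLEAN), ("spam referer", SPAM_REFERER),
                      ("spam anywhere", SPAM_ANYWHERE), ("blocked ip", BLOCKED_IP)]:
        print(f"{name:14} -> {decide(req):22} matched={first_match(req)}")
    # Unescaped dots match any character, so the loose pattern also matches
    # an address that is not the one intended; the escaped form does not.
    print("loose  ^203.0.113.9$  vs 203x0y113z9 :", ip_rule_matches(r"^203.0.113.9$", "203x0y113z9"))
    print("strict ^203\\.0\\.113\\.9$ vs 203x0y113z9 :", ip_rule_matches(r"^203\.0\.113\.9$", "203x0y113z9"))
```

The evaluator stops at the first hit, which is also the order that matters when you read the audit log: the rule id you see is the first one that fired, not necessarily the only one that would have.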

** For detailed information and documentation, visit the mod_security web site of Breach Security, the maintainers of the Apache module mod_security. As my schedule allows, I am available if you need an external consultant to assist with implementing this type of effort.
