Mod_Security 2.5

Need for a Webserver Security Module

It is pretty difficult to secure application software’s. Common targets are Open Source software like PHPNuke. An attacker can easily find out vulnerabilities in the code.

If your application is vulnerable to SQL injection, invoking the URL above may very well delete all user data from your application.
You can use mod_rewrite to avoid this attack. it is very easy to detect the words drop and table, and then redirect the client away from the original URL. A determined attacker could simply invoke the same URL as above but use the POST method instead of GET. Since POST variables are not considered in the normal processing of most modules, the attack would go through.

To prevent the “drop table” SQL injection attack with mod_security, add the following to your Apache configuration:

SecFilter “drop[[:space:]]table”

The only parameter is a regular expression to be applied to the incoming request. This seems achievable with mod_rewrite, but the difference here is that mod_security will detect and prevent attacks performed using either GET or POST.

Introduction

ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella – shielding applications from attacks. ModSecurity supports both branches of the Apache web server.

The module filters, and optionally rejects, incoming requests based on a number of different criteria like CGI variables, HTTP headers, environment variables, and even individual script parameters. mod_security can also create an audit log, storing full request details in a separate file, including POST payloads (the audit feature can be turned on or off on a per-server or per-directory basis).

Installation

mod_security installation is quite straight forward. I am quoting the steps for mod_security 2.5, installation of older versions may differ.

#wget http://www.modsecurity.org/download/modsecurity-apache_2.5.9.tar.gz

#tar -xvzf modsecurity-apache_2.5.9.tar.gz

#cd  modsecurity-apache_2.5.9

#./configure;make;make install

Configuration

Edit httpd.conf and add the following lines.

LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>

SecRuleEngine On

<other Directives>

</IfModule>

The most used directive is SecRule:

SecRule VARIABLES OPERATOR [ACTIONS]

The above directive will check the variable for the operator and performs the action

SecRule REQUEST_URI  abc

The above will look for the pattern abc in thevariable REQUEST_URI.
There can be any number of variables in the VARIABLES section (separated by pipes)

There are five types of action:

1. Disruptive actions – interrupt current transaction.

2. Non-disruptive actions – change state.

3. Flow actions – change rule flow.

4. Meta-data actions – contain rule metadata.

5. Data actions – mere placeholders for otheractions.

Usage example:SecRule ARGS ddd log,deny,status:500

Advantage

The advantage of mod_security is “security”.

1. No network side configuration
2. Easy management.
3. Free as in Beer
4. HTTP intrusion detection and prevention

Disadvantages

1. You have to become a security expert
2. You have to become a protocol expert.
3. The configuration must be done manually.
4. Performance degradation

Last Words…

Security is a word being battled upon to decide if its really possible.

The bad guys develop new methods to crack security, while the good guys try to prevent it. The truth is that the good guys are always a step behind. mod_security is a tool which can help them have iron hands.

Article Authored by Sandeep PK

Author, Sandeep PK, is a Systems Engineer with SupportPRO. Sandeep specializes in L2 and L3 Linux administration. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers.