Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

ModSecurity 2.5

samzenpus posted more than 4 years ago | from the read-all-about-it dept.

Book Reviews 25

Martijn de Boer writes "For a long time now Apache's webserver software has been serving up the Web. Because Internet usage is still growing every day, securing your growing number of servers has become very important. ModSecurity 2.5 has been written to illustrate and educate you the ease of use and inner workings of the ModSecurity module for the most widespread webserver." Read below for the rest of Martijn's review.The cover reads “Prevent web application hacking with this easy-to-use guide” and sticks with this claim to provide you with a good pathway to secure your webserver. The book is aimed at system administrators ranging from enthusiasts running a webserver at home to your friendly administrators at a large company. Most of the book requires only familiarity with using the linux shell and basic Apache configurations, but earlier encounters with some technicalities like regular expressions may be of help during your reading.

Throughout the chapters the author takes you from the different methods of installing ModSecurity and the basics of creating your first rules to the discovery and reporting of your possible intrusions. Generally providing solutions for example geolocating the origin of the hack, and automatically scanning uploaded files for viruses, the authors background in Internet Security makes this book a valuable asset to your bookshelf.

In the chapters found later in the book, the author shows how to use tools to fingerprint your server and provides you with recipes on how to prevent these methods of gathering information about your server. There is also a lot of information about the impact of rules on the performance of your server. Because the impact is different in every situation, you will be guided around some tools to measure the performance and you will learn how to interpret this data.

Chapter 5 talks about Virtual Patching, a method of preventing misuse by intercepting bad traffic and creating a set of rules for this. This chapter is by far the best piece of information I have found on how this actually works, and how you implement such rules and configuration, and why you should use the method of virtual patching in your situation. Basically the author takes out all the question marks you will have about this method of quickly applying rules and provides a case which is fully illustrated with a lot of background information about the process of finding a insecure piece of code to solving this with a set of rules.

When Packt Publishing contacted me if I would like to review another book for them, I picked this one out of the new releases because using ModSecurity has never been a priority for me. After seeing the title and table of contents I realized that you can never start too early to dive into this subject, and start preventing misuse before it causes more trouble then you can handle, trouble always finds you at the worst times. The author has divided the book in logical chapters, and the depth of information builds up equally from beginning to end. For instance, the second chapter takes you through the basics of regular expressions, but because you will encounter them during rule creation Appendix B will educate you with all specifics of creating those expressions.
As a developer running local test servers, I have found this book very interesting and a great resource on a for me grey area of server security. I am pleasantly surprised by the clarity of the book, the writing style makes you really want to dive into your webserver to apply your newly gained insight to ModSecurity.

You can purchase ModSecurity 2.5 from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

cancel ×

25 comments

First! (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#30754092)

tl;dr

Get lighttpd or nginx (0)

Anonymous Coward | more than 4 years ago | (#30754174)

Seriously, get lighttpd or nginx, they are small (memory footprint) secure too. Apache is too big. If you need secure Apache, take a look at OpenBSD which comes with modified Apache web server. You can easily secure lighttpd with inbuilt chroot directive or selinux based chroots. Same applies to nginx. Or simple run it both of them under freebsd jails.

Re:Get lighttpd or nginx (1)

sproingie (1690772) | more than 4 years ago | (#30755036)

Running a different httpd does nothing to protect your app, nor does jailing it. Modsecurity is for sanitizing and rewriting requests til you get your vulnerable app patched or replaced.

Vaguely OT Question (1)

mpapet (761907) | more than 4 years ago | (#30754346)

At this point in Apache history there are *lots* of modules for Apache that really cross the line from 'server' duty to application framework. I would categorize this as one of them. (I could be wrong)

What's the reasonable break point between using Apache mods and using code to 'glue' your web application versus doing it all in PHP/Python/Whatever? As a more concrete example, it seems to me a CMS using Apache mods would be less code to maintain with about the same security exposure versus a Drupal installation.

Re:Vaguely OT Question (1)

design1066 (1081505) | more than 4 years ago | (#30756916)

Drupal uses a lot of apache mods for many advanced features.

dumb question? (1, Insightful)

girlintraining (1395911) | more than 4 years ago | (#30754446)

This might be a dumb question, but why do we have to build http servers that integrate everything? Wouldn't it make sense to design a very minimal http server which focuses on using a minimal amount of resources and have an API layer that enforces security permissions from the start? Every time I ask this, the answer eventually boils down to it being a tradeoff between performance and reliability -- either you can have a well-designed core and a strong security model, or you can allow the plugins to execute code directly in the same space as the server.

Isn't there a better way to handle this?

Re:dumb question? (0)

Anonymous Coward | more than 4 years ago | (#30754556)

Nope

Re:dumb question? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30754576)

I think we all want a larger version of the answer, so:

HELL, NO

would do it

Re:dumb question? (1)

Lord Ender (156273) | more than 4 years ago | (#30756330)

What you want is called Rack. Apache with mod_rack becomes just a simple request handler to interface with any Rack-able framework.

There are several other lighter-weight webservers which support Rack.

It's pretty clear that nearly all of Apache's features are becoming vestigial now that a simple, standardized interface to the web-app layer exists.

http://rack.rubyforge.org/ [rubyforge.org]

RIP, Apache. You were wonder in your time.

Why do you have to be an asshole about it? (1, Funny)

Anonymous Coward | more than 4 years ago | (#30756772)

It's pretty clear that nearly all of Apache's features are becoming vestigial now that a simple, standardized interface to the web-app layer exists.

Wow. I could tell you were referring to a Ruby project just by your arrogant tone.

Look, I'm sure Ruby is great. But why do so many Ruby enthusiasts come off sounding completely arrogant?

Re:Why do you have to be an asshole about it? (1, Funny)

girlintraining (1395911) | more than 4 years ago | (#30757332)

Look, I'm sure Ruby is great. But why do so many Ruby enthusiasts come off sounding completely arrogant?

It's still early in the relationship. Once they move in with her, they'll realize she wants them to do everything her way, and that their whole apartment's been redecorated and a lot of their stuff thrown out. When they complain, she'll explain it was just a little bit of 'upgrading', and that stuff was old anyway. Same thing happened with that blonde bimbo javabeans... who now works doubles at the local Denny's and looks like she's been ridden hard and put up wet.

Re:Why do you have to be an asshole about it? (0)

Anonymous Coward | more than 4 years ago | (#30757464)

To say that a piece of software is obsolete is not "being an asshole." No good can come from lying to ourselves and pretending technology never moves forward.

Re:dumb question? (1)

HNS-I (1119771) | more than 4 years ago | (#30757850)

RIP, Apache. You were wonder in your time.

Yeah REST in peace, just REPLicate what other people said and we will all be alRITE. SIGNified by your c/p SIGNature. You are not the first to have found the silver bullit, but your forecomers weren't the last.

PS. Ruby is a great language

Re:dumb question? (1)

Lord Ender (156273) | more than 4 years ago | (#30759926)

What? Are you trying to say you expect something to replace Rack as the standard for web app middleware?

It's such a simple protocol, and it has such widespread support, it's hard to imagine.

Re:dumb question? (1)

aztracker1 (702135) | more than 4 years ago | (#30757270)

See nginx or lighthttpd. Though they too have some modules, but they are generally light weight, and rely on a FastCGI module install for application frameworks.

Confusion? (3, Insightful)

saberworks (267163) | more than 4 years ago | (#30754582)

There seems to be some confusion -- this isn't a product to secure apache, it's a product to secure your web applications running on top of apache. It's designed to detect and prevent attacks on your app, not on the apache server itself.

Re:Confusion? (2, Insightful)

jfinke (68409) | more than 4 years ago | (#30754722)

I believe they classify this as a Web Application Firewall (WAF). So, theoretically, it would catch stuff like XSS, SQL Injection, etc. Now, you have your Apache misconfigured, I am not sure what it will do for you.

Nonsense (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30754990)

"For a long time now Apache's webserver software has been serving up the Web. Because Internet usage is still growing every day, securing your growing number of servers has become very important."

"Apache is a old open source project" "Internet is growing" "that's why your servers should be more secure"

Hmmm... should that really mean something? :)

Mod Security? (0)

Anonymous Coward | more than 4 years ago | (#30756644)

I believe Paul Weller already has security guards.

Mod Security (2, Informative)

neorush (1103917) | more than 4 years ago | (#30758262)

I use mod_security on all of our apache servers, it really does a great job catching SQL injection / XSS attacks. My only problem is the occasionally time that users try and post data and apache thinks that it is malicious. False positives are honestly minimal but I've had to write some very specific workarounds to fix these issues. Most of the time the false positive comes from posting HTML like from TinyMCE or FCKEditor. But it will drive you nuts if you don't realize that mod_security is enabled.

Re:Mod Security (1)

neorush (1103917) | more than 4 years ago | (#30758454)

Wanted to add: I mention this because my only gripe with mod_security is false positives, and I did not see a section on handling / reporting them. I have only caught them either from user reports or because I log all of the "malicious" posts and browse through them to see what the bad guys are up to anyway.

Re:Mod Security (-1)

Lilo-x (93462) | more than 4 years ago | (#30758632)

enable logging and review regularly, you can also run mod_security in a stealth mode that only logs attacks and doesn't block them, this is handy for testing out new rule implementations before going live :o)

Mike

Re:Mod Security (1)

TheSunborn (68004) | more than 4 years ago | (#30759862)

What kind of software are you running that require Apache to catch this?

And using mod_security instead of fixing the apps(Develors: Use prepared statements god dam it!) seems like a hack.

Re:Mod Security (1)

Chuck Chunder (21021) | more than 4 years ago | (#30760148)

What kind of software are you running that require Apache to catch this?

Imperfect software, otherwise known as all software.

If you are serious about security then a multilayered approach is a must. Sure you try and have good software, but you also try to mitigate any potential unknown flaws.

mod 04 (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30758776)

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...