ADMIN
Nuts and Bolts
ModSecurity
© KrishnaKumar Sivaraman, 123RF.com
Protecting web servers with ModSecurity
Apache Protector
Even securely configured and patched web servers can be compromised because of vulnerabilities in a web application. ModSecurity is an Apache extension that acts as a web application firewall to protect the web server against attacks. By Sebastian Wolfgarten

Security issues on the web are no longer typically a result of poor configuration or the lack of up-to-date server software. Tomcat, Apache, and even IIS have become extremely mature over the past few years – so much so that they don’t have any noticeable vulnerabilities, although exceptions can always turn up to prove the rule. Thus, hackers have turned their attention to the web applications and scripts running on the servers. Increasingly complex user requirements are making web applications more complex, too: Ajax, interaction with external databases, back-end interfaces, and directory services are just part of the package for a modern application. Attack vectors are growing to match this development (see the “Attacks on Web Servers” box).

Firewalls for the Web

In contrast to legacy packet filters, Web Application Firewalls (WAFs) don’t inspect data in the network or transport layer, but rather at the HTTP protocol level (i.e., in OSI Layer 7) [1]. They actually speak HTTP. To do so, these firewalls analyze incoming client requests and outgoing server responses and use rules to distinguish between benevolent and malevolent requests. If necessary, they can even launch countermeasures; if configured to do so, the software will also inspect encrypted HTTPS connections.

Accessories en Masse

Where classical network-based firewalls – I’m exaggerating slightly here – either permit any or no HTTP connections, WAFs target individual HTTP connections based on their content. ModSecurity is a high-performance WAF for Apache and a complex module for the Apache web server. It was originally developed by Ivan Ristic; Breach Security handles its distribution and development [2].

Two variants of the software are available: the open source variant released under the GPLv2, and a commercial version with professional support, pre-configured appliances, and management consoles. ModSecurity runs on Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, and Windows, with the later versions only available for Apache 2.x. This article discusses version 2.5.10; the successor 2.5.11 is merely a bugfix release.

The software’s functional scope is enormous but comprehensively documented [3]. It logs HTTP requests and gives administrators unrestricted access to the individual elements of a request, such as the content of a POST request. It also identifies attacks in real time based on positive or negative security models and detects anomalies based on supplied patterns for known vulnerabilities.

The rules are powerful enough to discover whether credit card numbers are in the data stream or to use GeoIP to prevent access from certain regions. ModSecurity checks not only incoming requests but also the server’s outgoing responses. The software can implement chroot environments. As a reverse proxy, it protects web applications on other web servers, such as Tomcat or IIS.

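The capabilities listed above map onto a small set of ModSecurity 2.x directives. The following configuration is an added example, not taken from the article or from Breach's core rules; the file paths, rule ids, the /login location with its user and pass parameters, and the XX country code are assumptions chosen for illustration.

```apache
# Added example: assumed paths, ids, parameter names and country code.
<IfModule security2_module>
    # Inspect traffic in both directions, including POST and response bodies
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html

    # Log only transactions that triggered a rule; part C is the request body
    SecAuditEngine RelevantOnly
    SecAuditLogParts ABCFHZ
    SecAuditLog /var/log/apache2/modsec_audit.log    # assumed path

    # Negative security model: block a pattern known to be bad
    SecRule ARGS "@rx <script" \
        "phase:2,id:900001,t:none,t:urlDecodeUni,t:lowercase,\
        log,auditlog,deny,status:403,msg:'Script tag in parameter'"

    # Positive security model: describe what /login may receive, reject the rest
    <Location /login>
        SecRule REQUEST_METHOD "!@rx ^(?:GET|POST)$" \
            "phase:2,id:900010,t:none,log,deny,status:405,msg:'Method not allowed'"
        SecRule ARGS_NAMES "!@rx ^(?:user|pass)$" \
            "phase:2,id:900011,t:none,log,deny,status:403,msg:'Unexpected parameter'"
        SecRule ARGS:user "!@rx ^[A-Za-z0-9_]{1,32}$" \
            "phase:2,id:900012,t:none,log,deny,status:403,msg:'Malformed user name'"
    </Location>

    # Outgoing responses: the regex preselects candidates, then @verifyCC
    # applies the Luhn checksum to cut false positives
    SecRule RESPONSE_BODY "@verifyCC \d{13,16}" \
        "phase:4,id:900020,t:none,log,auditlog,deny,status:500,\
        msg:'Possible credit card number in response'"

    # GeoIP: look up the client address, then test the country code
    SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat        # assumed path
    SecRule REMOTE_ADDR "@geoLookup" \
        "phase:1,id:900030,t:none,chain,log,deny,status:403,\
        msg:'Access from blocked region'"
    SecRule GEO:COUNTRY_CODE "@streq XX" "t:none"    # XX is a placeholder
</IfModule>
```

Setting SecRuleEngine to DetectionOnly first lets the rules log matches without blocking, which makes it possible to check the positive-model rules against real traffic before enforcing them.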
Breach also provides a collection of core rules that guarantees the basic security of the web server. Comprehensive documentation, many examples, and a mailing list provide support for the user. This makes ModSecurity a good choice for protecting web servers and their applications against vulnerabilities. But before you can even consider tackling the highly
86 Admin 01 www.admin-magazine.com