ADMIN

Recommendations

Info

Nuts and bolts ModSecurity Figure 1: Once ModSecurity has been enabled, it will log suspicious activity at the detail level specified in SecAuditLogParts – in this case, an SQL injection attack. The third instruction defines the auditlog storage location relative to the Apache installation path. Finally, the SecAuditLogParts instruction defines the information that ModSecurity logs in the auditlog (Table 2). In this case, this is the header and the content of the request, along with the ModSecurity reaction. The results are shown in Figure 1. After this preparation, you can add the most important directive to your configuration: SecRule. This defines a filter rule and optionally an action that the module will perform if it discovers a match for the rule. If you don’t define an action, the tool will run the standard command defined in the SecDefaultAction directive. Rules always follow this pattern: SecRule Variable Operator [Action] The number of variables is huge, and they cover every single element of the client request (both for POST and for GET), as well as the most important server environment details [6]. Additionally, you can use regular expressions. For example, to investigate an HTTP request to find out whether the client requests the /etc/passwd string in a GET method, you would use this rule: SecRule REQUEST_HEADERS: User‐Agent "nikto" This example tells the web server to refuse requests from the Nikto security scanner [7]. If you want Mod- Security to run a specific action for a rule, you can overwrite the default action: SecRule REQUEST_HEADERS:User‐Agent "nikto" U "phase:2,pass,msg:'Nikto‐Scan logged'" This rule tells the module to write a Nikto scan logged message to the logfile when it detects the Nikto user agent in a client request in phase 2. The rule then overwrites the drop default action, which is defined by SecDefaultAction with the pass action. This allows the client request to pass. To test ModSecurity, Listing 1 gives you an overview of the basic configuration discussed thus far. Practice Session After restarting Apache, a request like http://www.example.com/index. html?file=/etc/passwd would trigger the sample rule in line 8. Then the action defined in line 9 would block the request. The client sees an HTTP 403 Forbidden error. At the same time, lines 3 through 7 tell ModSecurity to log the transaction in the auditlog and send a detailed overview of the way the client request was processed to the debuglog. This means that your Apache error_log file will contain a note to the effect that a client request was effectively blocked, as shown in Listing 2. Once ModSecurity is working correctly, you can start adding rules and modifying them for the web applications you want to protect. The Art of Detecting Attacks To provide effective protection against a huge assortment of attacks, system administrators need to set up a robust ruleset for ModSecurity. To formulate rules that protect you against SQL injection, cross-site scripting, or local and remote file inclusion attacks, for example, you need in-depth knowledge of how attacks on web servers work. Of course, not every administrator has this knowledge or the time to re-invent the wheel. To address this, the Open Web Application Security Project (OWASP) offers a predefined ruleset for ModSecurity [8] that relies on anomaly detection to protect web servers against a number of SecRule REQUEST_URI "/etc/passwd" If the request matches the rule, Mod- Security runs the default deny action. To filter by browser type, you would do this: Listing 1: Basic Configuration for ModSecurity 01 SecRuleEngine On 02 SecAuditEngine On 03 SecAuditLogType Serial 04 SecAuditLog logs/audit.log 05 SecAuditLogParts ABCFHZ 06 SecDebugLog logs/debug.log 07 SecDebugLogLevel 5 08 SecRule REQUEST_URI "/etc/passwd" 09 SecDefaultAction phase:2,log,auditlog,deny,status:403 Table 2: SecAuditLogParts Arguments Abbreviation A B C D E F G H J K Z Description Header for the entry (mandatory) Request header Request content; only available if content exists and ModSecurity is configured to store it Reserved Temporary response content; only available if ModSecurity is configured for this Final response header after possible manipulation by ModSecurity; Apache itself writes the Date and Server headers Reserved Auditlog trailer equivalent to C, except where the request contains form data; in this case, the software constructs a suitable request that excludes file content to simplify matches Reserved Line by line list of all matching rules in the order of their application End of entry (mandatory) 88 Admin 01 www.admin-magazine.com
ModSecurity Nuts and bolts Insider Attacks A vulnerability in a web application can thus expose an Apache web server despite its being hardened and up to date. This is particularly dangerous if the server is deployed in a hosting environment where many customers share the resources of a physical web server. Protection mechanisms, such as virtualization or jails, will separate the individual instances; however, the security of the whole system depends on its weakest link. With a sniffer, for example, attackers can simply sniff password authentication conversations if they’re not encrypted. And, this gives attackers an inside vector. Scripting languages and frameworks like PHP or Ruby on Rails help web developers achieve results quickly, but they often conceal dangers that occur when security is not given sufficient attention. More complex environments, such as Java, Tomcat, and JBoss, are not necessarily the answer because they hide many aspects from the developer. After restarting, your Apache web server will have a solid suit of armor that responds with an HTTP 403 to any client requests classified as attacks. A word of caution: Web masters should first test the core rules extensively in a lab environment before letting them loose on a production system. Otherwise, the danger of preventing legitimate user access is possible. Also, remember that Modstandard attacks, such as invalid client requests, SQL injection, cross-site scripting, and email or command injection. This gives you basic, fairly robust protection, which you can then modify to match your own application environment as needed. To install these core rules, download the package and unpack it in your Apache’s conf configuration directory. Then, move the rules, including the base_rules subdirectory, to the ModSecurity directory. You can look at the configuration in the modsecurity_crs_10_global_config.conf and modsecurity_crs_10_config.conf files and modify it to suit your needs. The rules are well documented. Also, you might want to enable audit and debug logging to see exactly what the module is doing. To do so, you need to include the core rules in httpd.conf as follows: Include conf/modsecurity/*.conf Include conf/modsecurity/ base_rules/*.conf Security will mean about a 5 percent performance overhead for your web server. Preventing Attacks on the United Nations In some situations, you can’t fix a web application vulnerability immediately. Imagine a major online store discovering a security hole a week before Christmas and needing several days to fix the problem, meaning the shop would be offline for that time. The owner has to make a decision: Live with the risk and keep the shop, including the vulnerability, online so you can benefit from lucrative pre- Christmas shopping, or protect the company and its customers by taking the website down and fixing the vulnerability. ModSecurity offers a technical workaround in the form of virtual patching that allows you to define one or multiple rules that prevent the vulnerability from being exploited without actually removing it. The ModSecurity documentation refers to a case that dates back to 2007, when attackers were trying to hack the United Nations website [9]. The sub-page with talks by Secretary-General Ban Ki-moon [10] had a statID parameter that exposed an SQL injection vulnerability (Figure 2). If you discover a vulnerability of this kind, you can temporarily define a rule for ModSecurity that will prevent hackers from exploiting the vulnerability even though it still exists. Although this isn’t a good long-term solution, it does prevent a disaster until the web developers can remove the vulnerability from the source code on the page. The following solution would work for the UN bug: E Listing 2: Rule Match SecAuditLogType Serial [Wed Nov 04 05:39:19 2009] [error] [client 192.168.209.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/etc/passwd" at REQUEST_URI. [file "/usr/local/ Figure 2: The website of UN Secretary-General Ban Ki-moon was affected by an input parameter variable validation vulnerability. A ModSecurity virtual patching rule protected the website temporarily until the UN system administrator fixed the problem. httpd‐2.2.14/conf/httpd.conf"] [line "420"] [hostname "www.example.com"] [uri "/index.html"] [unique_id "SvFZ138AAQEAAAc4AgQAAAAA"] www.admin-magazine.com Admin 01 89
Page 1 and 2:
ADMIN Network & Security Rescue CD
Page 3 and 4:
Welcome to Admin WELCOME ALL FOR AD
Page 5 and 6:
Table of Contents SERVICE 8 Spacewa
Page 7 and 8:
POWERHOUSE PERL 11 cool projects! F
Page 9 and 10:
Spacewalk Features configuration fi
Page 11 and 12:
Spacewalk Features Figure 2: Assign
Page 13 and 14:
Spacewalk Features kickstart profil
Page 15 and 16:
Icinga Features Table 1: States Opt
Page 17 and 18:
Icinga Features ministrators only n
Page 19 and 20:
Icinga Features Figure 6: Network o
Page 21 and 22:
MySQL Forks and Patches Features th
Page 23 and 24:
MySQL Forks and Patches Features In
Page 25 and 26:
Exchange 2010 Features © peapop, F
Page 27 and 28:
they can now synchronize text messa
Page 29 and 30:
Backup Software Features data. One
Page 31 and 32:
Backup Software Features tended), l
Page 33 and 34:
Backup Software Features Two “wiz
Page 35 and 36:
Backup & Disaster Recovery Georgeto
Page 37 and 38: OCFS2 Tools ing. OCFS2 is fairly si
Page 39 and 40: OCFS2 Tools F Figure 2: Unspectacul
Page 41 and 42: To do this, you need to change the
Page 43 and 44: Synergy Tools Figure 1: Synergy as
Page 45 and 46: SystemTap Tools The SystemTap [3] t
Page 47 and 48: SystemTap Tools Instead of searchin
Page 49 and 50: Package Your Scripts Virtualization
Page 51 and 52: Linux Magazine ACADEMY curl U http:
Page 53 and 54: openVz VirtuAlizAtion live migratio
Page 55 and 56: OpenVZ Virtualization a number of c
Page 57 and 58: OpenVZ Virtualization OpenVZ kernel
Page 59 and 60: AND SAVE 30%! ADMIN Network & Secur
Page 61 and 62: Virtual Machine Manager Virtualizat
Page 63 and 64: Virtual Machine Manager Virtualizat
Page 65 and 66: Teamviewer Management and be contro
Page 67 and 68: NOV. 7-12 2010 24th Large Installat
Page 69 and 70: Chef Management Server Provides rec
Page 71 and 72: Chef Management ‐r http://s3.amaz
Page 73 and 74: Chef Management Figure 5: The clien
Page 75 and 76: Sysinternals Management AdInsight a
Page 77 and 78: Sysinternals Management Name Table
Page 79 and 80: PAM and Hardware Nuts and Bolts Fig
Page 81 and 82: November 13-19, 2010 • Ernest N.
Page 83 and 84: PAM and Hardware Nuts and Bolts to
Page 85 and 86: ON NEWSSTANDS NOW ! UBUNTU USER MAG
Page 87: modSecurity nutS And boltS complex
Page 91 and 92: REAL SOLUTIONS FOR REAL NETWORKS Ea
Page 93 and 94: Daemon Monitoring Nuts and Bolts Fi
Page 95 and 96: VPns with SSTP nuTS And BoLTS Hands
Page 97 and 98: VPNs with SSTP Nuts and Bolts Figur
Page 100: DEDICATED SERVERS £59 FROM PER MON
show all

ADMIN

Create successful ePaper yourself

Delete template?

Save as template?