ModSecurity Handbook: Getting Started - Bad Request

Recommendations

Info

I generally try to use binary packages when they are available (and they are available on Debian, which is currently my platform of choice). When I build dedicated reverse proxy installations, however, I tend to build everything from source, because that allows me access to the latest Apache and ModSecurity versions, and makes it easier to tweak things (by changing the source code of either Apache or ModSecurity) when I want to. Installation from Source Installing from source is the preferred approach to installing ModSecurity, mostly because that way you get the latest (and best) version, and because you are able to make any changes you want. Downloading Releases To download ModSecurity, go to its web site [https://www.modsecurity.org] or the Source- Forge project page [http://sourceforge.net/projects/mod-security/]. You will need both the main distribution and the cryptographic signature: $ wget http://www.modsecurity.org/download/modsecurity-apache_2.5.10-dev2.tar.gz $ wget http://www.modsecurity.org/download/modsecurity-apache_2.5.10-dev2.tar.gz.asc Verify the signature before doing anything else. That will ensure that the package you’ve just downloaded does not contain a trojan horse planted by a third party and that it hasn’t been corrupted during transport. $ gpg --verify modsecurity-apache_2.5.10-dev2.tar.gz.asc gpg: Signature made Wed 12 Aug 2009 23:27:06 BST using DSA key ID E77B534D gpg: Can't check signature: public key not found Your first attempt may not provide the expected results, but that can be solved easily by importing the referenced key from a key server: $ gpg --recv-keys E77B534D gpg: requesting key E77B534D from hkp server keys.gnupg.net gpg: /home/guest/.gnupg/trustdb.gpg: trustdb created gpg: key E77B534D: public key "Brian Rectanus (work) " … imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 Now you can try again: $ gpg --verify modsecurity-apache_2.5.10-dev2.tar.gz.asc 24 Chapter 2: Installation
gpg: Signature made Wed 12 Aug 2009 23:27:06 BST using DSA key ID E77B534D gpg: Good signature from "Brian Rectanus (work) " gpg: aka "Brian Rectanus " gpg: aka "Brian Rectanus (personal) " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. While this warning might look serious, it generally isn’t a problem, and has to do with the way gpg expects you to verify the identity of an individual. The warning basically tells you that you’ve downloaded Brian’s key from somewhere, but that you don’t really know that it belongs to him. The only way to be sure, as far as gpg is concerned, is to meet Brian in real life, or to meet someone else who knows him personally. If you want to learn more, look up web of trust on Wikipedia. Downloading from Repository If you want to be on the cutting edge, downloading the latest development version directly from the Subversion (the source code control system used by the ModSecurity project) repository is the way to go. When you do this, you’ll get new features days and even months before they make it into an official stable release. Having said that, however, there is a reason why we call some versions “stable.” When you use a repository version of ModSecurity, you need to accept that there is no guarantee whatsoever that it will work correctly. For what it’s worth, I am currently running a development version in production, and I am confident that it will not bring my server down. Before you can install a development version of ModSecurity, you need to know where to find it. The repository, which is hosted with SourceForge [http://modsecurity.svn.sourceforge.net/viewvc/mod-security/], can be viewed with a browser. The view of the root of the repository is similar to that in Figure 2-1, “ModSecurity repository root”. Downloading from Repository 25
Page 1 and 2: MODSECURITY HANDBOOK The Complete G
Page 3 and 4: ModSecurity Handbook Ivan Ristić
Page 5 and 6: Table of Contents Preface to the Fr
Page 7 and 8: Advanced Logging Configuration 66 I
Page 9 and 10: Initializing Records 122 Controllin
Page 11 and 12: Rule per Keyword Approach 194 Combi
Page 13 and 14: SecRequestBodyInMemoryLimit 263 Sec
Page 15 and 16: REQUEST_BODY 287 REQUEST_BODY_LENGT
Page 17 and 18: eplaceComments 304 replaceNulls 304
Page 19 and 20: streq 330 validateByteRange 330 val
Page 21 and 22: Preface I didn’t mean to write th
Page 23 and 24: chapter goes under the hood of ModS
Page 25 and 26: open source, you can extend it dire
Page 27 and 28: I User Guide This part, with its 14
Page 29 and 30: eleased in November 2002, but a few
Page 31 and 32: similar restrictions, either direct
Page 33 and 34: Embedded Because ModSecurity is an
Page 35 and 36: Request header transformation Apach
Page 37 and 38: invoke the rules specified to work
Page 39 and 40: what was read. The fourth message t
Page 41 and 42: In the example traces, you’ve obs
Page 43 and 44: Rule writing Rule writing is an ess
Page 45 and 46: minor) version. Before reporting an
Page 47: 2 Installation Before you can insta
Page 51 and 52: Once you have determined the locati
Page 53 and 54: Compile-Time Options The configurat
Page 55 and 56: # yum install mod_security On CentO
Page 57 and 58: 3 Configuration Now that you have M
Page 59 and 60: Audit logs /opt/modsecurity/var/aud
Page 61 and 62: file, I refer to any other ModSecur
Page 63 and 64: SecRequestBodyAccess On Once this f
Page 65 and 66: Note To instruct ModSecurity to ins
Page 67 and 68: For now, we also assume that you wi
Page 69 and 70: The SecArgumentSeparator directive
Page 71 and 72: DA %{MULTIPART_DATA_AFTER}, \ HF %{
Page 73 and 74: 4 Logging This section covers the l
Page 75 and 76: One way to make debugging easier is
Page 77 and 78: the use of multiple segments is to
Page 79 and 80: Concurrent Audit Log Initially, Mod
Page 81 and 82: How Remote Logging Works Remote log
Page 83 and 84: Activating Remote Logging You will
Page 85 and 86: That’s basically all you need to
Page 87 and 88: Note Storage of intercepted files c
Page 89 and 90: print "$output\n"; Note If you need
Page 91 and 92: Dynamically Altering Logging Config
Page 93 and 94: Now you need to add a phase rule th
Page 95 and 96: Index A Action part H header, 343 a
Page 97 and 98: adding new variable, 235 extension
Page 99 and 100:
performance comparing rule sets, 18
Page 101 and 102:
SecChrootDir directive, 252 SecColl
Page 103:
WebApp-Info part H header, 346 web
show all

ModSecurity Handbook: Getting Started - Bad Request

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?