This past week, i was auditing a customer's web server defence against web attacks and i realised that he did not install mod_security as one of their modules in the server. Well, considering it is a huge customer, they should at least do some basic filtering using mod_security since their servers are running on linux. I had mentioned about mod_security in my previous post and for those who are still not sure what it is, mod_security is a web application firewall that is an Apache Web Server add-on module that provides intrusion detection, content filtering, and web-based attack protection. It is good at detecting and stopping many known web attacks, such as many SQL injection type attacks, cross-site scripting, directory traversal type attacks, and many others. Below is a snippet of a simple basic mod_security configuration:
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding On
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log actionable requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/apache2/audit_log
# Debug level set to a minimum
SecFilterDebugLog /var/log/apache2/modsec_debug_log
SecFilterDebugLevel 2
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
# Add custom secfilter rules here
Of course, you can add on more items and it depends on what you need it to filter and protect. Mod_Security does come with a performance cost, however, the security benefits far outweight the performance cost. Do consider using it.
The Hacka Man
Rabu, 14 November 2007
Basics of Mod_Security
17.15
No comments
Langganan:
Posting Komentar (Atom)
0 komentar:
Posting Komentar