mod_security introduction at study2study #3
© All Rights Reserved

Presentation Transcript

  • ModSecurity @n0ts Naoya Nakazawa study2study #3 27/04/2011
  • Naoya Nakazawa, @n0ts, http://www.sssg.org/blogs/naoya/ - Carpe Diem
  • NO SOURCE CODE※ @smellman
  • ModSecurity
  • Open Source Web Application Firewall
  • 4 Projects
  • ModSecurity for Apache Apache Apache
  • ModSecurity Core Rule Set CRS
  • ModProfilerModSecurity
  • OverviewHTTP
  • !!!
  • # yum info mod_security
    Available Packages
    Name       : mod_security
    Arch       : x86_64
    Version    : 2.5.12
    Release    : 1.el5
    Size       : 1.0 M
    Repo       : epel
    Summary    : Security module for the Apache HTTP Server
    URL        : http://www.modsecurity.org/
    License    : GPLv2
    Description: ModSecurity is an open source intrusion detection and prevention
               : engine for web applications. It operates embedded into the web
               : server, acting as a powerful umbrella - shielding web applications
               : from attacks.
  • /etc/httpd/modsecurity.d
    |-- base_rules ... 28 files
    |-- modsecurity_crs_10_config.conf
    |-- modsecurity_localrules.conf
    `-- optional_rules ... 9 files
  • ...
  • modsecurity_crs_10_config.conf ModSecurity
  • SecComponentSignature "core ruleset/2.0.5" ModSecurity
  • SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}" 1 3 SecRule SecAction action1,action2,action3... phase1
  • Phase:1 Phase:2 Phase:3 Phase:4 Phase:5
  • SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}" t:none pass nolog initcol:global=global global initcol:ip=%{remote_addr} ip %{remote_addr} IP
  • SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
    SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
    SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"
    SecAction "phase:1,t:none,nolog,pass, \
        setvar:tx.critical_anomaly_score=20, \
        setvar:tx.error_anomaly_score=15, \
        setvar:tx.warning_anomaly_score=10, \
        setvar:tx.notice_anomaly_score=5"
    SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
    SecAction "phase:1,t:none,nolog,pass, \
        setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
        setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml', \
        setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
        setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx', \
        setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'"
  • SecDefaultAction "phase:2,pass" phase:2 pass
  • SecRuleEngine On On ModSecurity
  • modsecurity_localrules.conf
  • /base_rulesstudy2study
  • SecAuditEngine On
    SecAuditLog On
    SecAuditLog logs/mod_security_audit.log
  • Apache
  • END
  • http://sourceforge.net/apps/mediawiki/mod-security/index.php