Apache mod security 3.1



  1. Apache Mod Security. Hai Dinh, VinaHost
  2. Agenda:
     1. Regular Expression
     2. Rules Usage
     3. Default Action
     4. Chained Actions
     5. Persistent Collection and examples
     6. Transformation Function
     7. Validate Contents
  3. Regular Expression
  4. Regular Expression Usage: used to match large amounts of text, such as particular characters, words, or patterns of characters.
  5. Regular Expression Usage
     Email address matching:
         \b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b
     IP address matching:
         \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
     Testing tools: regexpal.com, regular-expressions.info
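The two patterns from the slide, exercised in Python as an added example (not part of the slides): the backslashes that the slide rendering dropped are restored, and a second copy of the IP pattern keeps the unescaped dot to show what their loss costs; the sample log line is constructed.

```python
import re

# The two patterns from the slide, with the backslashes the slide dropped restored:
# \b anchors a word boundary and \. matches a literal dot.
EMAIL_RE = re.compile(r"\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b", re.IGNORECASE)
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4_RE = re.compile(r"\b" + r"\.".join([OCTET] * 4) + r"\b")
# The IP pattern as printed on the slide (dot unescaped): '.' then matches any character.
IPV4_SLIDE_RE = re.compile(r"\b" + ".".join([OCTET] * 4) + r"\b")


def find_emails(text):
    """Return every email-address-shaped token in `text`."""
    return EMAIL_RE.findall(text)


def is_ipv4(value):
    """True when the whole string is a dotted-quad IPv4 address (octets 0-255)."""
    return IPV4_RE.fullmatch(value) is not None


def slide_pattern_accepts(value):
    """Same check with the unescaped dot, to show what the lost backslashes cost."""
    return IPV4_SLIDE_RE.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed sample log line
    line = "client 192.168.0.1 sent mail from admin@example.com to root@localhost"
    print(find_emails(line))                 # ['admin@example.com']
    print(is_ipv4("192.168.0.1"))            # True
    print(is_ipv4("256.1.1.1"))              # False: 256 is not a valid octet
    print(is_ipv4("1x2x3x4"), slide_pattern_accepts("1x2x3x4"))   # False True
```

In a SecRule the same pattern goes behind the @rx operator, which is case-sensitive unless a t:lowercase transformation is applied first.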
  6. Rules Usage
  7. Rules Usage: use "|" as the logical "OR", and "!" as the logical "NOT".
         SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" "log,auditlog,msg:'Request Missing an Accept Header',severity:2,id:960015,t:urlDecodeUni,phase:1"
  8. Rules Usage: use a regular expression to make a rule, and use ":" to pick a variable from a collection.
         SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header'"
         SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none"
  9. Default Actions
  10. Default Actions: used to set the "default behavior" of Apache Mod Security. If something happens that no rule has defined, Apache applies the default actions. Use the SetDefaultAction directive to add the default actions to the configuration file, for example phase:2,log,auditlog,pass.
  11. Rules Usage: with SetDefaultAction "phase:2,log,auditlog,pass", a rule is completed with the default actions it does not specify:
         SecRule REQUEST_URI "abc"           becomes   SecRule REQUEST_URI "abc" "phase:2,log,auditlog,pass"
         SecRule REQUEST_URI "abc" "nolog"   becomes   SecRule REQUEST_URI "abc" "phase:2,auditlog,pass"
  12. Chained Actions
  13. Chained Actions: group rules together, similar to the logical "AND" in a programming language. Add the "chain" action to every rule except the last one. Example:
         SecRule REQUEST_HEADERS "haidinhtuan" "chain,phase:2,nolog,deny,status:406"
         SecRule REQUEST_METHOD "GET" "t:none"
  14. Persistent Collections
  15. Persistent Collections: why persistent collections? The TX collection only exists within a transaction; once the data has been transferred completely, its variables are removed. A persistent collection can keep a record of variables across several transactions.
  16. Persistent Collections: uses
     1. Monitor user behavior based on IP address
     2. Monitor sessions
     3. User behavior monitoring
     4. Prevent session hijacking attacks
     5. Detect Denial of Service (DoS) attacks
     6. Detect brute force attacks
  17. Persistent Collections
     IP: created with the initcol action; holds client address variables
     SESSION: created with the setsid action; holds session variables
     USER: created with the setuid action; holds user variables
  18. Persistent Collections: define the data directory first, using the SecDataDir directive. For example: SecDataDir /etc/httpd/modsec_data
  19. Persistent Collections: limit request rate example
         SecAction "initcol:ip=%{REMOTE_ADDR},pass,auditlog"
         SecAction "phase:5,deprecatevar:ip.counter=1/1,pass,auditlog"
         SecRule IP:COUNTER "@gt 60" "phase:2,pause:300,deny,status:403,skip:1,nolog"
         SecAction "phase:2,pass,setvar:ip.counter=+1,nolog"
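The four rate-limit rules above as an added model in Python (not from the slides, and simplified from ModSecurity's real collection bookkeeping): it shows how ip.counter rises by one per request, why the @gt 60 check plus skip:1 stops the increment, and how deprecatevar:ip.counter=1/1 lowers the counter by 1 for every full second since the collection was last stored; the client addresses are constructed.

```python
from dataclasses import dataclass

LIMIT = 60       # SecRule IP:COUNTER "@gt 60"
DECAY_STEP = 1   # deprecatevar:ip.counter=1/1: subtract 1 ...
DECAY_SECS = 1   # ... for every full second since the collection was last stored


@dataclass
class IpCollection:
    """One persisted IP collection, as initcol:ip=%{REMOTE_ADDR} would load it."""
    counter: int = 0
    last_update: float = 0.0   # LAST_UPDATE_TIME written when the collection is stored


class RateLimiter:
    def __init__(self):
        # Keyed by REMOTE_ADDR, playing the role of the SecDataDir store.
        self.collections = {}

    def handle(self, remote_addr, now):
        """Process one request from remote_addr at time `now` (seconds); return HTTP status."""
        # initcol: load the client's collection, or create an empty one
        col = self.collections.setdefault(remote_addr, IpCollection(last_update=now))
        # Phase 2: the @gt 60 check. On a hit the rule denies with 403 and skip:1 jumps
        # over the increment rule that follows it.
        if col.counter > LIMIT:
            status = 403
        else:
            status = 200
            col.counter += 1   # setvar:ip.counter=+1
        # Phase 5: deprecatevar lowers the counter by DECAY_STEP for every DECAY_SECS
        # elapsed since the collection was last stored, never below zero.
        elapsed = int(now - col.last_update)
        if elapsed >= DECAY_SECS:
            col.counter = max(0, col.counter - (elapsed // DECAY_SECS) * DECAY_STEP)
        col.last_update = now   # collection stored at the end of the transaction
        return status


def burst(limiter, remote_addr, count, start, interval):
    """Send `count` requests `interval` seconds apart; return the list of statuses."""
    return [limiter.handle(remote_addr, start + i * interval) for i in range(count)]


if __name__ == "__main__":
    rl = RateLimiter()
    statuses = burst(rl, "203.0.113.7", 70, 0.0, 0.5)   # constructed client address
    print(statuses.count(403), "of 70 requests denied")  # 9: requests 62..70
```

The pause:300 action is not modelled: it makes the worker handling a denied request sleep for 300 ms, which ties up server capacity during exactly the flood the rule is meant to absorb.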
  20. Transformation Functions
  21. Transformation functions: Mod Security matches strings and variables exactly. A transformation function converts different string formats into a single form before matching.
  22. Transformation functions: built-in examples include lowercase, replaceNull and compressWhitespace.
  23. Validate Contents
  24. Validate Contents: check the validity of HTTP requests.
     @validateByteRange: validate byte range
     @validateDTD: validate XML files by DTD
     @validateSchema: validate XML files by Schema
     @validateUrlEncoding: validate URL encoding
     @validateUtf8Encoding: validate UTF-8 encoding
  25. Validate Contents: Validate Byte Range
  26. Validate Byte Range: allow numbers only in the Content field of the request header.
         SecRule REQUEST_HEADERS:Content "@validateByteRange 48-57" "phase:4,deny,log,status:403"
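A parser and checker for the @validateByteRange argument format used on slides 7 and 26, as an added example (not from the slides or from ModSecurity's code): it also applies a transformation first, as t:urlDecodeUni does on slide 7, to show that 1-255 only catches a %00 once the value has been decoded; the header values are constructed and only two transformations are modelled.

```python
from urllib.parse import unquote_to_bytes


def parse_byte_range(spec):
    """Parse a @validateByteRange argument such as "48-57" or "32,65-90,97-122"
    into a 256-entry table: allowed[b] is True when byte value b is permitted."""
    allowed = [False] * 256
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty element in byte range spec")
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid byte range element: {part!r}")
        for b in range(lo, hi + 1):
            allowed[b] = True
    return allowed


def validate_byte_range(value, spec):
    """True when every byte of `value` falls inside the ranges given by `spec`."""
    allowed = parse_byte_range(spec)
    return all(allowed[b] for b in value)


def check_header(raw_value, spec, transformations=()):
    """Apply the listed transformation functions in order, then validate the result.
    Simplified model: only urlDecodeUni (without %uXXXX) and lowercase are handled."""
    value = raw_value
    for t in transformations:
        if t == "urlDecodeUni":
            value = unquote_to_bytes(value)
        elif t == "lowercase":
            value = value.lower()
        else:
            raise ValueError(f"transformation not modelled: {t}")
    return validate_byte_range(value, spec)


if __name__ == "__main__":
    # Slide 26: only digits (bytes 48-57) allowed in the Content header
    print(check_header(b"12345", "48-57"))                       # True
    print(check_header(b"12a45", "48-57"))                       # False
    # Slide 7: 1-255 rejects NUL bytes, but only once %00 has been decoded
    print(check_header(b"abc%00", "1-255"))                      # True
    print(check_header(b"abc%00", "1-255", ("urlDecodeUni",)))   # False
```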
  27. Validate Contents: Validate XML files by DTD (Document Type Definition)
  28. Validate DTD: a Document Type Definition (DTD) is a set of markup declarations that define a document type for an SGML-family markup language (SGML, XML, HTML). It defines which components should be included and their format.
  29. Validate Contents: Validate XML files by Schema
  30. Validate Schema: DTD supports only the PCDATA and CDATA formats. Schema supports detailed descriptions of the data in XML files, for example: string, normalizedString, integer, positiveInteger.
  31. Validate Contents: Validate URL Encoding
  32. Validate URL Encoding: RFC 1738 only allows ASCII in a URL. HTML supports ISO-8859-1 (ISO-Latin); HTML4 supports Unicode characters.
  33. Validate Contents: Validate UTF-8 Encoding
  34. Validate UTF-8 Encoding: UTF-8 is used on almost every web server to encode strings and is compatible with ASCII.
         SecRule ARGS "@validateUtf8Encoding"
  35. Demonstrations
  36. Steps
  37. Thanks for joining with me!
