mod_security introduction at study2study #3


  1. ModSecurity @n0ts Naoya Nakazawa study2study #3 27/04/2011
  2. Naoya Nakazawa @n0ts http://www.sssg.org/blogs/naoya/ - Carpe Diem
  3. NO SOURCE CODE ※ @smellman
  4. ModSecurity
  5. Open Source Web Application Firewall
  6. 4 Projects
  7. ModSecurity for Apache
  8. ModSecurity Core Rule Set (CRS)
  9. ModProfiler (ModSecurity)
  10. Overview: HTTP
  11. !!!
  12. # yum info mod_security
      Available Packages
      Name        : mod_security
      Arch        : x86_64
      Version     : 2.5.12
      Release     : 1.el5
      Size        : 1.0 M
      Repo        : epel
      Summary     : Security module for the Apache HTTP Server
      URL         : http://www.modsecurity.org/
      License     : GPLv2
      Description : ModSecurity is an open source intrusion detection and prevention
                  : engine for web applications. It operates embedded into the web
                  : server, acting as a powerful umbrella - shielding web applications
                  : from attacks.
  13. /etc/httpd/modsecurity.d
      |-- base_rules ... 28 files
      |-- modsecurity_crs_10_config.conf
      |-- modsecurity_localrules.conf
      `-- optional_rules ... 9 files
  14. ...
  15. modsecurity_crs_10_config.conf (ModSecurity)
  16. SecComponentSignature "core ruleset/2.0.5" (ModSecurity)
  17. SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
      SecRule and SecAction take a comma-separated action list ("action1,action2,action3..."); this one runs in phase 1.
  18. Phase:1, Phase:2, Phase:3, Phase:4, Phase:5
  19. SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
      t:none / pass / nolog / initcol:global=global (the global collection) / initcol:ip=%{remote_addr} (the ip collection, keyed by %{remote_addr}, the client IP)
  20. SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
      SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
      SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"
      SecAction "phase:1,t:none,nolog,pass, \
        setvar:tx.critical_anomaly_score=20, \
        setvar:tx.error_anomaly_score=15, \
        setvar:tx.warning_anomaly_score=10, \
        setvar:tx.notice_anomaly_score=5"
      SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
      SecAction "phase:1,t:none,nolog,pass, \
        setvar:tx.allowed_methods=GET HEAD POST OPTIONS, \
        setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml, \
        setvar:tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1, \
        setvar:tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx, \
        setvar:tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if"
  21. SecDefaultAction "phase:2,pass" (phase:2 / pass)
  22. SecRuleEngine On (On enables ModSecurity)
  23. modsecurity_localrules.conf
  24. /base_rules (study2study)
  25. SecAuditEngine On
      SecAuditLog logs/mod_security_audit.log
  26. Apache
  27. END
  28. http://sourceforge.net/apps/mediawiki/mod-security/index.php
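An added example (not from the slides or the ModSecurity project): a small Python parser and sanity checker for the comma-separated action lists shown in slides 17 to 21, covering the phase 1 to 5 range and the one-disruptive-action rule. The DISRUPTIVE set and the SecDefaultAction requirement follow the ModSecurity 2.x reference; the checking logic itself is this example's own.

```python
"""Parser and sanity checker for ModSecurity action lists such as those in the
SecAction / SecDefaultAction directives above.  Added example, not from the
slides or the ModSecurity project.  Grammar, phases and the disruptive-action
set follow the ModSecurity 2.x reference; the checks are this example's own."""

# At most one of these per rule; it decides what happens when the rule matches.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}


def parse_actions(action_string):
    """Turn "phase:1,t:none,pass,setvar:tx.x=0" into [(name, value), ...]."""
    parts, buf, quoted = [], [], False
    for ch in action_string:
        if ch == "'":          # single quotes protect commas inside a value
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    actions = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        actions.append((name.strip(), value or None))
    return actions


def setvars(actions):
    """Collect setvar:collection.var=value actions into {"tx.var": "value"}."""
    return dict(v.split("=", 1) for n, v in actions if n == "setvar" and v and "=" in v)


def check_actions(action_string, directive="SecAction"):
    """Return a list of problems; an empty list means the action list is sane."""
    actions = parse_actions(action_string)
    problems = []
    phases = [v for n, v in actions if n == "phase"]
    if len(phases) != 1 or phases[0] not in {"1", "2", "3", "4", "5"}:
        problems.append("phase must be given exactly once, as 1-5")
    disruptive = [n for n, _ in actions if n in DISRUPTIVE]
    if len(disruptive) > 1:
        problems.append("more than one disruptive action: " + ", ".join(disruptive))
    if directive == "SecDefaultAction" and not disruptive:
        problems.append("SecDefaultAction needs a disruptive action such as pass")
    return problems
```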
