mod_security introduction at study2study #3

    1. ModSecurity @n0ts Naoya Nakazawa study2study #3 27/04/2011
    2. Naoya Nakazawa @n0ts http://www.sssg.org/blogs/naoya/ - Carpe Diem
    3. NO SOURCE CODE ※ @smellman
    4. ModSecurity
    5. Open Source Web Application Firewall
    6. 4 Projects
    7. ModSecurity for Apache Apache Apache
    8. ModSecurity Core Rule Set CRS
    9. ModProfiler ModSecurity
    10. Overview HTTP
    11. !!!
    12. # yum info mod_security
        Available Packages
        Name        : mod_security
        Arch        : x86_64
        Version     : 2.5.12
        Release     : 1.el5
        Size        : 1.0 M
        Repo        : epel
        Summary     : Security module for the Apache HTTP Server
        URL         : http://www.modsecurity.org/
        License     : GPLv2
        Description : ModSecurity is an open source intrusion detection and prevention
                    : engine for web applications. It operates embedded into the web
                    : server, acting as a powerful umbrella - shielding web applications
                    : from attacks.
    13. /etc/httpd/modsecurity.d
        |-- base_rules ... 28 files
        |-- modsecurity_crs_10_config.conf
        |-- modsecurity_localrules.conf
        `-- optional_rules ... 9 files
    14. ...
    15. modsecurity_crs_10_config.conf ModSecurity
    16. SecComponentSignature "core ruleset/2.0.5" ModSecurity
    17. SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
        1 3 SecRule SecAction action1,action2,action3... phase1
    18. Phase:1 Phase:2 Phase:3 Phase:4 Phase:5
    19. SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
        t:none pass nolog initcol:global=global global initcol:ip=%{remote_addr} ip %{remote_addr} IP
    20. SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
        SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
        SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"
        SecAction "phase:1,t:none,nolog,pass, setvar:tx.critical_anomaly_score=20, setvar:tx.error_anomaly_score=15, setvar:tx.warning_anomaly_score=10, setvar:tx.notice_anomaly_score=5"
        SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
        SecAction "phase:1,t:none,nolog,pass, setvar:tx.allowed_methods=GET HEAD POST OPTIONS, setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml, setvar:tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1, setvar:tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx, setvar:tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if"
    21. SecDefaultAction "phase:2,pass" phase:2 pass
    22. SecRuleEngine On
        On ModSecurity
    23. modsecurity_localrules.conf
    24. /base_rules study2study
    25. SecAuditEngine On
        SecAuditLog On
        SecAuditLog logs/mod_security_audit.log
    26. Apache
    27. END
    28. http://sourceforge.net/apps/mediawiki/mod-security/index.php
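As an added example (not a slide from this deck and not one of the CRS 2.0.5 rule files it refers to), the fragment below shows how the tx.* variables set on slide 20 are actually consumed. The SecAction lines only store thresholds and per-severity scores; a policy rule adds a score to tx.anomaly_score without blocking, and a separate rule placed after all scoring rules compares the running total with tx.inbound_anomaly_score_level and denies the request. The rule ids 900001 and 900002 are placeholders chosen here; the directives, actions and operators (initcol, setvar, @within, @gt, @ge, chain, deny) are standard ModSecurity 2.x, and the logging settings follow slide 25.

```apache
# Added example: anomaly scoring with the variables from slide 20.
# Rule ids 900001/900002 are arbitrary placeholders, not CRS ids.
SecRuleEngine On
SecDefaultAction "phase:2,pass,log"

# Thresholds and per-severity scores, exactly as the deck sets them.
SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.critical_anomaly_score=20,setvar:tx.error_anomaly_score=15,setvar:tx.warning_anomaly_score=10,setvar:tx.notice_anomaly_score=5"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.allowed_methods=GET HEAD POST OPTIONS"

# Policy rule: a request method outside tx.allowed_methods does not block by
# itself. It logs and adds the "critical" score to the running total.
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
    "phase:2,t:none,pass,log,id:900001,msg:'Method is not allowed by policy',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# Blocking rule, placed after every scoring rule of phase 2: deny with 403
# once the accumulated score reaches the inbound threshold.
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "chain,phase:2,t:none,deny,status:403,log,id:900002,msg:'Inbound anomaly score exceeded'"
    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}"

# Audit logging as on slide 25, so the denied transaction is recorded in full.
SecAuditEngine On
SecAuditLog logs/mod_security_audit.log
```

With the deck's values (critical score 20, inbound threshold 20) a single disallowed method such as TRACE reaches the threshold on its own and is rejected; raising tx.inbound_anomaly_score_level above the largest reachable score leaves every rule logging but nothing blocking, which is how a new rule set is normally run in detection-only mode before it is allowed to deny traffic. Because ModSecurity evaluates rules of the same phase in configuration order, the blocking rule must stay below every rule that increments tx.anomaly_score.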
