Introduction to Mod Security
-Shruthi Kamath
Null Bangalore Meet - March
Who am I
• Co-Founder Infosecgirls (infosecgirls.in)
• Security Consultant at Synopsys
• Active member of Null Bangalore
• Committee member at OWASP Women in Appsec
• Twitter : @ShruthiKamath30
Agenda
• What is WAF?
• What is mod security?
• Mod security rules examples
• Setup
• Demo
Introduction to WAF
• A web application firewall is used as a security device protecting the web server from attack.
• Web application firewalls (WAF) are an evolving information security technology designed to protect web sites from attack.
• WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can't.
• They do not require modification of application source code.
Source:
http://searchsecurity.techtarget.com/magazineContent/Comparative-Product-Review-Six-Web-Application-Firewalls
Introduction to Mod Security
• ModSecurity is a popular open-source web application firewall (WAF).
• Originally designed as a module for the Apache HTTP Server.
• Used across a number of different platforms including Apache HTTP Server, Microsoft IIS and NGINX.
• The platform itself provides a rule configuration language known as 'SecRules'.
• It is used for real-time monitoring, logging, and filtering of Hypertext Transfer Protocol communications based on user-defined rules.
• ModSecurity is known to have the following capabilities:
Security monitoring and access control
Full HTTP traffic logging
Security assessment
Web application hardening
Simple request or Regular expression based Filtering
URL Encoding Validation
Mod security rules
Rule Example 1 – XSS attack
• SecRule ARGS|REQUEST_HEADERS "@rx <script>" "id:101,msg:'XSS Attack',severity:ERROR,deny,status:404"
Rule Example 2 – Whitelist IP Address
• SecRule REMOTE_ADDR "@ipMatch 192.168.1.101" "id:102,phase:1,t:none,nolog,pass,ctl:ruleEngine=off"
mod_security with Apache Set Up on Ubuntu
• Ubuntu LAMP Server installation
• sudo apt-get install apache2
• sudo apt-get install mysql-server
• sudo apt-get install php5 libapache2-mod-php5
• sudo /etc/init.d/apache2 restart
• apt-get install libapache2-modsecurity
• apachectl -M | grep --color security
• service apache2 reload
• ls -l /var/log/apache2/modsec_audit.log
Configuring mod_security
• nano /etc/modsecurity/modsecurity.conf
• SecRuleEngine DetectionOnly
  • Logs requests and doesn't block anything.
• SecRuleEngine On
  • Blocks according to rule match.
• SecResponseBodyAccess On
  • Buffers response bodies.
• SecRequestBodyLimit 13107200 (~12.5 MB)
  • Specifies the maximum POST data size.
• SecRequestBodyNoFilesLimit 131072 (~128 KB)
  • Size of POST data minus file uploads.
• SecRequestBodyInMemoryLimit 131072
  • Maximum request body size that ModSecurity will store in memory.
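The two example rules and the directives above interact in ways the slides only hint at: the whitelist rule has to run in phase 1 so that ctl:ruleEngine=off takes effect before the phase-2 rule inspects ARGS, DetectionOnly records a match without returning the deny status, and an oversized body is rejected before any phase-2 rule sees it. The following Python model, added here as an illustration and not ModSecurity's own engine or code, replays both rules against constructed requests. The Request and Rule classes, the evaluate() function and the sample requests are assumptions of this example, and it simplifies where the real engine buffers the body and enforces its limits.

```python
"""Toy model of how ModSecurity evaluates the two SecRules from the slides under
the SecRuleEngine modes and the SecRequestBodyLimit discussed above.
Added illustration only: this is not ModSecurity's engine or any of its code."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Request:
    """The parts of a transaction the two example rules look at (assumed shape)."""
    remote_addr: str
    args: dict          # ARGS: query-string and POST parameters
    headers: dict       # REQUEST_HEADERS
    body_len: int = 0   # request body size in bytes


@dataclass
class Rule:
    rule_id: int
    phase: int
    test: Callable[[Request], Optional[str]]   # returns the matched variable, or None
    actions: dict


def rx_match(pattern, variables):
    """@rx over ARGS and/or REQUEST_HEADERS: name of the first matching variable."""
    regex = re.compile(pattern)   # the slide rule has no t:lowercase, so it is case-sensitive

    def check(req):
        for coll_name in variables:
            coll = req.args if coll_name == "ARGS" else req.headers
            for name, value in coll.items():
                if regex.search(value):
                    return f"{coll_name}:{name}"
        return None
    return check


def ip_match(addresses):
    """@ipMatch: REMOTE_ADDR inside any listed address or CIDR block."""
    nets = [ip_network(a, strict=False) for a in addresses]

    def check(req):
        return "REMOTE_ADDR" if any(ip_address(req.remote_addr) in n for n in nets) else None
    return check


# Rule Example 1 from the slides; phase 2 is ModSecurity's default when none is given
XSS_RULE = Rule(101, 2, rx_match(r"<script>", ["ARGS", "REQUEST_HEADERS"]),
                {"msg": "XSS Attack", "severity": "ERROR", "deny": True, "status": 404})
# Rule Example 2: whitelist one address in phase 1 and switch the engine off for the transaction
WHITELIST_RULE = Rule(102, 1, ip_match(["192.168.1.101"]),
                      {"nolog": True, "pass": True, "ctl": {"ruleEngine": "off"}})
RULES = [WHITELIST_RULE, XSS_RULE]


def _run_rules(rules, req, engine, log):
    """Apply one phase's rules; return a final status, or None to keep going."""
    for rule in rules:
        where = rule.test(req)
        if where is None:
            continue
        if not rule.actions.get("nolog"):
            log.append(f'[id "{rule.rule_id}"] [msg "{rule.actions.get("msg", "")}"] matched at {where}')
        if rule.actions.get("ctl", {}).get("ruleEngine") == "off":
            return 200   # ctl:ruleEngine=off: no further rules run for this transaction
        if rule.actions.get("deny"):
            status = rule.actions.get("status", 403)
            if engine == "On":
                return status
            log.append(f"DetectionOnly: rule {rule.rule_id} would have returned {status}")
    return None


def evaluate(req, rules=RULES, engine="On", body_limit=13107200):
    """Return (status, log). engine mirrors SecRuleEngine: "On", "DetectionOnly" or "Off".
    body_limit mirrors SecRequestBodyLimit (13107200 is the slides' value)."""
    log = []
    if engine == "Off":
        return 200, log
    status = _run_rules([r for r in rules if r.phase == 1], req, engine, log)
    if status is not None:
        return status, log
    # Simplification: the body is read and its limit enforced before phase 2 runs;
    # 413 is ModSecurity's default reject status for an oversized body
    if req.body_len > body_limit:
        log.append(f"Request body ({req.body_len} bytes) exceeds SecRequestBodyLimit ({body_limit})")
        if engine == "On":
            return 413, log
    status = _run_rules([r for r in rules if r.phase == 2], req, engine, log)
    return (200 if status is None else status), log


if __name__ == "__main__":
    # constructed sample transactions
    print(evaluate(Request("10.0.0.7", {"q": "<script>alert(1)</script>"}, {})))
    print(evaluate(Request("192.168.1.101", {"q": "<script>"}, {})))
```

Two things the model makes visible: the whitelisted host gets a clean 200 with an empty log even though its request carries the same payload, and a request with `<SCRIPT>` in upper case sails past rule 101 as written, which is why a production rule would add a t:lowercase transformation rather than rely on a literal @rx.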
Setting Up Rules
• ls -l /usr/share/modsecurity-crs/
• nano /etc/apache2/mods-enabled/modsecurity.conf
• Add the following directives inside <IfModule security2_module> </IfModule>:
• Include "/usr/share/modsecurity-crs/*.conf"
• Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
• cd /usr/share/modsecurity-crs/activated_rules/
• ln -s /usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
• service apache2 reload
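The activation step above is a symlink from base_rules/ into activated_rules/, and the reload that follows fails if a link dangles or if two activated files declare the same rule id (ModSecurity refuses to start on a duplicate id). The script below, an added example rather than anything from the ModSecurity or CRS projects, performs that step with both checks; activate(), rule_ids(), find_duplicate_ids() and the CRS_ROOT default are names chosen here, and the .conf contents in the __main__ block are constructed.

```python
"""Activate OWASP CRS rule files the way the slides do (symlinks from base_rules/
into activated_rules/) and catch two mistakes that make Apache refuse to reload:
a dangling link and a rule id declared in more than one file.
Added example, not code from the ModSecurity or CRS projects."""
import os
import re
from pathlib import Path

CRS_ROOT = Path("/usr/share/modsecurity-crs")      # location used on the slides
ID_RE = re.compile(r"\bid:'?(\d+)'?")              # the id:NNN action inside a SecRule/SecAction


def activate(names, crs_root=CRS_ROOT):
    """Symlink each base_rules/<name> into activated_rules/ (the ln -s step).
    Returns the names newly linked; files that are already active are skipped."""
    base = crs_root / "base_rules"
    active = crs_root / "activated_rules"
    active.mkdir(parents=True, exist_ok=True)
    linked = []
    for name in names:
        target = base / name
        if not target.is_file():
            raise FileNotFoundError(f"{target} is missing; a dangling link would break the reload")
        link = active / name
        if link.is_symlink() and os.readlink(link) == str(target):
            continue                                   # already activated
        if link.exists() or link.is_symlink():
            raise FileExistsError(f"{link} already exists and is not a link to {target}")
        link.symlink_to(target)
        linked.append(name)
    return linked


def rule_ids(conf_path):
    """Every rule id declared in one .conf file (symlinks are followed on read)."""
    return [int(m) for m in ID_RE.findall(Path(conf_path).read_text())]


def find_duplicate_ids(crs_root=CRS_ROOT, extra_conf=()):
    """Map id -> files declaring it, for ids seen more than once across the activated
    rules plus any extra files (e.g. a local rules file that is Included separately)."""
    seen = {}
    files = sorted((crs_root / "activated_rules").glob("*.conf")) + [Path(p) for p in extra_conf]
    for conf in files:
        for rid in rule_ids(conf):
            seen.setdefault(rid, []).append(conf.name)
    return {rid: names for rid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed demo in a temporary tree so nothing under /usr/share is touched
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "base_rules").mkdir()
    (root / "base_rules" / "modsecurity_crs_41_xss_attacks.conf").write_text(
        'SecRule ARGS "@rx <script>" "id:101,phase:2,deny,status:404"\n')
    (root / "base_rules" / "local.conf").write_text(
        'SecRule REMOTE_ADDR "@ipMatch 192.168.1.101" "id:101,phase:1,nolog,pass"\n')
    print("linked:", activate(["modsecurity_crs_41_xss_attacks.conf", "local.conf"], root))
    print("duplicate ids:", find_duplicate_ids(root))   # id 101 declared twice
```

Run find_duplicate_ids() before `service apache2 reload`; an empty dict means the activated set is consistent, and a non-empty one names the files to reconcile before Apache reports the clash itself.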
Demo Time
Useful links
• http://www.modsecurity.org/about.html
• https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
• https://modsecurity.org/crs/
Thank You
Editor's Notes

  • #5 References: http://projects.webappsec.org/w/page/13246985/Web%20Application%20Firewall%20Evaluation%20Criteria ; http://www.sahara.com/blog/en/web-application-firewall-waf/ ; http://www.infosectoday.com/Articles/Web_Application_Firewalls/Web_Application_Firewalls.htm
  • #7 https://en.wikipedia.org/wiki/ModSecurity
  • #9 https://support.kemptechnologies.com/hc/en-us/articles/209635223-How-to-write-a-WAF-rule-Modsecurity-Rule-Writing
  • #10 Apache Webroot: /var/www/html/ ; Apache Config: /etc/apache2/ ; Apache Log folder: /var/log/apache2/ ; PHP config: /etc/php5/
  • #11 https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu
  • #12 OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.