ModSecurity 2.5
Table of Contents
ModSecurity 2.5
Credits
About the Author
About the Reviewers
Preface
What ModSecurity is
Why you need ModSecurity
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Installation and Configuration
Versions
Downloading
Checking the integrity of the downloaded source archive
Unpacking the source code
Required additional libraries and files
Compilation
Integrating ModSecurity with Apache
Configuration file
Completing the configuration
Testing your installation
Creating a simple ModSecurity rule
Disguising the web server signature
Summary
2. Writing Rules
SecRule syntax
Variables and collections
The transaction collection
Storing data between requests
Examining several variables
Quotes: Sometimes you need them and sometimes you don't
Creating chained rules
Rule IDs
An introduction to regular expressions
Examples of regular expressions
More about regular expressions
Using @rx to block a remote host
Simple string matching
Matching numbers
More about collections
Counting items in collections
Filtering collection fields using a regular expression
Built-in fields
Transformation functions
Other operators
Set-based pattern matching with @pm and @pmFromFile
@pmFromFile
Performance of the phrase matching operators
Validating character ranges
Phases and rule ordering
Actions—what to do when a rule matches
Allowing requests
Blocking requests
Taking no action but continuing rule processing
Dropping requests
Redirecting and proxying requests
SecAction
Using the ctl action to control the rule engine
How to use the ctl action
Macro expansion
SecRule in practice
Blocking uncommon request methods
Restricting access to certain times of day
Detecting credit card leaks
Detecting credit card numbers
The Luhn algorithm and false positives
Tracking the geographical location of your visitors
GEO collection fields
Blocking users from specific countries
Load balancing requests between servers on different continents
Pausing requests for a specified amount of time
Executing shell scripts
Sending alert emails
Sending more detailed alert emails
Counting file downloads
Blocking brute-force password guessing
Injecting data into responses
Inspecting uploaded files
Summary
3. Performance
A typical HTTP request
A real-world performance test
The core ruleset
Installing the core ruleset
Making sure it works
Performance testing basics
Using httperf
Getting a baseline: Testing without ModSecurity
Response time
Memory usage
CPU usage
ModSecurity without any loaded rules
ModSecurity with the core ruleset loaded
Response time
Memory usage
Finding the bottleneck
Wrapping up core ruleset performance
Optimizing performance
Memory consumption
Bypassing inspection of static content
Using @pm and @pmFromFile
Logging
Writing regular expressions for best performance
Use non-capturing parentheses wherever possible
Use one regular expression whenever possible
Summary
4. Audit Logging
Enabling the audit log engine
Single versus multiple file logging
Determining what to log
The configuration so far
Log format
Concurrent logging
Selectively disabling logging
Audit log sanitization actions
The ModSecurity Console
Installing the ModSecurity Console
Accessing the Console
Compiling mlogc
Configuring mlogc
Forwarding logs to the ModSecurity Console
Summary
5. Virtual Patching
Why use virtual patching?
Speed
Stability
Flexibility
Cost-effectiveness
Creating a virtual patch
From vulnerability discovery to virtual patch: An example
Creating the patch
Changing the web application for additional security
Testing your patches
Real-life examples
Geeklog
Patching Geeklog
Cross-site scripting
Real-life example: The Twitter worm
Summary
6. Blocking Common Attacks
HTTP fingerprinting
How HTTP fingerprinting works
Server banner
Response header
HTTP protocol responses
Issuing an HTTP DELETE request
Bad HTTP version numbers
Bad protocol name
The ETag HTTP header
Using ModSecurity to defeat HTTP fingerprinting
Blocking proxied requests
Cross-site scripting
Preventing XSS attacks
PDF XSS protection
HttpOnly cookies to prevent XSS attacks
Session identifiers
Cross-site request forgeries
Protecting against cross-site request forgeries
Shell command execution attempts
Null byte attacks
ModSecurity and null bytes
Source code revelation
Directory traversal attacks
Blog spam
SQL injection
Standard injection attempts
Retrieving data from multiple tables with UNION
Multiple queries in one call
Reading arbitrary files
Writing data to files
Preventing SQL injection attacks
What to block
Website defacement
Brute force attacks
Directory indexing
Detecting the real IP address of an attacker
Summary
7. Chroot Jails
What is a chroot jail?
A sample attack
Traditional chrooting
How ModSecurity helps jailing Apache
Using ModSecurity to create a chroot jail
Verifying that the jail works
Chroot caveats
Summary
8. REMO
More about Remo
Installation
Remo rules
Creating and editing rules
Installing the rules
Analyzing log files
Configuration tweaks
Summary
9. Protecting a Web Application
Considerations before beginning
The web application
Groundwork
Step 1: Identifying user actions
Step 2: Getting detailed information on each action
Step 3: Writing rules
Step 4: Testing the new ruleset
Actions
Blocking what's allowed—denying everything else
Cookies
Headers
Securing the "Start New Topic" action
The ruleset so far
The finished ruleset
Alternative approaches
Keeping everything up to date
Summary
A. Directives and Variables
Directives
SecAction
SecArgumentSeparator
SecAuditEngine
SecAuditLog
SecAuditLog2
SecAuditLogParts
SecAuditLogRelevantStatus
SecAuditLogStorageDir
SecAuditLogType
SecCacheTransformations (deprecated/experimental)
SecChrootDir
SecComponentSignature
SecContentInjection
SecCookieFormat
SecDataDir
SecDebugLog
SecDebugLogLevel
SecDefaultAction
SecGeoLookupDb
SecGuardianLog
SecMarker
SecPdfProtect
SecPdfProtectMethod
SecPdfProtectSecret
SecPdfProtectTimeout
SecPdfProtectTokenName
SecRequestBodyAccess
SecRequestBodyLimit
SecRequestBodyNoFilesLimit
SecRequestBodyInMemoryLimit
SecResponseBodyLimit
SecResponseBodyLimitAction
SecResponseBodyMimeType
SecResponseBodyMimeTypesClear
SecResponseBodyAccess
SecRule
SecRuleInheritance
SecRuleEngine
SecRuleRemoveById
SecRuleRemoveByMsg
SecRuleUpdateActionById
SecServerSignature
SecTmpDir
SecUploadDir
SecUploadFileMode
SecUploadKeepFiles
SecWebAppId
Variables
ARGS
ARGS_COMBINED_SIZE
ARGS_NAMES
ARGS_GET
ARGS_GET_NAMES
ARGS_POST
ARGS_POST_NAMES
AUTH_TYPE
ENV
FILES
FILES_COMBINED_SIZE
FILES_NAMES
FILES_SIZES
FILES_TMPNAMES
GEO
HIGHEST_SEVERITY
MATCHED_VAR
MATCHED_VAR_NAME
MODSEC_BUILD
MULTIPART_CRLF_LF_LINES
MULTIPART_STRICT_ERROR
MULTIPART_UNMATCHED_BOUNDARY
PATH_INFO
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_PORT
REMOTE_USER
REQBODY_PROCESSOR
REQBODY_PROCESSOR_ERROR
REQBODY_PROCESSOR_ERROR_MSG
REQUEST_BASENAME
REQUEST_BODY
REQUEST_COOKIES
REQUEST_COOKIES_NAMES
REQUEST_FILENAME
REQUEST_HEADERS
REQUEST_HEADERS_NAMES
REQUEST_LINE
REQUEST_METHOD
REQUEST_PROTOCOL
REQUEST_URI
REQUEST_URI_RAW
RESPONSE_BODY
RESPONSE_CONTENT_LENGTH
RESPONSE_CONTENT_TYPE
RESPONSE_HEADERS
RESPONSE_HEADERS_NAMES
RESPONSE_PROTOCOL
RESPONSE_STATUS
RULE
SCRIPT_BASENAME
SCRIPT_FILENAME
SCRIPT_GID
SCRIPT_GROUPNAME
SCRIPT_MODE
SCRIPT_UID
SCRIPT_USERNAME
SERVER_ADDR
SERVER_NAME
SERVER_PORT
SESSION
SESSIONID
TIME
TIME_DAY
TIME_EPOCH
TIME_HOUR
TIME_MIN
TIME_MON
TIME_SEC
TIME_WDAY
TIME_YEAR
TX
USERID
WEBAPPID
WEBSERVER_ERROR_LOG
XML
B. Regular Expressions
What is a regular expression?
Regular expression flavors
Example of a regular expression
Identifying an email address
The Dot character
Quantifiers—star, plus, and question mark
Question Mark
Star
Plus sign
Grouping
Ranges
Alternation
Backreferences
Captures and ModSecurity
Non-capturing parentheses
Character classes
Negated matching
Shorthand notation
Anchors
Start and end of string
Word Boundary
Lazy quantifiers
Debugging regular expressions
Additional resources
Our email address regex
Summary
Index