Free Sample
+ Collection

ModSecurity 2.5

Magnus Mischel

Prevent web application hacking with this easy to use guide
RRP $29.99
RRP $49.99
Print + eBook

Want this title & more?

$12.99 p/month

Subscribe to PacktLib

Enjoy full and instant access to over 2000 books and videos – you’ll find everything you need to stay ahead of the curve and make sure you can always get the job done.

Book Details

ISBN 139781847194749
Paperback280 pages

About This Book

  • Secure your system by knowing exactly how a hacker would break into it
  • Covers writing rules in-depth and Modsecurity rule language elements such as variables, actions, and request phases
  • Covers the common attacks in use on the Web, and ways to find the geographical location of an attacker and send alert emails when attacks are discovered
  • Packed with many real-life examples for better understanding

Who This Book Is For

This book is written for system administrators or anyone running an Apache web server who wants to learn how to secure that server. It assumes that you are familiar with using the Linux shell and command-line tools, but does its best to explain everything so that those who are not Linux experts can make full use of ModSecurity.

Table of Contents

Chapter 1: Installation and Configuration
Unpacking the source code
Required additional libraries and files
Integrating ModSecurity with Apache
Configuration file
Testing your installation
Chapter 2: Writing Rules
SecRule syntax
Creating chained rules
Rule IDs
An introduction to regular expressions
Simple string matching
Matching numbers
More about collections
Transformation functions
Other operators
Phases and rule ordering
Actions—what to do when a rule matches
Using the ctl action to control the rule engine
Macro expansion
SecRule in practice
Executing shell scripts
Injecting data into responses
Inspecting uploaded files
Chapter 3: Performance
A typical HTTP request
A real-world performance test
Optimizing performance
Chapter 4: Audit Logging
Enabling the audit log engine
Determining what to log
The configuration so far
Log format
Concurrent logging
Selectively disabling logging
Audit log sanitization actions
The ModSecurity Console
Chapter 5: Virtual Patching
Why use virtual patching?
Creating a virtual patch
From vulnerability discovery to virtual patch: An example
Testing your patches
Real-life examples
Chapter 6: Blocking Common Attacks
HTTP fingerprinting
Blocking proxied requests
Cross-site scripting
Cross-site request forgeries
Shell command execution attempts
Null byte attacks
Source code revelation
Directory traversal attacks
Blog spam
SQL injection
Website defacement
Brute force attacks
Directory indexing
Detecting the real IP address of an attacker
Chapter 7: Chroot Jails
What is a chroot jail?
A sample attack
Traditional chrooting
How ModSecurity helps jailing Apache
Using ModSecurity to create a chroot jail
Verifying that the jail works
Chroot caveats
Chapter 8: REMO
More about Remo
Remo rules
Analyzing log files
Configuration tweaks
Chapter 9: Protecting a Web Application
Considerations before beginning
The web application
Step 1: Identifying user actions
Step 2: Getting detailed information on each action
Step 3: Writing rules
Step 4: Testing the new ruleset
Blocking what's allowed—denying everything else
Securing the "Start New Topic" action
The ruleset so far
The finished ruleset
Alternative approaches
Keeping everything up to date

What You Will Learn

  • Compile ModSecurity from source and install it on a Linux system
  • Log any anomalous event and use the ModSecurity console to view log data online so that attempted break-ins can be quickly discovered and dealt with
  • Learn how a recent worm disabled Twitter and how it could have been stopped using ModSecurity
  • Guard against web site defacement by having ModSecurity scan for unauthorized changes to your web pages then alert you about issues via email.
  • Locate the geographical position of an attacker using ModSecurity applications
  • Know how attackers operate by learning about SQL injection, cross-site scripting attacks, cross-site request forgeries, null byte attacks, and many more
  • Put Apache in a chroot jail using ModSecurity – no more frustrating hours of tinkering to get everything working as it should
  • Prevent HTTP fingerprinting by flying your Apache server under a false flag
  • Protect against newly discovered vulnerabilities that don't have a vendor-supplied patch, using ModSecurity "just-in-time" patching
  • Prevent the source code of your web application being shown to the world if something goes wrong with your server configuration
  • Discover the real IP address of an attacker using ModSecurity, even if the attacker is behind a proxy server

In Detail

With more than 67% of web servers running Apache and web-based attacks becoming more and more prevalent, web security has become a critical area for web site managers. Most existing tools work on the TCP/IP level, failing to use the specifics of the HTTP protocol in their operation. Mod_security is a module running on Apache, which will help you overcome the security threats prevalent in the online world.

A complete guide to using ModSecurity, this book will show you how to secure your web application and server, and does so by using real-world examples of attacks currently in use. It will help you learn about SQL injection, cross-site scripting attacks, cross-site request forgeries, null byte attacks, and many more so that you know how attackers operate.
Using clear, step-by-step instructions this book starts by teaching you how to install and set up ModSecurity, before diving into the rule language with examples. It assumes no prior knowledge of ModSecurity, so as long as you are familiar with basic Linux administration, you can start to learn right away.

Real-life case studies are used to illustrate the dangers on the Web today – you will for example learn how the recent worm that hit Twitter works, and how you could have used ModSecurity to stop it in its tracks. The mechanisms behind these and other attacks are described in detail, and you will learn everything you need to know to make sure your server and web application remain unscathed on the increasingly dangerous web. Have you ever wondered how attackers figure out the exact web server version running on a system? They use a technique called HTTP fingerprinting, and you will learn about this in depth and how to defend against it by flying your web server under a "false flag".

The last part of the book shows you how to really lock down a web application by implementing a positive security model that only allows through requests that conform to a specific, pre-approved model, and denying anything that is even the slightest bit out of line.


Read More

Recommended for You