ModSecurity 2.5 – Book Review

January 7th, 2010 by bodhi.zazen

Happy New Year Everybody =)

I had the privilege of reviewing ModSecurity 2.5 by Magnus Mischel and now that the holidays are over, well, time to stop procrastinating.


For those unfamiliar with ModSecurity, it is an Apache module designed to enhance the security of the Apache server. For more information on mod_security see this link.

ModSecurity is a security tool with a number of features, but how do you unleash the power of these advanced features? Sure, one can download and install mod_security and the community rule set, but where to go from there? Where to turn for assistance with deploying mod_security?

Enter ModSecurity 2.5 by Magnus Mischel

Although a basic understanding of HTTP headers is helpful when working with Apache security, this book will get you started with mod_security regardless. The book starts with installation of mod_security and then covers configuration and customization. The features of mod_security are detailed with clear explanations and examples.

The book consists of 9 chapters and 2 appendices.

Chapter 1 describes how to obtain and compile mod_security from source code. When working with security it is often preferable to install the most up-to-date version rather than relying on older binaries from repositories. The instructions for compiling are easy to follow and will make compiling mod_security from source less intimidating. The author then describes how to configure Apache to use mod_security and test the initial installation.

Chapter 2 describes how to write rules for mod_security. For those who are unfamiliar with regular expressions, there is a brief but thorough review of regular expression syntax (which may be helpful even if you are already familiar with regular expressions). The chapter concludes with several examples of practical rules to block undesired traffic by IP address, by region, or after a set number of failed login attempts.

Chapter 3 presents an analysis of how mod_security affects performance and suggests methods to both test and optimize performance.

Chapter 4 continues with a description of how to use and review the log files for mod_security. The chapter begins with a description of the logs and an overview of the options. The chapter concludes with a description of how to install and use the ModSecurity Console, which provides web-based graphical log analysis. Although compiling is again necessary, the directions were easy to understand and I was able to download and install the ModSecurity Console without any problems. I found the Console easy to understand and use.

Chapter 5 covers additional practical examples of using mod_security via “Virtual Patching”. The general idea is that if there is a known vulnerability in Apache or MySQL, one may be able to deploy a set of mod_security rules that prevents exploitation of such a zero-day vulnerability while waiting for a patch from upstream. As is characteristic of the book, the chapter concludes with an example of a theoretical MySQL injection and how to “virtual patch” the vulnerability with mod_security. Cross-site scripting and the Twitter worm are covered as additional examples.
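As an added illustration of the virtual-patching idea (not a rule from the book), assume a hypothetical application page `/app/view.php` whose `id` parameter is supposed to be a numeric record identifier but is passed to the database unchecked. A positive-security rule that admits only numeric ids blocks injection attempts against that parameter until the application itself is fixed:

```apache
# Constructed example: virtual patch for a hypothetical /app/view.php
# whose "id" parameter must only ever be a short positive integer.
# Phase 2 runs after the request body has been read, so the rule
# covers the parameter whether it arrives via GET or POST.
<Location /app/view.php>
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
        "phase:2,t:none,deny,status:403,log,auditlog,\
        msg:'Virtual patch: non-numeric id parameter rejected',id:'900001'"
</Location>
```

Whitelisting the expected shape of the input, rather than blacklisting injection keywords, is what makes the patch hold up against encodings and variants you did not anticipate; the audit log entries then show you how often the patch is being hit while you wait for the upstream fix.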

Chapter 6 is titled “Blocking Common Attacks” and, as you might imagine, covers very practical security threats such as HTTP fingerprinting, blocking proxy requests, cross-site scripting, cross-site request forgery, shell command execution attempts, and SQL injection (to name a few). An overview of each potential threat is provided in case you do not know the terminology, and then specific examples and mod_security rules are described.

Chapter 7 covers chroot jails. The concept of a chroot jail is introduced, and using mod_security to simplify running Apache in a chroot jail is then described.

Chapter 8 – REMO. REMO is a web-based graphical tool to write and edit mod_security rules. Again, easy-to-follow directions were provided and REMO was easy to install. The chapter covers how to configure REMO and use the interface to modify rules.

The book concludes with chapter 9, “Protecting a Web Application”. This chapter details how to write and monitor a custom set of rules for a web application, YaBB (Yet another Bulletin Board). This is a daunting task, and if you feel you are Superman (or Superwoman), go for it. The process involves a thorough understanding of the normal functions of the web application and requires a test server for development and testing of rules. Ethereal or Fiddler are used to monitor HTTP activity, and this information is then used to write a rule set for YaBB. The rules are then debugged.

Appendix A is a compendium of directives and variables for use with mod_security.

Appendix B covers regular expressions in more detail.

OK, so not exactly light reading. This book provides a solid foundation for ModSecurity and should be extremely helpful in understanding and deploying mod_security.
