[Klug-general] New Webserver ModSecurity

Jeremy Hooks jeremyhooks at googlemail.com
Mon Sep 29 19:40:36 UTC 2008


Hi Nathan (and anyone else interested),
Just a quick email regarding installing ModSecurity on the new server, which
we spoke about briefly at the meeting yesterday.  I am happy to install
ModSecurity and help with any other server administration, but I am new to the
group so I will understand if you don't want to give me access right away.

In case you've not come across it before, ModSecurity is an open-source (GPL)
web application firewall.  Basically, it sits between Apache and any server-side
scripting/CGI and runs all requests against a list of common exploits
(negative security) and/or a list of valid requests (positive security) -
depending on the ruleset used.

There are two common rule sets: Breach's (the company behind ModSec) core
rules, which are fully open source, and GotRoot's rules, which are more
proprietary - still plain text, but only released to non-subscribers after
a 30-day delay.

As I understand it, the core rules are quite generic and offer good
protection against a lot of common known and unknown exploits - however, they
err on the side of security, so they can sometimes break parts of a web app
(usually because it is doing something a little unwise).  GotRoot seems
to be built around common applications and is (probably) more actively
developed; however, this does mean the ruleset is larger and there will
probably be more of a performance hit.  It might be best to start off using both
rulesets (I think GotRoot is designed to be able to work) and change this
if we run into problems (I will check the modsec lists to see if anyone sees
a problem with this).

There is also another product from Breach which is worth considering,
ModSecurity Console.  It is a proprietary app, but it is free for up to
3 nodes (servers).  It basically makes life easier if you want to actively
monitor your logs.  I haven't tried it; so far I have been happy grepping the
log files when I have a problem.
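Since the email mentions both tuning a ruleset that breaks parts of a web app and grepping the logs when there is a problem, here is an added example (not part of the original message or of the ModSecurity project) that parses the ModSecurity 2.x serial audit log format and counts which rule ids fire most often. The log sample, hosts, unique ids and rule file names are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of a ModSecurity 2.x serial audit log (two transactions,
# made-up hosts and ids). Section A is the transaction header, B the request,
# H the trailer with one "Message:" line per rule that matched.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[29/Sep/2008:19:40:36 +0000] SOAbCd123 192.0.2.10 51234 192.0.2.1 80
--a1b2c3d4-B--
GET /index.php?id=1%20OR%201=1 HTTP/1.1
--a1b2c3d4-H--
Message: Warning. Pattern match "..." at ARGS:id. [file "crs_41.conf"] [line "60"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[29/Sep/2008:19:41:02 +0000] SOAbCd124 192.0.2.11 51240 192.0.2.1 80
--e5f6a7b8-B--
POST /horde/login.php HTTP/1.1
--e5f6a7b8-H--
Message: Warning. Pattern match "..." at REQUEST_HEADERS:User-Agent. [file "crs_35.conf"] [line "12"] [id "990011"] [msg "Request Indicates an automated program"]
Message: Warning. Pattern match "..." at ARGS:passwd. [file "crs_41.conf"] [line "60"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--e5f6a7b8-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-f]+-([A-Z])--$")     # "--<txid>-<section>--"
HEADER = re.compile(r"^\[[^\]]+\] (\S+) (\S+) ")       # "[time] unique_id client_ip ..."
RULE = re.compile(r'\[id "(\d+)"\](?:.*?\[msg "([^"]*)"\])?')

def parse_audit_log(text):
    """Split a serial audit log into transactions: client, request line, rules hit."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        if (m := BOUNDARY.match(line)):
            section = m.group(1)
            if section == "A":
                current = {"client": None, "request": None, "rules": []}
            elif section == "Z" and current:
                entries.append(current)
            continue
        if section == "A" and (h := HEADER.match(line)):
            current["client"] = h.group(2)
        elif section == "B" and current["request"] is None:
            current["request"] = line                 # first B line is the request line
        elif section == "H" and line.startswith("Message:") and (r := RULE.search(line)):
            current["rules"].append((r.group(1), r.group(2) or ""))
    return entries

def rule_hit_counts(entries):
    """Count (rule id, message) hits; the most frequent are the first to review for false positives."""
    return Counter(rule for e in entries for rule in e["rules"])
```

Run `rule_hit_counts(parse_audit_log(open("/var/log/apache2/modsec_audit.log").read())).most_common(10)` against a real log to see which rules dominate before deciding what to tune.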

I don't pretend to know a lot about ModSec (probably not even 5% of all
there is to know), but I am confident that I can set it up and drastically
improve the security of the web server.  I have been using it for more than
two years on our dedicated remote host at work and we haven't had any
problems despite running horribly insecure PHP (Horde, Mambo (now Joomla),
amongst others).

Regards.

Jeremy.