[Klug-general] New Webserver ModSecurity

Nathan Friend nathan.friend at gmail.com
Mon Sep 29 20:22:32 UTC 2008


Hello Jeremy,
Thanks for the info, I'm sure our website guru Dan will be looking into ways
of securing the server if we go down a PHP CMS route.  I don't have a logon to
the server myself.

Cheers,

Nathan.

On Mon, Sep 29, 2008 at 8:40 PM, Jeremy Hooks <jeremyhooks at googlemail.com> wrote:

> Hi Nathan (and anyone else interested)
> Just a quick email regarding installing ModSecurity on the new server,
> which we spoke about briefly at the meeting yesterday.  I am happy to
> install ModSecurity and help with any other server administration, but I am
> new to the group so I will understand if you don't want to give me access
> right away.
>
> In case you've not come across it before, ModSecurity is an open source
> (GPL) web application firewall.  Basically, it sits between Apache and any
> server-side scripting/CGI and runs all requests against a list of common
> exploits (negative security) and/or a list of valid requests (positive
> security) - depending on the ruleset used.
>
> There are two common rulesets: Breach's (the company behind ModSec) core
> rules, which are fully open source, and GotRoot's rules, which are more
> proprietary - still plain text, but they are released to non-subscribers
> after a 30-day delay.
>
> As I understand it, the core rules are quite generic and offer good
> protection against lots of common known and unknown exploits - however they
> err on the side of security, so they can sometimes break parts of a web app
> (usually because they are doing something a little unwise).  Got Root seems
> to be built around common applications and is (probably) more actively
> developed, however this does mean the ruleset is larger and there will
> probably be more of a performance hit.  It might be best to start off using
> both rulesets (I think Got Root is designed to be able to work) and change
> this if we run into problems (I will check the modsec lists to see if anyone
> sees a problem with this).
>
> There is also another product from Breach which is worth considering,
> ModSecurity Console.  It is a proprietary app, but it is free for none up to
> 3 nodes (servers).  It basically makes life easier if you want to actively
> monitor your logs.  I haven't tried it; so far I have been happy grepping
> the log files when I have a problem.
>
> I don't pretend to know a lot about ModSec (probably not even 5% of all
> there is to know), but I am confident that I can set it up and drastically
> improve the security of the web server.  I have been using it for more than
> two years on our dedicated remote host at work and we haven't had any
> problem despite running horribly insecure PHP (Horde, Mambo (now Joomla),
> amongst others).
>
> Regards.
>
> Jeremy.
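
The negative and positive security models described in the quoted message, as an added ModSecurity 2.x configuration sketch that is not part of the original thread and is not taken from the core rules or the Got Root rules. The rule ids, the /article.php location, the "id" parameter and the audit log path are constructed for illustration.

```apache
# Added illustration. Ids, paths and parameter names below are assumptions.
<IfModule security2_module>
    # Log matches without blocking while the rules are tuned; the message
    # above notes that strict rules can break parts of a web app.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On

    # Record only transactions that triggered a rule, so the audit log
    # stays small enough to grep.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Negative security: flag a known-bad pattern in any request argument.
    SecRule ARGS "@rx (?i)\bunion\s+select\b" \
        "id:100001,phase:2,t:none,log,deny,status:403,msg:'SQL injection pattern in argument'"

    # Positive security: for one script, accept only the parameter "id",
    # and only when its value is a short run of digits.
    <Location /article.php>
        SecRule ARGS_NAMES "!@rx ^id$" \
            "id:100002,phase:2,t:none,log,deny,status:403,msg:'Unexpected parameter name'"
        SecRule ARGS:id "!@rx ^[0-9]{1,9}$" \
            "id:100003,phase:2,t:none,log,deny,status:403,msg:'Parameter id is not numeric'"
    </Location>
</IfModule>
```

With SecRuleEngine set to DetectionOnly the deny actions are logged but not enforced; switching it to On makes the same rules block.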