ModSecurity 2.5: securing your Apache installation and web applications
Prevent web application hacking with this easy-to-use guide. Secure your system by knowing exactly how a hacker would break into it. Covers writing rules in depth and ModSecurity rule language elements such as variables, actions, and request phases. Covers the common attacks in use on the Web, and ways...
Main author:
Format: Electronic book
Language: English
Published: Birmingham, U.K.: Packt Pub, 2009
Edition: 1st edition
Series: From technologies to solutions
Subjects:
View at Universitat Ramon Llull Library: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009627922306719
Table of Contents:
- Intro
- ModSecurity 2.5
- Table of Contents
- Credits
- About the Author
- About the Reviewers
- Preface
- What ModSecurity is
- Why you need ModSecurity
- What this book covers
- What you need for this book
- Who this book is for
- Conventions
- Reader feedback
- Customer support
- Errata
- Piracy
- Questions
- 1. Installation and Configuration
- Versions
- Downloading
- Checking the integrity of the downloaded source archive
- Unpacking the source code
- Required additional libraries and files
- Compilation
- Integrating ModSecurity with Apache
- Configuration file
- Completing the configuration
- Testing your installation
- Creating a simple ModSecurity rule
- Disguising the web server signature
- Summary
- 2. Writing Rules
- SecRule syntax
- Variables and collections
- The transaction collection
- Storing data between requests
- Examining several variables
- Quotes: Sometimes you need them and sometimes you don't
- Creating chained rules
- Rule IDs
- An introduction to regular expressions
- Examples of regular expressions
- More about regular expressions
- Using @rx to block a remote host
- Simple string matching
- Matching numbers
- More about collections
- Counting items in collections
- Filtering collection fields using a regular expression
- Built-in fields
- Transformation functions
- Other operators
- Set-based pattern matching with @pm and @pmFromFile
- @pmFromFile
- Performance of the phrase matching operators
- Validating character ranges
- Phases and rule ordering
- Actions: what to do when a rule matches
- Allowing requests
- Blocking requests
- Taking no action but continuing rule processing
- Dropping requests
- Redirecting and proxying requests
- SecAction
- Using the ctl action to control the rule engine
- How to use the ctl action
- Macro expansion
- SecRule in practice
- Blocking uncommon request methods
- Restricting access to certain times of day
- Detecting credit card leaks
- Detecting credit card numbers
- The Luhn algorithm and false positives
- Tracking the geographical location of your visitors
- GEO collection fields
- Blocking users from specific countries
- Load balancing requests between servers on different continents
- Pausing requests for a specified amount of time
- Executing shell scripts
- Sending alert emails
- Sending more detailed alert emails
- Counting file downloads
- Blocking brute-force password guessing
- Injecting data into responses
- Inspecting uploaded files
- Summary
- 3. Performance
- A typical HTTP request
- A real-world performance test
- The core ruleset
- Installing the core ruleset
- Making sure it works
- Performance testing basics
- Using httperf
- Getting a baseline: Testing without ModSecurity
- Response time
- Memory usage
- CPU usage
- ModSecurity without any loaded rules
- ModSecurity with the core ruleset loaded
- Response time
- Memory usage
- Finding the bottleneck
- Wrapping up core ruleset performance
- Optimizing performance
- Memory consumption
- Bypassing inspection of static content
- Using @pm and @pmFromFile
- Logging
- Writing regular expressions for best performance
- Use non-capturing parentheses wherever possible
- Use one regular expression whenever possible
- Summary
- 4. Audit Logging
- Enabling the audit log engine
- Single versus multiple file logging
- Determining what to log
- The configuration so far
- Log format
- Concurrent logging
- Selectively disabling logging
- Audit log sanitization actions
- The ModSecurity Console
- Installing the ModSecurity Console
- Accessing the Console
- Compiling mlogc
- Configuring mlogc
- Forwarding logs to the ModSecurity Console
- Summary
- 5. Virtual Patching
- Why use virtual patching?
- Speed
- Stability
- Flexibility
- Cost-effectiveness
- Creating a virtual patch
- From vulnerability discovery to virtual patch: An example
- Creating the patch
- Changing the web application for additional security
- Testing your patches
- Real-life examples
- Geeklog
- Patching Geeklog
- Cross-site scripting
- Real-life example: The Twitter worm
- Summary
- 6. Blocking Common Attacks
- HTTP fingerprinting
- How HTTP fingerprinting works
- Server banner
- Response header
- HTTP protocol responses
- Issuing an HTTP DELETE request
- Bad HTTP version numbers
- Bad protocol name
- The ETag HTTP header
- Using ModSecurity to defeat HTTP fingerprinting
- Blocking proxied requests
- Cross-site scripting
- Preventing XSS attacks
- PDF XSS protection
- HttpOnly cookies to prevent XSS attacks
- Session identifiers
- Cross-site request forgeries
- Protecting against cross-site request forgeries
- Shell command execution attempts
- Null byte attacks
- ModSecurity and null bytes
- Source code revelation
- Directory traversal attacks
- Blog spam
- SQL injection
- Standard injection attempts
- Retrieving data from multiple tables with UNION
- Multiple queries in one call
- Reading arbitrary files
- Writing data to files
- Preventing SQL injection attacks
- What to block
- Website defacement
- Brute force attacks
- Directory indexing
- Detecting the real IP address of an attacker
- Summary
- 7. Chroot Jails
- What is a chroot jail?
- A sample attack
- Traditional chrooting
- How ModSecurity helps jailing Apache
- Using ModSecurity to create a chroot jail
- Verifying that the jail works
- Chroot caveats
- Summary
- 8. REMO
- More about Remo
- Installation
- Remo rules
- Creating and editing rules
- Installing the rules
- Analyzing log files
- Configuration tweaks
- Summary
- 9. Protecting a Web Application
- Considerations before beginning
- The web application
- Groundwork
- Step 1: Identifying user actions
- Step 2: Getting detailed information on each action
- Step 3: Writing rules
- Step 4: Testing the new ruleset
- Actions
- Blocking what's allowed, denying everything else
- Cookies
- Headers
- Securing the "Start New Topic" action
- The ruleset so far
- The finished ruleset
- Alternative approaches
- Keeping everything up to date
- Summary
- A. Directives and Variables
- Directives
- SecAction
- SecArgumentSeparator
- SecAuditEngine
- SecAuditLog
- SecAuditLog2
- SecAuditLogParts
- SecAuditLogRelevantStatus
- SecAuditLogStorageDir
- SecAuditLogType
- SecCacheTransformations (deprecated/experimental)
- SecChrootDir
- SecComponentSignature
- SecContentInjection
- SecCookieFormat
- SecDataDir
- SecDebugLog
- SecDebugLogLevel
- SecDefaultAction
- SecGeoLookupDb
- SecGuardianLog
- SecMarker
- SecPdfProtect
- SecPdfProtectMethod
- SecPdfProtectSecret
- SecPdfProtectTimeout
- SecPdfProtectTokenName
- SecRequestBodyAccess
- SecRequestBodyLimit
- SecRequestBodyNoFilesLimit
- SecRequestBodyInMemoryLimit
- SecResponseBodyLimit
- SecResponseBodyLimitAction
- SecResponseBodyMimeType
- SecResponseBodyMimeTypesClear
- SecResponseBodyAccess
- SecRule
- SecRuleInheritance
- SecRuleEngine
- SecRuleRemoveById
- SecRuleRemoveByMsg
- SecRuleUpdateActionById
- SecServerSignature
- SecTmpDir
- SecUploadDir
- SecUploadFileMode
- SecUploadKeepFiles
- SecWebAppId
- Variables
- ARGS
- ARGS_COMBINED_SIZE
- ARGS_NAMES
- ARGS_GET
- ARGS_GET_NAMES
- ARGS_POST
- ARGS_POST_NAMES
- AUTH_TYPE
- ENV
- FILES
- FILES_COMBINED_SIZE
- FILES_NAMES
- FILES_SIZES
- FILES_TMPNAMES
- GEO
- HIGHEST_SEVERITY
- MATCHED_VAR
- MATCHED_VAR_NAME
- MODSEC_BUILD
- MULTIPART_CRLF_LF_LINES
- MULTIPART_STRICT_ERROR
- MULTIPART_UNMATCHED_BOUNDARY
- PATH_INFO
- QUERY_STRING
- REMOTE_ADDR
- REMOTE_HOST
- REMOTE_PORT
- REMOTE_USER
- REQBODY_PROCESSOR
- REQBODY_PROCESSOR_ERROR
- REQBODY_PROCESSOR_ERROR_MSG
- REQUEST_BASENAME
- REQUEST_BODY
- REQUEST_COOKIES
- REQUEST_COOKIES_NAMES
- REQUEST_FILENAME
- REQUEST_HEADERS
- REQUEST_HEADERS_NAMES
- REQUEST_LINE
- REQUEST_METHOD
- REQUEST_PROTOCOL
- REQUEST_URI
- REQUEST_URI_RAW
- RESPONSE_BODY
- RESPONSE_CONTENT_LENGTH
- RESPONSE_CONTENT_TYPE
- RESPONSE_HEADERS
- RESPONSE_HEADERS_NAMES
- RESPONSE_PROTOCOL
- RESPONSE_STATUS
- RULE
- SCRIPT_BASENAME
- SCRIPT_FILENAME
- SCRIPT_GID
- SCRIPT_GROUPNAME
- SCRIPT_MODE
- SCRIPT_UID
- SCRIPT_USERNAME
- SERVER_ADDR
- SERVER_NAME
- SERVER_PORT
- SESSION
- SESSIONID
- TIME
- TIME_DAY
- TIME_EPOCH
- TIME_HOUR
- TIME_MIN
- TIME_MON
- TIME_SEC
- TIME_WDAY
- TIME_YEAR
- TX
- USERID
- WEBAPPID
- WEBSERVER_ERROR_LOG
- XML
- B. Regular Expressions
- What is a regular expression?
- Regular expression flavors
- Example of a regular expression
- Identifying an email address
- The Dot character
- Quantifiers: star, plus, and question mark
- Question Mark
- Star
- Plus sign
- Grouping
- Ranges
- Alternation
- Backreferences
- Captures and ModSecurity
- Non-capturing parentheses
- Character classes
- Negated matching
- Shorthand notation
- Anchors
- Start and end of string
- Word Boundary
- Lazy quantifiers
- Debugging regular expressions
- Additional resources
- Our email address regex
- Summary
- Index
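The chapter 2 entries "Detecting credit card numbers" and "The Luhn algorithm and false positives" cover pairing a digit-sequence regular expression with a Luhn (mod-10) check, so that sequences such as order or tracking numbers are not reported as leaked card numbers; in ModSecurity the @verifyCC operator applies both stages inside one rule. The Python script below is an added example, not code from the book or from the ModSecurity project: it reproduces the two-stage check over constructed sample response bodies (the card-like numbers are standard test values, not real account numbers) and shows the regex alone flagging two strings while the Luhn stage keeps only the valid one.

```python
import re

# Constructed sample response bodies (not from the book). The card-like
# numbers are well-known test values, not real account numbers.
SAMPLES = {
    "leak": "Order confirmed. Card on file: 4111 1111 1111 1111, exp 12/27.",
    "tracking": "Your parcel id is 1234 5678 9012 3456 and it ships tomorrow.",
    "clean": "Thanks for your order. No payment data is shown on this page.",
}

# Deliberately loose first stage: 13 to 19 digits, optionally separated by
# single spaces or dashes. The Luhn stage, not the regex, makes the decision.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    # Walk from the rightmost digit and double every second digit; a doubled
    # value above 9 has 9 subtracted (equivalent to summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def regex_only_hits(text: str) -> int:
    """Stage one alone: how many candidates the loose regex reports."""
    return len(CANDIDATE_RE.findall(text))


def find_card_numbers(text: str) -> list[str]:
    """Both stages: candidates that also pass Luhn, separators stripped."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9s} regex-only={regex_only_hits(body)} "
              f"luhn-verified={find_card_numbers(body)}")
```

Running the script shows the "tracking" body producing one regex hit and zero verified hits, which is the false positive the Luhn stage exists to remove; the "leak" body is the only one reported. A response-body rule built on @verifyCC behaves the same way, and the same loose-then-strict structure applies to other checksummed identifiers.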