
24 May

On the value of mod_security

Over on plastic bag, Tom has a problem.

The problem in one word is spam.

He actually had two problems (a mass download of his site via a “wget recursively” style script, and the mass spamming of his blog via a “post continuously” script), but both have the same answer: the Apache module named mod_security.

I investigated and installed mod_security on my server in the winter of 2004, when a PHP worm was harvesting forum addresses from Google and then propagating itself via vulnerable GET requests, using the Perl module to perform the request.

The essence of mod_security is that it is a firewall for web traffic that lives inside the Apache web server as a module: it inspects each incoming request (headers, URL, and, if you enable it, the POST body) against the rules you define, and rejects a matching request before Apache ever hands it to your web application.


Installation is reasonably easy, so I won’t repeat the documentation that you can find on their site.

The key part is defining the rules, and two rules would have saved Tom from his downtime (the examples below use the SecFilter* syntax of mod_security 1.x; the 2.x series replaced it with SecRule, but the logic is the same):

The first set should block the wget and httrack user agents to prevent mass downloads, and, for the hell of it, the Perl LWP tools used by most Perl worms. Each keyword is a regular expression matched anywhere in the User-Agent header. Bear in mind that lwp catches the lwp-request and lwp-download command-line tools but not a script using LWP::UserAgent directly, whose default User-Agent is libwww-perl/x.y, and that any of these clients can claim to be a browser with a single option (wget --user-agent=...), so these rules stop the lazy and the default rather than a determined attacker:
# Deny any request whose User-Agent header matches one of these keywords
SecFilterSelective HTTP_USER_AGENT httrack
SecFilterSelective HTTP_USER_AGENT wget
SecFilterSelective HTTP_USER_AGENT lwp

The second filter should block GET requests on mt-comments.cgi. I'm guessing this one because I don't use MT; however, comments are POSTed via the form at the bottom, and I think that most spam would simply be using GET… so let's nuke that. Note the chaining of the two lines: the condition must match both parts of the rule for the rule to be applied:
# 'chain' ties this rule to the next one: deny only if both match the same request
SecFilterSelective SCRIPT_FILENAME mt-comments.cgi chain
SecFilterSelective REQUEST_METHOD GET

There may be far more we can do to that… I’m just jotting this down as a quick example of a rule that may do it. I’d want to look at how Movable Type works and test the rules prior to sending them live. That latter one may be far too broad, for example.
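One way to do the testing the paragraph above calls for is to dry-run the rules against your own access log before enabling them. The following is an added example for this page, not code from the original post or from mod_security: a small Python model of how SecFilterSelective rules (including the chain) decide on a request, run over a constructed Apache combined-format log. It assumes keywords are matched as case-insensitive regular expressions and uses the URL path in place of the real SCRIPT_FILENAME; the log lines and addresses are made up for the demonstration.

```python
import re

# The two rule sets from the post, in evaluation order. A rule is
# (variable, keyword-regex, chained). A chained rule only denies when the
# rule that follows it matches the same request as well.
RULES = [
    ("HTTP_USER_AGENT", r"httrack", False),
    ("HTTP_USER_AGENT", r"wget", False),
    ("HTTP_USER_AGENT", r"lwp", False),
    ("SCRIPT_FILENAME", r"mt-comments\.cgi", True),   # 'chain': needs the next rule too
    ("REQUEST_METHOD", r"GET", False),
]

# Apache "combined" log format, as produced by the stock CustomLog setup.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def log_line_to_vars(line):
    """Map one combined-log line to the request variables the rules consult."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("not a combined-format log line: %r" % line)
    # Assumption: the real SCRIPT_FILENAME is the filesystem path of the
    # script; the URL path without the query string stands in for it here,
    # which is what the mt-comments.cgi keyword matches on either way.
    path = m.group("uri").split("?", 1)[0]
    return {
        "REMOTE_ADDR": m.group("ip"),
        "REQUEST_METHOD": m.group("method"),
        "REQUEST_URI": m.group("uri"),
        "SCRIPT_FILENAME": path,
        "HTTP_USER_AGENT": m.group("ua"),
    }


def first_denying_rule(vars_, rules=RULES):
    """Return the index of the rule (or of the first rule of a chain) that
    denies this request, or None if every rule lets it through."""
    i = 0
    while i < len(rules):
        start = i
        matched = True
        while True:
            variable, keyword, chained = rules[i]
            # Assumption: keywords are case-insensitive regular expressions
            # searched anywhere in the variable's value.
            if not re.search(keyword, vars_.get(variable, ""), re.IGNORECASE):
                matched = False
            if not chained or i + 1 >= len(rules):
                break
            i += 1          # keep walking the chain
        if matched:
            return start
        i += 1
    return None


def scan_log(text, rules=RULES):
    """Dry-run the rules over an access log; returns one
    (line_number, user_agent, denying_rule_index_or_None) per line."""
    results = []
    for n, line in enumerate(text.strip().splitlines(), start=1):
        vars_ = log_line_to_vars(line)
        results.append((n, vars_["HTTP_USER_AGENT"], first_denying_rule(vars_, rules)))
    return results


# Constructed sample log (not real traffic): a wget mirror run, HTTrack, a
# browser reading a post, lwp-request, an LWP spammer hitting the comment
# script with GET, a genuine POSTed comment, and a wget run hiding behind a
# browser-looking User-Agent string.
SAMPLE_LOG = """\
10.0.0.5 - - [24/May/2005:10:00:01 +0100] "GET /archives/2005/05/index.html HTTP/1.0" 200 8123 "-" "Wget/1.9.1"
10.0.0.6 - - [24/May/2005:10:00:02 +0100] "GET /archives/2005/05/post.html HTTP/1.0" 200 5120 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
192.0.2.10 - - [24/May/2005:10:01:00 +0100] "GET /archives/2005/05/post.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.0"
10.0.0.7 - - [24/May/2005:10:01:30 +0100] "GET /archives/2005/05/post.html HTTP/1.1" 200 5120 "-" "lwp-request/2.06"
198.51.100.7 - - [24/May/2005:10:02:00 +0100] "GET /cgi-bin/mt/mt-comments.cgi?entry_id=42&author=casino&text=buy HTTP/1.0" 200 300 "-" "libwww-perl/5.803"
192.0.2.10 - - [24/May/2005:10:03:00 +0100] "POST /cgi-bin/mt/mt-comments.cgi HTTP/1.1" 302 0 "http://blog.example/archives/2005/05/post.html" "Mozilla/5.0 (X11; Linux) Firefox/1.0"
10.0.0.5 - - [24/May/2005:10:04:00 +0100] "GET /archives/2005/05/index.html HTTP/1.0" 200 8123 "-" "Mozilla/5.0 (compatible)"
"""

if __name__ == "__main__":
    for n, ua, rule in scan_log(SAMPLE_LOG):
        verdict = "ALLOW" if rule is None else "DENY by rule %d %s" % (rule, RULES[rule][:2])
        print("line %d  %-50s %s" % (n, ua[:50], verdict))
```

Running it shows the wget, HTTrack and lwp-request lines denied by the user-agent rules, the libwww-perl spammer caught only by the mt-comments.cgi/GET chain (since "lwp" is not a substring of "libwww-perl"), the genuine POSTed comment allowed, and the final wget run with a spoofed User-Agent passing straight through, which is exactly the kind of gap you want to see on paper before the rules go live.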

But in general, that’s all we need to do… block all mass downloads, and block all GET scripted spam against the comments page of MT.

I’m sure there are many more examples of mod_security helping out; on Bowlie I use it to prevent PHP worms, detect intrusions, and kill spam. If it’s not yet part of your toolkit for administering an Apache web server, it most definitely should be.

And to help you get started, some starter links and example pages:
Mod Security Manual
Security Focus Guide
Mod Security Quick Examples