Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 27th January 2008, 11:28
Karel Karel is offline
Junior Member
 
Join Date: Jun 2007
Posts: 12
Thanks: 0
Thanked 1 Time in 1 Post
Default mod_security, mod_security2

Hello,

I just installed mod_security2 and I have several problems.

I enforce open_basedir on my server (Debian Testing) + have a list of disallowed php functions for every host (exec() and others), but I want to add extra layer of security. Unfortunately, the rules for mod_security2 seem to be quite an overkill (they may be powerful, but also time consuming and performance hog). So, my questions:
  • What is the difference between mod_security and mod_security2? Most guides seem to mention mod_security (which has simple, reasonable rules, but is no longer developed). Are there any (big) security holes in mod_security? I wasn't able to find any comparison.
  • Is there any other module with similar functionality? (No chroot/jail, it's unmaintainable).
  • Are there any simple tests whether mod_security2 is working? I added rules from http://www.gotroot.com/mod_security+rules, which should prevent simple attacks like reading /etc/passwd, but even though it logged some false positives, mod_security2 didn't stop me from displaying this file (not did it log an attack). Maybe the rules didn't work, but they are several lines of regexp each, so it's impossible to check each of them - on contrary to simple rules of mod_security(1).
Reply With Quote
Sponsored Links
  #2  
Old 28th January 2008, 19:47
Karel Karel is offline
Junior Member
 
Join Date: Jun 2007
Posts: 12
Thanks: 0
Thanked 1 Time in 1 Post
 
Default

OK, I did my 'homework'. There don't seem to be any huge changes in mod_security2, only drawbacks. It got more complicated, the rules are so complicated they had to create a gui application (my server is text only). I guess I'm going with mod_security(1), because I need to protect my server, not my clients (those who need protection pay me for maintaining their software and I'm relatively successful in avoiding huge security holes).

What's new in ModSecurity 2.0 and why should I upgrade if I am already using ModSecurity 1.x?

There are many significant changes and enhancemnts in ModSecurity 2.0 over the 1.x branch, including:

* In order to use the free Core Rules, you must use the 2.x version of ModSecurity as it takes advantage of specific features not available in previous versions.
* Five processing phases (where there were only two in 1.9.x). These are: request headers, request body, response headers, response body, and logging. Those users who wanted to do things at the earliest possible moment can do them now.
* Per-rule transformation options (previously normalization was implicit and hard-coded). Many new transformation functions were added.
* Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, and so on.
* Data persistence (can be configured any way you want although most people will want to use this feature to track IP addresses, application sessions, and application users).
* Support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
* Support for web applications and session IDs.
* Regular Expression back-references (allows one to create custom variables using transaction content).
* There are now many functions that can be applied to the variables (where previously one could only use regular expressions).
* XML support (parsing, validation, XPath).
Reply With Quote
The Following User Says Thank You to Karel For This Useful Post:
falko (29th January 2008)
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +2. The time now is 18:48.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.