Aerosol Posted December 8, 2014

ModSecurity

ModSecurity is an Open Source Web Application project (Apache module) that aims to secure web applications running on webservers and block penetration or hacking attempts by inspecting the body of HTTP requests. It provides intrusion detection and prevention for web applications and aims at shielding web applications from attacks like SQL injections, cross-site scripting and path traversal attacks ...

About Apache modules

The Apache WebServer is a modular application where the user can choose the functionality to include in the server by selecting the desired modules. Modules can be either statically compiled into the httpd binary when the server is built, or compiled as Dynamic Shared Objects (DSOs) separately from the main httpd binary file. DSO modules may be compiled at the time the server is built, or they may be compiled and added at a later time using the Apache Extension Tool (apxs). After a module is compiled into a DSO, it will have an extension like mod.so.

Installing mod-security

Mod-security can be installed with the apt-get package manager on Debian; on a Fedora system yum can be used.

First, we'll update the apt-get source database:

LinuxBox# apt-get update
Ign http://ftp.de.debian.org lenny Release.gpg
Ign http://ftp.de.debian.org/debian/ lenny/main Translation-en
Hit http://security.debian.org squeeze/updates Release.gpg
Ign http://security.debian.org/ squeeze/updates/contrib Translation-en
Ign http://security.debian.org/ squeeze/updates/contrib Translation-en_US
Ign http://ftp.de.debian.org/debian/ lenny/main Translation-en_US
Hit http://ftp.de.debian.org squeeze Release.gpg
Ign http://ftp.de.debian.org/debian/ squeeze/main Translation-en
Ign http://ftp.de.debian.org/debian/ squeeze/main Translation-en_US
Ign http://ftp.de.debian.org lenny Release
Ign http://security.debian.org/ squeeze/updates/main Translation-en
Ign http://security.debian.org/ squeeze/updates/main Translation-en_US
Hit http://security.debian.org squeeze/updates Release
Hit http://ftp.de.debian.org squeeze Release
...

After updating the source list, we can install mod-security:

LinuxBox# apt-get install libapache-mod-security
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  liblua5.1-0 mod-security-common
The following NEW packages will be installed:
  libapache-mod-security liblua5.1-0 mod-security-common
0 upgraded, 3 newly installed, 0 to remove and 73 not upgraded.
Need to get 1,158 kB of archives.
After this operation, 3,490 kB of additional disk space will be used.
Do you want to continue [Y/n]?
...
Setting up libapache-mod-security (2.5.12-1) ...
Reloading web server config: apache2.

In /etc/apache2/mods-available/ we can find the available Apache modules, mod-security among them:

LinuxBox# ls /etc/apache2/mods-available/ | grep mod
mod-security.load
LinuxBox#

(In /etc/apache2/mods-enabled are located symlinks to the modules which are enabled.)

Enabling or disabling Apache modules

Once an Apache module is installed we can enable it with the a2enmod command, or disable it with the a2dismod command, after which we have to restart the Apache server with the "/etc/init.d/apache2 restart" command:

LinuxBox# a2dismod mod-security && /etc/init.d/apache2 restart
Module mod-security disabled.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Restarting web server: apache2 ... waiting .
LinuxBox# a2enmod mod-security && /etc/init.d/apache2 restart
Enabling module mod-security.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Restarting web server: apache2 ... waiting .

Check loaded modules

To check and see the loaded modules (the modules which are enabled), apachectl -M can be used:

LinuxBox# apachectl -M
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 security2_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 php5_module (shared)
 python_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)
 unique_id_module (shared)
Syntax OK
LinuxBox#

Source
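As an added example (not code from Aerosol's post), the following POSIX shell script automates the two checks the tutorial performs by hand: it parses `apachectl -M` output to confirm that the ModSecurity DSO is loaded, and it writes a minimal local ModSecurity 2.x configuration that turns the rule engine on and adds one path-traversal rule of the kind the post mentions. Note the naming caveat visible in the post's own output: the module is enabled as mod-security (mods-available/mod-security.load) but appears in the loaded-module list under its internal name security2_module. The config file path, the audit log path, the rule id 900001 and the embedded module list are assumptions or constructed samples, so the script runs on a machine without Apache.

```shell
#!/bin/sh
# Added example, not part of the original post: script the checks the
# tutorial does by hand (is the ModSecurity DSO loaded? is a local rule file
# in place?). File path, rule id and audit log path below are assumptions.

# Constructed sample of `apachectl -M` output (abbreviated from the post) so
# the functions can be exercised on a machine without Apache.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 security2_module (shared)
 reqtimeout_module (shared)
Syntax OK'

# module_loaded NAME: reads `apachectl -M` output on stdin and succeeds if
# NAME is listed. The DSO enabled as mod-security.load shows up here under
# its internal name security2_module, not "mod-security".
module_loaded() {
    grep -Eq "^ *$1 \((static|shared)\)$"
}

# loaded_module_list: real output when apachectl exists, otherwise the sample.
loaded_module_list() {
    if command -v apachectl >/dev/null 2>&1; then
        apachectl -M 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_MODULES"
    fi
}

# write_local_config FILE [MODE]: write a minimal ModSecurity 2.x config.
# MODE defaults to DetectionOnly so matches are logged but not enforced until
# the audit log has been reviewed; pass "On" to enforce.
write_local_config() {
    file=$1
    mode=${2:-DetectionOnly}
    cat > "$file" <<EOF
# Local ModSecurity configuration (hypothetical file written by this example)
SecRuleEngine $mode
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
# Deny obvious directory-traversal sequences in the URI or request arguments.
# Rule id 900001 is an assumption; pick one from your own id range.
SecRule REQUEST_URI|ARGS "@contains ../" "id:900001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal attempt'"
EOF
}

# config_mode FILE: print the SecRuleEngine setting from FILE.
config_mode() {
    awk '$1 == "SecRuleEngine" { print $2 }' "$1"
}

# Demo: report whether ModSecurity is loaded on this machine (or in the sample).
if loaded_module_list | module_loaded security2_module; then
    echo "security2_module (ModSecurity) is loaded"
else
    echo "security2_module not loaded: run a2enmod mod-security and restart Apache"
fi
```

In use, write the file with `write_local_config /etc/apache2/conf.d/modsecurity-local.conf` (path assumed), restart Apache as the post shows, watch the audit log for false positives, then rewrite it with the second argument `On` to start enforcing.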
wildchild Posted December 8, 2014

Since we're talking about Apache security, tell me how you can use this module to protect against Slow Loris.
Aerosol Posted December 8, 2014

To be honest I'm not good when it comes to servers so I can't tell; I posted it for those who are interested.
wildchild Posted December 9, 2014

Oh well, I was trying to engage you in a technical debate regarding this subject and see if others would participate, given the fact that Apache has a great percentage of being used as a webserver nowadays. This topic would have been indexed and proved useful amongst sysadmins and security professionals.
PingLord Posted December 9, 2014

As far as I remember, slowloris is doing half HTTP sessions. I have not used Mod_security for some time, but I think nginx could help with this with the limit req conn directive (I think aelius knows better what the directive is called).
Guest Posted December 9, 2014

> Since we're talking about Apache security, tell me how you can use this module to protect against Slow Loris.

Well, modsec will not protect you from all kinds of slowloris. I'd recommend using libapache2-mod-antiloris (deb) or mod_qos, or even some IPTables / Netfilter rules.

PS: If you really need to filter the malware traffic via Apache's modsec, you may use COMODO's Free ModSecurity Rules; it does the job for a large pattern of attacks/intrusions: https://waf.comodo.com/
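As an added example (not code from any poster in this thread), here is how the Netfilter side of Guest's advice and a first detection step fit together in POSIX shell: flag_connection_floods counts established connections per remote address from `netstat -tn` output and reports any source holding an unusual number of them (the footprint of a slowloris-style client that opens many connections and keeps each one alive with partial requests), and connlimit_rule prints, without running it, the iptables connlimit rule that caps per-source connections. The netstat sample, the TEST-NET addresses and the thresholds are constructed for this example; the detection function takes the port as an optional second argument, so it generalises beyond port 80.

```shell
#!/bin/sh
# Added example, not from the thread: spot a single client holding an unusual
# number of open connections to port 80 and emit the Netfilter connlimit rule
# that caps it. Thresholds and sample addresses are constructed.

# Constructed `netstat -tn` output: 203.0.113.7 holds four connections to
# port 80, 198.51.100.2 holds one, and one unrelated SSH session is present.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:33000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED'

# flag_connection_floods LIMIT [PORT]: read `netstat -tn` output on stdin and
# print "IP COUNT" for every remote address with LIMIT or more established
# connections to PORT (default 80), sorted by address.
flag_connection_floods() {
    awk -v limit="$1" -v port="${2:-80}" '
        $4 ~ (":" port "$") && $6 == "ESTABLISHED" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # strip the remote port
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= limit) print ip, count[ip]
        }' | sort
}

# connlimit_rule LIMIT [PORT]: print (do not run) the iptables rule that
# rejects new connections from a single source once it already holds more
# than LIMIT connections to PORT. Review it, then apply it with root privileges.
connlimit_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' "${2:-80}" "$1"
}

# Demo on the constructed sample; live use is `netstat -tn | flag_connection_floods 20`.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_connection_floods 3
connlimit_rule 20
```

A per-source cap only limits a single client; a distributed set of sources stays under any per-address threshold, which is why Guest points at server-side modules as well. On the Apache side, the reqtimeout_module listed in Aerosol's `apachectl -M` output is the complementary control: its RequestReadTimeout directive bounds how long a client may take to send request headers and body, so a connection held open with a partial request is dropped instead of occupying a worker indefinitely.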
wildchild Posted December 9, 2014

That's correct, modsec can only be partially used for this kind of attack. Using nginx as a reverse proxy is a way of dealing with it because its design is not flawed by the Maximum Clients model. nginx uses worker threads, so basically there's no limit to the number of connections that it can handle. Tweaking sysctl.conf properly can also contribute to the matter.
Guest Posted December 9, 2014

> That's correct, modsec can only be partially used for this kind of attack. Using nginx as a reverse proxy is a way of dealing with it because its design is not flawed by the Maximum Clients model. nginx uses worker threads, so basically there's no limit to the number of connections that it can handle. Tweaking sysctl.conf properly can also contribute to the matter.

Well ... yes and no. It's way more efficient to secure Apache than to turn it into a backend webserver using nginx as a reverse proxy, because if you do that, then you basically have two webservers running and serving the same amount of connections and traffic ... so, in most cases the resource consumption will be a little bit higher than using Apache as a standalone webserver (and the only one). But if you hate Apache, I'd recommend using ONLY nginx as a standalone webserver, replacing Apache.
wildchild Posted December 9, 2014

You'd be amazed how well they can work if you configure them properly, especially with all kinds of plugins like magento. nginx is also better for caching static files than using some Apache mods. It's up to anyone; I personally never leave Apache without a haproxy/varnish/nginx in front of it. You can always make a proxy_pass. Sincerely, an nginx user.

PS: my clients usually use dedicated hardware in production and there's no bottleneck. Maybe on smaller machines I'd use only Apache; however, a regular FreeBSD uses very few resources, so an nginx is almost unnoticed.

Edited December 9, 2014 by wildchild