Apache Security - Ivan Ristic [187]
Intercepts HTTP requests before they are fully processed by the web server
Intercepts the request body (e.g., the POST payload)
Intercepts, stores, and optionally validates uploaded files
Performs anti-evasion actions automatically
Performs request analysis by processing a set of rules defined in the configuration
Intercepts HTTP responses before they are sent back to the client (Apache 2 only)
Performs response analysis by processing a set of rules defined in the configuration
Takes one of the predefined actions or executes an external script when a request or a response fails analysis (a process called detection)
Depending on the configuration, a failed request may be prevented from being processed, and a failed response may be prevented from being seen by the client (a process called prevention)
Performs audit logging
In this section, I present a deployment guide for mod_security, but the principles behind it are the same and can be applied to any web application firewall. For a detailed reference manual, visit the project documentation area at http://www.modsecurity.org/documentation/.
Introduction
The basic ingredients of every mod_security configuration are:
Anti-evasion features
Encoding validation features
Rules (to detect invalid requests)
Actions (to handle invalid requests)
The purpose of this section is to present enough information about how these ingredients interact with each other to enable you to configure and use mod_security. The subsequent sections cover some advanced topics to give you the additional insight needed in specific cases.
Installation and basic configuration
To install mod_security, you need to compile it using the apxs tool, as you would any other module. Some contributors provide system-specific binaries for download, and I put links to their web sites at http://www.modsecurity.org/download/. If you have installed Apache from source, apxs will be with other Apache binaries in the /usr/local/apache/bin/ folder. If you cannot find the apxs tool on your system, examine the vendor-provided documentation to learn how to add it. For example, on Red Hat systems apxs is a part of the httpd-devel package.
Change to the correct source code directory (there is one directory for each Apache branch) and execute the following commands:
# /usr/local/apache/bin/apxs -cia mod_security.c
# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl start
After having restarted Apache, mod_security will be active but disabled. I recommend the following configuration to enable it with minimal chances of denying legitimate requests. You can enable mod_security with fewer configuration directives. Most options have default settings that are the same as the following configurations, but I prefer to configure things explicitly rather than wonder if I understand what the default settings are:
# Enable mod_security
SecFilterEngine On
# Retrieve request payload
SecFilterScanPOST On
# Reasonable automatic validation defaults
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat Off
SecFilterNormalizeCookies Off
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Reject invalid requests with status 403
SecFilterDefaultAction deny,log,status:403
# Only record the relevant information
SecAuditEngine RelevantOnly
SecAuditLog /var/www/logs/audit_log
# Where to store temporary and intercepted files
SecUploadDir /var/www/logs/files/
# Do not store intercepted files for the time being
SecUploadKeepFiles Off
# Use 0 for the debug level in production
# and 4 for testing
SecFilterDebugLog /var/www/logs/modsec_debug_log
SecFilterDebugLevel 4
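To make the encoding-validation directives in the configuration above concrete, here is an added example (not code from the book or from mod_security itself) that mirrors what SecFilterCheckURLEncoding On and SecFilterForceByteRange 1 255 check on a request target, and reports the 403 status that SecFilterDefaultAction would return on failure. The helper names and the sample request targets are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Constructed mirror of two validation directives from the configuration above
# (hypothetical helper, not mod_security's own code):
#   SecFilterCheckURLEncoding On  -> every '%' must be followed by two hex digits
#   SecFilterForceByteRange 1 255 -> every decoded byte must lie in [1, 255]
BYTE_RANGE = (1, 255)
STATUS_ON_FAILURE = 403  # from SecFilterDefaultAction deny,log,status:403
_HEX_PAIR = re.compile(r"%([0-9A-Fa-f]{2})")


def url_decode_strict(value: str) -> Optional[bytes]:
    """Decode percent-encoding; None if any '%' is not followed by two hex digits."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "%":
            m = _HEX_PAIR.match(value, i)
            if m is None:
                return None  # malformed escape such as "%zz" or a trailing "%2"
            out.append(int(m.group(1), 16))
            i += 3
        else:
            out.extend(b" " if ch == "+" else ch.encode("utf-8"))  # '+' is a form-encoded space
            i += 1
    return bytes(out)


def check_request_target(target: str) -> Tuple[int, str]:
    """Return (status, reason): 200 if both checks pass, 403 if the request would be denied."""
    decoded = url_decode_strict(target)
    if decoded is None:
        return STATUS_ON_FAILURE, "invalid URL encoding"
    low, high = BYTE_RANGE
    for b in decoded:
        if b < low or b > high:
            return STATUS_ON_FAILURE, f"byte 0x{b:02x} outside range {low}-{high}"
    return 200, "ok"


# Constructed sample request targets (not taken from the book)
SAMPLES = [
    "/index.php?page=about",         # plain request, passes
    "/search?q=caf%C3%A9",           # valid encoding; 0xC3 0xA9 are inside 1-255
    "/download?file=report%00.pdf",  # encoded NUL (0x00) falls outside 1-255
    "/login?user=%2",                # truncated escape: invalid URL encoding
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(check_request_target(s), s)
```

Raising the lower bound of SecFilterForceByteRange (for example to 32) would make the same check reject control characters as well, which is why the book's permissive 1 255 setting is described as accepting almost all byte values.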
Starting from the top, this configuration data enables mod_security and tells