Monday, November 10, 2008

Securing Apache web with ModSecurity

If you are hosting your websites with Apache web server, which is mostly the case if your web server is running on Linux platform, you should seriously consider installing ModSecurity to provide intrusion detection and prevention for your web applications.

ModSecurity is an open source, free web application firewall (WAF) Apache module. According to Forrester Research, it is the most widely deployed web application firewall nowadays.

WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It aims at shielding web applications from known and unknown attacks, such as SQL injection, cross-site scripting, path traversal, etc.

Features of ModSecurity includes:

  • HTTP Traffic Logging - ModSecurity makes full HTTP transaction logging possible, allowing complete requests and responses to be logged.
  • Real-Time Monitoring and Attack Detection - ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. In this case, ModSecurity operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems.
  • Attack Prevention and Just-in-time Patching - ModSecurity can also act immediately to prevent attacks from reaching your web applications.

ModSecurity supports the following security models:
  • Negative Security Model - Looks for known bad, malicious requests. This method is effective at blocking a large number of automated attacks, however it is not the best approach for identifying new attack vectors.

  • Positive Security Model - When positive security model is deployed, only requests that are known to be valid are accepted, with everything else rejected. This approach works best with applications that are heavily used but rarely updated.

  • Virtual Patching - With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it), making your systems secure until a proper patch is produced.

  • Extrusion Detection Model - ModSecurity can also monitor outbound data and identify and block information disclosure issues such as leaking detailed error messages or Credit Card Numbers, etc.

ModSecurity is included in all the major Linux distributions. Look for "libapache2-mod-security" or just "mod_security" in your Linux distribution to install it.

Click here for detailed documentations about ModSecurity.


Post a Comment

Hint: Click on the "Older Posts" link to continue reading, or click here for a listing of all my past 3 months articles.