BEGINNERS GUIDE TO MOD_SECURITY

Mod_security

It is an open source ,cross-platform WAF i.e Web Application Firewall.It is also known as “SWISS ARMY KNIFE” of WAFs.It blocks commonly known exploits by using some defined regular expressions and rule sets.mostly it is found enabled on all InMotion servers .It is helpful in blocking common code injection attacks.It provides outstanding protection against threats to data with the help of applications and protecting against known attacks that target vulnerabilities in public software.

What Mod_Security can do?

• Parsing

     Mod_security makes sense of as much supported data formats as available and then extracts bits of data for using as rules in future.

• Buffring

      When we do typical installation ,then both the resquest and response bodies are buffered ,resulting that Mod_Security sees complete request and response before these request are passed to application for processing.

It is one of the imp. Feature in modsecurity

• Logging

      Audit logging/transaction logging is main part of what modsecurity do .Because of this feature we are able to record complete HTTPs traffic .Request header ,response header response body -these all bits are available to us because of this feature.

• Rule Engine

       Before the Rule Engine start ,all bits and pieces of data are prepared and made ready for inspection.

COMMERCIAL MOD_SECURITY RULES

1.  Virtual patching

2.  IP reputation

3.  Web Based malware detection

4.  Webshell or backdoor detection

5.  Botnet attack detection

6.  http denial of service attack detection

7.  antivirus scanning of file attachments.

IMPACT OF MOD_SECURITY ON WEB SERVERS

 Installing mod_security on our servers changes how our web servers operates.When we install mod_security on our server our resources like CPU and RAM comsumption increases .

Below is a list of various activities of mod_security which increase resource consumption:

·     Mod_security adds to the parsing already done by Apache ,which results in slight inc. of CPU consumption.

·     Parsers  like XML are more expensive.

·     Input/output operations are required for handling of uploaded files

·     Parsing results in RAM consumption because every extracted element  needs to be copied in its own space.

Installing Mod_security

Note:- Always install mod_security from source as it is best way to be updated with the latest versions and rules ,and even we are able to make changes we want to make

STEPs :-

Downloading  releases

For downloading mod_security just go to official site of mod_security or follow the given link  http://www.modsecurity.org/download/

Now there download both the main distribution and the cryptographic signature or Just type the followings commands in your OS

$ wget http://www.modsecurity.org/download/modsecurity-apache_2.5.10-dev2.tar.gz

$ wget http://www.modsecurity.org/download/modsecurity-apache_2.5.10-dev2.tar.gz.asc

NOTE:- Beware of trojans which may be planted by the third parties

Configuration :-

Main config files are given below :-

1.  main.conf                             Main configuration file

2.  rules-first.conf                    Rules that need to run first

3.  rules.conf                             Your principal rule file

4.  rules-last.conf                     Rules that need to run last

NOTE :- Our main configuration file i.e, (modsecurity.conf) should only contain followings lines.

IfModule mod_security2.c

Include /opt/modsecurity/etc/main.conf 

Include/opt/modsecurity/etc/rules-first.conf Include/opt/modsecurity/etc/rules.conf

Include/opt/modsecurity/etc/rules-last.conf 

/IfModule

Now setup mod_security to APACHE server

----------

------

---

FURTHER INSTALLATION STEPS ARE IN BEGINNERS GUIDE TO MOD_SECURITY 2 (article will be uploaded soon)

So keep visiting cyberintelligence.in article portal.