ModSecurity Handbook

by Mike on June 22, 2010

in Book Reviews

It was almost 20 years ago now that I received a very disturbing email in which someone stated, “your server has been hacked … you need to check it out.”  Sure enough, my dedicated server at one of the largest hosting companies (can you say “disaster magnet”?) was hacked.  This event forever changed the way I viewed the Internet and the necessity of security, specifically firewalls.  I have kept that email all these years as a reminder of what can happen.  An incomplete firewall led to a compromise.

These days almost everyone understands the importance of a good firewall guarding the ports that allow access to our servers.  What many people do not realize is that a serious danger lurks on one of the ports that has to stay open.  Port 80 (and 443 for HTTPS) must be open to serve web content, but a network firewall only decides whether a connection may be made; it inspects nothing of the HTTP requests that then flow through it.  The Apache web server, as good as it is, has little protection of its own against what arrives on that port.  This is where ModSecurity comes in: it is a web application firewall that runs inside Apache and monitors, logs and, where a rule says so, blocks the individual HTTP transactions on port 80.  What follows is a review of one of the best books I have read in a long time, a book that will challenge your thinking and provide answers to security issues you may not have realized exist.

First a disclaimer: I am not a programmer, so this review is from a more practical perspective, how to use ModSecurity to protect your web site in everyday practice.  In fact, one of ModSecurity's great weaknesses in the past has been the lack of illustrations of how to make it work in a real-world situation.  The second point is that I am writing the review because I believe in the ModSecurity concepts and would like to see other sites protect themselves, as it helps us all.  I did not get paid to write this review; I just like the book.

ModSecurity is not an easy tool to implement, and though I have been trying to employ it for several years, the documentation has been lacking; as the author suggests, “Modsecurity is a fantastic tool, but it is let down by the poor quality of documentation.” (p. xvii).  I have found, working with web developers, that ModSecurity falls into the same category as SELinux for most people, whose advice is just “turn it off and it all works fine”.  In reality that is lousy advice, especially in today’s Internet world.  This book helps provide a foundation for getting ModSecurity to work.

Because the documentation was so scattered in the past, I determined that I would read the book cover to cover in order to grasp the full picture of what the author was trying to achieve.  Now, reading about ModSecurity configuration and rule implementation is not for the weak-minded; at times you have to grit your teeth to keep going.  But the result was what I wanted: an overview of where ModSecurity is now and some juicy details about how to use rules in a practical way.  I found the book very informative and amazingly readable for the subject matter.  The author, Ivan Ristic, does a great job of bringing a difficult subject down to an understandable level.

The book starts with an introduction to the history of ModSecurity and what it is all about.  This section is critical for understanding the basic concepts.  On page 4 the author writes, “ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.”  That sentence is the outline of why you would want to use ModSecurity.  It is a real-time web application monitor: your web server may sit behind a firewall, but the firewall does nothing about attacks that arrive as ordinary HTTP requests on port 80, and ModSecurity provides an application firewall to protect you against those.  Not only that, it also provides detailed logging about what is happening on your web site, including the full request and response data that Apache's own access and error logs do not record.  Once you review the kinds of things that are going on with your web site, you will recognize that the Internet is a serious place to be and that you need better protection.  The third principle in that statement is access control: you can control access to your web site based on the many rules that ModSecurity lets you write.  Once you understand what ModSecurity does, you will be motivated not only to buy the book but to work through it and implement these concepts to protect your web site.

Chapters 2 and 3 cover installation and configuration to get you going with ModSecurity.  In the past I have found that even getting started was difficult because, depending on which version you were using and which documentation you discovered, there were several differences that could cause you serious frustration.  These chapters clearly lay out what you need to do to get started, eliminating the frustrations I previously experienced.

The Logging chapter provides you an understandable outline of why and how logs are implemented.  These logs are highly detailed and very revealing.  ModSecurity is worth the install just to review the logs alone.  If you have any reservation about the importance of an application firewall, it will be removed once you begin reviewing your logs.
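To make the installation, configuration and logging chapters concrete, here is what a starting configuration looks like in practice.  This is an added example written for this review, not configuration taken from the book or shipped with ModSecurity.  It targets ModSecurity 2.x as an Apache module; the module path, the log and data directories, the size limits and the status-code pattern are assumptions you would adjust for your own server.

```apache
# Added example for this review (not from the book): a minimal ModSecurity 2.x
# configuration for Apache. Paths and limits below are assumptions.
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # Start in detection-only mode: every rule is evaluated and logged, but
    # nothing is blocked. Switch to "On" only after reading the audit log.
    SecRuleEngine DetectionOnly

    # Buffer request bodies so rules can inspect POST parameters, with caps
    # (in bytes) on the total body and on the non-file part of it.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072

    # Response bodies are buffered and inspected only for these content types.
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288

    # Working directories. SecDataDir backs the persistent collections
    # (ip, session, user) used for tracking clients across requests.
    SecTmpDir /var/cache/modsecurity/tmp
    SecDataDir /var/cache/modsecurity/data

    # Audit log: record only transactions that triggered a rule or ended in a
    # 5xx or 4xx (other than 404) status. Parts: A header, B request headers,
    # C request body, F response headers, H trailer, Z end marker.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABCFHZ
    # Concurrent mode: one file per transaction, plus an index file.
    SecAuditLogType Concurrent
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecAuditLogStorageDir /var/log/apache2/audit

    # Debug log: level 3 for normal operation, 9 while developing rules.
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 3

    # Defaults inherited by rules that do not specify their own actions,
    # one per phase. "pass" keeps this a monitoring deployment.
    SecDefaultAction "phase:1,log,auditlog,pass"
    SecDefaultAction "phase:2,log,auditlog,pass"

    # Rules live in their own files.
    Include /etc/apache2/modsecurity.d/*.conf
</IfModule>
```

The point of DetectionOnly is that you get the logs first: run in this mode for a while, read the audit log (the index file lists one line per transaction and the storage directory holds the full record), and set SecRuleEngine to On only once you understand which rules fire on legitimate traffic.  The body limits matter on a real site: a cap below the size of legitimate uploads makes ModSecurity reject them with a 413 status.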

For me the chapters on Rule Language Overview, Rule Language Tutorial and Rule Configuration, as well as the chapter on Practical Rule Writing, were the heart of the book.  This is where the rubber meets the road and you get some real practical steps to securing your web site with ModSecurity.  You really need to understand how the rules work, and Ristic clearly defines the variables, operators and actions for rules in the Rule Language Overview.  Even having used ModSecurity for several years, I found that reading this section helped cement my understanding of how these rules work.  The author uses examples throughout these sections to help you grasp the concepts that are introduced.  As I was reading the book I was able to put several new concepts into action by imitating the examples provided, which is exactly what you need for this kind of project.
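The variables, operators and actions the rule language chapters define fit together as follows.  These rules are an added example written for this review, not rules from the book or from any published rule set; the rule IDs, the /login path and the parameter names are assumptions chosen for illustration.

```apache
# Added example for this review (not from the book). Every SecRule has the shape
#     SecRule VARIABLES "OPERATOR" "ACTIONS"
# Rule IDs, the /login path and the parameter names are assumptions.

# VARIABLES: all request parameters (query string and body) plus the path.
# TRANSFORMATIONS (t:...) run before the operator sees the value: t:none
# discards anything inherited from SecDefaultAction, then the value is
# URL-decoded and lowercased, so an encoded "%2e%2E/" in the URI is seen
# as "../". OPERATOR: @rx, a regular expression (the default when none is
# given). ACTIONS: phase 2 (the full request is available), deny with 403,
# log with a message and a tag. Forward-slash form only; the Windows-style
# "..\" would need a second pattern.
SecRule ARGS|REQUEST_URI "@rx \.\./" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,t:lowercase,\
     deny,status:400,log,msg:'Directory traversal attempt',tag:'attack/traversal'"

# A chain is a logical AND: the disruptive action on the first rule fires
# only if every link matches. Only the first link carries id, phase and the
# disruptive action; the others carry just their own variable, operator and
# transformations. Here: a POST to /login whose password is shorter than
# 8 bytes (t:length replaces the value with its length, which @lt compares).
SecRule REQUEST_METHOD "@streq POST" \
    "id:1002,phase:2,chain,deny,status:400,log,msg:'Short password submitted to login form'"
    SecRule REQUEST_URI "@beginsWith /login" "chain"
        SecRule ARGS:password "@lt 8" "t:none,t:length"

# Exclusions and a non-regex operator: check every argument except "comment"
# for bytes outside printable ASCII. The "!" prefix removes one member from
# a collection; "&" in front of a variable would give its element count.
SecRule ARGS|!ARGS:comment "@validateByteRange 32-126" \
    "id:1003,phase:2,t:none,deny,status:403,log,msg:'Non-printable bytes in argument'"
```

Two habits worth copying from these rules: always start the transformation list with t:none, so a rule's behaviour does not silently change when someone edits SecDefaultAction, and give every rule a unique id, because that id is what you will see in the audit log and what you will need when you later exclude or tune the rule.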

The discussion on Persistent Storage provides clear ideas on how to store IP address activity, attack activity, anomalies, session activity, user behavior, denial of service attacks, etc.  Though this is a more advanced use of what ModSecurity can do, it opens your eyes to some unique and powerful opportunities.

Practical Rule Writing was another chapter that I spent a lot of time with and will in the future.  Here is a useful example of what is in this chapter.  Recently, reviewing logs, I see constant attacks from various IP addresses, some of which repeat.  From a web site owner’s perspective I ask myself why let these people have access to my site when all they are doing is formulating attacks.  Instead of constantly adding IPs to a firewall, Ristic suggests using a “real-time block list (RBL)”, page 160.  Here is a great option to protect your site without doing any maintenance, as the list does all the work.  These types of practical applications really make sense as you work your way through this chapter.
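The persistent storage and RBL ideas from these two chapters combine naturally: the RBL verdict for a client is looked up once and remembered in that client's record, and the same record counts how often the client trips a detection rule.  The rules below are an added example written for this review, not the book's own; they need SecDataDir to be set, and the RBL zone bl.example.net, the rule IDs and the thresholds are assumptions (use a list you are permitted to query).

```apache
# Added example for this review (not from the book): per-client tracking in the
# persistent "ip" collection, with a cached @rbl lookup. Requires SecDataDir.
# The zone bl.example.net, rule IDs and thresholds are assumptions.

# Phase 1 (request headers are in): load or create this client's record,
# keyed by its address. Variables stored in it survive across requests.
SecAction "id:2001,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Reputation check, once per client. "&IP:rbl_checked" is the number of
# variables with that name (0 or 1), so the skip fires when a verdict is
# already cached and the DNS lookup below is not repeated.
SecRule &IP:rbl_checked "@eq 1" "id:2002,phase:1,nolog,pass,skipAfter:END_RBL_CHECK"
SecRule REMOTE_ADDR "@rbl bl.example.net" \
    "id:2003,phase:1,pass,log,msg:'Client is listed on RBL',\
     setvar:ip.rbl_listed=1,expirevar:ip.rbl_listed=86400"
SecAction "id:2004,phase:1,nolog,pass,setvar:ip.rbl_checked=1,expirevar:ip.rbl_checked=86400"
SecMarker END_RBL_CHECK

# Enforce the cached verdict on every request for the next 24 hours.
SecRule IP:rbl_listed "@eq 1" \
    "id:2005,phase:1,deny,status:403,log,msg:'Blocked: RBL-listed client'"

# Attack counting. A detection rule records a hit instead of blocking on
# its own; the counter expires ten minutes after its last increment, so
# this is a sliding window.
SecRule ARGS "@rx (?i:union\s+select)" \
    "id:2006,phase:2,pass,log,msg:'SQL injection pattern',\
     setvar:ip.attack_count=+1,expirevar:ip.attack_count=600"

# The fifth hit inside the window blocks this request and flags the client
# for an hour; the flag is then enforced in phase 1 on every later request,
# including ones that match no detection rule at all.
SecRule IP:attack_count "@ge 5" \
    "id:2007,phase:2,deny,status:403,log,msg:'Client exceeded attack threshold',\
     setvar:ip.blocked=1,expirevar:ip.blocked=3600"
SecRule IP:blocked "@eq 1" \
    "id:2008,phase:1,deny,status:403,log,msg:'Blocked: repeated attacks from this client'"
```

Two caveats a practitioner will want.  The RBL lookup is a DNS query that adds latency to the first request from every new client and discloses your visitors' addresses to the list operator, which is why the verdict is cached rather than looked up each time.  And REMOTE_ADDR is the address of whoever connects to Apache, so behind a load balancer or reverse proxy all clients share one record and a block on it blocks everyone; in that deployment the collection has to be keyed on the forwarded client address instead.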

After this chapter follow tips on Performance, Content Injection, Writing Rules in Lua, Handling XML and Extending Rule Language.  These chapters provide the information you may need for more advanced options, so that you can create a solution that works well with your situation and level of expertise.

The final section acts as a reference for Directives, Variables, Transformation Functions, Actions and Operators.  If you are using ModSecurity, the book is worth it just as a reference tool.  You will constantly see these terms in logs, and as you review the rules you are using you will also need this reference material.

As I stated at the start, this material is not for the “weak-minded”; some background in programming and regular expressions will certainly help you as you work through this book.  In fact the author states on page 174, “Don’t be surprised if you sometimes get overwhelmed working with regular expressions.”  So you may want to pick up an aid for regular expressions to go with the book.  This book is not only valuable as an overview of ModSecurity, it is a great tutorial on how to make rules work for your web site to protect it.  Certainly the book is worth buying just for the reference material it provides.  You can purchase the book here:  https://www.feistyduck.com/

Reviewer Mike Weber
