"ModSecurity 2.5" by Magnus Mischel
Web sites and applications become more and more important in our daily life. We use social networks, news sites, online banking, blogs, time tracking sites, e-mail, calendars and lots of other services available on the Internet. When we use these sites we hope they will keep our information safe. We hope it will not disappear and will not become accessible to anyone who should not have access to such information.
There are lots of people who want to access our data or destroy it. This can be for fun, to prove they can, or for gain. More and more web application vulnerabilities are uncovered daily. Fixing these issues takes time, but data can be lost or stolen before the vulnerability is fixed.
Responsible web site owners think ahead. They take preventive measures to block common types of attacks or to quickly block newly discovered vulnerabilities. Often such systems are hardware appliances (in particular, Cisco is known for its solutions). However, not everybody can afford an extra piece of costly hardware. This is where software solutions come in.
A couple of years ago I was seriously troubled because I had to block an attack on multiple sites. It used a vulnerability in the code and I had to patch lots of files. I thought of a different solution and I found one. It was mod_security.
mod_security
mod_security is a web application firewall. It is similar to hardware firewalls but runs inside the Apache web server. There are advantages and disadvantages to this approach. We will not discuss them here because it is a large separate topic. I only want to emphasize that mod_security is useful both for those who have and for those who do not have hardware firewall solutions.
mod_security is very powerful. It comes with a set of “core” rules (written in a simple but powerful mod_security rule language). These rules block known attacks and usually can prevent many new attacks as well.
Installing mod_security is relatively easy, but configuring it requires knowledge. This is where the “ModSecurity 2.5” book from Packt Publishing helps.
Packt's ModSecurity book
Packt released the ModSecurity book in November 2009. I got it directly from Packt (btw, free shipping in Europe!).
The book is written by Magnus Mischel. He is the founder and director of Mischel Internet Security. He was born in Hamburg but now lives in London.
The book consists of nine chapters and two appendices.
The first chapter is about the installation of mod_security. While installing Apache modules is a well-known task for many system administrators, it can be tricky for less experienced users. Magnus gently walks the reader through the installation process. He mentions all prerequisites and gives valuable advice on avoiding common installation problems. After installation he shows how to perform simple tasks with mod_security. For example, he shows how to make scanning tools believe that the site runs Microsoft IIS instead of Apache. This is a very good example, because it will make attack tools try IIS vulnerabilities, which are not present on Apache. So even the first chapter already increases the security of your web sites.
The heart of mod_security is its rules. Rules define what mod_security catches and how it is processed. Therefore understanding rules and writing them properly is essential for using mod_security. Chapter 2 of the book deals with rules. While you can read the mod_security user guide and start writing rules, the book gives you more. The mod_security user guide is more like a reference; this book is like a learning course. It explains rules, collections and operators with lots of examples.
Chapter 2 also has a short but clear introduction to regular expressions. This will be very useful for those who have not worked with regular expressions before.
Next, chapter 2 talks about actions: how to block or allow requests, how to log them, or how to execute external scripts for requests. Here you need to watch out: mod_security changes sometimes and some of the examples in the book are version dependent. For example, the example of calling external scripts and supplying a unique ID to them did not work in my version (2.5.1). Nevertheless I got loads of useful details that I did not find in the official user manual. This is one of the good sides of the book: it does not tell you only what you can get from the official manual, it goes beyond and tells you what the book's author has learned.
One of the most interesting parts of chapter 2 is about blocking requests using geographical data. For example, I block certain countries on my servers because the number of legitimate requests from those countries is close to zero but these countries give almost 100% of all hack and spam requests. Mod_security helps you block them all with one rule. Read chapter 2 for more details!
When it comes to real-life web projects, one thing you have to care about is performance. Chapter 3 of the book addresses this question. Mod_security adds extra processing to each request and therefore impacts performance. Chapter 3 provides figures, numbers and graphs that help you decide what exactly you want to use in mod_security and how. This is a “pro” area.
Chapter 4 is dedicated to logging. Logging is important because attack rejection is good but attack prevention is far better. Imagine that a new vulnerability is discovered in the product you use on the web site. You do not know about it yet. But you start seeing strange requests in the audit log of mod_security. (Remember: mod_security may prevent unknown attacks too by watching suspicious requests!). When you see such requests, you are on alert. You add extra rules to protect your web server from attacks. This happens because you set up audit logging properly as this book taught you.
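As an added illustration (my own configuration fragment, not from the book), here is how the three features reviewed above fit together in a ModSecurity 2.5 Apache configuration: the IIS server banner from chapter 1, the one-rule country block from chapter 2 and the audit logging of chapter 4. The GeoIP database path, the log path, the rule ids 900001/900002 and the country codes XX/YY are placeholders chosen for this example.

```apache
# ModSecurity 2.5 fragment for httpd.conf / modsecurity.conf (added example).
SecRuleEngine On

# Chapter 1: answer scanners with an IIS banner. ServerTokens Full is required,
# otherwise Apache refuses to let ModSecurity overwrite the Server header.
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"

# Chapter 2: block whole countries with one rule. The first rule resolves the
# client address into the GEO collection (database path is a placeholder);
# the second denies when the country code is in the placeholder list XX/YY.
SecGeoLookupDb /usr/local/geoip/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:900001,t:none,nolog,pass"
SecRule GEO:COUNTRY_CODE "@pm XX YY" \
    "phase:1,id:900002,t:none,deny,status:403,log,msg:'Blocked country %{GEO.COUNTRY_CODE}'"

# Chapter 4: audit only relevant traffic. Requests that were denied or ended
# in a server error (any 5xx or 4xx except 404) are written in full, so new
# attack patterns stand out instead of drowning in normal traffic.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
```

Watch the audit log for the 900002 hits and for unexpected 4xx/5xx entries; the latter are the “strange requests” that should trigger a new virtual patch.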
In chapter 4 you will also learn about setting up a mod_security console: a tool for monitoring several servers from a central place.
Adding those extra rules is called “virtual patching”. You do not patch the application (the vendor does), but you “patch” your server to prevent attacks. Virtual patching is described in chapter 5. It also provides two real-life examples: Geeklog (SQL injection) and the Twitter worm (XSS).
After these two highly practical examples, chapter 6 talks about blocking common attacks in general. Again, it is not the information you get from the manual; it is the author's experience together with his knowledge of mod_security. When you are done with this chapter, you are ready to protect your server from not yet discovered vulnerabilities.
Chapter 7 will be interesting for web server administrators. It talks about running Apache in a chroot jail. Chroot jails are good because you can put a very limited set of software there. If an attacker gets control of the web server or installs a remote management tool on it, he will be able to see only the jail, not other important system files.
Setting up chroot jails is tricky. Mod_security can take on part of this tricky work. The chapter provides information about preparing the jail.
Chapter 8 talks about REMO, a rule editor for mod_security. I did not look at that chapter much because I prefer to write rules manually. But it can be useful for beginners.
Chapter 9 is yet another theory and practice part of the book. It describes how to protect a web application. It uses YaBB (Yet Another Bulletin Board) as an example.
Appendix A includes reference information about mod_security. Thus if you work with mod_security a lot, this book becomes your only reference to mod_security.
Appendix B provides more information about regular expressions.
Conclusion
So, this is it. Did I like the book? Yes, I did! I like it very much. Some books are difficult to read, but this one is written in very clear and simple language. The concepts are not that simple, but they are explained very well and in full. The book is really a “must have” for those who work with mod_security or care about the security of their web site.
You can get the book from the Packt Publishing store. The book costs $49.99 (or £30.99) with free shipping in Europe. Packt Publishing often offers discounts, so have a look at the book's page for discounts. Even if there is no discount, you will get a book which is worth paying for.