ModSecurity is a Web Application Firewall (WAF) that runs as a module on your web server and protects your web applications against a wide range of attacks. It monitors HTTP traffic and performs real-time analysis. It was developed by Breach Security and is available as free software under the GNU license. It is available for Apache, Nginx and IIS.
The module offers several features:
- Request filtering: incoming HTTP requests are analyzed by the ModSecurity module before being passed on to the web service; each request is compared against a set of predefined rules to decide the appropriate action.
- Anti-evasion techniques: paths and parameters are normalized before analysis to defeat evasion techniques:
  - Collapses multiple slashes (//)
  - Removes self-referencing directory components (./)
  - On Windows, \ and / are treated the same
  - URL decoding
  - Null bytes are replaced with spaces
- HTTP protocol awareness: because it understands the HTTP protocol, ModSecurity can perform specific and granular filtering.
- POST payload analysis: intercepts and analyzes content transmitted using POST.
- Audit log: transactions can be logged for later analysis.
- HTTPS filtering: since it works as an embedded module, ModSecurity has access to the data after it has been decrypted.
- Byte range check: detects and blocks shellcode by restricting the range of bytes allowed in a request.
- Real-time monitoring: besides logging all HTTP traffic, ModSecurity can monitor traffic in real time to detect attacks, so it also works as an intrusion detection tool.
From version 2, ModSecurity adds several further capabilities:
- Five processing phases: request headers, request body, response headers, response body and logging
- Rule transformation options
- Transactional variables
- Persistent data (used for IP tracking, application sessions and users)
- XML support
- IP blocking
- And more
ModSecurity can be deployed and integrated into our existing web server infrastructure, which means we do not have to modify our internal network, we add no new point of failure, we keep the benefits of our existing load balancing and scalability, and we have no issues with compressed or encrypted data.
ModSecurity is a valuable security tool and has proven to be effective. If you want to protect your web applications, this is a tool that deserves your attention.
How to Install ModSecurity and Get it Running on Linux CentOS/RHEL with Apache
To install ModSecurity on a Linux server running CentOS, RHEL or a derivative with the Apache web service, follow these steps as the root user.
Step 1: Install the EPEL Repository
First, add the EPEL RPM repository to your system using the following command.
# rpm -ivh http://fedora.mirror.uber.com.au/epel/6/i386/epel-release-6-7.noarch.rpm
Step 2: Install ModSecurity and Predefined Rules
Let's install the mod_security Apache module together with its predefined rule set (mod_security_crs).
# yum install mod_security mod_security_crs
Step 3: Activate the Module
Edit the ModSecurity configuration file /etc/httpd/conf.d/mod_security.conf, look for the SecRuleEngine directive and set it to the desired value:
On – rules are active and matching transactions are blocked
Off – rules are deactivated
DetectionOnly – rules are evaluated and matches are logged, but nothing is blocked
Since we want to intercept and block attacks, we set it to On.
Step 4: Restart Apache and Check
Now restart the Apache web service:
# service httpd restart
To confirm that our web application firewall is working, we should see something like this in the Apache error log:
# tail /var/log/httpd/error_log
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: LIBXML compiled version="2.7.6"
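As an added example (not part of the original post), here is a small POSIX shell script that does Steps 3 and 4 non-interactively: it sets SecRuleEngine in a ModSecurity config file, replacing an existing directive rather than appending a duplicate, rejects any value other than On, Off or DetectionOnly, and checks an Apache error log for the "ModSecurity for Apache/... configured." notice. The function names and the sample config and log lines are constructed for the demo, not taken from the post or from ModSecurity itself.

```shell
#!/bin/sh
# set_rule_engine CONF MODE  - set the SecRuleEngine directive (On|Off|DetectionOnly)
#   in a ModSecurity config file; an existing directive line is rewritten in place,
#   otherwise one is appended. Other modes are rejected and the file is left untouched.
set_rule_engine() {
  conf=$1; mode=$2
  case "$mode" in
    On|Off|DetectionOnly) ;;
    *) echo "set_rule_engine: invalid mode '$mode'" >&2; return 1 ;;
  esac
  tmp="$conf.tmp.$$"
  awk -v mode="$mode" '
    /^[[:space:]]*SecRuleEngine[[:space:]]/ { print "SecRuleEngine " mode; seen = 1; next }
    { print }
    END { if (!seen) print "SecRuleEngine " mode }
  ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# get_rule_engine CONF - print the effective (last) SecRuleEngine value, or "unset".
get_rule_engine() {
  awk '/^[[:space:]]*SecRuleEngine[[:space:]]/ { v = $2 }
       END { print (v == "" ? "unset" : v) }' "$1"
}

# modsec_loaded LOG - succeed only if the Apache error log contains the
# "ModSecurity for Apache/<version> (http://www.modsecurity.org/) configured." notice.
modsec_loaded() {
  grep -q 'ModSecurity for Apache/[^ ]* (http://www.modsecurity.org/) configured\.' "$1"
}

# Demo on constructed files in a scratch directory (no real httpd needed).
demo_dir=$(mktemp -d)
printf '# constructed sample config\nSecRuleEngine DetectionOnly\nSecRequestBodyAccess On\n' \
  > "$demo_dir/mod_security.conf"
set_rule_engine "$demo_dir/mod_security.conf" On
echo "SecRuleEngine is now: $(get_rule_engine "$demo_dir/mod_security.conf")"
printf '[Sat Mar 15 09:20:58 2014] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.\n' \
  > "$demo_dir/error_log"
if modsec_loaded "$demo_dir/error_log"; then echo "ModSecurity module is loaded"; fi
rm -rf "$demo_dir"
```

On a real server you would point the functions at /etc/httpd/conf.d/mod_security.conf and /var/log/httpd/error_log after the httpd restart.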
Important files to remember
- ModSecurity config file – /etc/httpd/conf.d/mod_security.conf
- Debug log – /var/log/httpd/modsec_debug.log
- Audit log – /var/log/httpd/modsec_audit.log
- Rules – /etc/httpd/modsecurity.d/activated_rules