A Web App Server Firewall In Five Minutes

By Ian Scott

So you have spent some time building your firewall, but attacks on your webserver continue and you don’t find out about them until later? Maybe you never find out about them, because the attacks arrive over SSL-encrypted traffic which your firewall is not able to inspect.

What to do? Well, using ‘ModSecurity’, a module for the Apache webserver, you can have a firewall for your webserver set up in five minutes or less.

ModSecurity is very easy to install as well. All I had to do was download the package (be sure to check for the latest release from the ModSecurity Download page):

wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz

and decompress it. Then, after ensuring the development package for Apache (httpd-devel for Red Hat packages) was installed, I changed into the apache2 directory and ran this command:

apxs -cia mod_security.c

‘apxs’ is the ‘Apache Extension Tool’ which is used to build extension modules for the Apache server. More information is available in the manual page for apxs, but the -cia switches do the following:

-c This indicates the compilation operation. It first compiles the C source files (.c) of files into corresponding object files (.o) and then builds a dynamically shared object in dsofile by linking these object files plus the remaining object files (.o and .a) of files. If no -o option is specified the output file is guessed from the first filename in files and thus usually defaults to mod_name.so.

-i This indicates the installation operation and installs one or more dynamically shared objects into the server’s modules directory.

-a This activates the module by automatically adding a corresponding LoadModule line to Apache’s httpd.conf configuration file, or by enabling it if it already exists.

By using the -a switch, we don’t have to add any lines or edit the httpd.conf file ourselves. Of course, I recommend you back up your httpd.conf file before installing ModSecurity.

So now that we’ve got this installed, what’s next? Well, we should add some rules. Thanks to the great folks at Got Root?, the authors of “Troubleshooting Linux Firewalls,” we’ve got some rules for our web application firewall.

The Shinns provide a variety of rules: good basic rules for detecting intrusion attempts, preventing MySQL injections and PHP-based attacks, and even rules for known rooted boxes.

If you host blogs, you’ll definitely be interested in the blacklist rules for fighting comment spam. I’ve been fighting comment spam for a while. I’ve managed to keep it under control, but with the Shinns’ blacklist rules I’m hoping for even better results.

The Shinn brothers really ought to be thanked for this work and for giving away their rules for free. They’ve also provided step-by-step instructions for setting up your web application firewall in less than five minutes, including advice on where to keep your rules and on using a cronjob to download new rules with a script created by Ole Martin Eide.
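To show how the pieces above fit together in httpd.conf, here is a minimal ModSecurity 1.x configuration block. It is an added example, not from the original post and not the Got Root rule set: the directives are the ModSecurity 1.8-era syntax (SecFilterEngine, SecFilterSelective, SecFilter, SecAuditLog), the single filter shown is an illustrative placeholder, and the conf/modsecurity directory used to hold the cron-downloaded rules is an assumption.

```apache
# Added example: minimal ModSecurity 1.x setup, placed in httpd.conf after the
# LoadModule line that "apxs -a" inserted. Not the post's or Got Root's own config.
<IfModule mod_security.c>
    # Turn the filtering engine on for every request
    SecFilterEngine On

    # Inspect POST bodies and validate URL encoding, not just the query string
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On

    # What happens when a filter matches: block the request with a 403 and log it
    SecFilterDefaultAction "deny,log,status:403"

    # Keep a full audit record of blocked requests so you find out about
    # attacks when they happen rather than later (the original complaint)
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log

    # Only accept the request methods this site actually uses (assumption:
    # a plain site or blog that needs nothing beyond GET, HEAD and POST)
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"

    # Illustrative placeholder filter: reject directory-traversal sequences.
    # The real detection rules come from the downloaded Got Root files below.
    SecFilter "\.\./"

    # Rules fetched by the cron job live in their own directory so the script
    # can replace them without touching httpd.conf (directory name is an
    # assumption; wildcard Include needs Apache 2.0.41 or later)
    Include conf/modsecurity/*.conf
</IfModule>
```

Because the cron job replaces rule files unattended, run `apachectl configtest` before the reload step in the update script: a syntactically broken rules file would otherwise stop Apache from restarting, turning the firewall into an outage.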

As we’ve discussed, security is not a product; this firewall will not keep you 100% secure all on its own. The Shinns, however, have made one job a lot easier.
