After I wrote my piece about mod_security, the people at Packt Publishing offered me a copy of their book ModSecurity 2.5, with the proviso that I review it. This sounded like a reasonable idea to me.
Overall, I would recommend the book to people who are running Apache and need to know more about relatively simple ways to add security to their web sites. The book motivates the use of mod_security and convinced me that anyone hosting a web site should have it installed, ready to deal with any problems you encounter. The book goes through common scenarios and what mod_security can do to deal with them, including recent events such as an attack on Twitter in April 2009. All the examples are explained clearly, and the rule configurations will look familiar if you’ve had some practice writing either RewriteEngine directives or httpd.conf vhost configurations. It also shows how to send alert emails or count the number of times a file has been downloaded, which I thought were nice additions.
As is the case with any security system, there are layers upon layers of things you can do, and the book includes quite a few that I think are overkill unless you suspect you’re being targeted for some reason (such as financial or controversial sites). If you do have one of those sites, the chapter on blocking common attacks alone could save a lot of pain. Many of the common attacks are covered (SQL injection, XSS, etc.), along with ways to combat them.
The book includes instructions on installing a couple of GUI tools to help monitor incidents; I didn’t have time to install all of these given the OpenSolaris/Linux differences, and it’s less important for me since I’m not running sites that are likely to be attacked (my high-bandwidth sites are on commercial hosting). If you’re running important web sites, you’d probably want to set up these tools to work properly to save hunting through log files yourself.
I tested a few things out on the OpenSolaris box in the basement; getting it installed was a little different to the book (which is written mostly assuming a Linux web stack).
mod_security is installed with the 2009.06 version of the OpenSolaris web stack, but not active. To activate it, copy the sample configuration into place:

pfexec cp /etc/apache2/2.2/samples-conf.d/security2.conf /etc/apache2/2.2/conf.d/security2.conf

Then restart the server with:

svcadm restart apache22

and check that mod_security is installed by seeing if the logs are available under /var/apache2/2.2/logs. You can also check whether the module is loaded by creating and executing a phpinfo file.
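Looking for log files (or a phpinfo page) only tells you the module started writing something; it does not tell you the rule engine is switched on. The script below is an added example, not from the post or the book, that wraps the OpenSolaris steps above and then verifies three things: that httpd actually lists security2_module, that the active security2.conf sets SecRuleEngine to On or DetectionOnly, and where SecAuditLog points. The paths for the sample and active config, the log directory and the svcadm instance name are taken from the post; the httpd binary location (/usr/apache2/2.2/bin/httpd) and the use of httpd -M to list loaded modules are my assumptions about the 2009.06 web stack and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not the post's or the book's code): enable mod_security on the
# OpenSolaris 2009.06 web stack and verify it is really active.
# Paths marked "assumed" are not from the post; override them if yours differ.
set -u

SAMPLE_CONF=${SAMPLE_CONF:-/etc/apache2/2.2/samples-conf.d/security2.conf}  # from the post
ACTIVE_CONF=${ACTIVE_CONF:-/etc/apache2/2.2/conf.d/security2.conf}          # from the post
LOG_DIR=${LOG_DIR:-/var/apache2/2.2/logs}                                   # from the post
HTTPD=${HTTPD:-/usr/apache2/2.2/bin/httpd}                                  # assumed
SMF_INSTANCE=${SMF_INSTANCE:-apache22}                                      # from the post

# Return 0 when a module listing (the text printed by "httpd -M") names
# security2_module; the functions take text so they can be checked offline.
module_listed() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*security2_module'
}

# Return 0 when the config text enables the rule engine. A loaded module with
# "SecRuleEngine Off" (or a commented-out directive) inspects nothing.
rule_engine_active() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*SecRuleEngine[[:space:]]+(On|DetectionOnly)[[:space:]]*$'
}

# Print the SecAuditLog path from the config text, or nothing if it is unset.
audit_log_path() {
    printf '%s\n' "$1" | awk 'tolower($1) == "secauditlog" { print $2; exit }'
}

activate_and_verify() {
    # Step 1: copy the sample config into conf.d (skip if already there).
    [ -f "$ACTIVE_CONF" ] || pfexec cp "$SAMPLE_CONF" "$ACTIVE_CONF" || return 1

    # Step 2: syntax-check before restarting so a bad config never takes the site down.
    pfexec "$HTTPD" -t || { echo "config test failed, not restarting" >&2; return 1; }
    pfexec svcadm restart "$SMF_INSTANCE" || return 1

    # Step 3: verify the module is loaded and the rule engine is on.
    modules=$("$HTTPD" -M 2>/dev/null)
    module_listed "$modules" || { echo "security2_module is not loaded" >&2; return 1; }
    conf=$(cat "$ACTIVE_CONF")
    rule_engine_active "$conf" || { echo "SecRuleEngine is not On" >&2; return 1; }
    log=$(audit_log_path "$conf")
    echo "mod_security loaded; audit log: ${log:-not configured} (log dir: $LOG_DIR)"
}

# Only touch the system when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
    activate_and_verify
fi
```

Run it as pfexec-capable user with ./modsec_check.sh --apply; without --apply it only defines the functions, which is handy for sourcing them into other admin scripts. The DetectionOnly match is deliberate: that mode logs matches without blocking, which is the sensible first setting on a site you have just enabled mod_security on.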