After I wrote my piece about mod_security, the people at Packt Publishing offered me a copy of their book ModSecurity 2.5, with the proviso that I review it. This sounded like a reasonable idea to me.
Overall, I would recommend the book to people who are running Apache and need to know more about relatively simple ways to add security to their web sites. The book motivates the use of mod_security and convinced me that anyone hosting a web site should have it installed, ready to deal with any problems you encounter. The book goes through common scenarios and what mod_security can do to deal with them, including recent events such as an attack on Twitter in April 2009. All the examples are explained clearly, and the rule configurations will look familiar if you’ve had some practice writing either RewriteEngine directives or httpd.conf vhost configurations. It also shows how to send alert emails or count the number of times a file has been downloaded, which I thought were nice additions.
As with any security system, there are layers upon layers of things you can do, and the book includes quite a few that I think are overkill unless you suspect you’re being targeted for some reason (such as running a financial or controversial site). If you do have one of those sites, the chapter on blocking common attacks alone could save a lot of pain. Many of the common attacks are covered (SQL injection, XSS, etc.), along with ways to combat them.
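To give a feel for what the rule configurations in the book look like, here is an added example of a small ModSecurity 2.5 rule file that is not from the book or from this post. It puts the audit log under the OpenSolaris log directory mentioned later in the post; the rule ids, the SecDataDir path, the /files/report.pdf download path and the alert script path are placeholders I chose, not values from the book.

```apache
# Added example, not from the book or the post. Paths and rule ids are placeholders.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On          # needed so phase 2 rules can see POST bodies
    SecResponseBodyAccess Off

    # Only audit transactions that a rule flagged (or that ended in an error).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/apache2/2.2/logs/modsec_audit.log

    # Persistent collections (counters that survive across requests) live here.
    SecDataDir /var/apache2/2.2/modsec-data

    # Open a site-wide collection and a per-client collection on every request.
    SecAction "phase:1,nolog,pass,initcol:global=global,initcol:ip=%{REMOTE_ADDR}"

    # 1. Count downloads of one file. 'pass' serves the request normally;
    #    the counter is kept in the global collection and shown in the audit log.
    SecRule REQUEST_FILENAME "^/files/report\.pdf$" "phase:1,nolog,pass,id:'900001',setvar:global.report_downloads=+1"

    # 2. A client that tripped the checks below five times in the last hour is
    #    refused, and an alert script (placeholder path) is run. What the script
    #    sends, and to whom, is up to the script; it is not shown here.
    SecRule IP:attack_score "@ge 5" "phase:2,deny,status:403,log,id:'900002',msg:'Repeated blocked requests from one client',exec:/usr/local/bin/modsec-alert.sh"

    # 3. Coarse SQL injection check on all request arguments. The transformations
    #    normalise URL encoding, case and whitespace before the pattern is applied.
    SecRule ARGS "(?:union\s+select|or\s+1\s*=\s*1)" "phase:2,t:none,t:urlDecodeUni,t:lowercase,t:compressWhitespace,deny,status:403,log,id:'900003',severity:'2',msg:'SQL injection pattern in argument',setvar:ip.attack_score=+1,expirevar:ip.attack_score=3600"

    # 4. Same approach for the most obvious reflected XSS payloads.
    SecRule ARGS|REQUEST_HEADERS:Referer "<script" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,deny,status:403,log,id:'900004',severity:'2',msg:'Script tag in request',setvar:ip.attack_score=+1,expirevar:ip.attack_score=3600"
</IfModule>
```

Patterns this simple both miss variations and produce false positives on legitimate input (a comment field containing the word "union select" will be blocked), which is why the book's chapter on blocking common attacks is worth reading rather than copying two regexes. A sensible way to roll rules like these out is with SecRuleEngine DetectionOnly first, watching the audit log for a while before switching to On.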
The book includes instructions on installing a couple of GUI tools to help monitor incidents; I didn’t have time to install all of these given the OpenSolaris/Linux differences, and it matters less for me because I’m not running sites that are likely to be attacked (my high-bandwidth sites are on commercial hosting). If you’re running important web sites, you’d probably want to set up these tools properly to save hunting through log files yourself.
I tested a few things out on the OpenSolaris box in the basement; getting it installed was a little different to the book (which is written mostly assuming a Linux web stack).
mod_security is installed with the 2009.06 version of the OpenSolaris web stack, but not active. To activate it, copy the sample configuration into place with pfexec cp /etc/apache2/2.2/samples-conf.d/security2.conf /etc/apache2/2.2/conf.d/security2.conf, then restart the server with svcadm restart apache22 and check that mod_security is installed by seeing whether its logs appear under /var/apache2/2.2/logs. You can also check that the module is loaded by creating and executing a phpinfo file, which lists the loaded Apache modules.
The people at gotroot.com publish a very comprehensive list of rules in (close to) real time for the extremely paranoid, or a delayed list at no charge. mod_sec plus Bad Behavior keeps things pretty quiet on our Xen farm, full of WordPress blogs. Take care to go through them before using them; many of them really don’t apply to typical WordPress sites.
I also love lynx; in fact I don’t use it just as a usability checker, I often browse with it. As far as I know, it handles all of the required headers that plugins like Bad Behavior check.
People who want to do bad things are usually going to use curl or something else and masquerade perfectly as a modern browser.
The mod_sec + Bad Behavior 1–2 combo works really, really well when you add WordPress to an existing (mostly static) site and bring those pages into the WP loop. Typically, whatever your mod_sec rules don’t catch, Bad Behavior does, and you have the convenience of reviewing the logs from the WP admin interface.
Just be careful with Bad Behavior’s blacklist option; it can be a little overzealous 🙂