Archive for the ‘ModSecurity’ Category

ModSecurity: my first rules

Tuesday, July 11th, 2006

I have been using ModSecurity for quite some time now to protect a webserver, but I never felt the need to write my own rules. Recently though, my site got quite a lot of spam in the comments of my TikiWiki-based site. Since I was not willing to disable the anonymous comment posting, I decided to see if I could use Mod_Security to block the spam.

The spam all looked alike, with the following characteristics: it all contained a list of URIs with a pipe | before them. So I decided to try the easiest way, by blocking all posts with this characteristic.

SecFilterSelective REQUEST_URI "\.php" chain

SecFilterSelective POST_PAYLOAD " \| http\:"

And it works fine:

[Sat Jul 01 12:37:32 2006] [error] [client 211.47.162.225] mod_security: Access denied with code 404. Pattern match " \\\\| http\\\\:" at POST_PAYLOAD …

Surely the rule can be much refined, but as long as it works as it does, and I see no bad side effects, I’m happy ;-)
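An added example, not part of the original post: a small Python harness that replays the two patterns of the chained rule over constructed requests to look for side effects such as false positives. It assumes the payload pattern is matched against the URL-decoded body; the URIs, bodies and function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# The two patterns from the chained rule in the post.
URI_PATTERN = re.compile(r"\.php")
PAYLOAD_PATTERN = re.compile(r" \| http\:")


def rule_blocks(uri, raw_body):
    """Chain semantics: the request is blocked only if BOTH patterns match."""
    if not URI_PATTERN.search(uri):
        return False  # first link of the chain failed, second is never evaluated
    # Assumption: the payload is inspected after URL decoding.
    body = unquote_plus(raw_body)
    return bool(PAYLOAD_PATTERN.search(body))


# Constructed samples: (description, uri, form-encoded body, is_spam)
SAMPLES = [
    ("link-list spam", "/page.php",
     "comment=pills+%7C+http%3A%2F%2Fspam.example%2Fa+%7C+http%3A%2F%2Fspam.example%2Fb",
     True),
    ("plain comment", "/page.php",
     "comment=Thanks%2C+this+helped+a+lot", False),
    ("legit pipe-separated link", "/page.php",
     "comment=Docs+%7C+http%3A%2F%2Fdocs.example%2Fguide", False),
    ("pipe link posted to non-PHP URI", "/static/form.html",
     "comment=Docs+%7C+http%3A%2F%2Fdocs.example%2Fguide", False),
]


def evaluate(samples):
    """Return (false_positives, false_negatives) as lists of descriptions."""
    false_pos, false_neg = [], []
    for desc, uri, body, is_spam in samples:
        blocked = rule_blocks(uri, body)
        if blocked and not is_spam:
            false_pos.append(desc)
        elif is_spam and not blocked:
            false_neg.append(desc)
    return false_pos, false_neg


if __name__ == "__main__":
    fp, fn = evaluate(SAMPLES)
    print("false positives:", fp)
    print("false negatives:", fn)
```

A legitimate comment that separates a label from a link with " | " is blocked by the same pattern, which is the kind of side effect to watch for in the error log.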

Books: Preventing Webattacks with Apache

Monday, July 10th, 2006

I just finished Preventing Webattacks with Apache by Ryan C. Barnett. Even though the title says it is about Apache, it is really mostly about Mod_Security, and this is why I really love the book.

Especially cool is the part of the book where the author challenges the user to set up his ‘Buggy Bank’ example application to play with the vulnerabilities and with the possible countermeasures.

This book got me even more excited about Mod_Security, which I use already to protect one webserver. I plan to check out setting up a reverse filtering web proxy soon.