Secure Web Servers with Mod_Security


Even though the security of a Web server depends largely on the scripts run on it and the programmers who write these scripts, a server can be protected independently of these factors. An excellent solution to this problem is a free Apache module called mod_security.
 
The mod_security module can be downloaded from the www.modsecurity.org site. Installing the module allows new request-filtering directives to be specified in the httpd.conf file. The most interesting of them are the following:
  • SecFilterEngine On — Enables the request filtering mode.
  • SecFilterCheckURLEncoding On — Checks the validity of the URL encoding.
  • SecFilterForceByteRange 32 126 — Allows only characters whose codes fall within the specified range. There are quite a few control characters (e.g., carriage return and line end) whose codes are less than 32. Most of them are invisible but still have to be processed. How can such a character be entered into a URL string? By using its code. For example, the end-of-line character is entered in a URL by typing %13. With this directive, a URL cannot contain character codes less than 32 or greater than 126.
  • SecAuditLog logs/audit_log — Specifies the log file, in which the audit information is to be stored.
  • SecFilterDefaultAction "deny,log,status:406" — Specifies the default action. In this case, a matching request is denied, logged, and answered with status 406.
  • SecFilter xxx redirect:http://www.Webcreator.com — Provides for redirection. If the rule matches, the user is redirected to www.webcreator.com.
  • SecFilter yyy log,exec:/home/apache/report-attack.pl — Launches a script. If the filter is triggered, the /home/apache/report-attack.pl script will be executed.
  • SecFilter /etc/passwd — Prohibits referencing the /etc/passwd file in user requests. Referencing the /etc/shadow file can be prohibited in the same way.
  • SecFilter /bin/ls — Prohibits users from accessing commands. In this case, access is prohibited to the ls command, which can be used to view the contents of directories if a script contains a bug. Access to such commands as cat, rm, cp, and ftp should also be prohibited.
  • SecFilter "\.\./" — Prohibits the ../ sequence in URLs. A classic attack is carried out by placing dot characters in a URL to climb out of the intended directory.
  • SecFilter "delete[[:space:]]+from" — Prohibits the delete ... from text, which is most often used in SQL queries to delete data. This string is used frequently in SQL injection-type attacks. In addition, I recommend setting the following three filters:
    • SecFilter "insert[[:space:]]+into" — Prohibits the string used in SQL queries for adding data.
    • SecFilter "select.+from" — Prohibits the string used in SQL queries for reading data from a database.
    • SecFilter "<(.|\n)+>" and SecFilter "<[[:space:]]*script" — Protects against cross-site scripting (XSS) attacks.
The preceding are the main methods that can be used to enhance the security of your Web server. Server networks can also be protected in this way. Additional information can be obtained from the developer's Web site.
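
To see how the encoding check, the byte-range check and the SecFilter patterns listed above treat concrete requests, the following added example (not part of the original article and not mod_security code) approximates them in Python on constructed URIs. It assumes that patterns are matched case-insensitively against the URL-decoded request and writes `[[:space:]]` as `\s`; the function and sample names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Patterns from the SecFilter list above. POSIX [[:space:]] is written as \s
# because Python's re module has no POSIX character classes.
FILTERS = [
    ("/etc/passwd", r"/etc/passwd"),
    ("/bin/ls", r"/bin/ls"),
    (r"\.\./", r"\.\./"),
    ("delete[[:space:]]+from", r"delete\s+from"),
    ("insert[[:space:]]+into", r"insert\s+into"),
    ("select.+from", r"select.+from"),
    ("<[[:space:]]*script", r"<\s*script"),
]

def check_request(raw_uri, lo=32, hi=126):
    """Return the names of the checks a raw (still URL-encoded) URI trips."""
    hits = []
    # SecFilterCheckURLEncoding: each % must be followed by two hex digits.
    if re.search(r"%(?![0-9A-Fa-f]{2})", raw_uri):
        hits.append("SecFilterCheckURLEncoding")
    decoded = unquote_to_bytes(raw_uri)
    # SecFilterForceByteRange 32 126: no decoded byte may fall outside the range.
    if any(b < lo or b > hi for b in decoded):
        hits.append("SecFilterForceByteRange")
    text = decoded.decode("latin-1")
    for name, pattern in FILTERS:
        # Assumption: patterns are matched case-insensitively on the decoded URI.
        if re.search(pattern, text, re.IGNORECASE):
            hits.append("SecFilter " + name)
    return hits

# Constructed sample URIs (not taken from real traffic).
SAMPLES = [
    "/index.html",
    "/view.php?file=../../etc/passwd",
    "/news.php?id=1;DELETE%20FROM%20users",
    "/page.php?x=a%0D%0Ab",                           # decodes to bytes 13 and 10
    "/a%zz",                                          # malformed escape
    "/help?q=select%20a%20plan%20from%20the%20list",  # benign, still blocked
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", check_request(uri) or "allowed")
```

The last sample shows that "select.+from" also matches ordinary English text, so patterns like this are worth trialling against legitimate traffic before the default action is set to deny.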
