[mod-security-users] inclusive filter rule set "default deny all mode"
From: joe b. <joe...@ya...> - 2006-04-08 11:43:15
My Apache server came under attack starting April Fools' Day. I first noticed my ipfilter inclusive firewall logging outbound packets on the default deny all rule. Checking the http-access.log I saw these requests being serviced by my server.

218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:25 -0400] "\x04\x01" 200 0 "-" "-"
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "\x05\x01" 200 0 "-" "-"
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "CONNECT 4.79.181.15:25 HTTP/1.1" 200 7014 "-" "-"
218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:46 -0400] "GET http://www.ebay.com/ HTTP/1.1" 200 7014 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

I posted a msg on the freebsd questions list and someone suggested I look at mod_security. At first review I was interested enough to install the freebsd port of the software. As I read the manual, slowly I began to realize something was absent.

The mod_security home page calls mod_security a web application firewall. In software firewalls there are 2 different types of filter rule sets: the exclusive firewall and the inclusive firewall. An exclusive firewall allows all services through except for those matching a set of rules that block certain services. An inclusive firewall does the reverse. It only allows services matching the rules through and blocks everything else. Inclusive firewalls are much, much safer than exclusive firewalls.

Now applying that to the mod_security filter rules I see explained in the manual and the examples provided at the mod_security home page, it becomes very obvious that all the mod_security filter rules are of the exclusive type.

My web application is very vanilla. It uses HTML and PHP for a counter of page hits. It has no upload function, but does have a download function launched from a link. No URLs have any embedded tags. So I am interested in writing mod_security filter rules in reverse.
Basically I want to say deny everything except the GET requests for the files.htm or files.php names I see in the HTTP-access log for normal valid usage of my web application. This sure would be a shorter filter include file than including all the includes necessary to specify all the different variations of attack request strings.

Is there any example of how to accomplish building an inclusive mod_security filter rules file? Maybe the next question should be: is this even possible? And if not, then why not, and can it be changed to take the inclusive approach as well as the current exclusive approach? If mod_security is going to be called a web application firewall then it needs to be able to do both inclusive and exclusive filter rule configurations.

If it's indeed possible to build an inclusive filter rule set, I have a workbench development website that I can use to be the test vehicle. Would need the filter rules to specify deny everything and one filter rule for accepting the GET file.html request.

Thanks for your help,
Joe
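As an added example (not from this thread or the ModSecurity project), here is what the inclusive, deny-everything-else rule set Joe asks for looks like in ModSecurity 2.x SecRule syntax; the hostname, the allowed paths and the rule ids are placeholders, and the site is assumed to take no request parameters.

```apache
# Added example, not from the original thread. Assumes ModSecurity 2.x (SecRule
# syntax); www.example.net, the paths and the 9000xx ids are placeholders.
SecRuleEngine On

# All rules below run in phase 1 (request headers) and deny by default.
SecDefaultAction "phase:1,deny,log,status:403"

# 1. Only the host we actually serve; any other Host header is denied.
SecRule REQUEST_HEADERS:Host "!@rx ^www\.example\.net(?::80)?$" \
    "id:900001,phase:1,deny,status:403,msg:'Host not in allow-list'"

# 2. Only GET and HEAD. This also refuses CONNECT, which the log above shows
#    being used to relay to port 25 of another machine.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD)$" \
    "id:900002,phase:1,deny,status:403,msg:'Method not in allow-list'"

# 3. The request target must be a path on this server, never an absolute URL
#    ("GET http://www.ebay.com/" in the log is a proxy-style request).
SecRule REQUEST_LINE "!@rx ^(?:GET|HEAD) /[^ ]* HTTP/1\.[01]$" \
    "id:900003,phase:1,deny,status:403,msg:'Request line not in allowed form'"

# 4. The allow-list itself: "/" , the two pages, and the download directory.
#    Anything not matching is denied, which is the inclusive behaviour wanted.
SecRule REQUEST_FILENAME "!@rx ^/(?:index\.html|counter\.php|files/[A-Za-z0-9_-]+\.(?:pdf|zip))?$" \
    "id:900004,phase:1,deny,status:403,msg:'Path not in allow-list'"

# 5. The vanilla site takes no parameters, so any argument at all is refused.
SecRule &ARGS "@gt 0" \
    "id:900005,phase:1,deny,status:403,msg:'Unexpected request parameters'"
```

Keep Apache's forward proxy off as well (ProxyRequests Off): the rules stop proxy-style requests from reaching the application, but the CONNECT and absolute-URL requests in the log should not have been serviced in the first place.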