Re: [mod-security-users] IS this firewall code bullet proof
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] IS this firewall code bullet proof
|
From: joe b. <joe...@ya...> - 2006-04-15 19:39:03
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0089) -->
<HTML><HEAD><TITLE>ModSecurity for Apache User Guide</TITLE>
<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1"><LINK
href="ModSecurity for Apache User Guide_files/modsecurity-manual.css"
type=text/css rel=stylesheet>
<META content="Microsoft FrontPage 5.0" name=GENERATOR><LINK
title="ModSecurity for Apache User Guide" href="#N10001" rel=start><LINK
title=Introduction href="#01-introduction" rel=next></HEAD>
<BODY text=black vLink=#840084 aLink=#0000ff link=#0000ff bgColor=white>
<DIV
style="BORDER-TOP: #dddddd 1px solid; BACKGROUND: #f5f5f5; WIDTH: 100%; BORDER-BOTTOM: #dddddd 1px solid">
<DIV class=toc>
<P><B>Table of Contents</B></P>
<DL>
<DT><SPAN class=section><A
href="#01-introduction">Introduction</A></SPAN>
<DD>
<DL>
<DT><SPAN class=section><A
href="#N10034">Licensing</A></SPAN>
<DT><SPAN class=section><A
href="#N1004C">Acknowledgements</A></SPAN>
<DT><SPAN class=section><A
href="#N10051">Contact</A></SPAN></DT></DL>
<DT><SPAN class=section><A
href="#02-installation">Installation</A></SPAN>
<DD>
<DL>
<DT><SPAN class=section><A
href="#N10064">CVS
Access</A></SPAN>
<DT><SPAN class=section><A
href="#N10078">Nightly
Snapshot Download</A></SPAN>
<DT><SPAN class=section><A
href="#N10083">Stable
Release Download</A></SPAN>
<DT><SPAN class=section><A
href="#N1008C">Installing
from source</A></SPAN>
<DT><SPAN class=section><A
href="#N100EB">Installing
from binary</A></SPAN></DT></DL>
<DT><SPAN class=section><A
href="#wa-firewall">Web Application Firewall</A></SPAN>
<DD>
<DL>
<DT><SPAN class=section><A
href="#waf-bps">Bullet proof strategy</A></SPAN>
<DT><SPAN class=section><A
href="#waf-rt">Rules Template</A></SPAN>
<DT><SPAN class=section><A
href="#waf-rcn">Rule coding notes</A></SPAN>
</DT></DL>
</DL>
<DIV class=section lang=en>
<DIV class=section lang=en>
<PRE class=programlisting> </PRE></DIV></DIV></DIV>
<DIV class=section lang=en>
<DIV class=titlepage>
<DIV>
<DIV>
<H2 class=title style="CLEAR: both"><A
name=wa-firewall></A>Web Application Firewall</H2></DIV></DIV>
<DIV></DIV></DIV>
<P>ModSecurity default usage strategy has been to define the signatures of all
the known insert attack strings and then use that to scan all remote browser web
server requests for those signatures. The problem with this strategy is that
there are all ways new attack strings being developed by un-scrupulous people.
If an attacker selected an particular web site to study for weakness that
was already using all the published signature files provided on the
mod_security web site home page, this would not be sufficient to deny the attacker
from penetrating the target web application. For this signature strategy to be
successfully, mod_security would need a dedicated team of full time employees to
handle the coding deny rules for the new attack strings. In the MS/Windows world this would be
like what Norton Software does with their customer paid for virus signature
update service. Mod_security being an open source software product makes a
virus signature update service unfeasible. </p>
<P>An addition problem with this strategy is it takes a very knowledgeable
person in the inter-workings of HTTP requests to code an deny rules for new
signatures. This in most
cases precludes the majority of the home computer hobbyists and professional web
server administrators from being able to use this software.</p>
<P>ModSecurity does contain the capabilities for building rules which can bullet
proof an web application. To accomplish this an different strategy is
used. </p>
<P>The author of mod_security comes from the Apache security environment and as such
uses the Apache nomenclatures in the other sections of this manual. The
word 'Directives' is used in Apache documentation and the word 'Rules' is
commonly used in Unix firewall documentation. In this section the words 'rules'
& 'directives' are both used and represent the same thing.</p>
<DIV class=section lang=en>
<DIV class=titlepage>
<DIV>
<DIV>
<H3 class=title><A name=waf-bps></A>Bullet proof strategy</H3></DIV></DIV>
<DIV></DIV></DIV>
<P>This strategy is targeted at providing the home computer hobbyists and
professional web server administrators with an rule template which demonstrates
a standard way of coding rules to protect the 4 common types of web server
requests. This strategy is independent of the programming language used to
create the web application.</p>
<P>All browser requests contain the file name containing the HTML code and/or the
dynamic content programming language code to be executed by the server.
<span style="background-color: #00FFFF">The key to the Bullet proof strategy is
based on the user only having to code rules for each file which gets exchanged
between the host web server and the remote browser.</span> Any files which are
included into other files and/or other files which get processed by the logic
of the web application are excluded from needing mod_security rules. Protection from all malice code insert attempts is achieved by defining what is normally exchanged between the server and the remote browser
thus closeing the places where malice code can be inserted. This results in any
request not meeting the mod_secureity enforced standards per the users
coded rules being denied by default. This
strategy completely negates the need for using the known insert attack string
signatures files provided on the mod_security web site.</p>
<P>From the sample code provided even an novice with no programming knowledge
should be able to cut and past the rules to suit their web application.</p>
<P>The template starts with the mandatory directives section. This section
specifies the default rule values necessary for this template to function. The
user should have no need to change these rules and should use then as is.</p>
<P>After the mandatory directives section are the rules to protect the standard
4 HTTP request types. All the user has to do is copy the sample rule and modify
it to meet their needs. Basically that means changing the request file names to
ones in his web application and the post argument names to their own.</p>
<P>Type 1. is the most commonly used request type. This covers the normal
vanilla HTML display static content on the users remote browser.</p>
<P>Type 2. covers the use of HTML forms being processed by the very popular php
programming language. Using a different programming language for dynamic content
would only affect the file suffix. (i.e. .php to .pl for perl, ect). </p>
<P>Type 3. covers string parameter content attached to the requested file.</p>
<P>Type 4. covers the use of cookies </p>
<DIV class=section lang=en>
<DIV class=titlepage>
<DIV>
<DIV>
<H3 class=title><A name=waf-rt></A>Rules Template</H3></DIV></DIV>
<DIV></DIV></DIV>
<P>############# Start of mandatory directives ###################<br>
# Turn the filtering engine on or off<br>
secfilterengine on<br>
<br>
# Normalize cookie support<br>
SecFilterNormalizeCookies On<br>
<br>
# Enable version 1 (RFC 2965) cookies<br>
SecFilterCookieFormat 1<br>
<br>
# Check that url encoding is valid<br>
secfiltercheckurlencoding on<br>
<br>
# Unicode encoding check<br>
secfiltercheckunicodeencoding off<br>
<br>
# Only allow bytes from this range<br>
secfilterforcebyterange 1 255<br>
<br>
# Should forms post payloads be inspected<br>
secfilterscanpost on<br>
<br>
# The default setting sends the most important messages <br>
# (errors and warnings) to the Apache /var/log/httpd-error.log<br>
# only if there is no debug or custom log specified.<br>
SecFilterDefaultAction deny,log,status:404<br>
<br>
############# End of mandatory directives ###################<br>
<br>
# This is just for use during development to observe what happens.<br>
# In production the following 2 rules should be commented out.<br>
# You can change the unix path and log name to anything you want<br>
SecFilterDebugLog /var/log/modsec_debug_log<br>
SecFilterDebugLevel 9<br>
<br>
<br>
# Rule type 1.<br>
# Most heavily used files go first<br>
SecFilterSelective REQUEST_URI "^/web_style_sheet.css$" allow<br>
<br>
<br>
# Rule type 1.<br>
# This services the sample application frame home page<br>
SecFilterSelective REQUEST_URI "^/index.htm$"
allow<br>
SecFilterSelective REQUEST_URI "^/Header.htm$"
allow<br>
SecFilterSelective REQUEST_URI "^/home_page.php$"
allow<br>
SecFilterSelective REQUEST_URI "^/products.htm$" allow <br>
SecFilterSelective REQUEST_URI "^/powered_by_FreeBSD.gif$" allow<br>
SecFilterSelective REQUEST_URI "^/powered_by_apache.gif$"
allow <br>
<br>
# Rule type 2.<br>
# The logon membership process<br>
# Here the show form and process form functions are in separate files.<br>
# Need one rule to allow the show form function<br>
# The process form function file needs 2 rules, 1 for the file name & <br>
# 1 for the POST_PAYLOAD rule. <br>
<br>
SecFilterSelective REQUEST_URI "^/logon_showform.php$" allow<br>
<br>
SecFilterSelective REQUEST_URI "^/logon_processform.php$"
chain<br>
SecFilterSelective POST_PAYLOAD
\<br>
"^id=[0-9a-z]{15,}$ \<br>
&pw=[0-9a-z]{15,}$ \<br>
&submit=Submit$"
allow</p>
<br>
# This could also be coded this way<br>
SecFilterSelective REQUEST_URI "^/logon_processform.php$" chain<br>
SecFilterSelective POST_PAYLOAD
"^id=[0-9a-z]{15,}$&pw=[0-9a-z]{15,}$&submit=Submit$" allow<br>
<br>
<br>
# Rule type 2.<br>
# The sign up membership process<br>
# This single script contains both the show form and process form functions.<br>
# Need one rule to allow the show form function<br>
# and second rule chained to the POST_PAYLOAD rule for<br>
# the process form function. <br>
<br>
SecFilterSelective REQUEST_URI "^/signup.php$" allow<br>
<br>
SecFilterSelective REQUEST_URI "^/signup.php$" chain<br>
SecFilterSelective POST_PAYLOAD
\<br>
"^id=[0-9a-z]{15,}$
\<br>
&pw=[0-9a-z]{15,}$
\<br>
&pw2=[0-9a-z]{15,}$
\<br>
&email=[0-9a-zA-Z\.-_]{45,}$ \<br>
firstname=[a-zA-Z]{30,}$
\<br>
&lastname=[a-zA-Z]{30,}$
\<br>
&add1=[a-zA-Z -]{30,}$
\<br>
&add2=[a-zA-Z -]{30,}$
\<br>
&city=[a-zA-Z -]{20,}$
\<br>
&state=[a-zA-Z -]{20,}$
\<br>
&zip=[0-9-]{15,}$
\<br>
&phone_home=[0-9-]{15,}$
\<br>
&phone_office=[0-9-]{15,}$
\<br>
&phone_cell=[0-9-]{15,}$
\<br>
mothers_maiden_name=[a-zA-Z]{30,}$
\<br>
&userdigit=[0-9a-z]{5,}$
\<br>
&submit=Submit$" allow<br>
<br>
<br>
# Rule type 1. & Rule type 4.<br>
# After user logs in php session control is started so now cookies are passed
around<br>
# The membership menu process<br>
SecFilterSelective REQUEST_URI "^/menu.php$" chain<br>
SecFilterSelective COOKIE_PHPSESSID "^[0-9a-fA-F]{32}$" allow<br>
SecFilterSelective REQUEST_URI "^/terminate_member.php$" chain<br>
SecFilterSelective COOKIE_PHPSESSID "^[0-9a-fA-F]{32}$" allow<br>
SecFilterSelective REQUEST_URI "^/std_exit.php$" chain<br>
SecFilterSelective COOKIE_PHPSESSID "^[0-9a-fA-F]{32}$" allow<br>
<br>
<br>
# Rule type 3.<br>
# Handles this kind of request string<br>
# /mls_verifyemail.php?hash=content<br>
SecFilterSelective REQUEST_URI "^/verifyemail.php" chain<br>
SecFilterSelective ARG_hash "^[0-9a-zA-Z=]+$" allow<br>
<br>
# The catch-all deny rule to block all requests except <br>
# those above with allow option. <br>
SecFilter "."<br>
</p>
<DIV class=section lang=en>
<DIV class=titlepage>
<DIV>
<DIV>
<H3 class=title><A name=waf-rcn></A>Rule codings notes</H3></DIV></DIV>
<DIV></DIV></DIV>
<DL>
Mod_security rules selection is coded using regexp notation. If your regexp is as bad as
mine then the following will be helpfull.<br>
1. The $ is an anchor. Appending a $ to the end of the file name or a regexp notation as in [0-9a-z]{15,}$<br>
means no arguments are allowed to follow. This denies all malice code insert attempts a location<br>
in the string arguments to insert their code into.<br>
2. [0-9a-fA-F]{32} means upper & lower case Alpha-Numeric characters are tested for and may <br>
occur multiple times in the 32 character field size.<br>
3. [0-9a-zA-Z\.-_]{45,} this also allows a period, a dash, and a underscore <br>
4. [a-zA-Z -]{30,} this also allows a blank, and a dash<br>
5. [0-9-]{15,} this allows all digits and a dash<br>
6. [0-9a-zA-Z] here the field size is unknown, means only accept 1 char in this list (0-9a-zA-Z)<br>
7. [0-9a-zA-Z]? means accept blank or 1 char in this list (0-9a-zA-Z) <br>
8. [0-9a-zA-Z]+ means accept 1 or more char(s) in this list (0-9a-zA-Z)<br>
9. [0-9a-zA-Z]* means accept 0 or more chars in this list (0-9a-zA-Z) meaning empty is ok.<br>
10. Long regexp notation can be continued to the next line using the \ char<br>
11. COOKIE_PHPSESSID "^[0-9a-fA-F]{32}$" protects the default php session cookie.<br>
12. The chain command can be though of like creating a compound IF statement.<br>
13. The use of the "allow" command completely changes the default logic of mod_security.<br>
Allow means if rule is true them let it pass. <br>
14. Use of the debug log function results in a kind of logic trace of the loop processing
of he coded rules.<br>
That will greatly increase your understanding of what is happening.<br>
15. I found it very helpful to view the Apache httpd-access.log after doing a complete test of the web<br>
application to determine what files were being exchanged with the remote browser.<br>
16. Use of the mod...@li... question list is well supported by experienced members.<br>
17. All search engine robots do not issue get requests the same way. So watch the httpd-access.log to see<br>
what that do and add rules to accommodate them if you want to be indexed by<br>
every search engine that finds your site.<br>
18. When you have your rules tested and ready for production you should monitor their effect by changing<br>
SecFilterDefaultAction deny,log,status:404 to<br>
SecFilterDefaultAction pass,log,status:404<br>
</p>
</DIV>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</dl>
</DIV>
</dl>
</BODY></HTML> |
