David ROBERT wrote:
> Hi,
>
> I'm interested in the mod_security concept. I would like to use a positive security model.
> I've heard about mod_eaccess and mod_parmguard for this model (does anyone have experience with these two modules?).
This is a provocation, right?
(I am just kidding :)
I've never used either in production. I did inspect the source code of
mod_parmguard when I was researching this module for my book and I
wasn't convinced it would work in production. (I informed the author
about my findings.)
mod_security can be used for a positive security model as well. For
example:
<Location /user_view.php>
# This script only accepts GET
SecFilterSelective REQUEST_METHOD !^GET$
# Accept only one parameter: id
SecFilterSelective ARGS_NAMES !^id$
# Parameter id is mandatory, and it must be
# a number, 4-14 digits long
SecFilterSelective ARG_id !^[[:digit:]]{4,14}$
</Location>
<Location /user_add.php>
# This script only accepts POST
SecFilterSelective REQUEST_METHOD !^POST$
# Accept three parameters: firstname, lastname, and email
SecFilterSelective ARGS_NAMES !^(firstname|lastname|email)$
# Parameter firstname is mandatory, and it must
# contain text 1-64 characters long
SecFilterSelective ARG_firstname !^[[:alnum:][:space:]]{1,64}$
# Parameter lastname is mandatory, and it must
# contain text 1-64 characters long
SecFilterSelective ARG_lastname !^[[:alnum:][:space:]]{1,64}$
# Parameter email is optional, but if it is present
# it must consist only of characters that are
# allowed in an email address
SecFilterSelective ARG_email !(^$|^[[:alnum:].@]{1,64}$)
</Location>
If the product you want to protect is not changing much then you may
be able to write a set of rules once and use them forever. But it is
very difficult to maintain a set of positive security rules for
a changing product. Some sort of real-time engine is needed to make
this task easier.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
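The following is an added example, not code from the post or from mod_security itself: a small Python model of how the two rule sets above behave as a positive security model, so the effect of each rule on a request can be checked offline. It assumes (as the post's comments imply) that a negated rule blocks when the variable does not match, and that a parameter absent from the request is evaluated as the empty string.

```python
import re

# Added example: a model of the SecFilterSelective rules from the post.
# Assumptions (not from the post): a negated rule ("!pattern") blocks when
# the variable does NOT match, and an absent variable is evaluated as "".
POSIX = {"[:digit:]": "0-9", "[:alnum:]": "a-zA-Z0-9", "[:space:]": r" \t\r\n"}

def to_python_regex(pattern):
    """Translate the POSIX bracket classes used in the rules to re syntax."""
    for posix, py in POSIX.items():
        pattern = pattern.replace(posix, py)
    return re.compile(pattern)

# (variable, negated, pattern): the same rules as the two <Location> blocks.
RULES = {
    "/user_view.php": [
        ("REQUEST_METHOD", True, r"^GET$"),
        ("ARGS_NAMES", True, r"^id$"),
        ("ARG_id", True, r"^[[:digit:]]{4,14}$"),
    ],
    "/user_add.php": [
        ("REQUEST_METHOD", True, r"^POST$"),
        ("ARGS_NAMES", True, r"^(firstname|lastname|email)$"),
        ("ARG_firstname", True, r"^[[:alnum:][:space:]]{1,64}$"),
        ("ARG_lastname", True, r"^[[:alnum:][:space:]]{1,64}$"),
        ("ARG_email", True, r"(^$|^[[:alnum:].@]{1,64}$)"),
    ],
}

def request_variables(method, args):
    """Expand a request (method + parameter dict) into the inspected variables."""
    variables = {"REQUEST_METHOD": method, "ARGS_NAMES": list(args)}
    for name, value in args.items():
        variables["ARG_" + name] = value
    return variables

def check(path, method, args):
    """Return the first (variable, pattern) a request violates, or None if allowed."""
    variables = request_variables(method, args)
    for var, negated, pattern in RULES[path]:
        values = variables.get(var, "")       # absent parameter -> ""
        if not isinstance(values, list):
            values = [values]
        regex = to_python_regex(pattern)
        for value in values:                  # ARGS_NAMES is checked per name
            matched = regex.search(value) is not None
            if matched != negated:            # negated rules fire on a non-match
                return (var, pattern)
    return None
```

For example, `check("/user_view.php", "GET", {"id": "12345", "debug": "1"})` is stopped by the ARGS_NAMES rule because `debug` is not whitelisted, while omitting `email` from a POST to /user_add.php passes because that rule explicitly allows the empty string.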