Introduction to Mod Security talk at the Null Monthly March meet.

1. Introduction to Mod Security
-Shruthi Kamath
Null Bangalore Meet - March

2. Who am I
• Co-Founder Infosecgirls (infosecgirls.in)
• Security Consultant at Synopsys
• Active member of Null Bangalore
• Committee member at OWASP Women in Appsec
• Twitter : @ShruthiKamath30

3. Agenda
• What is WAF?
• What is mod security?
• Mod security rules examples
• Setup
• Demo

4. Introduction to WAF
• A web application firewall is used as a security device
protecting the web server from attack.
• Web application firewalls (WAF) are an evolving information
security technology designed to protect web sites from attack.
• WAF solutions are capable of preventing attacks that network
firewalls and intrusion detection systems can't.
• They do not require modification of application source code.

5. Source:
http://searchsecurity.techtarget.com/magazineContent/Comparative-Product-Review-Six-Web-Application-Firewalls

6. Introduction to Mod Security
• ModSecurity is a popular Open-source Web application
firewall (WAF).
• Originally designed as a module for the Apache HTTP
Server.
• Used across a number of different platforms including
Apache HTTP Server, Microsoft IIS and NGINX.

7. • The platform itself provides a rule configuration language
known as 'SecRules' .
• It is used for real-time monitoring, logging, and filtering of
Hypertext Transfer Protocol communications based on user-
defined rules.
• ModSecurity is known to have the following capabilities:
Security monitoring and access control
Full HTTP traffic logging
Security assessment
Web application hardening
Simple request or Regular expression based Filtering
URL Encoding Validation

8. Mod security rules
Rule Example 1 – XSS attack
• SecRule ARGS|REQUEST_HEADERS “@rx <script>” id:101,msg:
‘XSS Attack’,severity:ERROR,deny,status:404
Rule Example 2 – Whitelist IP Address
• SecRule REMOTE_ADDR “@ipMatch 192.168.1.101”
id:102,phase:1,t:none,nolog,pass,ctl:ruleEngine=off

9. mod_security with Apache Set Up
on Ubuntu
• Ubuntu LAMP Server installation
• sudo apt-get install apache2
• sudo apt-get install mysql-server
• sudo apt-get install php5 libapache2-mod-php5
• sudo /etc/init.d/apache2 restart
• apt-get install libapache2-modsecurity
• apachectl -M | grep --color security
• service apache2 reload
• ls -l /var/log/apache2/modsec_audit.log

10. Configuring mod_security
• nano /etc/modsecurity/modsecurity.conf
• SecRuleEngine DetectionOnly
• logs requests and doesn't block anything.
• SecRuleEngine On
• Blocks according to rule match.
• SecResponseBodyAccess On
• Buffer response bodies
• SecRequestBodyLimit 13107200~ 12.5MB
• specifies the maximum POST data size.
• SecRequestBodyNoFilesLimit 131072~128KB
• size of POST data minus file uploads
• SecRequestBodyInMemoryLimit 131072
• maximum request body size that ModSecurity will store in
memory

11. Setting Up Rules
• ls -l /usr/share/modsecurity-crs/
• nano /etc/apache2/mods-enabled/modsecurity.conf
• Add the following directives inside <IfModule
security2_module> </IfModule>:
• Include "/usr/share/modsecurity-crs/*.conf“
• Include "/usr/share/modsecurity-
crs/activated_rules/*.conf"

12. • cd /usr/share/modsecurity-crs/activated_rules/
• ln -s /usr/share/modsecurity-
crs/base_rules/modsecurity_crs_41_xss_attacks.conf
• service apache2 reload

13. Demo Time

14. Useful links
• http://www.modsecurity.org/about.html
• https://github.com/SpiderLabs/ModSecurity/wiki/Reference-
Manual
• https://modsecurity.org/crs/

15. Thank You