Monday, August 3, 2009

Securing Apache Web Server with mod_security

The Internet has its share of packet filters and proxy servers that increase security for clients and servers alike. Filtering network traffic is never a bad idea since it provides a basic level of protection. When it comes to protecting web servers, your packet filter will most probably allow HTTP and HTTPS traffic through to your server application. Unless you deploy an application proxy that inspects HTTP, you can't do more. But you can equip your Apache web server with mod_security, which in turn helps you analyse any request thrown at it.
Application Layer Inspection

When you do any network traffic filtering or inspection you have to keep in mind that usually nothing understands the things that should be inspected better than the application in question. This is one of the reasons why proxy filters are "better" suited for this job. They know the protocol and can normalise fancily encoded requests. mod_security is in a very similar position. It sits right inside the Apache httpd process and inspects the HTTP requests. This is an important advantage over proxies since it can also see compressed or even encrypted content without difficulties.

So, what needs to be inspected? Apache's httpd surely does inspect HTTP requests. What more do I need? Well, there are some things mod_security can do for you.

* Better logging
The module can log the content of HTTP POST requests. Apache usually doesn't log that. Furthermore you can log complete HTTP transactions. This makes the job of a potential attacker harder. In addition to that you have very fine control over what to log and when.
* Real time operation
mod_security sees the requests directly and can act immediately.
* Anomalies
The security module can act on anomalies in the web server operation by looking at request rates, IP addresses, HTTP sessions and user accounts.
* Black-/whitelisting
You can use a signature-based approach and define what you want to allow and what you want to block.
* Protects other web servers
You can even protect other web server software by combining it with mod_proxy. The Apache server can act as reverse proxy thus seeing all HTTP requests and applying rule sets.
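
The features listed above, sketched as a configuration. This is an added example, not taken from the original article; it assumes ModSecurity 2.x with mod_unique_id, mod_proxy and mod_proxy_http loaded, and the log path, rule ids, the `id` parameter and the backend address are placeholders.

```apache
<IfModule security2_module>
    # Real-time operation: evaluate rules and act on matches.
    # Start with "DetectionOnly" to log without blocking while tuning.
    SecRuleEngine On

    # Better logging: buffer request bodies so POST data can be
    # inspected by rules and written to the audit log.
    SecRequestBodyAccess On
    SecRequestBodyLimit 1048576

    # Log complete transactions only when a rule fired or the response
    # status was 5xx/4xx (404 excluded).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log
    # A/Z = boundaries, B = request headers, C = request body,
    # F = response headers, H = audit trailer (matched rules).
    SecAuditLogParts ABCFHZ

    # Blacklisting: a signature applied after normalising the encoding,
    # so differently encoded forms of the same input match.
    SecRule ARGS "@rx <script" \
        "id:100001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
        deny,status:403,log,auditlog,msg:'Script tag in request parameter'"

    # Whitelisting: the (hypothetical) parameter "id" must be numeric.
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
        "id:100002,phase:2,t:none,deny,status:400,log,auditlog,\
        msg:'Parameter id is not a number'"

    # Whitelisting at protocol level: only the methods the site needs.
    SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
        "id:100003,phase:1,t:none,deny,status:405,log,msg:'Method not allowed'"
</IfModule>

# Protecting another web server: Apache acts as a reverse proxy, so the
# rules above see every request before it reaches the backend.
ProxyRequests Off
ProxyPass        / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
```

Run `apachectl configtest` after editing, and review the audit log in detection-only mode before switching to blocking.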

To read more, visit: http://linuxgazette.net/143/pfeiffer.html
