In my previous post, I wrote about a ModSecurity book that was to be published by Packt Publishing. On November 24, 2009, I received the book in PDF format.
The book is titled “ModSecurity 2.5: Securing your Apache installation and web applications” and is authored by Magnus Mischel. It contains nine chapters and covers the topic from the installation to the deployment of ModSecurity.
You need to be comfortable working with Linux commands and have basic knowledge of web application programming to be able to follow the book, although you don’t need to be an expert in those fields.
At 280 pages, this book is concise and gives enough knowledge to apply ModSecurity to real-life web applications.
I will briefly give an overview of each chapter. Please bear with me.
The title is clear, although the subtitle does not describe the book's content very accurately. IMHO, the subtitle should be just “Securing your web applications” instead of “Securing your Apache installation and web applications”.
In this chapter, the author gives:
- An introduction to ModSecurity and the reasons to use it
- An overview of the book's content and some information about the book (conventions, target audience, etc.)
I would prefer the introduction to ModSecurity to be its own chapter. In addition, the author could explain the deployment options for ModSecurity:
- As an Apache module
- As a reverse proxy
This chapter explains the ModSecurity versions, installation, basic configuration, and testing of the configuration. The requirements for the installation are also explained. You need to be proficient with the Linux command line to download and compile the ModSecurity source code.
Fortunately, the author gives great detail on the installation process.
It would be better to describe the general ModSecurity features instead of listing the features of each ModSecurity version. It would also be better to use the template configuration included in the ModSecurity distribution tarball first, before creating one’s own configuration file. The ModSecurity configuration can be tested using the “blocking access to a file” rule only, because the other method (changing the server banner) is explained in chapter 6.
This chapter teaches you how to write ModSecurity rules. It begins with the theory of rule writing and then moves on to putting that theory into practice, such as blocking uncommon HTTP request methods, locating visitors using a geographical database, executing a shell script when a rule matches, etc.
I like this chapter because it is easy to follow and sheds light on writing rules.
But I noticed several things that could make the chapter more complete:
- Before describing how to write your own rules, the author should give an overview of existing ModSecurity rule projects such as the ModSecurity CRS (Core Rule Set). We should use the existing public rules to the fullest before writing our own. The current CRS can be downloaded from: http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/. This project was established in July 2009, so the author might not have had time to update the book's content.
- For rule IDs, the author forgot to mention the rule ID range that can be used in user-defined rules.
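The three rule-writing topics mentioned above (uncommon methods, geographical lookup, running a script on match), together with the point about rule IDs, as an added illustration that is not code from the book or its author. The GeoIP database path, the notification script, the country code and the rule IDs are assumptions; the ID range comment follows the reservation table in the ModSecurity reference manual.

```apache
# Added example, not from the book. Paths, script and IDs are assumptions.
SecRuleEngine On

# Rule IDs 1-99,999 are reserved for local (private) use in the ModSecurity
# reference manual, so rules written for one's own server belong in that range.

# 1. Block uncommon HTTP request methods as early as possible, in phase 1
#    (request headers), before any request body is read.
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST)$" \
    "phase:1,id:1001,t:none,deny,status:405,log,msg:'Uncommon HTTP method blocked'"

# 2. Locate the visitor with a GeoIP database (assumed path). The first rule
#    only performs the lookup; the second logs, but does not block, visitors
#    from the placeholder country code XX so the decision stays with the reviewer.
SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:1002,t:none,nolog,pass"
SecRule GEO:COUNTRY_CODE "@streq XX" \
    "phase:1,id:1003,t:none,pass,log,msg:'Visitor from monitored country XX'"

# 3. Run a script when a rule matches. The chained pair denies access to
#    /admin/ from outside the assumed internal network and then runs the
#    hypothetical notification script. In a chain the actions on the first
#    rule apply once every rule in the chain has matched.
SecRule REQUEST_URI "@contains /admin/" \
    "phase:2,id:1004,t:none,t:urlDecodeUni,t:lowercase,chain,deny,status:403,log,msg:'Admin path requested from outside the internal network',exec:/usr/local/bin/notify-admin.sh"
    SecRule REMOTE_ADDR "!^192\.168\.1\."
```

Test such rules with SecRuleEngine set to DetectionOnly first and watch the audit log for matches before switching to On; the deny in rule 1004 only fires when both the URI and the address check match.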
This chapter looks at the performance impact of ModSecurity on the Apache web server. It tests the performance (response time, memory usage, CPU usage) of Apache with no ModSecurity, with ModSecurity but no rules, and with ModSecurity and the core rule set. Loading the core rule set (120 rules) decreases the number of connections the server can handle, but the chapter gives several tips to ease the impact.
It would be interesting to see whether the test used the latest ModSecurity Core Rule Set.
This chapter explains ModSecurity logging. First, it describes how to configure ModSecurity logging (type, what to log, and format).
Next, it continues with how to read your audit log files easily using ModSecurity Console, a Java-based application that can be accessed with a web browser. But before you can use ModSecurity Console, you need to forward all your audit logs to it using a small application called mlogc, provided in the ModSecurity package tarball.
Logging is indispensable for security. If you have log files and review them regularly, you may be able to stop an attack before it takes place, and during an attack you will be able to handle it appropriately.
There are several other tools that can be used to manage ModSecurity logs:
- AuditConsole: to receive, store and view ModSecurity audit data
- AuditViewer: to review audit log data
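The logging configuration this chapter covers (type, what to log, format) and the hand-off to mlogc, as an added example that is not from the book. All paths are assumptions; the directives themselves are standard ModSecurity 2.x directives.

```apache
# Added example, not from the book. Paths are assumptions; the log directories
# should be writable by the Apache user only.

# What to log: only "relevant" transactions, i.e. those that triggered a rule
# with the log action, plus any response whose status matches the regex
# (5xx, and 4xx except 404 so routine not-found noise stays out).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Format: which parts to record. A = header, B = request headers,
# C = request body, F = response headers, H = trailer with the rule matches,
# Z = end marker. E (response body) is left out to keep volume down.
SecAuditLogParts ABCFHZ

# Type: Concurrent writes one file per transaction under the storage dir and
# an index line per transaction in SecAuditLog. mlogc works from that index,
# so Concurrent (not Serial) is the type to use when forwarding to the console.
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsec/audit/data
SecAuditLog /var/log/modsec/audit/index

# Forwarding: instead of a plain index file, pipe the index into mlogc so each
# entry is queued for ModSecurity Console as it is written. mlogc.conf (assumed
# location) holds the console address and the sensor credentials.
# SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"

# Debug log: keep it off (level 0) in production; raise it temporarily only
# while troubleshooting a rule, because higher levels write a lot of data.
SecDebugLog /var/log/modsec/debug.log
SecDebugLogLevel 0
```

Use either the file form or the pipe form of SecAuditLog, not both; with the pipe form, check mlogc's own error log when entries stop appearing in the console, since a wrong URL or credentials fail silently from Apache's point of view.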
Usually, if we want to fix software vulnerabilities, we do it by patching the code. But with ModSecurity we can patch web application vulnerabilities without touching the code; this is called virtual patching. We just write ModSecurity rules to block the malicious requests.
This chapter describes the reasons to use virtual patching and how to create a virtual patch with ModSecurity. In the last section of the chapter, the author gives real-life examples of virtually patching a SQL injection vulnerability in Geeklog version 1.5.2 or earlier and a CSS vulnerability in Twitter.
This chapter looks at several common attacks that can be carried out against web applications. It also explains how to use ModSecurity to block those common attacks.
I would prefer chapters 5 and 6 to be merged because they are closely related.
This chapter is about creating a chroot jail for Apache with the help of ModSecurity. It explains what a chroot jail is, the reasons to use it, and the steps needed to create a chroot jail for Apache. At the end of the chapter, the author gives several caveats about creating a chroot.
This chapter looks at Remo, a web-based application that helps create positive ModSecurity security rules. It starts with the Remo installation and then explains how to create rules with Remo to secure a sample web application.
Besides Remo, there are other tools that can also help in creating ModSecurity rules, such as Web Policy Editor and ModProfiler. It would be useful if the author also explained these tools.
This chapter looks at protecting a real-life web application called YaBB using positive security model rules. First, it gives an overview of the positive security model. Then it describes the process of implementing the security model. The web application's processing is also explained, followed by the development of positive security rules by hand.
The discussion of the positive security model would be better moved to chapter 8.
The author mentions that Ethereal (now known as Wireshark) can be used as a web debugging proxy in Linux, but doesn’t explain how to do that. IMHO, the WebScarab tool or something similar is more appropriate for the job.
Although this chapter covers how to secure a real-life web application, the author does it using the manual approach, not Remo. It would be better if the author also explained how to use Remo (as covered in the previous chapter) to secure the same web application, so the reader could see the differences.
Overall I like this book. It is easy to follow, concise and practical, although you might need to be familiar with Linux commands and web application programming to get the full benefit.
If you want to learn about ModSecurity in a practical way and you already have a background in Linux administration, then you should buy this book.
There are several things that could be improved to make this book more useful, as mentioned in my review above.
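The idea of a virtual patch (block the malicious request at ModSecurity, leave the application code alone) as an added example that is not from the book and is not the book's Geeklog or Twitter patch. It assumes a hypothetical script /app/view.php whose "id" parameter ends up in a SQL query and whose valid values are positive integers.

```apache
# Added example, not from the book. The script path, parameter name and
# rule IDs are assumptions for a hypothetical application.
#
# The patch is scoped to the one vulnerable script with an Apache container,
# so it cannot affect the rest of the site, and it is written as a positive
# check (what a valid id looks like) rather than a list of attack strings,
# so encoding tricks against a blacklist do not apply.
<LocationMatch "^/app/view\.php$">
    # ARGS values are already URL-decoded by ModSecurity, so t:none is enough.
    # Phase 2 sees both query-string and POST-body arguments.
    SecRule ARGS:id "!^\d{1,10}$" \
        "phase:2,id:9001,t:none,deny,status:403,log,msg:'Virtual patch 9001: non-numeric id on view.php'"

    # The application expects the parameter, so a request without it is also
    # rejected (remove this rule if id is optional in your application).
    SecRule &ARGS:id "@eq 0" \
        "phase:2,id:9002,t:none,deny,status:403,log,msg:'Virtual patch 9002: id parameter missing'"
</LocationMatch>
```

Record the vulnerability reference and the date in the msg or in a comment next to the rule, and remove the patch once the application itself is fixed, so the rule set does not accumulate stale patches.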
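A hand-written positive security model for a single resource, in the style this chapter describes, as an added example that is not from the book and is not the book's YaBB rule set. It assumes a hypothetical login script /forum/login.pl that accepts exactly three POST parameters (username, password, action); everything not explicitly allowed is denied.

```apache
# Added example, not from the book. Script path, parameter names, formats
# and rule IDs are assumptions for a hypothetical forum application.
<LocationMatch "^/forum/login\.pl$">
    # 1. Method: the login form is only ever submitted with POST.
    SecRule REQUEST_METHOD "!^POST$" \
        "phase:1,id:9101,t:none,deny,status:405,log,msg:'login.pl: method not allowed'"

    # 2. Parameter names: reject any argument whose name is outside the known
    #    set, before its value is even looked at.
    SecRule ARGS_NAMES "!^(?:username|password|action)$" \
        "phase:2,id:9102,t:none,deny,status:403,log,msg:'login.pl: unexpected parameter %{MATCHED_VAR}'"

    # 3. Parameter values: one rule per field describing what valid input
    #    looks like, as learnt by observing the application's normal traffic.
    SecRule ARGS:username "!^[A-Za-z0-9_.-]{1,32}$" \
        "phase:2,id:9103,t:none,deny,status:403,log,msg:'login.pl: bad username format'"
    SecRule ARGS:password "!^.{1,64}$" \
        "phase:2,id:9104,t:none,deny,status:403,log,msg:'login.pl: bad password length'"
    SecRule ARGS:action "!^(?:login|logout)$" \
        "phase:2,id:9105,t:none,deny,status:403,log,msg:'login.pl: unknown action'"

    # 4. Parameter count: a hard cap also stops the same name being sent twice,
    #    which ModSecurity and the application may resolve differently.
    SecRule &ARGS "@gt 3" \
        "phase:2,id:9106,t:none,deny,status:403,log,msg:'login.pl: too many parameters'"
</LocationMatch>
```

Because a positive model breaks whenever the application changes (a new form field, a renamed action), run it in DetectionOnly mode against real traffic first and review every match in the audit log before enforcing it; that review step is where a tool such as Remo saves the most time compared with writing the rules by hand.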