Parkside Web Development

May 22, 2008

Installing Mod Security on Fedora

Filed under: Security Matters | The Quagmire @ 10:14 pm

Recently I had a friend whose server was compromised. Although I haven’t had trouble with my server, I thought that I’d see if there were any security issues I had overlooked. That’s when I came across Mod Security. I hadn’t used it before, so the first thing I looked for was some documentation. The official documentation is located at http://www.modsecurity.org/ and had this to say about its purpose:

ModSecurity is a web application firewall (WAF). With over 70% of attacks now carried out over the web application level, organisations need all the help they can get in making their systems secure. WAFs are deployed to establish an increased external security layer to detect and/or prevent attacks before they reach web applications. ModSecurity provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.

I figured that with the most recent Fedora Core I’d be able to install it via yum. So at the command line I ran the “yum install mod_security” command (your distribution may use apt-get instead). Mod Security installs a set of default rules that seem set up to catch most common Apache attacks. The rule definition files are located in the /etc/httpd/modsecurity.d folder. The default rules can catch many web-based attacks without interrupting normal website behavior. Even most PHP applications are unaffected.

The exception to this is phpMyAdmin. Many parts of this very useful application get blocked by Mod Security. Many of the requests that phpMyAdmin makes appear to be SQL injection attacks. I eventually turned Mod Security off on that single directory. The way I did this is by adding the “SecRuleEngine Off” command to the directory block in my httpd.conf file. This disables Mod Security entirely for that directory. This may be overkill, but until I have the time to research the specific rules that need to be turned off for the application to work, it’ll have to do. I do have the directory password protected, which should be enough for the short term.
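The directory-level exemption described above, written out next to two narrower alternatives. This is an added example, not the author's actual httpd.conf: the phpMyAdmin path and the rule IDs are assumptions, and only one of the three blocks should be active at a time.

```apache
# Added example. Assumed install path for phpMyAdmin; adjust to your system.

# Option A: what the post describes. ModSecurity does no inspection and
# no logging for anything served from this directory.
<Directory "/usr/share/phpMyAdmin">
    SecRuleEngine Off
</Directory>

# Option B: a research step. Rules are still evaluated and matches are
# logged, but requests are never blocked, so phpMyAdmin keeps working
# while the log shows which rules it trips. Each ModSecurity log message
# carries the rule number as [id "..."].
#<Directory "/usr/share/phpMyAdmin">
#    SecRuleEngine DetectionOnly
#</Directory>

# Option C: the end state. The engine stays on for this directory and only
# the rules that produce false positives are removed. 900001 and 900002
# are constructed placeholder IDs; replace them with the ids collected
# from the log under Option B.
#<Directory "/usr/share/phpMyAdmin">
#    SecRuleEngine On
#    SecRuleRemoveById 900001 900002
#</Directory>
```

Check the file with `apachectl configtest` before reloading httpd.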
