I’ll go through a false positive example I found on my blog. False positives are inevitable, so it’s not a bad idea to run mod_security for a few weeks in detect-only mode. Here’s the URL that was raising the alarm; the trigger was in the URL itself. http://chesterton.id.au/blog/2007/11/20/blue-tongue-harmonica-talk-cd/ Here’s what modsec_audit.log looked like: --f8a03521-A-- [21/Mar/2011:07:54:47 +1100] [...]
In my previous post I didn’t mention how to turn on the audit log, so without explanation, you put the following in your config: SecAuditEngine RelevantOnly / SecAuditLogType Serial / SecAuditLogParts ABCFHZ. We already set SecAuditLog to /var/log/modsecurity/SecAuditLog/modsec_audit.log in the previous post; that path has to be writable by the web server user, www-data on Ubuntu/Debian. So after [...]
Some time ago, I changed my setup from nginx + spawn-fcgi to nginx + Apache so I could play with mod_security. Well, one of my clients got pwned through an SQL injection vulnerability, so I finally got to put it into practice. In a nutshell, mod_security is an Apache module that scans HTTP(S) traffic [...]
December 17, 2010 – 3:38 am
When watching a TV series on the laptop, I often lose track of what episode I’m up to, especially after a reboot, so I use Nautilus emblems to keep track for me. The idea is that when I double-click a video file, instead of it launching a video player, I configure it to launch a [...]
December 16, 2010 – 12:02 pm
About five years ago, I bought a MacBook Pro2,2 as my main connection to the internet. It started out with Tiger. It was a struggle to get used to the differences from a GNOME desktop. But I got there, and started liking it. I tried Ubuntu on it when I first got it, and didn’t [...]
October 14, 2010 – 12:13 am
I’ve reinstalled Apache and I’m in the process of cutting over my sites. Not completely, just for non-static files, mainly PHP. Nginx is in front of Apache serving static content and is a reverse proxy to Apache, which runs on 127.0.0.1:81. The reason? I want to give mod_security a spin. It’s loaded now, but it [...]
October 4, 2010 – 12:45 pm
Sheesh, I write one post on security, mention a security expert in it, and he tries to exploit my server. It’s not an original idea, but if you want to test your server for vulnerabilities, come out and say you’re a security expert. Anyway, I finished Cyber War, feeling very satisfied since it’s been a [...]
October 2, 2010 – 1:13 pm
I’ve recently become more interested in security. I always had an interest in it, locking down Linux servers and firewalls, trying to avoid common SQL injection and XSS bugs while coding. But I guess that’s more of a passive interest or approach; I’m now interested in a more active way, deep packet inspection, etc. In [...]
November 28, 2009 – 5:27 pm
For a while now, I had not been using FreeSWITCH for my VoIP, but just logging into PennyTel directly with my Nokia E65. It worked OK, but the voice quality wasn’t as good as going through FreeSWITCH. A month ago my old ADSL router died, so I bought a Billion 5200N to replace it. Since [...]
November 19, 2009 – 5:57 am
I recently upgraded to Snow Leopard and noticed some DNS weirdness. I couldn’t ssh to hosts defined in my local DNS; they wouldn’t resolve, but I could resolve them with the host command. Turns out Snow Leopard made quite a few changes to the resolver: it no longer uses /etc/resolv.conf but mDNSResponder, at least for [...]