I’ll go through a false positive example I found on my blog. False positives are inevitable, so it’s not a bad idea to run mod_security for a few weeks on detect only. Here’s the url that was raising the alarm. The trigger was in the url. http://chesterton.id.au/blog/2007/11/20/blue-tongue-harmonica-talk-cd/ Here’s what modsec_audit.log looked like –f8a03521-A– [21/Mar/2011:07:54:47 +1100] [...]
In my previous post I didn’t mention how to turn on the audit log, so without explanation, you put the following in your config. SecAuditEngine RelevantOnly SecAuditLogType serial SecAuditLogParts ABCFHZ We already set SecAuditLog to /var/log/modsecurity/SecAuditLog/modsec_audit.log in the previous post, which has to be writable by the web server user, www-data for ubuntu/debian. So after [...]
Some time ago, I changed my setup from nginx + spawn-fcgi to nginx + apache so I could play with mod_security. Well, one of my clients got pwned by some sql injection vulnerability, so I finally got to put it in practice. In a nut shell, mod_security is an apache module that scans http(s) traffic [...]
December 17, 2010 – 3:38 am
When watching a TV series on the laptop, I often lose track of what episode I’m up to, especially after a reboot, so I use nautilus emblems to keep track for me. The idea is when I double click a video file, instead of it launching a video player, I configure it to launch a [...]
December 16, 2010 – 12:02 pm
About five years ago, I bought a macbook pro2,2 as my main connection to the internet. It started out with tiger. It was a struggle to get used to the differences from a gnome desktop. But I got there, and started liking it. I tried ubuntu on it when i first got it, and didn’t [...]
October 14, 2010 – 12:13 am
I’ve reinstalled apache and I’m in the process of cutting over my sites. Not completely, just for non static files, mainly php. Nginx is infront of apache serving static content and is a reverse proxy to apache which runs on 127.0.0.1:81 The reason? I want to give mod_security a spin. It’s loaded now, but it [...]
October 4, 2010 – 12:45 pm
Sheesh, I write one post on security, mention a security expert in it, and he tries to exploit my server. It’s not an original idea, but if you want to test your server for vulnerabilities, come out and say you’re a security expert. Anyway, I finished Cyber War, feeling very satisfied since it’s been a [...]
October 2, 2010 – 1:13 pm
I’ve recently become more interested in security. I always had an interest in it, locking down linux servers and firewalls, trying to avoid common sql injection and XSS bugs while coding. But I guess that’s more of a passive interest or approach, I’m now interested in a more active way, deep packet inspection, etc. In [...]
August 16, 2010 – 9:27 pm
I won’t go into too many details, I got everything I learned from google and my customisations aren’t very ground breaking. Jdub tweeted about the wordpress apc object cache being updated. So I (re)installed that. I had it installed a while ago, but a wordpress upgrade broke it. http://wordpress.org/extend/plugins/apc/ Everyone knows about wp-super-cache, and there’s [...]
August 13, 2010 – 8:28 am
Many years ago, I was a rabid (vapid?) PostgreSQL fanboi. I took the time to study how to tune postgres, it was very rewarding to see queries go from taking 30 seconds, to completing in under a second. This involved tuning knobs in the prostres config, to adding indexes. All done manually. If some software [...]