I’ll go through a false positive example I found on my blog. False positives are inevitable, so it’s not a bad idea to run mod_security for a few weeks on detect only. Here’s the url that was raising the alarm. The trigger was in the url. http://chesterton.id.au/blog/2007/11/20/blue-tongue-harmonica-talk-cd/ Here’s what modsec_audit.log looked like –f8a03521-A– [21/Mar/2011:07:54:47 +1100] [...]
In my previous post I didn’t mention how to turn on the audit log, so without explanation, you put the following in your config. SecAuditEngine RelevantOnly SecAuditLogType serial SecAuditLogParts ABCFHZ We already set SecAuditLog to /var/log/modsecurity/SecAuditLog/modsec_audit.log in the previous post, which has to be writable by the web server user, www-data for ubuntu/debian. So after [...]
Some time ago, I changed my setup from nginx + spawn-fcgi to nginx + apache so I could play with mod_security. Well, one of my clients got pwned by some sql injection vulnerability, so I finally got to put it in practice. In a nut shell, mod_security is an apache module that scans http(s) traffic [...]
October 14, 2010 – 12:13 am
I’ve reinstalled apache and I’m in the process of cutting over my sites. Not completely, just for non static files, mainly php. Nginx is infront of apache serving static content and is a reverse proxy to apache which runs on 127.0.0.1:81 The reason? I want to give mod_security a spin. It’s loaded now, but it [...]
October 4, 2010 – 12:45 pm
Sheesh, I write one post on security, mention a security expert in it, and he tries to exploit my server. It’s not an original idea, but if you want to test your server for vulnerabilities, come out and say you’re a security expert. Anyway, I finished Cyber War, feeling very satisfied since it’s been a [...]
October 2, 2010 – 1:13 pm
I’ve recently become more interested in security. I always had an interest in it, locking down linux servers and firewalls, trying to avoid common sql injection and XSS bugs while coding. But I guess that’s more of a passive interest or approach, I’m now interested in a more active way, deep packet inspection, etc. In [...]