Idea 1: DNS
There are plenty of ways to prevent malware and adverts. If the dns resolves to localhost, or, say - your own internal web server for logging purposes... Kinda cool, but it seems as though this is not really being maintained anymore - not sure why, will have to research this one more.
Idea 2: Firefox plugins
NoScript is really cool. NoScript in combination with adblock and a few list subscriptions is fairly effective.
... todo, more content ...
Idea 3: Content filtering
For a while now I've protected my external apache instances with mod_security. I wondered though - could I apply mod_security within a virtual server and mod_proxy in combination?
If interested, this is how you could do it:
---- begin config block ----
LoadFile /usr/lib/libxml2.so.2
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Include rules.d/modsecurity_crs_10_config.conf
Listen 3129
#ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/var/www/html"
ServerName someServer.somewhere
ErrorLog logs/proxy-error_log
CustomLog logs/proxy-access_log common
ProxyRequests On
ProxyVia On
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# Example configuration file for the mod_security Apache module
# This is the ModSecurity Core Rules Set.
Include rules.d/modsecurity_crs_20_protocol_violations.conf
Include rules.d/modsecurity_crs_21_protocol_anomalies.conf
Include rules.d/modsecurity_crs_23_request_limits.conf
Include rules.d/modsecurity_crs_30_http_policy.conf
Include rules.d/modsecurity_crs_35_bad_robots.conf
Include rules.d/modsecurity_crs_40_generic_attacks.conf
Include rules.d/modsecurity_crs_45_trojans.conf
Include rules.d/modsecurity_crs_50_outbound.conf
#Include rules.d/optional_rules/modsecurity_crs_20_protocol_violations.conf
Include rules.d/optional_rules/modsecurity_crs_40_generic_attacks.conf
#Include rules.d/optional_rules/modsecurity_crs_42_tight_security.conf
#Include rules.d/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
Include rules.d/optional_rules/modsecurity_crs_42_comment_spam.conf
Include rules.d/optional_rules/modsecurity_crs_55_marketing.conf
---- end config block ----
Well, yes - it works quite nicely. The funny thing is, I started blocking all kinds of traffic. I thought it interesting to play around with their console application so I went to download it.
What do I notice while loading the page?
==> proxy-access_log <==
192.168.1.103 - - [29/Jan/2009:22:50:08 -0500] "CONNECT bsn.breach.com:443 HTTP/1.1" 200 -
==> modsec_audit.log <==
--fecc3827-A--
[29/Jan/2009:22:50:14 --0500] GeYs9MCoAZIAADzjiu0AAAAJ 192.168.1.103 53990 192.168.1.146 3129
--fecc3827-B--
CONNECT bsn.breach.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2 Ubiquity/0.1.5
Proxy-Connection: keep-alive
Host: bsn.breach.com
--fecc3827-F--
HTTP/1.1 200 OK
--fecc3827-H--
Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/rules.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/etc/httpd/rules.d/modsecurity_crs_30_http_policy.conf"] [line "37"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]
Apache-Handler: proxy-server
Stopwatch: 1233287408659700 5664183 (266 3214 -)
Producer: ModSecurity for Apache/2.5.2 (http://www.modsecurity.org/); core ruleset/1.6.0.
Server: Apache/2.2.3 (CentOS)
--fecc3827-K--
SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "phase:2,chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,pass,t:none"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:4"
SecRule "REQUEST_METHOD" "!@rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" "pass,status:501,phase:2,log,auditlog,msg:'Method is not allowed by policy',severity:2,id:960032,tag:POLICY/METHOD_NOT_ALLOWED"
--fecc3827-Z--
Yep, the mod_security ruleset is cutting some of the traffic from Breach Security - the makers of mod_security :-> Too funny!
It also handily blocks some other stuff. Since I configured my mac to use the proxy, it blocks apple's auth servers, mobile me ( which I am tinkering with as well - interesting but probably won't stick with it ), a whole bunch of odd stuff while downloading web pages and a few other things.
Oh, and if you throw in the in-memory caching on the proxy content the over-head of the mod_security is very nicely realized. I noticed response/load times improved a good bit.
This goes into the virtual server def:
CacheEnable mem /
MCacheSize 1024
MCacheMaxObjectCount 100
MCacheMinObjectSize 1
MCacheMaxObjectSize 2048
Funny thing, I had to turn off the proxy so I could publish the post. Guess I won't be leaving this on until I can debug it more. Still pretty cool!
