Idea 1: DNS
There are plenty of ways to prevent malware and adverts. If DNS for known ad and malware domains resolves to localhost, or, say, your own internal web server for logging purposes... Kinda cool, but it seems as though this is not really being maintained anymore; not sure why, will have to research this one more.
Idea 2: Firefox plugins
NoScript is really cool. NoScript in combination with adblock and a few list subscriptions is fairly effective.
... todo, more content ...
Idea 3: Content filtering
For a while now I've protected my external Apache instances with mod_security. I wondered, though: could I apply mod_security within a virtual server, in combination with mod_proxy?
If interested, this is how you could do it:
---- begin config block ----
# Global scope: load mod_security (it needs libxml2 and mod_unique_id) and the CRS base config.
LoadFile /usr/lib/libxml2.so.2
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Include rules.d/modsecurity_crs_10_config.conf

# The proxy listens on its own port, separate from the normal web server.
Listen 3129

# Assumption: the <VirtualHost> and <Proxy> container tags were stripped when the
# post was published as HTML; they are restored here from context (Listen 3129,
# the proxy directives, and the "virtual server def" referred to later on).
<VirtualHost *:3129>
    #ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/var/www/html"
    ServerName someServer.somewhere
    ErrorLog logs/proxy-error_log
    CustomLog logs/proxy-access_log common

    # Forward proxy, only reachable from the local LAN.
    ProxyRequests On
    ProxyVia On
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.168.1.0/24
    </Proxy>

    # Example configuration file for the mod_security Apache module
    # This is the ModSecurity Core Rules Set.
    Include rules.d/modsecurity_crs_20_protocol_violations.conf
    Include rules.d/modsecurity_crs_21_protocol_anomalies.conf
    Include rules.d/modsecurity_crs_23_request_limits.conf
    Include rules.d/modsecurity_crs_30_http_policy.conf
    Include rules.d/modsecurity_crs_35_bad_robots.conf
    Include rules.d/modsecurity_crs_40_generic_attacks.conf
    Include rules.d/modsecurity_crs_45_trojans.conf
    Include rules.d/modsecurity_crs_50_outbound.conf
    #Include rules.d/optional_rules/modsecurity_crs_20_protocol_violations.conf
    Include rules.d/optional_rules/modsecurity_crs_40_generic_attacks.conf
    #Include rules.d/optional_rules/modsecurity_crs_42_tight_security.conf
    #Include rules.d/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
    Include rules.d/optional_rules/modsecurity_crs_42_comment_spam.conf
    Include rules.d/optional_rules/modsecurity_crs_55_marketing.conf
</VirtualHost>
---- end config block ----
Well, yes, it works quite nicely. The funny thing is, I started blocking all kinds of traffic. I thought it would be interesting to play around with Breach Security's console application, so I went to download it.
What do I notice while loading the page?
==> proxy-access_log <==
192.168.1.103 - - [29/Jan/2009:22:50:08 -0500] "CONNECT bsn.breach.com:443 HTTP/1.1" 200 -
==> modsec_audit.log <==
--fecc3827-A--
[29/Jan/2009:22:50:14 --0500] GeYs9MCoAZIAADzjiu0AAAAJ 192.168.1.103 53990 192.168.1.146 3129
--fecc3827-B--
CONNECT bsn.breach.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2 Ubiquity/0.1.5
Proxy-Connection: keep-alive
Host: bsn.breach.com
--fecc3827-F--
HTTP/1.1 200 OK
--fecc3827-H--
Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/rules.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/etc/httpd/rules.d/modsecurity_crs_30_http_policy.conf"] [line "37"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]
Apache-Handler: proxy-server
Stopwatch: 1233287408659700 5664183 (266 3214 -)
Producer: ModSecurity for Apache/2.5.2 (http://www.modsecurity.org/); core ruleset/1.6.0.
Server: Apache/2.2.3 (CentOS)
--fecc3827-K--
SecRule "&REQUEST_HEADERS:Accept" "@eq 0" "phase:2,chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header',severity:2,id:960015,tag:PROTOCOL_VIOLATION/MISSING_HEADER"
SecRule "REQUEST_METHOD" "!@rx ^OPTIONS$" "phase:2,log,pass,t:none"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:4"
SecRule "REQUEST_METHOD" "!@rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" "pass,status:501,phase:2,log,auditlog,msg:'Method is not allowed by policy',severity:2,id:960032,tag:POLICY/METHOD_NOT_ALLOWED"
--fecc3827-Z--
Yep, the mod_security ruleset is cutting some of the traffic from Breach Security - the makers of mod_security :-> Too funny!
It also handily blocks some other stuff. Since I configured my Mac to use the proxy, it blocks Apple's auth servers, MobileMe (which I am tinkering with as well; interesting but I probably won't stick with it), a whole bunch of odd stuff while downloading web pages, and a few other things.
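To see which CRS rules are firing on proxied traffic, such as the CONNECT entry in the audit log above, here is an added parser for ModSecurity's native serial audit-log format (the --txid-LETTER-- part markers). It is not code from this post or from the ModSecurity project; the sample entry is a trimmed copy of the one above, embedded inline.

```python
import re

# Constructed sample: the audit entry quoted above, trimmed to the parts used here
# (A = transaction, B = request, F = response status, H = rule messages, Z = end).
SAMPLE_AUDIT = """--fecc3827-A--
[29/Jan/2009:22:50:14 --0500] GeYs9MCoAZIAADzjiu0AAAAJ 192.168.1.103 53990 192.168.1.146 3129
--fecc3827-B--
CONNECT bsn.breach.com:443 HTTP/1.1
Proxy-Connection: keep-alive
Host: bsn.breach.com
--fecc3827-F--
HTTP/1.1 200 OK
--fecc3827-H--
Message: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/rules.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"]
Message: Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/etc/httpd/rules.d/modsecurity_crs_30_http_policy.conf"] [line "37"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"]
Apache-Handler: proxy-server
--fecc3827-Z--
"""

# Part boundary: "--<txid>-<letter>--" on a line by itself.
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# Bracketed key/value fields inside a Message: line, e.g. [id "960015"].
MSG_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def split_parts(text):
    """Return {txid: {part_letter: body}} for every transaction in the log."""
    entries = {}
    marks = list(BOUNDARY.finditer(text))
    for i, m in enumerate(marks):
        txid, part = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.setdefault(txid, {})[part] = text[m.end():end].strip("\n")
    return entries


def summarize(text):
    """One record per transaction: client IP, request line, and matched rules."""
    records = []
    for txid, parts in split_parts(text).items():
        a_fields = parts.get("A", "").split()  # [ts tz] uid client cport server sport
        client = a_fields[3] if len(a_fields) > 3 else None
        req_lines = parts.get("B", "").splitlines()
        request = req_lines[0] if req_lines else None
        rules = []
        for line in parts.get("H", "").splitlines():
            if line.startswith("Message:"):
                f = dict(MSG_FIELD.findall(line))
                rules.append((f.get("id"), f.get("msg"), f.get("severity")))
        records.append({"txid": txid, "client": client, "request": request, "rules": rules})
    return records
```

Run summarize() over the proxy's modsec_audit.log to get, per transaction, the rule ids that fired; grouping by request method quickly shows whether the CONNECT hits are the CRS method-policy rules rather than anything content related.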
Oh, and if you throw in in-memory caching of the proxied content, the overhead of mod_security is nicely offset. I noticed response/load times improved a good bit.
This goes into the virtual server def (these are mod_cache plus mod_mem_cache directives, which exist in Apache 2.2; mod_mem_cache was removed in 2.4):
---- begin config block ----
CacheEnable mem /
MCacheSize 1024            # total cache memory, in KB
MCacheMaxObjectCount 100   # maximum number of cached objects
MCacheMinObjectSize 1      # smallest object to cache, in bytes
MCacheMaxObjectSize 2048   # largest object to cache, in bytes
---- end config block ----
Funny thing, I had to turn off the proxy so I could publish the post. Guess I won't be leaving this on until I can debug it more. Still pretty cool!