Open Source Alternative Solutions

Advertising

Apache

Apache Modules

Apache is the de-facto web server on the internet today and with the addition of modules becomes a very versatile server. Modules are usually built to solve a certain problem or to provide a missing functionality. This open source application comes with prebuilt modules which can be reviewed from the apache website. If you wish to search for all modules whether from the 1.x branch or 2.x branch this site offers a search facility which displays all registered modules.

Security

Providing security for the servers and web applications that provide internet users with the flexibility and ease of use that they have come to depend on when doing internet banking or online shopping from spammers and hackers who are always looking to find ways to exploit these interfaces for there own benefit and creating ways for them to either steal your money or worse your identity. Apache modules that can address these security issues are.

Mod_Security is an open source tool used to provide application level filtering.
Mod_evasive is an open source tool that prevents denial of service attacks against the server.
limitipconn is another open source tool tha provides bandwith and denial of service attacks.

Mod Security

Mod Securiy can monitor HTTP traffic in real time in order to detect attacks, thus acting as an application level firewall and intrusion prevention for web applications.

Mod Security has three different models for preventing attacks:

Negative Security model: monitors requests for anomalies, unusual behaviour and common web applications attacks. It keeps anomally scores for each requests, IP adresses, application sesseions and user accounts. Reuests with with high anomally scores are wither logged or rejected altoghether.
Known weaknesses and vulnerability: applications can be patched externally using mod_security as the front end without touching the application source code, this utimately makes your application that much more security.
Positive security model: only requests that are known to be valid are accepted, everything else is rejected.

Deploying Mod Security

Mod Security can be deployed either embedded within apache or deployed on the network within apache in front of all web based applications acting as a web filtering proxy, this has the added benefit of protecting non apache based web servers as well.

Mod Security works on a wide range of operating systems.

FreeBSD
OpenBSD
NetBSD
Linus
Solaris
AIX
HP-UX
Mac OS
Windows

Mod Security Configuration

Mod Security whether embedded or deployed on the network relies on a configuration file. This configuration file can de lengthy and needs to be reviewed before deploying. Mod Security configuration manual can be reviewed from this link.

The following configuration file can be used as a starting point for deploying this open source tool


						
						

						#Enable Mod_security

						SecFilterEngine On



						#Logging

						SecAuditEngine RelevantOnly

						SecAuditLog /var/log/audit_log

						# Logging

						SecFilterDefaultAction "deny,log,status:404"



						#Disable executing Unix commands

						SecFilterSelective ARGS "bin/"



						#Guard against Cross site scripting attacks

						SecFilter "
						SecFilter "<.+>"



						#Guard against directory traversal

						SecFilter "\.\./"



						#Chunked encoding

						SecFilterCheckUnicodeEncoding On

						SecFilterSelective HTTP_Transfer-Encoding "!^$"



						#URL validation

						SecFilterCheckURLEncoding On

						SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"



						#Post Scanning

						SecFilterScanPOST Off

						SecFilterSelective HTTP_Content-Type \

						"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"



						# Reject requests with status 403

						SecFilterDefaultAction "deny,log,status:403"

						# By default log and deny suspicious requests

						# with HTTP status 500

						SecFilterDefaultAction "deny,log,status:500"



						#Deny wget worm scripts

						SecFilter cd\x20/tmp

						SecFilter wget\x20



						#Block Sanity Worm

						SecFilterSelective ARG_highlight %27

Mod Evasive

Webmasters have not had the opportunity to stop denial of service attacks on their webserver, blindly beleiving that the network firewall is offering this protection. Most perimeter firewalls don't protect against attacks of requesting one or more pages in rapid succession eventually overloading and bringing the server to it knees (DOS). Mod Evasive and it's old version mod_dosevasive offers real time denial of service protection.

Mod Evasive is configured from a config file once the module is loaded into apache and it's configuration file.

The following configuration file can be used as a starting point.


						<IfModule mod_dosevasive20.c>

						DOSHashTableSize    3097

						DOSPageCount        2

						DOSSiteCount        10

						DOSPageInterval     1

						DOSSiteInterval     1

						DOSBlockingPeriod   60

						DOSLogDir           "/var/lock/mod_dosevasive"

					</IfModule>

If you are running apache 2.x the code above can be placed within a file located within your apache config located within the "Includes" directory

As attacks are blocked you can observe what IP'tried to attack your server, heres an example of the log directory


					ls -la /var/lock/mod_dosevasive/ 

					total 54

					drwxrwxrwx  2 root  wheel  1024 Feb  7 10:20 .

					drwxr-xr-x  3 root  wheel   512 Jan 24 17:40 ..

					-rw-r--r--  1 www   wheel     6 Jan 24 17:42 dos-127.0.0.1

					-rw-r--r--  1 www   wheel     6 Jan 30 15:43 dos-150.135.118.217

					-rw-r--r--  1 www   wheel     6 Feb  7 10:20 dos-192.109.190.88

					-rw-r--r--  1 www   wheel     6 Jan 31 15:24 dos-192.160.124.68

					-rw-r--r--  1 www   wheel     6 Jan 31 16:10 dos-204.146.182.254

					-rw-r--r--  1 www   wheel     6 Jan 31 13:57 dos-206.47.99.133

					-rw-r--r--  1 www   wheel     6 Jan 29 11:40 dos-208.76.74.85

					-rw-r--r--  1 www   wheel     6 Feb  7 05:46 dos-212.244.47.130

					-rw-r--r--  1 www   wheel     6 Jan 30 02:43 dos-213.178.125.41

					-rw-r--r--  1 www   wheel     6 Feb  3 00:51 dos-220.225.82.98

					-rw-r--r--  1 www   wheel     6 Feb  4 04:47 dos-34.253.3.200

					-rw-r--r--  1 www   wheel     6 Jan 25 13:39 dos-63.83.48.10

					-rw-r--r--  1 www   wheel     6 Jan 27 01:19 dos-65.248.100.253

					-rw-r--r--  1 www   wheel     6 Feb  3 14:19 dos-66.30.220.78

					-rw-r--r--  1 www   wheel     6 Jan 29 00:47 dos-66.74.238.233

					-rw-r--r--  1 www   wheel     6 Feb  3 00:28 dos-67.86.26.192

					-rw-r--r--  1 www   wheel     6 Feb  2 16:30 dos-68.105.138.243

					-rw-r--r--  1 www   wheel     6 Feb  3 14:23 dos-69.248.124.178

					-rw-r--r--  1 www   wheel     6 Feb  3 01:38 dos-72.66.25.137

					-rw-r--r--  1 www   wheel     6 Jan 25 18:11 dos-76.160.35.118

					-rw-r--r--  1 www   wheel     6 Jan 24 19:18 dos-81.157.178.67

					-rw-r--r--  1 www   wheel     6 Feb  3 10:43 dos-82.170.63.11

					-rw-r--r--  1 www   wheel     6 Jan 28 12:59 dos-83.40.97.96

					-rw-r--r--  1 www   wheel     6 Feb  4 22:57 dos-99.243.238.139