July 03, 2005

ModSecurity

I'd been meaning to look into mod_security for use on my weblog, and a post by Mir a couple of weeks back finally got me going. I still need to look into how it'll work as a front end to web services, which sounds like a really useful idea, but on the weblog side it's worked out quite well.

Getting it up and running (even on the cranky old system I'm using) wasn't a big deal. Mostly it was just knowing how to use apxs (and I've been down that road often enough) and a small fix for an old compiler and system. Once I had it working without croaking on 'apachectl configtest', it was time to figure out how to use it more effectively.

I wound up using Peter Wood's Perl module blacklist_to_modsec to create an initial blacklist from the materials I already had at my disposal. The result mostly worked, but I had some more work to do. Extra cruft (whitespace) needed to be trimmed and blank lines eliminated (apparently newer versions of MTBL do a better job in that area). After making those changes, it worked.

Almost. None of my regular expressions worked. Hmm, there's a function for fixing up regex data, but it doesn't seem to be called (do I need it? it appears to do some interesting things). I hooked that up and it fixed the issues I'd seen.

So what's the difference? Mostly, it was a matter of replacing searches for "\w" (the 'word characters' I believe they are called) with the POSIX equivalent "[:alnum:]". According to Peter, Apache 1.x uses a POSIX-style regex engine internally. It would probably have been just as effective to replace it with [A-Za-z0-9] but that would have likely sacrificed some performance. Having no idea how the Apache regex actually works, I think I'll just leave things alone for now.
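As an added illustration (my own stand-in, not Peter Wood's module or anything from the original post), here is a small Python converter that does the three things described above: trims the whitespace cruft, drops blank lines, and rewrites Perl-style \w for a POSIX-style regex engine. One caveat worth building in: a class name such as [:alnum:] is only valid inside a bracket expression, and \w also matches underscore, so the exact equivalent is [[:alnum:]_]. The sample blacklist is constructed, and the mod_security 1.x SecFilter directive form is assumed.

```python
import re

# Constructed sample blacklist: one Perl-style regex per line, with the
# stray whitespace and blank lines the post describes. Placeholder patterns,
# not anyone's real blocklist.
SAMPLE_BLACKLIST = r"""
  casino-\w+\.example   
poker\w*\.example

   (cheap|free)-\w+
"""

# Exact POSIX bracket-expression equivalents of Perl's \w and \W.
POSIX_CLASSES = {
    "w": "[[:alnum:]_]",
    "W": "[^[:alnum:]_]",
}


def perl_to_posix(pattern):
    """Rewrite \\w / \\W for Apache 1.x's POSIX-style regex engine.

    Walks the pattern one backslash escape at a time so that an escaped
    backslash followed by a literal 'w' (\\\\w) is left untouched, and every
    other escape (\\., \\d, ...) passes through unchanged.
    """
    def convert(match):
        escaped = match.group(1)
        return POSIX_CLASSES.get(escaped, match.group(0))

    return re.sub(r"\\(.)", convert, pattern)


def blacklist_to_rules(text):
    """Turn a raw blacklist into a list of mod_security 1.x SecFilter lines.

    Leading/trailing whitespace is stripped, blank lines are skipped, and
    each surviving pattern is converted with perl_to_posix(). Double quotes
    inside a pattern are escaped so the Apache config parser keeps them.
    """
    rules = []
    for raw in text.splitlines():
        pattern = raw.strip()
        if not pattern:
            continue
        pattern = perl_to_posix(pattern).replace('"', r'\"')
        rules.append('SecFilter "%s"' % pattern)
    return rules


if __name__ == "__main__":
    print("\n".join(blacklist_to_rules(SAMPLE_BLACKLIST)))
```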

The end result has been quite satisfactory. I've turned off my 'after the fact' trackback cleanup script and have gone back to the default trackback implementation. I've also seen a bunch of really weird stuff get blocked in mod_security rather than falling through to Apache (today's example: an attempt to exploit an old fp30reg.dll weakness). By moving the blacklist concept up the stack, MTBL doesn't even play a part in the normal operation of this site. It's now used only as a mechanism to address new problems and scan for (and delete) the comments and pings which leak through (which seems appropriate).

Posted by Dave at July 3, 2005 07:53 PM
Trackback URL: http://homie.dijas.com/mt/mt-tb.cgi/498