Apache :: Requesting ModSecurity 2.9.0

marineserver · Joined: 02 Feb 2014 Posts: 5 Location: indian,tamilnadu

Hai module makers please can any one build the latest mod security 2.9.0 for apache 2.2 & 2.4 Embarassed

Steffen

We and AH skip 2.9.0, no critical changes over 2.8.0.

Or you may have a reason to want it ?

coronad0 · Joined: 12 May 2015 Posts: 3 Location: CO

Biggest change was @ipMatchFromFile added capability to pull white/black lists via https. Would be huge.

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ipMatchFromFile

Steffen

That is the area we (Gregg and me) had quite some discussions with the mod_securuty team. All about the new SecRemoteRules, this is an optional directive that allow the user to load rules from a remote server

It introduces extra dependencies Curl and Crypto. And first they used Openssl that was not running with all Apache builds. OpenSSL dependency is now removed on MS Windows builds, ModSecurity is now using the Windows certificate storage. Proposed them to use the Apache-https , but they are not willing.

There are still some quirks in this area and is not yet proven. E.g in the next build they fix an invalid storage reference by apr_psprintf.

So better to wait for 2.9.1.

How urgent do you need this ?

glsmith

My opinion and that is all it is, an opinion, is that on the surface this sounds great. When you think it through a little, not so much.

1. These will only fire off during the init stage of the module, I was shown nothing different during our discussions nor I do I see any setting to tell me otherwise. How often do you start/restart your Apache? [A]

2. What happens if the server your grabbing the rules/ip list from is not responding at the time? For SecRemoteRules there is SecRemoteRulesFailAction where it can be Aborted or Warn where it shows in Apache's error log. Either way, you end up without the rules/ips and are therefor unprotected. A local copy of rules and/or ip list would never have this problem. [B]

3. How long does it wait for a response? There is no setting for this so it will default to Curl's timeout value (30 seconds as far as I can tell). In theory, it could take minutes for your server to start/restart on a bad day.

4. There is the time it takes to negotiate a HTTPS connection you must think about. The more servers you are connecting to the longer this will take.

At least we got them to allow us to use WinSSL vs. OpenSSL so we get use of the regularly updated Windows Certificate Store instead of Curl's rarely updated, which was quite lame at the time and may still be. We also do not have to worry about matching OpenSSL versions to what Apache may be using.

[A] If you require SSL Session Tickets and expect Perfect Forward Secrecy this should be at least every 24 hours.

[B] You could easily scheduled a batch to file to run, download & check the necessary rules/IP lists before start/restarting Apache. This would move any problems associated with #2, 3 & 4 before start/restarting Apache so it would not affect Apache during start/restart.

coronad0 · Joined: 12 May 2015 Posts: 3 Location: CO

Thanks for the insight and I have a better understanding of this now. There isn't a high priority need for this from my viewpoint, but at least a "nice to have". As it is, I have around 12 remote servers who are NOT allowed to see each other, touch shares, interact in anyway outside of port 443 (and that is the ONLY port they get to talk in/out on); so being able to have a single list & location of say, black listed IPs, would be fantastic to cut down on the manual file updating and copy/pasting I currently do.

The batch file idea is a great one to semi-automate this process. Thanks for that.