logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Requesting ModSecurity 2.9.0

 
Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules



View previous topic :: View next topic  
Author Message
marineserver



Joined: 02 Feb 2014
Posts: 5
Location: indian,tamilnadu

PostPosted: Tue 05 May '15 11:57    Post subject: Requesting ModSecurity 2.9.0 Reply with quote

Hai module makers please can any one build the latest mod security 2.9.0 for apache 2.2 & 2.4 Embarassed
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2747
Location: Hilversum, NL, EU

PostPosted: Fri 08 May '15 9:47    Post subject: Reply with quote

We and AH skip 2.9.0, no critical changes over 2.8.0.

Or you may have a reason to want it ?
Back to top
coronad0



Joined: 12 May 2015
Posts: 3
Location: CO

PostPosted: Tue 12 May '15 17:47    Post subject: Reply with quote

Biggest change was @ipMatchFromFile added capability to pull white/black lists via https. Would be huge.

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ipMatchFromFile
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2747
Location: Hilversum, NL, EU

PostPosted: Tue 12 May '15 19:29    Post subject: Reply with quote

That is the area we (Gregg and me) had quite some discussions with the mod_securuty team. All about the new SecRemoteRules, this is an optional directive that allow the user to load rules from a remote server

It introduces extra dependencies Curl and Crypto. And first they used Openssl that was not running with all Apache builds. OpenSSL dependency is now removed on MS Windows builds, ModSecurity is now using the Windows certificate storage. Proposed them to use the Apache-https , but they are not willing.

There are still some quirks in this area and is not yet proven. E.g in the next build they fix an invalid storage reference by apr_psprintf.

So better to wait for 2.9.1.

How urgent do you need this ?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2198
Location: Sun Diego, USA

PostPosted: Wed 13 May '15 1:40    Post subject: Reply with quote

My opinion and that is all it is, an opinion, is that on the surface this sounds great. When you think it through a little, not so much.

1. These will only fire off during the init stage of the module, I was shown nothing different during our discussions nor I do I see any setting to tell me otherwise. How often do you start/restart your Apache? [A]

2. What happens if the server your grabbing the rules/ip list from is not responding at the time? For SecRemoteRules there is SecRemoteRulesFailAction where it can be Aborted or Warn where it shows in Apache's error log. Either way, you end up without the rules/ips and are therefor unprotected. A local copy of rules and/or ip list would never have this problem. [B]

3. How long does it wait for a response? There is no setting for this so it will default to Curl's timeout value (30 seconds as far as I can tell). In theory, it could take minutes for your server to start/restart on a bad day.

4. There is the time it takes to negotiate a HTTPS connection you must think about. The more servers you are connecting to the longer this will take.


At least we got them to allow us to use WinSSL vs. OpenSSL so we get use of the regularly updated Windows Certificate Store instead of Curl's rarely updated, which was quite lame at the time and may still be. We also do not have to worry about matching OpenSSL versions to what Apache may be using.

[A] If you require SSL Session Tickets and expect Perfect Forward Secrecy this should be at least every 24 hours.

[B] You could easily scheduled a batch to file to run, download & check the necessary rules/IP lists before start/restarting Apache. This would move any problems associated with #2, 3 & 4 before start/restarting Apache so it would not affect Apache during start/restart.
Back to top
coronad0



Joined: 12 May 2015
Posts: 3
Location: CO

PostPosted: Fri 22 May '15 17:38    Post subject: Reply with quote

Thanks for the insight and I have a better understanding of this now. There isn't a high priority need for this from my viewpoint, but at least a "nice to have". As it is, I have around 12 remote servers who are NOT allowed to see each other, touch shares, interact in anyway outside of port 443 (and that is the ONLY port they get to talk in/out on); so being able to have a single list & location of say, black listed IPs, would be fantastic to cut down on the manual file updating and copy/pasting I currently do.

The batch file idea is a great one to semi-automate this process. Thanks for that.
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules
Page 1 of 1