[AusNOG] Protecting Web Hosting environments - was Re: DDOS mitigation
Tim March
march.tim at gmail.com
Mon May 13 17:59:48 EST 2013
Both Citrix and F5 have WAF products you can bolt in front of your
environment if you're running them. The Cisco AIP-SSM does look for a
bunch of HTTP type signatures but it's certainly not complete.
Mod_security is a great piece of software that is infinitely
configurable and has a number of up-to-date ruleset implementations
available. It runs on top of cPanel and can be configured to
autonomously block the source IP of HTTP based attacks (signature
matches) it sees.
The problem with running WAF in a shared environment is the one size
doesn't fit all rule. Where you're configuring a WAF ruleset for a
specific web application (eg. one specific app) you'd generally run it
in detection/alert only for a period to tune the ruleset before turning
on active blocking.
If you've got a known code delivery pipeline and can test application
changes against the ruleset pre-production it's pretty easy to keep it
up to date. Conversely, if you've got any one of a bazillion developers
pushing unknown code to your host you generally find they periodically
trigger rules with valid workflows that you'll have to fix.
Obviously you can get around this somewhat by tuning the ruleset back to
a reasonable baseline that's gonna pick up /obvious/ attack strings like
../../../../, <script> tags or UNION statements in POST data, yadda
yadda yadda. This provides you with a reasonable level of protection
against really brute force type stuff.
WAF is a hugely useful security tool when it's implemented and
administered correctly, which is why it's such a shame that 95% of the
time it's not =)
T.
On 13/05/13 12:34 PM, Peter Tonoli wrote:
>> Rather than scanning for known vulnerabilities, does anyone know if
>> there's anything out there in the network security space which can
>> detect the various exploit / scan attempts to an old WordPress /
>> Joomla / Drupal /etc site, and block them?
>
> Whether or not you consider this 'carrier grade', there's ModSecurity <http://www.modsecurity.org/>, which does what you want either on your reverse proxy, or the web server.
>
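The workflow Tim describes above, namely a baseline ruleset that catches the obvious attack strings, run in detection-only mode over real traffic first and then tuned with per-location exclusions before blocking is switched on, can be modelled in a few lines. The following is an added example written for this thread; it is not ModSecurity, not the Core Rule Set, and not code from anyone on the list. The three regexes, the `DetectionOnly`/`On` mode names, the `/wp-admin/post.php` location and every sample request are constructed for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Baseline signatures for the "obvious attack strings" named in the post.
# Constructed for this example; they are not the ModSecurity Core Rule Set.
BASELINE_RULES = {
    "path-traversal": re.compile(r"(?:\.\./){2,}"),
    "script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "sql-union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE),
}


def match_rules(request, exclusions=None):
    """Return the sorted rule ids that fire on the request's path or body.

    request    -- dict with 'path' and 'body' (raw, possibly URL-encoded)
    exclusions -- {path_prefix: {rule_id, ...}}: rules disabled for a location,
                  the equivalent of a per-location rule exclusion after tuning
    """
    exclusions = exclusions or {}
    disabled = set()
    for prefix, rule_ids in exclusions.items():
        if request["path"].startswith(prefix):
            disabled |= set(rule_ids)
    hits = set()
    for field in ("path", "body"):
        # Decode once so encoded variants (%3Cscript%3E, %2e%2e%2f) are inspected
        value = unquote_plus(request.get(field, ""))
        for rule_id, pattern in BASELINE_RULES.items():
            if rule_id not in disabled and pattern.search(value):
                hits.add(rule_id)
    return sorted(hits)


def process(request, mode="DetectionOnly", exclusions=None, log=None):
    """Return the HTTP status the WAF would give the request.

    mode -- "DetectionOnly": log matches, always pass the request through
            "On":            log matches and block (403) on any hit
    log  -- optional list that receives one entry per matching request
    """
    hits = match_rules(request, exclusions)
    if hits and log is not None:
        log.append({"path": request["path"], "mode": mode, "rules": hits})
    if hits and mode == "On":
        return 403
    return 200


def tuning_report(requests, exclusions=None):
    """Run traffic in DetectionOnly mode and group hits by path, so the admin
    can see which locations trip which rules before blocking is switched on."""
    log = []
    for req in requests:
        process(req, "DetectionOnly", exclusions, log)
    report = {}
    for entry in log:
        report.setdefault(entry["path"], set()).update(entry["rules"])
    return {path: sorted(rules) for path, rules in report.items()}


# Constructed sample traffic: three attack-style requests, one legitimate CMS
# editor workflow that happens to contain a <script> tag, and a benign comment
# whose text contains the word "union" but no SQL.
SAMPLE_REQUESTS = [
    {"path": "/index.php?page=../../../../etc/passwd", "body": ""},
    {"path": "/search", "body": "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"path": "/login", "body": "user=admin%27+UNION+SELECT+1%2C2--&pass=x"},
    {"path": "/wp-admin/post.php",
     "body": "content=%3Cscript+src%3D%22analytics.js%22%3E%3C%2Fscript%3E"},
    {"path": "/about", "body": "comment=The+union+of+two+sets"},
]

# Tuning decision taken from the detection-only report: the CMS editor
# legitimately posts HTML, so the script-tag rule is excluded for that one
# location (hypothetical path) rather than disabled globally.
TUNED_EXCLUSIONS = {"/wp-admin/post.php": {"script-tag"}}

if __name__ == "__main__":
    print("Detection-only report:", tuning_report(SAMPLE_REQUESTS))
    for req in SAMPLE_REQUESTS:
        print(req["path"], "->", process(req, "On", TUNED_EXCLUSIONS))
```

Running it shows the point of the detection-only pass: the editor workflow at `/wp-admin/post.php` fires `script-tag` just like the `/search` probe does, and only the report tells you which of the two is a valid workflow that needs an exclusion. The `sql-union` pattern deliberately requires `union ... select` rather than the bare word, which is the sort of narrowing that keeps a shared-hosting baseline from tripping on ordinary form text.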