ModSecurity and Logging
A presentation at DevOpsDays Poznan in in Poznań, Poland by Philipp Krenn
ModSecurity and Logging Philipp Krenn @xeraa @xeraa
Let’s talk about security… @xeraa
@xeraa
@xeraa
A1:2017-Injection https://www.owasp.org/index.php/ Top_10-2017_Top_10 @xeraa
Hello World of SQL Injection $sql = “SELECT * FROM employees WHERE id = ” . trim($_GET[“id”]); error_log(“SQL query [read.php]: ” . $sql . “\n”, 3, “/var/log/app.log”); mysqli_multi_query($link, $sql); if($result = mysqli_use_result($link)){ $row = mysqli_fetch_array($result, MYSQLI_ASSOC); @xeraa
sqlmap —url “https://test.com/bad.php?id=1” @xeraa
@xeraa
Open source Cross-platform web application firewall (WAF) Visibility into HTTP(S) traffic Rules to implement protections @xeraa
Custom Rule SecRule REQUEST_FILENAME “form.php” “id:’400001’,chain,deny,log,msg:’Spam detected’” SecRule REQUEST_METHOD “POST” chain SecRule REQUEST_BODY “@rx (?i:(pills|insurance|rolex))” @xeraa
A10:2017-Insufficient Logging & Monitoring https://www.owasp.org/index.php/ Top_10-2017_Top_10 @xeraa
Log to JSON SecAuditLogFormat JSON https://www.cryptobells.com/mod_security-json-audit-logs-revisited/ @xeraa
@xeraa
Examples https://github.com/xeraa/mod_security-log @xeraa
ModSecurity Logging @xeraa
This talk combines two of the OWASP top ten security risks: Injections (A1:2017) and Insufficient Logging & Monitoring (A10:2017).
Resources
The following resources were mentioned during the presentation or are useful additional information.
-
GitHub Demo Code
Fighting SQL injections and insufficient logging.
Buzz and feedback
Here’s what was said about this presentation on social media.
