Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Requesting ModSecurity 2.9.0 |
|
Author |
|
marineserver
Joined: 02 Feb 2014 Posts: 5 Location: indian,tamilnadu
|
Posted: Tue 05 May '15 11:57 Post subject: Requesting ModSecurity 2.9.0 |
|
|
Hai module makers please can any one build the latest mod security 2.9.0 for apache 2.2 & 2.4 |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Fri 08 May '15 9:47 Post subject: |
|
|
We and AH skip 2.9.0, no critical changes over 2.8.0.
Or you may have a reason to want it ? |
|
Back to top |
|
coronad0
Joined: 12 May 2015 Posts: 3 Location: CO
|
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Tue 12 May '15 19:29 Post subject: |
|
|
That is the area we (Gregg and me) had quite some discussions with the mod_securuty team. All about the new SecRemoteRules, this is an optional directive that allow the user to load rules from a remote server
It introduces extra dependencies Curl and Crypto. And first they used Openssl that was not running with all Apache builds. OpenSSL dependency is now removed on MS Windows builds, ModSecurity is now using the Windows certificate storage. Proposed them to use the Apache-https , but they are not willing.
There are still some quirks in this area and is not yet proven. E.g in the next build they fix an invalid storage reference by apr_psprintf.
So better to wait for 2.9.1.
How urgent do you need this ? |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Wed 13 May '15 1:40 Post subject: |
|
|
My opinion and that is all it is, an opinion, is that on the surface this sounds great. When you think it through a little, not so much.
1. These will only fire off during the init stage of the module, I was shown nothing different during our discussions nor I do I see any setting to tell me otherwise. How often do you start/restart your Apache? [A]
2. What happens if the server your grabbing the rules/ip list from is not responding at the time? For SecRemoteRules there is SecRemoteRulesFailAction where it can be Aborted or Warn where it shows in Apache's error log. Either way, you end up without the rules/ips and are therefor unprotected. A local copy of rules and/or ip list would never have this problem. [B]
3. How long does it wait for a response? There is no setting for this so it will default to Curl's timeout value (30 seconds as far as I can tell). In theory, it could take minutes for your server to start/restart on a bad day.
4. There is the time it takes to negotiate a HTTPS connection you must think about. The more servers you are connecting to the longer this will take.
At least we got them to allow us to use WinSSL vs. OpenSSL so we get use of the regularly updated Windows Certificate Store instead of Curl's rarely updated, which was quite lame at the time and may still be. We also do not have to worry about matching OpenSSL versions to what Apache may be using.
[A] If you require SSL Session Tickets and expect Perfect Forward Secrecy this should be at least every 24 hours.
[B] You could easily scheduled a batch to file to run, download & check the necessary rules/IP lists before start/restarting Apache. This would move any problems associated with #2, 3 & 4 before start/restarting Apache so it would not affect Apache during start/restart. |
|
Back to top |
|
coronad0
Joined: 12 May 2015 Posts: 3 Location: CO
|
Posted: Fri 22 May '15 17:38 Post subject: |
|
|
Thanks for the insight and I have a better understanding of this now. There isn't a high priority need for this from my viewpoint, but at least a "nice to have". As it is, I have around 12 remote servers who are NOT allowed to see each other, touch shares, interact in anyway outside of port 443 (and that is the ONLY port they get to talk in/out on); so being able to have a single list & location of say, black listed IPs, would be fantastic to cut down on the manual file updating and copy/pasting I currently do.
The batch file idea is a great one to semi-automate this process. Thanks for that. |
|
Back to top |
|
|
|
|
|
|