Install / Configure mod_security
Security is one of the most important aspects of a web server. After a few days of google'n I have decided to use mod_security.
"ModSecurity is an open source web application firewall (WAF) engine for Apache that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence." - http://www.modsecurity.org/
There are many free packages out there with precompiled rules and such.
- Install mod_security: "yum install mod_security" (if you are on Plesk/CentOS)
- Change into the rules directory: "cd /etc/httpd/conf.d/modsecurity.d/"
- Download HyperOIS.com's rules: "wget http://hyperois.com/files/modsec2_rules.tar.gz"
- Uncompress: "tar -xzvf modsec2_rules.tar.gz"
- "cd /etc/httpd/conf.d/"
- Open/edit mod_security.conf: "vi mod_security.conf"
Layouts differ between OSes and control panels, so replace only the IfModule section of the file with the following block:
<IfModule mod_security2.c>
SecRuleEngine On
# The two SecFilter* directives below are ModSecurity 1.x syntax and are not understood by 2.x;
# the included rule files provide the same URL-encoding and byte-range checks.
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
# Never block the server's own requests. Dots are escaped so the regex matches only 127.0.0.1;
# id:1000 is an arbitrary unused local rule id (ModSecurity 2.7 and later refuse rules without one).
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "id:1000,nolog,allow"
SecServerSignature "Rules Powered By HyperOIS.com"
#First, add in your exclusion rules:
#These MUST come first!
Include /path/to/config/files/exclude.conf
#Application protection rules
Include /path/to/config/files/rules.conf
#Just in Time Patches for Vulnerable Applications
Include /path/to/config/files/jitp.conf
#Comment spam rules
Include /path/to/config/files/blacklist.conf
#Bad hosts, bad proxies and other bad players
Include /path/to/config/files/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
Include /path/to/config/files/useragents.conf
#Known bad software, rootkits and other malware
Include /path/to/config/files/rootkits.conf
#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /path/to/config/files/apache2-rules.conf
</IfModule>
- Replace "/path/to/config/files" with the directory where you unpacked the rule files.
- Save your file: ":wq"
- Let's make sure there are no errors: "cd /etc/init.d/" "./httpd configtest"
- If everything is okay, restart Apache: "./httpd restart"
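As an added example (not code from the original post or from HyperOIS's rule package), the POSIX shell script below renders the IfModule block above with your rule directory filled in, then checks it before Apache is restarted: every Include target must exist, and every line must have balanced double quotes, which catches an unterminated SecDefaultAction action list that is easy to miss by eye. The default paths, the staging-file location and the rule id 1000 are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example, not code from the original post or from HyperOIS's rule package.
# Renders the <IfModule mod_security2.c> block from the guide with the rule
# directory filled in, then runs two static checks before Apache is restarted.
# Assumptions: RULE_DIR is where modsec2_rules.tar.gz was unpacked, the rendered
# block is staged in a separate file, and rule id 1000 is unused locally.

RULE_DIR="${RULE_DIR:-/etc/httpd/conf.d/modsecurity.d}"
STAGE="${STAGE:-/tmp/modsec_ifmodule.conf}"

# Same order as the guide: exclude.conf must be included before everything else.
RULE_FILES="exclude.conf rules.conf jitp.conf blacklist.conf blacklist2.conf useragents.conf rootkits.conf apache2-rules.conf"

# render_config DIR  ->  prints the IfModule block with every Include under DIR
render_config() {
    dir=$1
    printf '<IfModule mod_security2.c>\n'
    printf 'SecRuleEngine On\n'
    printf 'SecAuditEngine RelevantOnly\n'
    printf 'SecAuditLog logs/modsec_audit.log\n'
    printf 'SecDebugLog logs/modsec_debug_log\n'
    printf 'SecDebugLogLevel 0\n'
    printf 'SecDefaultAction "phase:2,deny,log,status:406"\n'
    # Dots escaped so only 127.0.0.1 matches; id:1000 is an assumed local id
    # (ModSecurity 2.7 and later reject rules without an id).
    printf 'SecRule REMOTE_ADDR "^127\\.0\\.0\\.1$" "id:1000,nolog,allow"\n'
    for f in $RULE_FILES; do
        printf 'Include %s/%s\n' "$dir" "$f"
    done
    printf '</IfModule>\n'
}

# check_includes FILE  ->  0 if every "Include <path>" in FILE points at an existing file
check_includes() {
    missing=0
    while read -r key path; do
        [ "$key" = "Include" ] || continue
        if [ ! -f "$path" ]; then
            echo "missing rule file: $path" >&2
            missing=1
        fi
    done < "$1"
    return "$missing"
}

# check_quotes FILE  ->  0 if every line has an even number of double quotes.
# Catches an unterminated action list such as:  SecDefaultAction "phase:2,deny,log,status:406
check_quotes() {
    awk '{ n = gsub(/"/, ""); if (n % 2) { print FILENAME ":" NR ": unbalanced quotes"; bad = 1 } }
         END { exit bad }' "$1"
}

# preflight DIR STAGE  ->  renders DIR into STAGE, runs the checks, then httpd -t if present
preflight() {
    render_config "$1" > "$2" || return 1
    check_includes "$2" || return 1
    check_quotes "$2" || return 1
    if command -v httpd >/dev/null 2>&1; then
        httpd -t || return 1   # same check as "./httpd configtest" in the guide
    fi
    echo "OK: $2 passed; merge it into the IfModule section of mod_security.conf"
}

# Usage: RULE_DIR=/etc/httpd/conf.d/modsecurity.d sh modsec_preflight.sh --preflight
if [ "${1-}" = "--preflight" ]; then
    preflight "$RULE_DIR" "$STAGE"
fi
```

The staged block is written to a separate file on purpose: mod_security.conf also carries the LoadModule line and whatever your distribution added, so review the rendered block and paste it over the IfModule section rather than overwriting the whole file.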
You have just installed and configured mod_security! Congrats!
Hope this helps someone.
Introducing the web developer: Steven Podlecki
I started programming when I was 14 years old. I started in qBasic which was fun. Simple yes/no programs with loops and such. After qBasic, I started to develop software in Visual Basic. VB was a great introduction to programming and allowed me to quickly learn the dynamics of programming. Developing software to make “life a bit easier” when doing repetitive tasks at work.
One of my favorite programs developed was a .CSV creator for eBay's “Turbo Lister.” It would create dynamic eBay Product Descriptions with different information on one template. It really helped out when you had to develop the design then input 50-100 products each with their own file… after doing the different designs, you would have to make a list of titles… not fun when the lists were a couple thousand items. Normally it would take about 2-4 full business days to complete this task. After the program was designed and working, this task turned into about 1-2 hours total. Not too shabby if you ask me.
While I was happy with VB, I wanted to touch base into PHP. Why PHP? It is open source, extremely dynamic, ever changing, and very powerful. My PHP career started out with just having some fun with different pre-made systems such as osCommerce.
I am a fully self-taught web developer. I started in PHP and XHTML (non-tabless)… after a couple of years of getting comfortable with PHP, I learned CSS very quickly. The cross-browser tricks are probably the most fun I've had on the development side. CSS was very easy to learn in my opinion. As of late, I have been having fun with jQuery animations and AJAX. jQuery seems to be very powerful and very well supported cross-browser.
My Tools:
Dreamweaver MX, Flash MX, Adobe Suite CS3, Notepad, putty, Linux, Apache, mod_*, MySQL, oh… and google!
My Expert Knowledge:
PHP, CSS, CSS3, XHTML, Cross-Browser Compatibility, Server maintenance, Online Marketing Solutions, MySQL DB Design/Raw Queries, Windows (ya ya, I know… FAILGA!), jQuery, Free Search Engine Optimization
Stuff I have been google'n on:
jQuery, HTML 5, WordPress, PHP5 OOP