ModSecurity: Web Server Defences

Date:  1st February, 2005


I can't believe I've been ignorant of this module until today.

ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as an Apache web-server module, it aims to increase web application security by protecting those applications from both known and unknown attacks.

It's particularly useful to webloggers...

I first learnt of ModSecurity via a link from 456 Berea Street to Johan Svensson's "An introduction to mod_security." As Johan points out, ModSecurity has very definite advantages over mod_rewrite in the context of preventing comment and referrer spam. mod_rewrite can prevent referrer spam quite easily, since the Referer header is visible to it, but it's almost useless when it comes to comment spam, because the spam arrives in the request body. ModSecurity wins here because it has a unique capability: it can scan POST data!

That's worth writing again: ModSecurity can scan POST data. POST data is that which is received from web forms when users click "submit". It is that same data which contains links to websites touting Viagra, "Texas Hold'em Poker", penis enlargement and "get rich quick" schemes. So the ability to scan that data is an empowering one for the beleaguered webmaster. I suggest you read Svensson's essay right now to appreciate the utility of ModSecurity.

Website spam is extremely annoying, we all know that. Website/web-server hacking is far worse. One can delete spam comments quite easily, but recovering from a defaced website or a deliberately corrupted database is a lot more complicated. Far better to prevent an attack than to have to recover from one. It's here where ModSecurity really shines.

The module is able to defend against:

  • Command execution attacks
  • Directory Traversal Attacks
  • XSS Attacks
  • SQL injection attacks (including MS SQL-specific ones)
  • FormMail Attacks
  • Information Leak

Note, the above isn't an exhaustive list. ModSecurity's flexibility is derived from its built-in regular expression parser - a parser that can be used to describe almost any conceivable attack scenario.
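To make the two points above concrete - scanning POST data for comment and referrer spam, and regular-expression rules for the attack classes in the list - here is an added Apache configuration fragment. It is my own illustration, not taken from this post or from Svensson's essay, and it assumes the ModSecurity 1.x directive names (SecFilter, SecFilterSelective, SecFilterScanPOST) that were current when this was written; the spam terms, the example.com domain and the "recipient" form field name are invented for the example.

```apache
# Added example: ModSecurity 1.x directives, placed in httpd.conf or a <VirtualHost>.
<IfModule mod_security.c>
    SecFilterEngine On

    # The essential switch for comment spam: without it the engine inspects
    # only the request line and headers, which is all mod_rewrite can see too.
    SecFilterScanPOST On

    # Refuse requests that hide a payload behind malformed encodings.
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off
    SecFilterForceByteRange 32 126

    # Action taken by any rule that does not specify its own.
    SecFilterDefaultAction "deny,log,status:403"

    # Record only requests that triggered a rule, so false positives can be reviewed.
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit_log

    # --- Comment spam: pattern applied to the POST body (terms are assumed) ---
    SecFilterSelective POST_PAYLOAD "(viagra|texas[[:space:]]*hold'?em|enlargement)" "deny,log,status:403,msg:'comment spam'"

    # --- Referrer spam: pattern applied to the Referer header (terms are assumed) ---
    SecFilterSelective HTTP_REFERER "(casino|poker)" "deny,log,status:403,msg:'referrer spam'"

    # --- Directory traversal: "../" anywhere in the request ---
    SecFilter "\.\./"

    # --- Cross-site scripting: an opening script tag in any input ---
    SecFilter "<[[:space:]]*script"

    # --- SQL injection in query string or form arguments (generic, then MS SQL specific) ---
    SecFilterSelective ARGS "(union[[:space:]]+select|delete[[:space:]]+from|drop[[:space:]]+table)"
    SecFilterSelective ARGS "xp_cmdshell"

    # --- Command execution: shell metacharacter followed by a common binary ---
    SecFilterSelective ARGS "(;|\|)[[:space:]]*(cat|wget|curl|nc)[[:space:]]"

    # --- FormMail abuse: a recipient outside the site's own domain (field name assumed).
    #     The leading "!" negates the pattern, so anything NOT matching is blocked.
    SecFilterSelective ARG_recipient "!@example\.com$"
</IfModule>
```

Two practical caveats. The spam and injection patterns are deliberately simple word lists, and on a real site they will catch legitimate posts (a medical weblog discussing Viagra, a comment quoting SQL), so the audit log should be watched and each pattern tuned before a deny action is trusted; start with "log,pass" in SecFilterDefaultAction if you want to observe first. And this is the 1.x syntax: ModSecurity 2.0 and later replaced the SecFilter family with the SecRule directive, so the rules above need rewriting on a current install.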

Of course, ModSecurity should never be used to excuse vulnerable application code, but it's a useful weapon for the webmaster's arsenal and one that I shall certainly be investigating further.
