Last week a user of Vuurmuur let me know he had another security audit at his work, and Vuurmuur passed without any remarks whatsoever. The auditors even said that this was quite unusual.
The user works at a Dutch company involved in stock trading, and they are required to have the same level of security as their parent company, which is a bank. After the last time they had an audit, I added the audit log feature to Vuurmuur, and it seems that has pleased them, because unlike last time, they didn't even complain about Vuurmuur's beta status 😉
Now, I don't know any specifics about the audit, so take it for what it's worth. I still think it is cool to see Vuurmuur pass the security checks of financial institutions though!
Note to self: never assume something works, instead, test it.
Yesterday there was some discussion in the #snort channel over whether or not passing multiple interfaces to Snort works. As a reminder, some time ago I noted that passing two interfaces to Snort like this: 'snort -i eth0:eth1' worked just fine. However, common mentioned on IRC that he could not imagine it working. Determined to prove him wrong, I decided to run a few tests. On my gateway, I ran 'snort -v -i eth0:eth1 ip proto 1'. This should print all ICMP packets to the screen for both interfaces. The first clue that something wasn't right was this message:
OpenPcap() device eth0:eth1 network lookup:
eth0:eth1: no IPv4 address assigned
Anyhow, I continued and pinged the gateway from the eth0 network. Worked fine. Then from the eth1 network. No dice. Damn. So I switched the interfaces around like this: 'snort -v -i eth1:eth0 ip proto 1'. Guess what? Now eth1 worked and eth0 didn't.
This was about the time I also remembered that in Sguil I had a few cases where I didn't get any data in a transcript, although it should have been there. Because I am very busy, I had not yet investigated it.
On #snort a few more people said that it didn't work for them, but for Joel Esler it still does. Weird. Anyhow, I am now back to running sancp and the full content logger on the 'any' pseudo-interface, both with a BPF filter that excludes local loopback from being recorded. That looks like this: 'snort -v -i any not host 127.0.0.1'.
What remains is the NAT issue, but I have decided that I also want the full content logging on the WAN side, so I think there is no solution for the double recording of NATted connections.
Another nice feature of ModSecurity is rule-based redirection. Let's say I want to block visitors of my website from opening the WordPress login page, /blog/wp-login.php. I could of course just deny access to it, so the visitor gets a 403 error. This works fine, but sometimes you want a more user-friendly message, for example: 'Due to maintenance, logins are currently disabled'.
To do this I first created a very simple HTML file called nologin.html and placed it in the webroot of the server. Then I added the following rules to ModSecurity:
# block wp-login.php
SecFilterSelective REMOTE_ADDR "!192.168.1.2" chain
SecFilterSelective REQUEST_URI "/wp-login.php" log,deny,redirect:http://www.inliniac.net/nologin.html
These rules first check that the client IP address is not 192.168.1.2, then look for /wp-login.php in the request URI. If both match, the request is logged and blocked, and the server answers with a 302 redirect to nologin.html, which the browser then opens. Because the request is blocked at the proxy, the web server behind the reverse proxy never sees it. Two things to keep in mind: the pattern is a regular expression that matches anywhere in the URI, so any path ending in wp-login.php is caught, and the redirect target must not itself match the rule, or the client would loop.
Ok, that's a bit misleading, because I'm not just hiding, but also blocking and logging. What I wanted is this: I'm running awstats on my reverse proxy, but I don't want anyone to know. So I just made the entire 'cgi-bin' part forbidden for everyone, which covers the script. The fact that my web server has a cgi-bin directory is nothing special and won't tell you I'm using awstats. However, awstats also uses icons, and these are by default in /awstats-icon/
Now, I could have restricted that as well, but that would still reveal that it exists! ModSecurity to the rescue. I want access to awstats only from my workstation, so I added these rules:
SecFilterSelective REMOTE_ADDR "!192.168.1.2" chain
SecFilterSelective REQUEST_URI "/awstats-icon/" log,deny,status:404
These say: if the visitor's IP address is not 192.168.1.2 and the request contains /awstats-icon/, log it, block it, and send back a 404 error. This makes the visitor think the directory doesn't exist on the server. Note that the forbidden /cgi-bin/ still answers with a 403, which at least confirms that the directory exists; answering 404 there as well would make the two responses consistent.
I’m not sure how easy this can be extended to giving an entire subnet access though, maybe i’ll investigate this later.
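As an added example (not from the original post, and not the syntax the post uses), here are the same two rule pairs in the ModSecurity 2.x syntax that replaced SecFilterSelective. The 2.x @ipMatch operator accepts a comma-separated list of addresses and CIDR blocks, which is the straightforward way to give a whole subnet access. The 192.168.1.0/24 range, the rule ids and the message texts are assumptions.

```apache
# Added example: ModSecurity 2.x equivalents of the two SecFilterSelective chains.
# Assumed: the management network is 192.168.1.0/24, rule ids 1001 and 1002 are
# free, and nologin.html is served by the proxy itself, so it never matches rule 1001.
SecRuleEngine On

# Rule-based redirection: clients outside the management network that ask for
# wp-login.php are logged and answered with a 302 to the maintenance page.
# phase:1 decides on the request headers, before mod_proxy forwards anything to
# the backend. In 2.x the disruptive action (redirect) goes on the first rule of
# the chain; the chain only fires when every rule in it matches.
SecRule REQUEST_URI "@contains /wp-login.php" "id:1001,phase:1,log,redirect:http://www.inliniac.net/nologin.html,status:302,msg:'wp-login.php blocked during maintenance',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

# Hiding: the awstats icon directory answers 404 to everyone outside the
# allowed addresses, so it looks as if it does not exist. A single host and a
# whole subnet can be listed together; no regex over REMOTE_ADDR is needed.
SecRule REQUEST_URI "@contains /awstats-icon/" "id:1002,phase:1,log,deny,status:404,msg:'awstats icons hidden',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.2,192.168.1.0/24"
```

Both chains are negated on the client address, so a request from inside the subnet simply falls through to the next rule; everything else is decided before the backend is contacted, which is the same property the 1.x rules in the post have.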
A few weeks ago I wrote that I wanted to investigate setting up a reverse web proxy with mod_security. I have now finally found a little time to do so. What surprised me is how easy it actually is!
# Note: the directives that were inside angle brackets (<IfModule>, <Proxy>, <Location>) and the ProxyRequests, ProxyVia and ProxyErrorOverride lines were lost when this post was extracted; they are restored here from the comments, using the Debian apache2 proxy.conf defaults.
<IfModule mod_proxy.c>
    #turning ProxyRequests on and allowing proxying from all may allow
    #spammers to use your proxy to send email.
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
        #Allow from .your_domain.com
    </Proxy>
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    ProxyVia On
    # use to disable proxy for a specific subdir
    # ProxyPass /blog/wp-admin !
    ProxyPass /blog http://internalserver/blog
    ProxyPassReverse /blog http://internalserver/blog
    # use to disable access to a specific subdir
    <Location /blog/wp-admin>
        Order deny,allow
        Deny from all
        Allow from 192.168.1.2
    </Location>
    # use to force errors by the internal host to look like they are coming from the proxy host.
    # disabled because it causes problems with WordPress.
    # ProxyErrorOverride On
</IfModule>
This is the entire config for the proxy part. Next, enable mod_security. As far as I can see there is nothing special about ModSecurity and reverse proxies, so just enable it like you would on a web server.
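For completeness, an added example of what "just enable it" looks like in a ModSecurity 2.x setup in front of the proxy (this is not the post's own configuration). The hostnames, log paths and the name of the included rules file are assumptions; the ProxyPass lines mirror the config above.

```apache
# Added example: reverse-proxy virtual host with ModSecurity 2.x inspecting
# traffic before mod_proxy forwards it. Names and paths are assumptions.
<VirtualHost *:80>
    ServerName www.inliniac.net
    DocumentRoot /var/www              # serves nologin.html from the proxy itself

    ProxyRequests Off                  # reverse proxy only, never an open forward proxy
    ProxyPreserveHost On               # backend sees the public Host: header
    ProxyPass        /blog http://internalserver/blog
    ProxyPassReverse /blog http://internalserver/blog

    <IfModule security2_module>
        SecRuleEngine On
        # Phase 1/2 rules run before the request is forwarded; without body
        # access, POSTed login attempts would pass through uninspected.
        SecRequestBodyAccess On
        # Phase 3/4 rules see the backend's reply before it reaches the client.
        SecResponseBodyAccess On
        SecResponseBodyMimeType text/html text/plain
        SecAuditEngine RelevantOnly    # audit log entries only for requests a rule matched
        SecAuditLog /var/log/apache2/modsec_audit.log
        Include /etc/apache2/modsecurity/proxy-rules.conf   # assumed: the SecRule file
    </IfModule>
</VirtualHost>
```

The point of SecRequestBodyAccess here is that a reverse proxy otherwise relays POST bodies untouched, so rules about login attempts would only ever see headers.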
Some useful links for setting up reverse proxies using Apache:
Thats all for now!