Opensvp is a security tool implementing attacks to be able to the resistance of firewall to protocol level attack. It implements classic attacks as well as some new kind of attacks against application layer gateway (called helper in the Netfilter world).

Download and more there.

I found a lot of interest reading it as I was already using ModSecurity – and I think anyone exposing an Apache web server should.
I was actually using it partially. It is not trivial to secure a web application, and the rule engine of ModSecurity is very powerful but it is also quite complex.

So this book was a good opportunity for me to dig into it further.

The book covers all topics : from the set-up to a real use-case.
The author explains how to write rules, how to deal with the performance impact, logging and gives us a range of various core rules to implement to get a good security basis.

The difficulty goes up progressively and the author doesn’t forget the beginners.
The set-up of the module is precisely described. All requirements are also explained and there are some good recalls about regular expressions, common attacks on systems, server and client sides, and other stuff like that.

After reading the book, I could harden my rules, reorganize and optimize them for better performance – something I hadn’t cared about before.

So I have nothing else to say but to recommend this book.
It is definitely a great handbook about ModSecurity that’s worth having next to you. The variety of configuration patterns makes it a reference.

Check it there. I also appreciated the availability of PDF version, so that I can carry it everywhere with my laptop and index it with Beagle.

ModSecurity is essential when it comes to secure any web site.

It will make the work of the attacker much harder and  it may save you even if your favorite dynamic pages have a security hole.
However, it must be configured wisely to be efficient. It is just a firewall that works at the application layer : you need to know the attacker point of view and the basics before writing any mod-security rules, otherwise at best it will useless (and at worst, it will kick legitimate traffic off).

So, stay tuned :  I will talk more about the ModSecurity stuff and publish a review about this book soon.

What I got from my lan :

$ telnet mars 25
Trying 192.168.222.10...
Connected to phocean.net.
Connected to phocean.net.
Escape character is '^]'.
220 phocean.net ESMTP Postfix (Debian/GNU)
220 phocean.net ESMTP Postfix (Debian/GNU)
ehlo phocean.net
ehlo phocean.net
250-phocean.net
250-phocean.net
250-PIPELINING
250-SIZE 200000000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I shows well that the TLS handshake is initiated.

But from this outside, I just got this weired thing :

$ telnet phocean.net 25
$ telnet phocean.net 25
Trying 81.64.194.119...
Connected to phocean.net.
Connected to phocean.net.
Escape character is '^]'.
220 **********************************************
ehlo phocean.net
ehlo phocean.net
502 5.5.2 Error: command not recognized
Of course, the firewall, a Cisco Pix one, was properly set to redirect port 25 UDP/TCP to my server.
However, I soon focused my effort on this equipment. I considered a while that the cause could be some filtering from my provider, but most probably, the problem came from the Pix.
That was not difficult to figure out : it had some protocol inspector activated for SMTP :
$ sh ru
[...]
fixup protocol smtp 25
[...]
Just after :
> no fixup protocol smtp 25
… it started to work perfectly well !!!
The engine for the SMTP protocol could not recognize the TLS handshake, considered that the SMTP session as not valid and therefore blocked it !
I can deactivate it without any fear as my Postfix server is already pretty well secured, or at least configured to reject any weired SMTP dialog.
]]>