[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: ModSecurity v2 Apache rules for directory servers

To: or-talk@xxxxxxxxxxxxx
Subject: Re: ModSecurity v2 Apache rules for directory servers
From: Mike Cardwell <tor@xxxxxxxxxxxxxxxxxx>
Date: Tue, 14 Aug 2007 16:53:06 +0100
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Tue, 14 Aug 2007 11:53:24 -0400
In-reply-to: <20070814095203.GV1221@xxxxxxxxxxxxxxx>
References: <20070811190523.GA26757@xxxxxxxxx> <21f144250708140110p64b4b1aetf3a82f4e11b545a2@xxxxxxxxxxxxxx> <20070814082455.GF28743@xxxxxxxxxxxxxxxxxxx> <21f144250708140216x13313234k936a82e46124f0cc@xxxxxxxxxxxxxx> <20070814095203.GV1221@xxxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

Florian Reitmeir wrote:

>>> "Please don't do stuff like this."
>> Why not?  I don't see any problem in validating/checking the behavior
>> or request/fingerprints of incoming connections to Tor, so long as it
>> doesn't break Tor (hence QA testing after R&D).  Why would checking
>> input be a bad thing?
> because they make no sense.
>
> Why do you want such a thin? i believe to prevent "attacks"?

Yes. To reduce the likelyhood of my system being compromised due toflaws in Tor such as the recent currently undisclosed exploit thatallows people to, basically, turn others machines into open relays.


> - if the rules are correct, they allow "attacks" too

The point is to reduce the possible attacks, not stop them outright.

> - the rules add complexity and make it hard to debug

Rubbish. ModSecurity has excellent logging. It doesn't make things moredifficult to debug.


> - Tor is an open source software which isn't broken by design, so if
> there are any security problems, just upgrade
>
> mod_security can be used in some cases like:
> - you have to run old buggy software because the vendor...

> - you have to run unknown user installed software (like PHP..) andyou are an

>     ISP, ..

It's good for applying temporary protection against flaws before they'repatched. I *have* done this before. It also supplies certainprotection against 0 day attacks.


> but Tor is an "alive" project, and there is security support for
> nearly all platforms, so any attempt to "fix" holes by adding a layer,
> may create new holes, or even completely new attacks possible.

Sorry, I don't buy it. I'll stick with ModSec and tweak my rules asnecessary.

I think I was a little overly keen about my original rules and postedthem before I'd had time to test them properly, and yes they have thrownup a few false positives so I've been tweaking them. I'll bed them in,and then go looking through the source code to try and spot stuff I'vemissed. I'm personally going to continue to use them, and people arefree to contact me if they want to use them.


Mike

References:
- ModSecurity v2 Apache rules for directory servers
  - From: Mike Cardwell
- Re: ModSecurity v2 Apache rules for directory servers
  - From: Kyle Williams
- Re: ModSecurity v2 Apache rules for directory servers
  - From: Peter Palfrader
- Re: ModSecurity v2 Apache rules for directory servers
  - From: Kyle Williams
- Re: ModSecurity v2 Apache rules for directory servers
  - From: Florian Reitmeir

Prev by Author: Re: Directory issues
Next by Author: Re: Privoxy usage?
Previous by thread: Re: ModSecurity v2 Apache rules for directory servers
Next by thread: New Hidden Wiki
Index(es):
- Author
- Thread