
Re: ModSecurity v2 Apache rules for directory servers



On Tue, 14 Aug 2007, Kyle Williams wrote:

> "Actually they are horrible."
> 
> Why?
> 
> "They already are out of date and would reject proper directory requests."
> 
> OK, good to know.
> Do you think better rules, or rules that don't break server requests, could
> be achieved?
> 
> "Please don't do stuff like this."
> 
> Why not?  I don't see any problem in validating/checking the behavior or
> request/fingerprints of incoming connections to Tor, so long as it doesn't
> break Tor (hence QA testing after R&D).  Why would checking input be a bad
> thing?

Because they make no sense.

Why do you want such a thing? I believe to prevent "attacks"?

- if the rules are correct, they allow "attacks" too
- the rules add complexity and make it hard to debug
- Tor is open source software which isn't broken by design, so if there
	are any security problems, just upgrade

mod_security can be used in some cases like:
- you have to run old buggy software because the vendor...
- you have to run unknown user installed software (like PHP..) and you are an
	ISP, .. 

But Tor is an "alive" project, and there is security support for nearly all
platforms, so any attempt to "fix" holes by adding a layer may create new
holes, or even make completely new attacks possible.


> On 8/14/07, Peter Palfrader <peter@xxxxxxxxxxxxx> wrote:
> >
> > On Tue, 14 Aug 2007, Kyle Williams wrote:
> >
> > >>   SecRule REQUEST_URI "!^/tor/server/authority$" "chain,msg:'Badly formed uri'"
> > >>   SecRule REQUEST_URI "!^/tor/status/all$" "chain"
> > >>   SecRule REQUEST_URI "!^/tor/running-routers$" "chain"
> > >>   SecRule REQUEST_URI "!^/tor/dir\.z$" "chain"
> > >>   SecRule REQUEST_URI "!^/tor/server/(?>d|fp)/(?>[A-F0-9]{40})(?>\+[A-F0-9]{40})*\.z$" "chain"
> > >>   SecRule REQUEST_URI "!^/tor/status/fp/[A-F0-9]{40}(?>\+[A-F0-9]{40})*\.z$"
> >
> > > Nice!  Thank you for that helpful information.
> > > I will definitely take note of that with the next version of JanusVM.
> > > Strict rules such as these are a very good idea, because it never hurts to
> > > check your input before processing it.
> >
> > Actually they are horrible.  They already are out of date and would
> > reject proper directory requests.  Please don't do stuff like this.
> >
> > --
> >                            |  .''`.  ** Debian GNU/Linux **
> >       Peter Palfrader      | : :' :      The  universal
> > http://www.palfrader.org/ | `. `'      Operating System
> >                            |   `-    http://www.debian.org/
> >

-- 
Florian Reitmeir
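
Added example, not part of the original message and not code from any participant in the thread: a Python harness that replays a request corpus against the allowlist quoted above, the kind of regression check that surfaces "would reject proper directory requests" before such rules are deployed. The corpus, the constructed fingerprint and the two `.z` URIs marked as assumed-valid are assumptions, not taken from the thread; the atomic groups `(?>...)` are rewritten as `(?:...)` for portability, which does not change what these patterns match.

```python
import re

# Patterns from the quoted rule chain, with (?>...) rewritten as (?:...).
ALLOWED = [re.compile(p) for p in (
    r"^/tor/server/authority$",
    r"^/tor/status/all$",
    r"^/tor/running-routers$",
    r"^/tor/dir\.z$",
    r"^/tor/server/(?:d|fp)/(?:[A-F0-9]{40})(?:\+[A-F0-9]{40})*\.z$",
    r"^/tor/status/fp/[A-F0-9]{40}(?:\+[A-F0-9]{40})*\.z$",
)]


def chain_blocks(uri):
    """Every rule in the chain is negated, so the chain only fires when the
    URI matches none of the allowed patterns."""
    return not any(p.search(uri) for p in ALLOWED)


FP = "A" * 40  # constructed 40-hex-digit fingerprint, not a real relay

# Constructed corpus: (uri, should_be_served).
CORPUS = [
    ("/tor/server/authority", True),
    ("/tor/dir.z", True),
    (f"/tor/server/fp/{FP}.z", True),
    (f"/tor/status/fp/{FP}+{FP}.z", True),
    ("/tor/server/all.z", True),   # assumed valid request, not in the thread
    ("/tor/status/all.z", True),   # assumed valid request, not in the thread
    ("/index.html", False),
    (f"/tor/server/fp/{FP[:39]}.z", False),  # fingerprint one digit short
]


def audit(corpus):
    """Return URIs the allowlist gets wrong in either direction."""
    return {
        "false_rejects": [u for u, ok in corpus if ok and chain_blocks(u)],
        "false_accepts": [u for u, ok in corpus if not ok and not chain_blocks(u)],
    }


if __name__ == "__main__":
    for kind, uris in audit(CORPUS).items():
        print(kind, uris)
```

A clean `false_accepts` list only shows that the sample malformed URIs are refused; a well-formed request passes the chain regardless of what the server does with it.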