
Re: ModSecurity v2 Apache rules for directory servers

Florian Reitmeir wrote:

>>> "Please don't do stuff like this."
>> Why not?  I don't see any problem in validating/checking the behavior
>> or request/fingerprints of incoming connections to Tor, so long as it
>> doesn't break Tor (hence QA testing after R&D).  Why would checking
>> input be a bad thing?
> because they make no sense.
> Why do you want such a thing? I believe to prevent "attacks"?

Yes. To reduce the likelihood of my system being compromised due to flaws in Tor, such as the recent, currently undisclosed exploit that allows people to, basically, turn others' machines into open relays.

> - if the rules are correct, they allow "attacks" too

The point is to reduce the possible attacks, not stop them outright.

> - the rules add complexity and make it hard to debug

Rubbish. ModSecurity has excellent logging. It doesn't make things more difficult to debug.

> - Tor is an open source software which isn't broken by design, so if
> there are any security problems, just upgrade
> mod_security can be used in some cases like:
> - you have to run old buggy software because the vendor...
> - you have to run unknown user installed software (like PHP..) and you are an
>     ISP, ..

It's good for applying temporary protection against flaws before they're patched. I *have* done this before. It also supplies a certain amount of protection against 0-day attacks.

> but Tor is an "alive" project, and there is security support for
> nearly all platforms, so any attempt to "fix" holes by adding a layer,
> may create new holes, or even completely new attacks possible.

Sorry, I don't buy it. I'll stick with ModSec and tweak my rules as necessary.

I think I was a little overly keen about my original rules and posted them before I'd had time to test them properly, and yes they have thrown up a few false positives so I've been tweaking them. I'll bed them in, and then go looking through the source code to try and spot stuff I've missed. I'm personally going to continue to use them, and people are free to contact me if they want to use them.