You probably remember that I wrote quite a bit about my use of ModSecurity to handle antispam for the blog’s comments: it lets me verify the User-Agent header, with a few extra tricks up my sleeve, without resorting to forced registration, captchas or mandatory comment moderation. Among other things, it also allowed me to drop the 60-day limit on commenting: comments are now open on all posts.
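A minimal version of the User-Agent check described above, as an added example (not code from this post or from the book under review); it assumes the comment form POSTs to /comments, which is a placeholder path, and uses placeholder rule ids from a locally reserved range:

```apache
# Added example, not from the post or from the book: reject comment
# submissions that arrive without a User-Agent header, which is the kind of
# check the antispam setup relies on.
# Assumptions: the comment form POSTs to /comments (placeholder path) and
# rule ids 900100-900101 are placeholders in a locally reserved range.

# ModSecurity needs mod_unique_id for its UNIQUE_ID variable (the dependency
# mentioned later in the post); the module path is the stock Apache layout.
LoadModule unique_id_module modules/mod_unique_id.so

SecRuleEngine On

# Chain: POST + comment path + no User-Agent header => deny with 403.
# The disruptive and logging actions live on the first rule of the chain and
# fire only when every link of the chain matches.
SecRule REQUEST_METHOD "@streq POST" \
    "id:900100,phase:2,t:none,chain,log,deny,status:403,msg:'Comment POST without User-Agent'"
    SecRule REQUEST_URI "@beginsWith /comments" "t:none,chain"
        SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"

# Same treatment for a User-Agent header that is present but blank.
SecRule REQUEST_METHOD "@streq POST" \
    "id:900101,phase:2,t:none,chain,log,deny,status:403,msg:'Comment POST with empty User-Agent'"
    SecRule REQUEST_URI "@beginsWith /comments" "t:none,chain"
        SecRule REQUEST_HEADERS:User-Agent "^\s*$" "t:none"
```

Keep the scope narrowed to the comment endpoint: applying the same rule site-wide would also block legitimate monitoring or feed fetchers that send no User-Agent.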
But I think I already ranted about the lack of good documentation for ModSecurity: while it’s definitely powerful, it also ships a few rules that are frankly draconian, which makes it almost impossible to use without fiddling for most use cases. Part of this has, in my opinion, to do with the purpose ModSecurity was designed for in the first place: putting a stop to vulnerabilities in broken PHP code. I’m not singling out PHP here; the rule authors did: more than a couple of rules are designed to work around common PHP coding errors. While this can probably be considered good enough, it shows its problems when used with Rails (for instance, the “duplicate parameter” rules break Rails pretty badly). For this reason, in Gentoo I disable some of the worst rules by default (you can still get the originals by using the vanilla USE flag).
Now, earlier this month, before my one-week vacation, Packt Publishing asked me to review a book (which they published last week) on the subject: ModSecurity 2.5 by Magnus Mischel. I’m still reading through it, given my usual time constraints (and a few unusual ones, including my birthday yesterday), but I can already say this much about it: give it a read.
It starts from the basics of how ModSecurity works, and that is very good, as it’s exactly what the original documentation lacks. At the start I actually had the wrong impression that it was going to take too much of a “newbie” look at the subject, but there really are some very basic tricks that might not be obvious at all even if you’ve been roaming through the ModSecurity documentation for a while.
You could say that reading this book has been pretty helpful to both me and Gentoo: on one side I’m understanding how to improve the antispam rules so that they can be published and made available for others to use (I’m considering publishing my own rule set, not only for the antispam, but also as a measure of protection against marketing crawlers that waste everybody’s bandwidth); on the other side, there was at least one dependency (on mod_unique_id) that I didn’t know about, but which is now fixed in the ebuild you can find in the tree.
Bottom line: if you’re planning on doing any serious work with ModSecurity, this is definitely a must-read. Kudos to Magnus, his work is definitely quality work. You can get the book and PDF directly from Packt, or from Amazon (associate link) if you prefer.
And thanks again to Packt (and Magnus) for the opportunity to improve the Gentoo packaging: I now know of a couple more things I should be looking at fixing in the near future.
User-Agent is evil and should be removed from the spec.
Somebody sooner or later will have to make explicit *why* they find User-Agent that bad. Especially those who think it’s “a privacy risk” to provide the correct User-Agent… You know, when you can rely on that to fix a huge range of problems, including, for instance, the antispam solution I talk about here, and the only problem is that one can tell the OS one’s running on…