This two-day course will help you get going with ModSecurity on an Apache webserver. The basics will be made clear with a close look at a clean configuration of the webserver and the log files that it writes. We will then look at the ModSecurity installation and rule writing. Afterwards we will install the popular OWASP Core Rule Set (CRS) and look at the handling of false positives, which is vital in a production web application firewall setup.
Why This Course is for You
- Don’t spend ages trying to figure out ModSecurity and CRS yourself — learn all the tricks with this practical course from the best known ModSecurity expert
- Everything from how to install the ModSec / CRS web application firewall to how to take security of your applications to a new level
- Gain insight into different rule writing techniques like deny- and allow-lists (aka whitelisting)
- Learn how to ease into a tight CRS setup with an existing production service so that no customer is bitten by a false positive of the WAF
- Learn how to extract the information from the server and analyse it without ever leaving the shell
Testimonials
“Absolutely necessary, if you want to do a ModSecurity / CRS3 project in a serious way.” — Nick, OIZ Zurich, Switzerland
“My understanding of ModSecurity now means my workload is reduced 90%!” — Leon, University of Reading, UK
“Trainer is awesome: easy to discuss, helpful, makes sure that everyone is up to speed.” — Karolis, Oracle / Zenedge, Kaunas, Lithuania
Meet the Trainer
Dr. Christian Folini is a partner at netnea. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is no big business anymore, so Christian turned to defending web servers, which he finds equally challenging. With his background in humanities, Christian is able to bridge the gap between techies and non-techies. He brings more than 15 years’ experience in this role, specialising in Apache / ModSecurity configuration, DDoS defense and threat modeling.
Christian is the author of the ModSecurity Handbook 2ed, a co-lead of the OWASP ModSecurity Core Rule Set, program chair of the Swiss Cyber Storm conference and generally the best known ModSecurity expert.
Christian’s extensive list of publications can be seen on his personal website.
Course Outline
- Setting up Apache (Core Module)
  - Compiling Apache yourself
  - Minimalistic Apache configuration
  - Walk through the configuration
  - Extending the logfiles
  - IO and performance data
  - GeoIP information
  - TLS protocol and cipher
  - ModSecurity infos
  - Data extracting done fast
  - Basic statistics on the data
- Setting up ModSecurity (Core Module)
  - Compiling ModSecurity yourself
  - ModSecurity base configuration
  - Rule Engine
  - Audit Engine
  - Request limits
- First Steps with ModSecurity (Core Module)
  - First rules
  - Full transaction log
- ModSecurity Deny-Lists (negative security model – Core Module)
- ModSecurity Allow-Lists (positive security model – Core Module)
- Enabling the OWASP Core Rule Set (Core Module)
  - Introduction to the Core Rules scoring concept
  - A slightly different approach to their base config
  - Testing core rules in action (includes attack scanner)
- Tuning the Core Rules (Core Module)
  - Identify false positives
  - Tune away the false positives
  - Calculated approach to setting the scoring limits
- LogFile visualisation (Optional Module)
  - Histograms of traffic data
  - Bell curve distributions in the shell
- Reverse Proxy setup (Optional Module)
  - Setting a standard Reverse Proxy
  - Introduction to some ModRewrite Voodoo
  - Apache Proxy Balancer
  - Combining ModRewrite and Proxy Balancer
- Effective debugging (Optional Module)
  - The 4-shell setup
  - Config window
  - Controlling Apache
  - HTTP requests with curl
  - Logfile monitor
  - Customizing the setup for your environment
  - The 4-shell setup
- Open discussion (Optional Module)