ModSecurity v2 Apache rules for directory servers

Mike Cardwell tor at lists.grepular.com
Tue Aug 14 15:53:06 UTC 2007


Florian Reitmeir wrote:

 >>> "Please don't do stuff like this."
 >> Why not?  I don't see any problem in validating/checking the behavior
 >> or request/fingerprints of incoming connections to Tor, so long as it
 >> doesn't break Tor (hence QA testing after R&D).  Why would checking
 >> input be a bad thing?
 > because they make no sense.
 >
 > Why do you want such a thing? I believe to prevent "attacks"?

Yes. To reduce the likelihood of my system being compromised due to 
flaws in Tor such as the recent currently undisclosed exploit that 
allows people to, basically, turn others' machines into open relays.

 > - if the rules are correct, they allow "attacks" too

The point is to reduce the possible attacks, not stop them outright.

 > - the rules add complexity and make it hard to debug

Rubbish. ModSecurity has excellent logging. It doesn't make things more 
difficult to debug.

 > - Tor is an open source software which isn't broken by design, so if
 > there are any security problems, just upgrade
 >
 > mod_security can be used in some cases like:
 > - you have to run old buggy software because the vendor...
 > - you have to run unknown user installed software (like PHP..) and
 >     you are an ISP, ..

It's good for applying temporary protection against flaws before they're 
patched. I *have* done this before. It also supplies certain 
protection against 0 day attacks.

 > but Tor is an "alive" project, and there is security support for
 > nearly all platforms, so any attempt to "fix" holes by adding a layer,
 > may create new holes, or even completely new attacks possible.

Sorry, I don't buy it. I'll stick with ModSec and tweak my rules as 
necessary.

I think I was a little overly keen about my original rules and posted 
them before I'd had time to test them properly, and yes they have thrown 
up a few false positives so I've been tweaking them. I'll bed them in, 
and then go looking through the source code to try and spot stuff I've 
missed. I'm personally going to continue to use them, and people are 
free to contact me if they want to use them.

Mike