WEBVTT 1 00:00:00.040 --> 00:00:02.560 All right, ready to jump into mod security. 2 00:00:02.640 --> 00:00:03.279 Let's do it. 3 00:00:03.680 --> 00:00:06.280 You guys give us a ton on this open source 4 00:00:06.559 --> 00:00:08.679 web application firewall, so. 5 00:00:08.800 --> 00:00:10.119 Uh yeah, a lot to cover. 6 00:00:10.240 --> 00:00:12.279 We're going to figure out how mod security does its 7 00:00:12.279 --> 00:00:14.560 thing and more importantly, why you should care. 8 00:00:14.839 --> 00:00:16.960 I think what's really cool here is that we're not 9 00:00:17.120 --> 00:00:22.480 just looking at like a technical manual, we're also seeing philosophy, right, yeah, 10 00:00:22.480 --> 00:00:24.719 and that's really key to how mod security works. 11 00:00:24.839 --> 00:00:26.640 Is like a behind the scenes look. Yeah. And the 12 00:00:26.679 --> 00:00:31.519 Mond Security handbook itself feels like the like the ultimate guide, 13 00:00:31.600 --> 00:00:33.399 you know, And I was just looking through it and 14 00:00:33.399 --> 00:00:35.799 there's some really cool stuff like did you know mod 15 00:00:35.840 --> 00:00:39.719 security can rewrite website traffic like live Yeah? 16 00:00:39.799 --> 00:00:42.880 Yeah, yeah, it's a really powerful trick. It allows you 17 00:00:42.960 --> 00:00:47.719 to essentially adjust traffic on the fly to protect your applications. 18 00:00:47.799 --> 00:00:50.039 We'll definitely get into how that works and why it's 19 00:00:50.079 --> 00:00:51.119 so valuable, and we're going. 20 00:00:51.079 --> 00:00:55.200 To meet the creator and uncover his unique philosophy, which hint, 21 00:00:55.520 --> 00:00:57.600 he doesn't even trust automated tools. 22 00:00:57.920 --> 00:01:01.039 Yeah, that's a really interesting philosophy and kind of sets 23 00:01:01.079 --> 00:01:04.560 mod security apart. It's all about keeping the human in control, 24 00:01:04.760 --> 00:01:07.000 not relying on blind automation. 25 00:01:07.359 --> 00:01:10.640 So not replacing human judgment, yeah, just giving us better 26 00:01:10.680 --> 00:01:12.359 tools to make judgment precisely. 27 00:01:12.439 --> 00:01:15.599 And that's why mod security focuses on detection and blocking, 28 00:01:15.799 --> 00:01:20.480 not data sanitization. Risti sees that as kind of inherently risky. 29 00:01:20.840 --> 00:01:23.319 So it's like a really smart security guard, Yeah, who 30 00:01:23.840 --> 00:01:26.120 will point out things that are suspicious, but lets you 31 00:01:26.159 --> 00:01:27.239 make the call on what to do. 32 00:01:27.439 --> 00:01:31.120 That's a great analogy, and that approach has really kind 33 00:01:31.159 --> 00:01:34.400 of been central to mod security's evolution. You know, from 34 00:01:34.400 --> 00:01:37.560 the early days when it was tough to integrate it 35 00:01:37.560 --> 00:01:40.519 with apatche to the complete rewrite with version two point zero, 36 00:01:40.879 --> 00:01:43.000 it's all been about giving users control. 37 00:01:43.159 --> 00:01:45.879 The speaking of big wins, the handbook mentions that mod 38 00:01:45.920 --> 00:01:50.840 security was actually compared to other web application firewalls. Oh yeah, 39 00:01:50.840 --> 00:01:54.680 forced to research evaluation and mod security came out on top. 40 00:01:54.879 --> 00:01:57.480 That was a big moment for mod security. Yeah, it 41 00:01:57.519 --> 00:01:59.319 really proved that it could go head to head with 42 00:01:59.719 --> 00:02:02.439 the with the big players and really hold its own. 43 00:02:02.599 --> 00:02:05.159 All Right, so we've got this powerful tool built on 44 00:02:05.200 --> 00:02:10.599 this idea that humans are still in charge. But how 45 00:02:10.599 --> 00:02:13.520 does that fit into a web server environment? What is 46 00:02:13.560 --> 00:02:14.560 it actually doing? 47 00:02:14.919 --> 00:02:17.800 So mod security is what's called a hybrid we mess 48 00:02:17.840 --> 00:02:21.280 of it needs the host web server, in this case 49 00:02:21.319 --> 00:02:24.840 Apache to do some of its work. Works really well 50 00:02:24.879 --> 00:02:27.599 with a patchy, but it could technically work with other 51 00:02:27.599 --> 00:02:30.360 web servers as long as they have the right APIs. 52 00:02:30.439 --> 00:02:33.400 So it's like a dynamic duo with a patches. Yeah, exactly, 53 00:02:33.400 --> 00:02:34.560 it could team up with others. 54 00:02:34.680 --> 00:02:37.639 That's right. And remember mod security is all about detection 55 00:02:37.840 --> 00:02:41.120 and blocking. It's constantly looking at incoming and outgoing web 56 00:02:41.159 --> 00:02:45.599 traffic looking for patterns that match the rules you set up. 57 00:02:45.680 --> 00:02:48.560 So like a security checkpoint scrutinizing every single piece of 58 00:02:48.639 --> 00:02:50.360 data coming in and going out. 59 00:02:50.599 --> 00:02:53.560 That's exactly right. And it does this in five phases. First, 60 00:02:53.680 --> 00:02:56.919 it checks the request headers before even looking at the 61 00:02:57.439 --> 00:03:01.360 content of the request. Then it analyzes the request body, 62 00:03:01.400 --> 00:03:03.199 which is the data being sent to the server. 63 00:03:03.439 --> 00:03:06.240 So it's like a multi step inspection process. Yeah, what 64 00:03:06.280 --> 00:03:08.159 happens after the request is processed. 65 00:03:08.360 --> 00:03:12.080 After that, it goes on to the response headers, checking 66 00:03:12.080 --> 00:03:15.280 the server's initial response. Then it looks at the content 67 00:03:15.360 --> 00:03:18.400 being sent back to the user. This is the response 68 00:03:18.439 --> 00:03:22.319 body phase. And finally it records everything in the logging phase. 69 00:03:22.360 --> 00:03:25.039 Wow, really breaking down that whole request and response cycle. 70 00:03:25.080 --> 00:03:27.719 Right, that's right. It's a systematic way to make sure 71 00:03:27.800 --> 00:03:29.919 nothing slips through the cracks when it comes to web 72 00:03:29.960 --> 00:03:30.960 application security. 73 00:03:31.520 --> 00:03:33.960 So all this analysis in work that's going on, doesn't 74 00:03:34.000 --> 00:03:35.120 that affect performance? 75 00:03:35.719 --> 00:03:40.039 Well, yeah, there's no denying that. Mod security uses more resources, 76 00:03:40.360 --> 00:03:45.039 you know, both CPU and RAM. You know, it's parsing data, 77 00:03:45.120 --> 00:03:48.599 it's handling complex information, it's constantly checking those rules. 78 00:03:48.960 --> 00:03:52.879 So there is like a trade off between security. 79 00:03:52.360 --> 00:03:56.800 And speed to some degree. Yeah, but the handbook emphasizes 80 00:03:56.919 --> 00:03:59.680 that this is manageable. Okay, if you set your servers 81 00:03:59.719 --> 00:04:04.080 up directly and importantly, mod security is highly configurable, so 82 00:04:04.120 --> 00:04:06.960 you can fine tune it to you know, strike the 83 00:04:07.000 --> 00:04:09.080 right balance between security and performance. 84 00:04:09.319 --> 00:04:11.599 That's good to hear. Yeah, not one size fits all. 85 00:04:11.879 --> 00:04:14.159 You can customize it for your environment precisely. 86 00:04:14.520 --> 00:04:18.480 You're in control. You know what gets analyzed, how deeply 87 00:04:18.560 --> 00:04:21.319 it gets analyzed, and what happens when when a rule 88 00:04:21.399 --> 00:04:21.920 is triggered. 89 00:04:22.279 --> 00:04:25.519 Right, this brings us to the fun part diving into 90 00:04:25.560 --> 00:04:30.240 mod security's unique features. Let's start with how it handles 91 00:04:30.560 --> 00:04:32.720 you know, file uploads. Yeah, I know those can be 92 00:04:32.759 --> 00:04:34.040 a real security headache. 93 00:04:34.199 --> 00:04:37.279 Oh for sure. File uploads are a you know, a 94 00:04:37.319 --> 00:04:40.800 favorite target for attackers, and that's why mod security takes 95 00:04:40.800 --> 00:04:44.519 a very cautious approach. Instead of processing them directly in memory, 96 00:04:45.000 --> 00:04:47.439 it creates temporary files on the disc. 97 00:04:47.879 --> 00:04:50.120 Ah, So it isolates those files. 98 00:04:49.920 --> 00:04:53.720 Right, Yeah, it's isolating those those potentially dangerous files from 99 00:04:53.759 --> 00:04:56.800 the server's memory. And it actually goes even further. It 100 00:04:57.120 --> 00:05:01.439 carefully adjusts the permissions of these temporary files to prevent 101 00:05:01.680 --> 00:05:03.120 you know, unauthorized access. 102 00:05:03.319 --> 00:05:06.279 So it creates it locks it down. Yeah, and then 103 00:05:06.319 --> 00:05:08.920 what like does it analyze the contents or store it 104 00:05:09.120 --> 00:05:10.480 or like what happens? Then? 105 00:05:10.600 --> 00:05:13.160 It depends on how you've configured it. Right. You can 106 00:05:13.279 --> 00:05:17.120 have mod security scan the file for malicious patterns. You 107 00:05:17.160 --> 00:05:19.399 can even run it through an anti virus engine like 108 00:05:19.480 --> 00:05:22.680 clam ab, or you could just store it for review later. 109 00:05:22.839 --> 00:05:26.160 So there's flexibility, that's right. But these files they don't 110 00:05:26.160 --> 00:05:27.680 stick around forever, do they No? 111 00:05:27.879 --> 00:05:31.120 No, mod security automatically cleans them up, okay, when they're 112 00:05:31.120 --> 00:05:32.000 not needed anymore. 113 00:05:32.120 --> 00:05:35.720 That's good. Wouldn't want a bunch of temporary files clogging things. 114 00:05:35.560 --> 00:05:40.040 Up, exactly. And mod security is also designed to handle 115 00:05:40.079 --> 00:05:43.680 those really large file uploads. If a file is too big, 116 00:05:44.000 --> 00:05:47.279 it automatically switches from using memory to storing it on 117 00:05:47.360 --> 00:05:47.800 a disc. 118 00:05:48.079 --> 00:05:49.600 So it adapts to the file size. 119 00:05:49.720 --> 00:05:51.560 Yeah, it adapts to the size of the file to 120 00:05:51.600 --> 00:05:54.199 prevent the server from being overwhelmed. 121 00:05:54.279 --> 00:05:55.319 Yeah, that's pretty smart. 122 00:05:55.439 --> 00:05:57.879 And to really get a sense of this process, the 123 00:05:57.920 --> 00:06:03.519 handbook actually include us excerpts from mod Security's debuglog. We 124 00:06:03.560 --> 00:06:07.680 can actually see it creating the temporary file, setting permissions 125 00:06:08.160 --> 00:06:11.279 and even you know, the exact size limits that trigger 126 00:06:11.399 --> 00:06:12.959 that switch to disk storage. 127 00:06:13.240 --> 00:06:16.360 So those debug logs, it sounds like they're really valuable 128 00:06:16.439 --> 00:06:19.040 for us. Oh yeah, understanding what's happening under the hood. 129 00:06:18.839 --> 00:06:21.720 Right absolutely. And speaking of logs, that brings us to 130 00:06:21.759 --> 00:06:23.480 another really important feature. 131 00:06:23.759 --> 00:06:26.199 Right, the logging system. Yes, it seems like it's not 132 00:06:26.279 --> 00:06:28.959 just about you know, catching the bad guys, but also 133 00:06:29.160 --> 00:06:32.920 keeping these detailed records of everything that's happening. 134 00:06:32.560 --> 00:06:35.800 You got it. So mod security has two main types 135 00:06:35.839 --> 00:06:39.000 of logs, the debug log and the audit log. The 136 00:06:39.040 --> 00:06:42.920 debuglog is, you know, it's your best friend for figuring 137 00:06:42.920 --> 00:06:46.759 out how mod security is handling requests and troubleshooting any issues. 138 00:06:46.839 --> 00:06:49.439 And the handbook recommends using debug level three right. 139 00:06:49.720 --> 00:06:52.759 Yeah, for for live websites, that's kind of the sweet spot. 140 00:06:53.000 --> 00:06:56.199 It gives you the essential information without without overwhelming you 141 00:06:56.240 --> 00:06:58.519 with details. But if you need to dig really deep, 142 00:06:58.680 --> 00:07:00.800 you can you know, crank it up to level nine 143 00:07:01.079 --> 00:07:04.079 and that'll give you the most detailed output possible. 144 00:07:04.199 --> 00:07:06.800 It's like adjusting the focus on a microscope. 145 00:07:06.920 --> 00:07:07.959 Right, That's a great way to put it. 146 00:07:08.040 --> 00:07:09.639 Yeah, Like you can zoom in as much as you 147 00:07:09.720 --> 00:07:10.639 need exactly. 148 00:07:10.879 --> 00:07:13.160 And then there's the audit log, which is all about 149 00:07:13.279 --> 00:07:16.360 you know, keeping a comprehensive record of all the HTTP 150 00:07:16.519 --> 00:07:20.600 traffic that passes through mod security. It's your security journal. 151 00:07:21.160 --> 00:07:24.319 So this seems like where the idea of like human 152 00:07:24.360 --> 00:07:27.240 oversight really comes into play. Right, you can go back 153 00:07:27.560 --> 00:07:30.120 analyze these logs and then making a formed. 154 00:07:29.920 --> 00:07:33.480 Decision precisely, and you have options for how those logs 155 00:07:33.480 --> 00:07:37.199 are stored. You can have everything appended to a single file, 156 00:07:37.600 --> 00:07:40.480 or you can create you know, a separate file for 157 00:07:40.519 --> 00:07:42.759 each entry, Okay, so you can tailor it to how 158 00:07:42.800 --> 00:07:46.480 you like to manage data. That's right, And each log 159 00:07:46.639 --> 00:07:49.319 entry is structured in a consistent way, you know, breaking 160 00:07:49.360 --> 00:07:52.199 down the details of the request and response into you know, 161 00:07:52.279 --> 00:07:53.240 manageable parts. 162 00:07:53.759 --> 00:07:56.399 It's like taking this complex event and turning it into 163 00:07:56.439 --> 00:07:57.480 these bite sized. 164 00:07:57.240 --> 00:07:59.319 Pieces that's a good way to think about it. And 165 00:07:59.360 --> 00:08:02.120 to help you this, the handbook actually gives you clear 166 00:08:02.160 --> 00:08:05.240 examples of these audit log entries. You know, it even 167 00:08:05.279 --> 00:08:08.560 shows you how to pull out specific pieces of information 168 00:08:08.720 --> 00:08:10.759 like what browser someone is using. 169 00:08:10.879 --> 00:08:13.519 It's like a detective's toolkit for web traffic. 170 00:08:13.720 --> 00:08:19.079 Yeah, exactly. And to make managing all those logs easier, 171 00:08:19.439 --> 00:08:22.240 mod Security has a tool called MOG. 172 00:08:22.560 --> 00:08:25.360 Okay, So that's like a dedicated tool for those logs. 173 00:08:25.480 --> 00:08:29.800 Yes, MOG stands for mod Security Log Collector okay, and 174 00:08:29.800 --> 00:08:32.840 it allows you to centralize your logs, you know, instead 175 00:08:32.840 --> 00:08:35.000 of having them scattered across all your web servers, you 176 00:08:35.000 --> 00:08:36.399 can collect them all in one place. 177 00:08:36.559 --> 00:08:38.600 I could see how that would be a huge time saver. 178 00:08:38.840 --> 00:08:42.639 Oh absolutely. And the handbook actually walks you through setting 179 00:08:42.720 --> 00:08:45.879 up MOG, you know, from choosing where to store your 180 00:08:45.919 --> 00:08:48.960 logs to troubleshooting any common problems you might run into. 181 00:08:49.159 --> 00:08:50.759 It's really a step by step guide. 182 00:08:50.840 --> 00:08:51.159 Yeah. 183 00:08:51.200 --> 00:08:54.200 So now we have a good handle on how mod 184 00:08:54.240 --> 00:08:57.200 security is capturing all this information, But what about the 185 00:08:57.279 --> 00:08:59.679 rules themselves? You know, how do you actually tell it 186 00:08:59.759 --> 00:09:01.000 what to look for and what to do. 187 00:09:01.440 --> 00:09:06.519 That's where the magic of mod Security's rule language comes in. Okay, 188 00:09:06.519 --> 00:09:10.159 it's incredibly flexible. It lets you create very very specific 189 00:09:10.240 --> 00:09:14.200 and complex rules to detect all sorts of security threats. 190 00:09:14.480 --> 00:09:16.960 So before we get into the specifics of how to 191 00:09:17.000 --> 00:09:19.360 actually write that language, can you just give me like 192 00:09:19.600 --> 00:09:22.559 a basic overview of how these rules work. 193 00:09:22.799 --> 00:09:28.960 Sure? At their core, mod security rules have three main parts, variables, operators, 194 00:09:28.960 --> 00:09:29.600 and actions. 195 00:09:29.679 --> 00:09:29.960 Okay. 196 00:09:30.080 --> 00:09:32.919 Variables represent the data you want to examine, like request 197 00:09:32.960 --> 00:09:35.559 headers or the content of a form submission. 198 00:09:35.639 --> 00:09:38.000 So variables are like the ingredients exactly. 199 00:09:38.440 --> 00:09:40.440 Then you have operators, which are the tools you use 200 00:09:40.519 --> 00:09:43.320 to examine those ingredients. They let you compare, search for patterns, 201 00:09:43.440 --> 00:09:45.919 analyze the data you know to see if a rule 202 00:09:46.000 --> 00:09:46.759 should be triggered. 203 00:09:46.960 --> 00:09:49.320 So the operators are like the verbs precisely. 204 00:09:49.360 --> 00:09:52.600 And finally, actions define what happens when a rule is triggered. 205 00:09:52.639 --> 00:09:56.159 You know, they determine the consequences like blocking the request, 206 00:09:56.279 --> 00:09:59.000 logging the event, or doing something else entirely. 207 00:09:59.159 --> 00:10:01.559 So the actions are the outcome you got it. 208 00:10:02.120 --> 00:10:05.240 To illustrate this, let's look at some simple examples. 209 00:10:04.759 --> 00:10:07.679 Perfect show me like how this actually works in practice. 210 00:10:07.759 --> 00:10:12.000 Okay, Let's say you want to protect against a very 211 00:10:12.000 --> 00:10:16.559 common attack called SQL injection, where hackers try to sneak 212 00:10:16.679 --> 00:10:20.720 malicious code into web requests. You could write a rule 213 00:10:20.759 --> 00:10:24.080 that looks for specific patterns in the data being submitted. 214 00:10:24.679 --> 00:10:26.879 What would that look like, Well, it could look something 215 00:10:26.919 --> 00:10:31.600 like this. Secral ARGs at rx select dot plus from. 216 00:10:31.799 --> 00:10:35.000 Okay, break that down for me. Secruel tells mod security 217 00:10:35.000 --> 00:10:38.039 it's a rule. ARGs means we're looking at the data 218 00:10:38.039 --> 00:10:40.879 being submitted, But what about that att rx and the 219 00:10:40.919 --> 00:10:41.639 rest of that stuff? 220 00:10:41.720 --> 00:10:44.440 Right, So that's where the operator and pattern matching come in. 221 00:10:45.240 --> 00:10:48.039 At rx means we're using regular expressions. Those let you 222 00:10:48.080 --> 00:10:52.279 define those complex patterns, and the pattern select dot plus 223 00:10:52.360 --> 00:10:55.039 from looks for any text that starts with select, has 224 00:10:55.039 --> 00:10:57.600 some other characters in between, and ends with from. This 225 00:10:57.679 --> 00:11:00.000 is a common structure used in SQL queries. 226 00:11:00.080 --> 00:11:02.679 Looking for the fingerprints of that attack rank Exactly. 227 00:11:02.960 --> 00:11:05.679 If it finds that pattern, boom, the rule is triggered. 228 00:11:05.759 --> 00:11:07.600 And then what what action would you take? 229 00:11:07.879 --> 00:11:09.879 Well, that's up to you. You could just log the 230 00:11:09.919 --> 00:11:14.320 event and let the request continue, or you could take 231 00:11:14.320 --> 00:11:16.600 a stronger action and block the request altogether. 232 00:11:16.919 --> 00:11:18.639 So again that flexibility is there. 233 00:11:18.759 --> 00:11:21.879 You got it, And you can actually chain multiple rules 234 00:11:21.879 --> 00:11:25.519 together to create even more complex logic. So, for example, 235 00:11:25.960 --> 00:11:29.279 you could have one rule that checks for certain keywords, 236 00:11:29.559 --> 00:11:32.320 and then another rule that analyzes the structure of the 237 00:11:32.399 --> 00:11:33.960 request based on those keywords. 238 00:11:34.080 --> 00:11:36.519 It's like a security system with multiple layers. 239 00:11:36.240 --> 00:11:40.960 Precisely, And as we explore mod security further, you'll see 240 00:11:41.000 --> 00:11:44.159 just how powerful and granular this rule language can be. 241 00:11:44.440 --> 00:11:46.480 This is really cool. I'm starting to see how you 242 00:11:46.480 --> 00:11:48.879 can really build like a strong defense. 243 00:11:49.120 --> 00:11:52.000 Yeah, for web applications, and we've only just scratched the surface. 244 00:11:52.039 --> 00:11:55.000 There are so many more features. For example, we haven't 245 00:11:55.000 --> 00:11:58.120 even talked about persistent storage. Okay, that allows you to 246 00:11:58.159 --> 00:12:01.320 actually track data across multiple requests. 247 00:12:01.679 --> 00:12:04.000 Persistent storage, what's that all about? 248 00:12:04.360 --> 00:12:08.399 So imagine being able to remember details about a user's 249 00:12:08.399 --> 00:12:12.000 behavior over time. Did they try to log in multiple 250 00:12:12.039 --> 00:12:15.240 times with the wrong password? Have they been submitting spam 251 00:12:15.279 --> 00:12:18.840 comments repeatedly? Right, persistent storage, let's you keep track of 252 00:12:18.879 --> 00:12:19.960 that information. 253 00:12:19.799 --> 00:12:23.240 So you're not just looking at each request in isolation. Right, 254 00:12:23.360 --> 00:12:24.559 You're building this history. 255 00:12:24.720 --> 00:12:28.159 That's right. It's like having a security system that learns 256 00:12:28.200 --> 00:12:30.200 and adapts based on past events. 257 00:12:30.399 --> 00:12:32.279 I'm definitely eager to learn more about that. 258 00:12:32.399 --> 00:12:36.639 Yeah, we'll definitely explore that, we'll see how to create, manage, 259 00:12:36.679 --> 00:12:39.080 and delete these records, and we'll look at some real 260 00:12:39.120 --> 00:12:43.159 world examples of how persistent storage is used for some 261 00:12:43.200 --> 00:12:45.039 pretty advanced security features. 262 00:12:44.759 --> 00:12:47.240 Exloaded, Blowing my mind. I can't wait to see what 263 00:12:47.279 --> 00:12:50.799 else mod security can do. All right, welcome back. Last 264 00:12:50.840 --> 00:12:54.320 time we kind of laid the foundation, you know, explored 265 00:12:54.360 --> 00:12:57.600 mod securities origins, some of those core concepts. Right now, 266 00:12:57.639 --> 00:12:59.320 we're going to get into persistent storage. 267 00:12:59.679 --> 00:13:04.039 Yeah, fun stuff. Persistent storage is where mod security really shines. 268 00:13:04.879 --> 00:13:08.679 Remember how we talked about tracking data across multiple requests. 269 00:13:09.279 --> 00:13:12.480 Let's imagine you're dealing with oh, I don't know, comment spam, right, 270 00:13:12.919 --> 00:13:14.080 flooding your website. 271 00:13:14.519 --> 00:13:17.679 Comments spam the bane of my existence exactly. 272 00:13:18.440 --> 00:13:21.759 But with mod security's persistent storage, you can actually create 273 00:13:21.799 --> 00:13:24.360 a system that keeps track of how often each IP 274 00:13:24.519 --> 00:13:26.679 address is posting comments. 275 00:13:26.919 --> 00:13:30.840 Wait, so each IP address gets its own little like record. Yeah, 276 00:13:30.960 --> 00:13:32.360 that seems like a lot to manage. 277 00:13:32.480 --> 00:13:35.600 It can be, but mod security is built to handle 278 00:13:35.639 --> 00:13:39.960 that efficiently. So let's call this record a comment spam collection. 279 00:13:40.399 --> 00:13:42.759 Every time someone tries to post a comment, mod security 280 00:13:42.759 --> 00:13:44.759 can check their IP address against this collection. 281 00:13:44.840 --> 00:13:46.799 Okay, so it's like a like a running tallly of 282 00:13:46.840 --> 00:13:49.679 comments from each IP exact way, what happens if someone 283 00:13:49.679 --> 00:13:52.200 gets a little too excited about commenting. 284 00:13:52.240 --> 00:13:54.960 Well, that's where you can start setting some some boundaries, right. 285 00:13:55.039 --> 00:13:57.600 You could create a rule that says, hey, if this 286 00:13:57.679 --> 00:14:00.759 IP address has posted more than say, ten comments in 287 00:14:00.799 --> 00:14:04.000 the last hour, block any further comments from that IP. 288 00:14:04.360 --> 00:14:07.440 So it's like a speed limit on comments exactly. 289 00:14:07.840 --> 00:14:11.480 You've created a dynamic rate limiting system using mod securities 290 00:14:11.559 --> 00:14:16.080 persistent storage, and this is incredibly powerful for dealing with 291 00:14:16.159 --> 00:14:17.879 all sorts of abuse scenarios. 292 00:14:17.960 --> 00:14:19.600 This makes a lot of sense, But how do you 293 00:14:19.639 --> 00:14:22.039 actually like set these up and manage them? 294 00:14:22.080 --> 00:14:22.120 Like? 295 00:14:22.159 --> 00:14:24.159 What kind of information can you even store? 296 00:14:24.759 --> 00:14:28.159 Creating a collection is actually pretty straightforward. You just use 297 00:14:28.279 --> 00:14:31.840 the the in a call action within a rule. So 298 00:14:32.159 --> 00:14:35.960 to start tracking an IP address in our comment spam collection, 299 00:14:36.519 --> 00:14:39.120 the action would look something like this in it call 300 00:14:39.200 --> 00:14:41.240 dot comment spam percent remote. 301 00:14:40.960 --> 00:14:44.120 Address, so percent remote adder that represents the IP address. 302 00:14:44.200 --> 00:14:47.840 That's right. It dynamically grabs that information. Okay, but what 303 00:14:47.879 --> 00:14:50.159 about the actual data itself. You can actually store a 304 00:14:50.240 --> 00:14:54.480 variety of different data types, numbers, text strings, even timestamps. 305 00:14:54.320 --> 00:14:58.120 It's like creating you know, custom variables within each record 306 00:14:58.159 --> 00:14:59.399 to track exactly what you need. 307 00:14:59.679 --> 00:15:02.879 So for our comment span example, what kinds of variables 308 00:15:02.960 --> 00:15:03.879 might we actually store? 309 00:15:04.120 --> 00:15:06.799 So we've already talked about the counter variable, right to 310 00:15:06.879 --> 00:15:10.159 keep track of how many comments have been posted, but 311 00:15:10.200 --> 00:15:13.799 you could also store the time stamp of the last comment, 312 00:15:14.240 --> 00:15:16.480 the content of that comment, or even a flag to 313 00:15:16.559 --> 00:15:18.840 indicate if that IP address has been blocked before. 314 00:15:19.080 --> 00:15:21.759 So it can paignt a pretty detailed picture exactly. 315 00:15:22.120 --> 00:15:24.279 And you have a lot of control over how these 316 00:15:24.320 --> 00:15:27.279 records are managed. You can set them to expire after 317 00:15:27.320 --> 00:15:30.279 a certain period, automatically deleting. 318 00:15:29.879 --> 00:15:32.360 Old data so they don't just grow forever, right, you. 319 00:15:32.360 --> 00:15:35.480 Don't want them to get clogged up without dated information. 320 00:15:36.080 --> 00:15:38.879 And you can actually manually delete records or even entire 321 00:15:38.919 --> 00:15:42.279 collections if you need to. Mod security gives you actions 322 00:15:42.279 --> 00:15:45.240 like setvar and expire VAR to manipulate that data and 323 00:15:45.840 --> 00:15:46.799 how long it's kept. 324 00:15:46.919 --> 00:15:49.200 This is like a whole database built in. 325 00:15:49.519 --> 00:15:52.279 Yeah in a way. Yeah, it's incredibly powerful and it 326 00:15:52.320 --> 00:15:54.399 allows you to do some really really clever things. And 327 00:15:54.440 --> 00:15:59.960 the handbook actually dives into three specific applications of persistent 328 00:16:00.159 --> 00:16:02.399 storage that are worth highlighting. 329 00:16:02.600 --> 00:16:05.080 Okay, let's hear them. Let's hear about these real world uses, 330 00:16:05.279 --> 00:16:05.720 all right. 331 00:16:05.919 --> 00:16:11.080 So the first one, it's called periodic alerting. Imagine you 332 00:16:11.120 --> 00:16:15.200 have a rule that flags a specific type of suspicious activity, 333 00:16:15.639 --> 00:16:18.039 but you don't want to be bombarded with alerts every 334 00:16:18.080 --> 00:16:18.759 single time it. 335 00:16:18.720 --> 00:16:21.039 Happens, right, Sometimes there's only a problem if it happens. 336 00:16:20.840 --> 00:16:24.039 A lot, right exactly. With periodic alerting, you can set 337 00:16:24.080 --> 00:16:27.799 mod security to only you send an alert for that 338 00:16:27.840 --> 00:16:31.759 event once within a specific timeframe, even if the rule 339 00:16:31.799 --> 00:16:33.000 is triggered multiple times. 340 00:16:33.240 --> 00:16:35.679 So how does persistent storage help with that? 341 00:16:36.200 --> 00:16:38.840 So you can set up a rule that checks for 342 00:16:38.879 --> 00:16:41.879 that suspicious event if it happens. The rule can look 343 00:16:41.919 --> 00:16:44.600 for a flag in a global collection that tells you 344 00:16:44.679 --> 00:16:47.759 whether an alert has been sent recently. If the flag 345 00:16:47.799 --> 00:16:50.200 is set, meaning an alert was already sent, it just 346 00:16:50.279 --> 00:16:52.960 increments a counter, okay, and doesn't sound the alarm. 347 00:16:53.120 --> 00:16:56.559 Sure like silencing the alarm, but still keeping track. 348 00:16:56.559 --> 00:16:59.600 Exactly, And that counter is also stored in the global collection. 349 00:17:00.000 --> 00:17:01.879 When you set the flag to expire, let's say after 350 00:17:01.960 --> 00:17:05.920 sixty seconds. Once the flag expires, the next occurrence of 351 00:17:05.960 --> 00:17:07.839 that event will trigger a new alert. 352 00:17:08.119 --> 00:17:10.960 So you're controlling how often you're alerted. 353 00:17:10.680 --> 00:17:13.599 Exactly, and when that next alert is sent, it can 354 00:17:13.640 --> 00:17:16.359 actually include the number of times that event happened while 355 00:17:16.400 --> 00:17:19.720 the alert was suppressed. Oh wow, so you get valuable context. 356 00:17:19.799 --> 00:17:22.559 That's awesome. What else can you do with persistent storage? 357 00:17:22.680 --> 00:17:28.400 Another great application is detecting denial of service attacks. MOD 358 00:17:28.440 --> 00:17:31.920 security can track how many requests are coming from from 359 00:17:31.960 --> 00:17:35.440 specific IP addresses or user agents. That way, you can 360 00:17:35.440 --> 00:17:39.799 spot patterns that might indicate a DOSS attack is underway. 361 00:17:39.839 --> 00:17:42.039 So you can actually set limits, right, Yeah, you can. 362 00:17:41.920 --> 00:17:44.200 Set limits on how many requests are allowed from a 363 00:17:44.240 --> 00:17:48.079 single source within a certain timeframe, and if someone goes 364 00:17:48.119 --> 00:17:52.559 over that limit, boom. Mod security can trigger a rule 365 00:17:52.680 --> 00:17:55.319 to block them. It's like a dynamic shield exactly, a 366 00:17:55.359 --> 00:17:59.200 dynamic shield that protects your server from being overwhelmed. But 367 00:17:59.359 --> 00:18:03.000 the handbook makes a good point that the effectiveness of 368 00:18:03.039 --> 00:18:06.359 this actually depends on how long you keep the records 369 00:18:06.359 --> 00:18:09.599 in your collection. So if you keep records for too long, 370 00:18:10.039 --> 00:18:12.519 a short burst of traffic might not actually stand out 371 00:18:12.599 --> 00:18:15.519 enough to trigger the rule. Right. It's like trying to 372 00:18:15.559 --> 00:18:16.799 find a needle in a haystack. 373 00:18:16.839 --> 00:18:18.720 You gotta find that balance, right exactly. 374 00:18:18.920 --> 00:18:19.680 The last one. 375 00:18:19.559 --> 00:18:20.960 There's a third one, right, right. 376 00:18:21.319 --> 00:18:25.400 The third one is all about stopping those brute force 377 00:18:25.440 --> 00:18:28.839 attacks where hackers are, you know, trying to guess passwords. 378 00:18:29.480 --> 00:18:32.680 Mod security can actually keep track of failed log in 379 00:18:32.720 --> 00:18:36.720 attempts from specific IP addresses or user names. 380 00:18:36.960 --> 00:18:39.720 You can spot accounts or IP addresses that are doing 381 00:18:39.799 --> 00:18:41.200 something shady exactly. 382 00:18:41.279 --> 00:18:43.880 You can set a limit for how many failed logins 383 00:18:43.880 --> 00:18:46.880 are allowed before you take action, and if someone goes 384 00:18:46.960 --> 00:18:50.400 over that limit, mod security can block them from making 385 00:18:50.480 --> 00:18:54.200 further attempts. Like a lockout, Yeah, like a temporary lockout 386 00:18:54.200 --> 00:18:57.160 to protect against those those brute force attacks. And you 387 00:18:57.200 --> 00:18:59.119 can even get fancy with it. You could set it 388 00:18:59.200 --> 00:19:01.880 up so that the lockout time actually gets longer with 389 00:19:01.960 --> 00:19:02.960 each failed attempt. 390 00:19:03.079 --> 00:19:04.920 Oh really, so they have to wait longer and longer. 391 00:19:05.079 --> 00:19:09.160 Yeah, so that'll discourage those really persistent hackers. 392 00:19:09.480 --> 00:19:13.279 Persistent storage is pretty amazing. It's like mod security is 393 00:19:13.319 --> 00:19:15.000 not just watching, but it's remembering. 394 00:19:15.160 --> 00:19:19.079 That's right. By analyzing past events, mod security can actually 395 00:19:19.119 --> 00:19:21.680 make smarter decisions in real time. 396 00:19:22.079 --> 00:19:24.680 That's cool. Yeah. Okay, So now that we've got like 397 00:19:24.799 --> 00:19:28.960 those basics of persistent storage down, what other advanced techniques 398 00:19:29.000 --> 00:19:29.359 are there? 399 00:19:29.480 --> 00:19:32.599 Well, let's get into session management. Okay, mod security can 400 00:19:32.640 --> 00:19:36.559 actually track and manage user sessions, adding a whole other 401 00:19:36.680 --> 00:19:39.559