Securing APEX with mod_security

March 7, 2008  |  apex, dba, linux, security

SQL Injection is a technique that exploits a vulnerability in the database layer of an application. It usually occurs when user input is not correctly filtered for string literal escape characters embedded in SQL statements. This is one of the most common attacks that a site must be prepared to handle.

I usually recommend that our customers install a firewall that blocks access to all ports except HTTP/S, and that they restrict access to the listener to localhost only.

The problem is that this is not enough! SQL Injection reaches the database through an ordinary HTTP request, which the firewall allows. APEX is a wonderful RAD tool that comes with lots of built-in security features (checksummed URL arguments, for instance) that try to avoid security issues.

I usually don't expose the Embedded Gateway; instead I rely on Apache to reverse proxy the calls from the browsers, and secure it with HTTPS and a trusted certificate. Since Apache is my front end, I have for a long time chosen mod_security to secure my HTTP servers on CentOS/Red Hat/OEL. As Red Hat EL flavours usually ship with "old" packages, I install mod_security like this:

$ rpm --import http://www.jasonlitka.com/media/RPM-GPG-KEY-jlitka
$ yum install mod_security

Now I edit httpd.conf and add the following line in the modules section:

LoadModule security_module modules/mod_security.so

And I fill httpd.conf with mod_security rules like these:

...

SecFilterEngine On
# Reject requests whose URL encoding is invalid
SecFilterCheckURLEncoding On
# Inspect POST bodies as well as the query string
SecFilterScanPOST On
# Debug output (the audit log proper is configured with SecAuditLog)
SecFilterDebugLog /var/log/modsecurity_audit.log
# Any request containing a single quote is redirected to a warning page.
# Note that this also catches legitimate values such as O'Brien.
SecFilter "'" "redirect:http://server.com/warning.html"
# I LOVE THIS ONE! :)
# (Apache comments must sit on their own line, and the fake banner is only
# shown when ServerTokens is set to Full)
SecServerSignature "Microsoft-IIS/5.0"

...
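
As an added example (not the post's own configuration), here is an httpd.conf fragment that reverse proxies /apex to the Embedded Gateway and scopes mod_security 1.x rules to that front end, with the blanket single-quote filter shown beside narrower argument filters. The gateway address 127.0.0.1:8080, the log paths and the regular expressions are assumptions to adapt to your application.

```apache
# Added example, not the post's own configuration. Assumed: the APEX
# Embedded Gateway listens on 127.0.0.1:8080 and mod_proxy/mod_proxy_http
# are loaded; adjust paths and regular expressions for your application.

LoadModule security_module modules/mod_security.so

# Browsers only ever talk to Apache; the gateway itself stays on localhost
ProxyPass        /apex http://127.0.0.1:8080/apex
ProxyPassReverse /apex http://127.0.0.1:8080/apex

<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On

    # Make the default action explicit: deny with 403 and log the hit
    SecFilterDefaultAction "deny,log,status:403"
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecFilterDebugLog /var/log/httpd/modsec_debug.log
    SecFilterDebugLevel 0

    # The fake banner only takes effect with ServerTokens Full
    ServerTokens Full
    SecServerSignature "Microsoft-IIS/5.0"

    # Weak: rejects every apostrophe, so "O'Brien" in a form field is blocked
    # SecFilter "'"

    # Narrower: inspect request arguments only and look for injection shapes
    # (quote followed by a tautology, UNION SELECT, or a comment terminator)
    SecFilterSelective ARGS "(?i)'\s*(or|and)\s+\S+\s*="
    SecFilterSelective ARGS "(?i)\bunion\s+(all\s+)?select\b"
    SecFilterSelective ARGS "'\s*(--|/\*|#)"
</IfModule>
```

Run the application's own pages through the filters with SecAuditEngine on before turning the narrower rules into hard denials, since every APEX application has its own legitimate argument shapes.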

Hope this helps 🙂
