I love OpenBSD's focus on security in many areas, and for the ones not included in base there are always options in packages.

However, specifically speaking about the options to complement it as an application-level firewall, it seems truly underestimated, the way I see it:

What is the option for a web-based IDS/IPS in OBSD? ModSecurity, dated 2006.

What rules could be applied for this? Same-year outdated rules from gotroot (not supported), because modsecurity.org doesn't even have an old copy.

Could I install from source the newest ModSecurity 2.5 with the ModSecurity Core Rules v2.0? No, because it is not compatible with apache1, unless you want to be more insecure with apache2 from ports.

Reading this thread: http://www.mail-archive.com/[email protected]/msg24615.html

It seems the conclusion is "The only way that modsecurity increases security is if your web applications were already insecure, so the first step would be to secure the web application and then modsecurity would not be needed."

Saying that, in my opinion, is the same as saying "Why configure packet filter to close incoming ports on the firewall if one could just correctly configure the respective daemons to listen on certain ports and only on certain IPs?"

Scenarios of importance for a WAF:

-- 10 programmers, 10 modules --
a.) Why assume that the sysadmin is the programmer, and why assume there is just one knowledgeable programmer, when there might be 10 programmers each coding a separate module of a project which will get uploaded? A code audit can only conclude (best effort) that the code is secure at a specific time in history.

-- statistics of alerts --
b.) Why assume that a threat is just one threat, part of a massive effort from millions of IPs? A threat can have a hacker behind it who, if he did not succeed one way, will continue to work in other ways. Having statistical information per day of threats, categorized by level of risk, will give a sysadmin leads as to who he is, what he is after, and any other pattern that will give time to act accordingly for a future event targeted differently. The newest modsecurity does this.

-- DoS to an application --
c.) Even if I trust the programmers every day, there is still the risk of an application-level DoS. PF can put a limit on the maximum requests per minute for an IP... but a DoS these days can be done with tens of thousands of different IPs, each making a single burst POST to a search form that will hog down the database. A WAF can examine the payload of that, and a custom rule can be set if one can regex a pattern.

-- Information Leakage --
Let's just assume that a user is able to exploit a script... sure, I can block all ports on the server so he cannot scp or transfer data out, but what if he tried to request the data from port 80? Old mod-security does inspect outgoing data for credit card information, but why stay there when the new modsecurity uses improved methods to block this?

I also tried looking at Snort, but I don't think a sniffer would be oriented toward looking specifically at payloads of web requests, based on what I see, or one would have to be very creative with signatures.

Also: creating a reverse proxy in OBSD with Apache2 would be similar to running Windows virtually on top of OpenBSD. Apache2 port patches are non-priority and may take a while to be pushed, forcing me to compile from source and thus be on top of bleeding-edge versions.

Do I have an alternative?

-- David

P.D. I am not running a shared web-hosting service.
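Added example, not part of David's post and not ModSecurity's own code: a small Python inspector that does three of the things the scenarios above ask a WAF for. It runs regex rules over the URL-decoded fields of a POST body (the search-form DoS case in c.), checks outbound responses for Luhn-valid credit card numbers (the information-leakage case), and tallies alerts per risk level and per source IP (the statistics in b.). The rule ids, risk levels, regexes and sample traffic are all constructed for this example; they are not ModSecurity or Core Rules ids, and the IPs are documentation addresses.

```python
"""Tiny WAF-style inspector: request-body rules, outbound card-number check,
and an alert tally. Everything here (rule ids, regexes, traffic) is constructed
for illustration; it is not ModSecurity code or a ModSecurity rule set."""
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple
from urllib.parse import parse_qsl


class Alert(NamedTuple):
    src_ip: str
    rule_id: str   # constructed id, not a ModSecurity/CRS id
    risk: str      # "high" | "medium" | "low"
    detail: str


# Request-side rules, applied to every URL-decoded form value (constructed).
REQUEST_RULES = [
    ("100001", "high", "SQL injection pattern",
     re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("100002", "medium", "wildcard-led or oversized search term (DB hog)",
     re.compile(r"^\s*[%*_]|.{100,}", re.S)),
]

# 13-19 digits, optional single space/dash between digits, on word boundaries.
CC_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates (digits only) found in text.
    The checksum is what keeps order numbers and timestamps out of the alerts."""
    hits = []
    for m in CC_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_request(src_ip: str, method: str, body: str) -> list[Alert]:
    """Run REQUEST_RULES over the decoded fields of a form-encoded POST body."""
    alerts: list[Alert] = []
    if method.upper() != "POST":
        return alerts
    for field, value in parse_qsl(body, keep_blank_values=True):
        for rule_id, risk, desc, rx in REQUEST_RULES:
            if rx.search(value):
                alerts.append(Alert(src_ip, rule_id, risk, f"{desc} in field {field!r}"))
    return alerts


def inspect_response(src_ip: str, body: str) -> list[Alert]:
    """Outbound check: flag responses that carry Luhn-valid card numbers."""
    cards = find_card_numbers(body)
    if not cards:
        return []
    return [Alert(src_ip, "200001", "high", f"{len(cards)} card number(s) in response")]


def summarize(alerts: list[Alert]) -> dict:
    """Per-risk and per-source tallies: the 'who is he and what is he after' view."""
    return {
        "by_risk": Counter(a.risk for a in alerts),
        "by_ip": Counter(a.src_ip for a in alerts),
    }


# Constructed sample traffic: (src_ip, method, request body, response body).
SAMPLE_TRAFFIC = [
    ("198.51.100.7", "POST", "q=%25%25%25", "<p>0 results</p>"),
    ("198.51.100.7", "POST", "q=%27+or+%271%27%3D%271", "<p>0 results</p>"),
    ("203.0.113.9", "POST", "q=openbsd", "<p>card on file: 4111 1111 1111 1111</p>"),
    ("203.0.113.9", "GET", "", "<p>order 1234567890123456 shipped</p>"),
]


def run_sample() -> tuple[list[Alert], dict]:
    """Inspect the constructed traffic both ways and return alerts plus tallies."""
    alerts: list[Alert] = []
    for ip, method, req_body, resp_body in SAMPLE_TRAFFIC:
        alerts += inspect_request(ip, method, req_body)
        alerts += inspect_response(ip, resp_body)
    return alerts, summarize(alerts)


if __name__ == "__main__":
    found, stats = run_sample()
    for a in found:
        print(f"{a.src_ip:15} {a.risk:6} rule {a.rule_id}: {a.detail}")
    print(stats)
```

Running it prints three alerts for the constructed traffic: a medium one for the wildcard-led search term, a high one for the quoted "or 1=1" payload, and a high one for the card number in the third response. The Luhn check is the part worth keeping: a bare 16-digit regex would also flag the order number 1234567890123456 in the last response, which fails the checksum, while 4111 1111 1111 1111 passes it.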

