Re: mod_security for Apache -- WEB400

Since I kicked this baby off, perhaps I chime in here.

I don't wish to debate the merits of what IBM supports vs open source
etc,.
All I am interested in is to find what could be perceived as a standard
robust set of install instructions for Apache mod_security on system-i.
Like, "We have it installed, works well and you can find the
instructions here".

I began simply by starting Apache with the option to only return a list
of installed modules which obviously come with the build as shipped.
Next, since we have aleady added extra modules relating SSL and proxy by
inserting config directives that map to IBM supplied *SRVPGMs then it
next proved informative to examine all the *SRVPGMs in QHTTPSVR for
potential candidates.
I have not had feedback from our contacts with IBM so next I came
fishing on this list.

A solution via IBM would of course be prefered since there is a support
agreement backed by the years of confidence one has already experienced
in their reliable system-i products.
There are, of course, features that can be found in the open-source
community which can be demonstrated to run on system-I in the absence of
IBM providing such a feature.
Indeed PHP was just such a beast. Back on V5R2 I spent many weeks
downloading and compiling things in PASE and eventually succeeded in
serving some web pages via PHP (but not in a production environment).
It's great to hear that IBM will now ship Zend with V6.

But the instructions for installing such things are often arcane, and
often provided by some guy in isolation and suffer from the pitfalls of
missing dependencies that must be downloaded and installed as
pre-requisites. This is not how I wish to proceed when installing a
global security mechanism.

I should make it clear that there is a PCI compliance hurdle that is
only an issue if one provides the ability to capture credit card info.
To boast PCI compliance one must prove that the PCI tests cannot expose
a weakness with regard to script injection in particular.
It is possible to begin rolling your own solution, perhaps starting with
specific services, and this may be the initial route taken.
My desire is to expedite a non-complex solution and move on.

Cheers, Peter

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Pete Helgren
Sent: Thursday, 12 February 2009 6:01 a.m.
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] mod_security for Apache

"I often wish IBM would build in a Linux server as part of every system"

They did, but it is AIX rather than Linux but it can do the same things.
You can drop RPM's into PASE and many other *NIX applications.
It is really no more complicated than Linux.

I haven't looked into compiling the module but I would guess that it
would be straightforward.

There is a bunch of AIX/PASE related tools and utilities at the
http://www.youngiprofessionals.com site. Click on Wiki and then PASE.
Great stuff and plenty of help from IBM in getting them installed and
helping out with compilation issues with other AIX binaries.

Pete Helgren

franz400@xxxxxxxxxxxx wrote:

Perhaps I did not understand the issue.. it sounded to me like IBM's
providing a version of Apache, installed with a RSTLICPGM, that
contains "most" of what is in a standard Apache install on other
platforms, plus extensions for the i.
Is the mod_security part of an official Apache release? If IBM says we

are compatible with that release, but missing that feature, that is my

problem...(and pardon me if I don't understand the issue fully).
<my rant>
I am not up on what is in or not in the i Apache release, but in all
the ip related parts of the i, it seems we often hit the "not

supported" issue.

I often wish IBM would build in a Linux server as part of every system

to cover these missing pieces, because my customers just don't get
"you need to buy more" or"do more" or "put in another server" to do

something.

This was not my issue, I was merely commenting on someone else's

problem.

My problem lately is to support authenticated smtp to php running on
the i...
</rant>
Jim Franz

---- "Haas wrote:

<rant>
One thing I don't understand is why there is so much reliance on IBM

to do *everything* for the i. The whole reason this is available on
Windows and *nix platforms is because someone took the time to develop
it in the first place and port it to the platforms it has binaries for.
This doesn't appear to be vendor driven at all.

It seems to me like a lot of the i's image problems are caused by

people's unwillingness to do things for themselves. It's great when IBM
delivers things but the basic building blocks to do pretty much anything
are already there and IBM provides guides (and even help in some cases)
on porting software from other platforms so why not give it a try and
see what happens? Worst case is it doesn't work and you'll have to find
another solution.

</rant>

Matt

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Jim Franz
Sent: Tuesday, February 10, 2009 9:37 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] mod_security for Apache

perhaps this should be raised with IBM at Common during soundoff.
There have been times when IBM offers more security in the win/unix
versions than in the similar "i" offering - and then says we should
put that win/x stuff in front of our i for secure web serving.
It would truly s*** if a "i" web solution can't pass PCI compliance!
(unless the industry standard best practices PCI way of doing this is

the external appliance?)

Jim Franz

----- Original Message -----
From: "Peter Connell" <Peter.Connell@xxxxxxxxxxxxxxxxx>
To: "Web Enabling the AS400 / iSeries" <web400@xxxxxxxxxxxx>
Sent: Tuesday, February 10, 2009 3:31 PM
Subject: Re: [WEB400] mod_security for Apache

It may come that if mod_security is the most expedient and viable
option but when it comes to a global security solution I prefer to
have someone to follow, not lead.

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Haas, Matt (CL Tech Sv)
Sent: Wednesday, 11 February 2009 9:02 a.m.
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] mod_security for Apache

But isn't that exactly what you're being asked to do?

Matt

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Peter Connell
Sent: Tuesday, February 10, 2009 1:27 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] mod_security for Apache

Yes, one would hope that if was all so easy to take advantage of
such a frequently suggested security module then someone in the
OS400 community would have broken this ground some time ago. There
is always some apprehension in attempting to explain that the most
significant gateway for the enterprise is protected because I
downloaded something from the web.

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Haas, Matt (CL Tech Sv)
Sent: Wednesday, 11 February 2009 0:01
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] mod_security for Apache

You could also download and compile the module. I took a look at the

install documentation and they do not say you have to re-build

Apache.

You could also likely use AIX binaries of this module (and its
dependencies). The InfoCenter has information on building additional

modules for the HTTP server.

Matt

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx
[mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Nathan Andelin
Sent: Tuesday, February 10, 2009 6:53 AM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] mod_security for Apache

From: Peter Connell
If IBM fail to provide a way to implement mod_security then the
other options are installing an application firewall in front ...

Well, at least you have that option.

One other thought that occurred to me was to try running an
open-source version of Apache under PASE - a version that has
mod_security built-in, as a proxy in front of the IBM i HTTP server.

But I know little about getting software to run under PASE.

Does Zend Core come with mod_security?

Nathan.

--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To

post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/web400.

--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe, or
change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/web400.

#####################################################################################
This correspondence is for the named person's use only. It may contain confidential or legally privileged information, or both. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this correspondence in error, please immediately delete it from your system and notify the sender. You must not disclose, copy or rely on any part of this correspondence if you are not the intended recipient. Any views expressed in this message are those of the individual sender, except where the sender expressly, and with authority, states them to be the views of Veda Advantage. If you need assistance, please contact Veda Advantage on either :- Australia 133124 or New Zealand +64 9 367 6200