Announcing the availability of ModSecurity extension for Nginx

ModSecurity for Nginx

ModSecurity for Nginx is a web server plug-in for the Nginx web server platform. This module was created through a collaboration between Trustwave SpiderLabs Research, Microsoft Security Research Center (MSRC), Yandex and community members. With the addition of the Nginx platform to go along with Apache and Microsoft IIS, ModSecurity is now able to run on ~86% of web server platforms (according to Netcraft).

Development Status: BETA

We are actively seeking community testers. If you would like to help with testing, please follow the steps listed here and use the Developer mail-list for discussions.

Downloading

The porting effort to migrate the ModSecurity code to non-Apache platforms required the creation of "standalone" version which includes the Apache Runtime (APR) environment. So, in order to use ModSecurity on Nginx, you must first create the standalone ModSecurity version. You can download the full ModSecurity source code (which includes the Nginx code) from SVN trunk here:

Compiling

The extensibility model of the nginx server does not include dynamically loaded modules, thus ModSecurity must be compiled with the source code of the main server. Since nginx is available on multiple Unix-based platforms (and also on Windows), for now the recommended way of obtaining ModSecurity for nginx is compilation in the designated environment.

The first step in obtaining nginx server with built-in ModSecurity module is building of standalone library containing full ModSecurity with a set of intermediate API (this layer is a common base for IIS version, nginx version, and server-less command line version of ModSecurity). It is recommended to follow the general steps of preparing build environment for ModSecurity and then follow with two simple commands:

~/mod_security$ ./configure --enable-standalone-module

~/mod_security$ make

Once the standalone library is built successfully, one can follow with building the nginx server, following the steps from the nginx build tutorial:

~/nginx-1.2.0$ ./configure --add-module=../mod_security/nginx/modsecurity

~/nginx-1.2.0$ make

~/nginx-1.2.0$ sudo make install

The last command performs server installation on the local machine, which can be either customized or omitted with built binaries packaged or moved to alternative server.

Configuring

The ModSecurity configuration file must be linked in nginx.conf file using the following directives defined by nginx’s ModSecurity extension module:

   server {

        listen       80;

        server_name  localhost;

           location / {

                ModSecurityEnabled on;

                ModSecurityConfig modsecurity.conf;

                ModSecurityPass @backend;

           }

           location @backend {

                proxy_pass http://localhost:8011;

                proxy_read_timeout 180s;

          }

}

This configures ModSecurity as an Nginx request handler. The updated request flow is now:

request -> modsecurity handler -> backend

You will need to modify the @backend definition to point to your correct back-end web application that Nginx is proxying to. The ModSecurityConfig modsecurity.conf directive lists the configuration file that contains all of your configurations and rules. Important - as opposed to the Apache version where you can dynamically specify multiple ModSecurity config/rule files using Includes, the current Nginx version requires you to put all data into a single file. This is easily accomplished by concatenating the following files into the modsecurity.conf file:

  • ModSecurity modsecurity.conf-recommended file which specifies the recommended default configurations
  • OWASP ModSecurity CRS modsecurity_crs_10_setup.conf file which specifies the main configurations for the CRS
  • OWASP ModSecurity CRS base_rules conf files

After you have concatenated these files into the modsecurity.conf file, you should also copy the OWASP ModSecurity base_rules/*.data files into the same directory so that any @pmFromFile operators can use them. In my initial configuration, I have the SecRuleEngine set to "DetectionOnly" mode.

Starting Nginx with ModSecurity

Once you start Nginx with ModSecurity, you will see the following data in the logs directory:

[root@localhost logs]# pwd

/usr/local/nginx/logs

[root@localhost logs]# ls -l

total 4

-rw-r--r--. 1 root root 0 Sep 28 17:05 access.log

-rw-r--r--. 1 root root 0 Sep 28 17:05 error.log

-rw-r-----. 1 root root 0 Sep 28 17:05 modsec_audit.log

-rw-r-----. 1 root root 0 Sep 28 17:05 modsec_debug.log

-rw-r--r--. 1 root root 6 Sep 28 17:05 nginx.pid

You can monitor the error.log file for any new ModSecurity events.

Testing

In order to test that the Nginx port is working with the OWASP ModSecurity CRS, I sent the following Cross-site Scripting test request:

http://192.168.1.106/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E

I then reviewed the Nginx error.log file and found many CRS alerts:

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\balert\\b\\W*?\\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2047"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\< ?script\\b" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2095"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\balert\\b\\W*?\\(" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2292"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\< ?script\\b" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2356"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2455"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(fromcharcode|alert|eval)\\s*\\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2545"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:<script.*?>)" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2656"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960024-WEB_ATTACK/RESTRICTED_SQL_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: ')</"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>alert('foo')</script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-REQUEST_FILENAME. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958052-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958051-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958120-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958119-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973300-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973307-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:0. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973331-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

I then ran a test to use blocking mode by changing the SecRuleEngine to On, restarted Nginx and resent the request. This time I received the following alert:

2012/09/28 20:43:49 [info] 26259#0: [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 58, SQLi=4, XSS=40): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert(%27foo%27)%3C%2Fscript%3E"] [unique_id "12345"]

As you can see, the request was denied with a 403 HTTP status code due to a high anomaly score.

Outstanding Development Items

As you can see, we have made a tremendous amount of progress on the Nginx port of ModSecurity. That being said, there is still work to be done. One area that is not yet implemented is inspection of outbound response data. We also need help with load testing for performance and validating that all ModSecurity features work as expected.

Please help us by downloading and testing!

ModSecurity for Nginx的更多相关文章

  1. Centos7.4 modsecurity with nginx 安装

    1.准备: 系统环境:Centos7.4 软件及版本: nginx:OpenResty1.13.6.1 ModSecurity:ModSecurity v3.0.0rc1 (Linux) modsec ...

  2. nginx配合modsecurity实现WAF功能

    一.准备工作 系统:centos 7.2 64位.nginx1.10.2, modsecurity2.9.1 owasp3.0 1.nginx:http://nginx.org/download/ng ...

  3. [development][security][modsecurity][nginx] nginx / modsecurity development things

    接续前节:[security][modsecurity][nginx] nginx 与 modsecurity nginx开发手册:https://nginx.org/en/docs/dev/deve ...

  4. [security][modsecurity][nginx] nginx 与 modsecurity

    参考文档: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#installation-for-nginx nginx不支 ...

  5. ningx配置ModSecurity重启出现兼容性问题:ModSecurity: Loaded PCRE do not match with compiled!的解决方法

    nginx开启错误日志,然后重启nginx,出现如下信息: 2016/12/03 09:40:38 [notice] 18858#0: ModSecurity for nginx (STABLE)/2 ...

  6. Nginx1.14.0+ModSecurity实现简单的WAF

    一.编译安装Nginx 1.安装依赖环境 $ yum -y install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel ...

  7. OWASP ModSecurity Core Rule Set (CRS)的基本使用

    Preface 前述文章开源WAF工具ModSecurity,介绍了ModSecurity作为Nginx的动态加载模块的基本安装和使用. 本篇简单介绍ModSecurity CRS规则集的使用. # ...

  8. ModSecurity:一款优秀的开源WAF

    一.ModSecurity3.0介绍 ModSecurity是一个开源的跨平台Web应用程序防火墙(WAF)引擎,用于Apache,IIS和Nginx,由Trustwave的SpiderLabs开发. ...

  9. [security] security engine things

    1. luarock luarock 之于 lua,就好比 pip 之于 python https://luarocks.org/ 2.  lua的库 [root@base package]# ls ...

随机推荐

  1. POJ3295——Tautology

    Tautology Description WFF 'N PROOF is a logic game played with dice. Each die has six faces represen ...

  2. poj3034Whac-a-Mole(dp)

    链接 状态转移好想 不过有坑 大家都犯的错误 我也会犯 很正常 就是锤子可以移到n*n以外  要命的是我只加了5 以为最多不会超过5  WA了N久  才想到 上下两方向都可以到5 所以最多加10 以时 ...

  3. sencha touch2 动画问题

    最近在review一个项目的代码, 发现返回操作比较乱,很多"从哪里来,到哪里去的操作"被写的一塌糊涂; 按照ios系统的进场出场动画(人家的体验还是很好的,必须借鉴)为标准,使用 ...

  4. 算法的时间复杂度(大O表示法)

    定义:如果一个问题的规模是n,解这一问题的某一算法所需要的时间为T(n),它是n的某一函数 T(n)称为这一算法的“时间复杂性”. 当输入量n逐渐加大时,时间复杂性的极限情形称为算法的“渐近时间复杂性 ...

  5. Java [leetcode 13] Roman to Integer

    问题描述: Given a roman numeral, convert it to an integer. Input is guaranteed to be within the range fr ...

  6. oracle导入到Excel

    一.从oracle到处数据到excel文件方法一.直接从PL/SQL中,全选数据,然后复制粘贴到excel中: 方法二.同样是通过PL/SQL,在数据列中,点击右键-->导出结果-->选择 ...

  7. GRIB格式转换心得(转自博客:http://windforestwing.blog.163.com/blog/static/19545412007103084743804/)

    1.wgrib的使用 在cmd命令行下键入wgrib后即可察看wgrib相关命令参数,简要介绍如下: l        Inventory/diagnostic–output selections 详 ...

  8. CSS布局中——导航是非常常见的

    导航绝对是页面布局中最常见的,为了不用每次去写,稍微贴个简单的导航模版出来,方便以后使用. <title>CSS菜单</title> <style type=" ...

  9. 说下 winOS / IOS / android /Linux 视频、音频 编码解码问题

    最近有朋友遇到一个问题, ios 上传视频文件,想在本地压缩下,然后再上传到服务器. 问有没有什么 视频处理的库, 最近Khronos的webgl 支持HTML5 ,(原理 WebGL 是openGL ...

  10. Java was started but returned exit code=13 C:\ProgramData\Oracle\Java\javapath\javaw.exe

    ---------------------------Eclipse---------------------------Java was started but returned exit code ...