Announcing the availability of ModSecurity extension for Nginx

ModSecurity for Nginx

ModSecurity for Nginx is a web server plug-in for the Nginx web server platform. This module was created through a collaboration between Trustwave SpiderLabs Research, Microsoft Security Research Center (MSRC), Yandex and community members. With the addition of the Nginx platform to go along with Apache and Microsoft IIS, ModSecurity is now able to run on ~86% of web server platforms (according to Netcraft).

Development Status: BETA

We are actively seeking community testers. If you would like to help with testing, please follow the steps listed here and use the Developer mail-list for discussions.

Downloading

The porting effort to migrate the ModSecurity code to non-Apache platforms required the creation of "standalone" version which includes the Apache Runtime (APR) environment. So, in order to use ModSecurity on Nginx, you must first create the standalone ModSecurity version. You can download the full ModSecurity source code (which includes the Nginx code) from SVN trunk here:

Compiling

The extensibility model of the nginx server does not include dynamically loaded modules, thus ModSecurity must be compiled with the source code of the main server. Since nginx is available on multiple Unix-based platforms (and also on Windows), for now the recommended way of obtaining ModSecurity for nginx is compilation in the designated environment.

The first step in obtaining nginx server with built-in ModSecurity module is building of standalone library containing full ModSecurity with a set of intermediate API (this layer is a common base for IIS version, nginx version, and server-less command line version of ModSecurity). It is recommended to follow the general steps of preparing build environment for ModSecurity and then follow with two simple commands:

~/mod_security$ ./configure --enable-standalone-module

~/mod_security$ make

Once the standalone library is built successfully, one can follow with building the nginx server, following the steps from the nginx build tutorial:

~/nginx-1.2.0$ ./configure --add-module=../mod_security/nginx/modsecurity

~/nginx-1.2.0$ make

~/nginx-1.2.0$ sudo make install

The last command performs server installation on the local machine, which can be either customized or omitted with built binaries packaged or moved to alternative server.

Configuring

The ModSecurity configuration file must be linked in nginx.conf file using the following directives defined by nginx’s ModSecurity extension module:

   server {

        listen       80;

        server_name  localhost;

           location / {

                ModSecurityEnabled on;

                ModSecurityConfig modsecurity.conf;

                ModSecurityPass @backend;

           }

           location @backend {

                proxy_pass http://localhost:8011;

                proxy_read_timeout 180s;

          }

}

This configures ModSecurity as an Nginx request handler. The updated request flow is now:

request -> modsecurity handler -> backend

You will need to modify the @backend definition to point to your correct back-end web application that Nginx is proxying to. The ModSecurityConfig modsecurity.conf directive lists the configuration file that contains all of your configurations and rules. Important - as opposed to the Apache version where you can dynamically specify multiple ModSecurity config/rule files using Includes, the current Nginx version requires you to put all data into a single file. This is easily accomplished by concatenating the following files into the modsecurity.conf file:

  • ModSecurity modsecurity.conf-recommended file which specifies the recommended default configurations
  • OWASP ModSecurity CRS modsecurity_crs_10_setup.conf file which specifies the main configurations for the CRS
  • OWASP ModSecurity CRS base_rules conf files

After you have concatenated these files into the modsecurity.conf file, you should also copy the OWASP ModSecurity base_rules/*.data files into the same directory so that any @pmFromFile operators can use them. In my initial configuration, I have the SecRuleEngine set to "DetectionOnly" mode.

Starting Nginx with ModSecurity

Once you start Nginx with ModSecurity, you will see the following data in the logs directory:

[root@localhost logs]# pwd

/usr/local/nginx/logs

[root@localhost logs]# ls -l

total 4

-rw-r--r--. 1 root root 0 Sep 28 17:05 access.log

-rw-r--r--. 1 root root 0 Sep 28 17:05 error.log

-rw-r-----. 1 root root 0 Sep 28 17:05 modsec_audit.log

-rw-r-----. 1 root root 0 Sep 28 17:05 modsec_debug.log

-rw-r--r--. 1 root root 6 Sep 28 17:05 nginx.pid

You can monitor the error.log file for any new ModSecurity events.

Testing

In order to test that the Nginx port is working with the OWASP ModSecurity CRS, I sent the following Cross-site Scripting test request:

http://192.168.1.106/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E

I then reviewed the Nginx error.log file and found many CRS alerts:

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\balert\\b\\W*?\\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2047"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\< ?script\\b" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2095"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\balert\\b\\W*?\\(" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2292"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\< ?script\\b" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2356"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2455"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(fromcharcode|alert|eval)\\s*\\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2545"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:<script.*?>)" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2656"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960024-WEB_ATTACK/RESTRICTED_SQL_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: ')</"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>alert('foo')</script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-REQUEST_FILENAME. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958052-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958051-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958120-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958119-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973300-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973307-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:0. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973331-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

I then ran a test to use blocking mode by changing the SecRuleEngine to On, restarted Nginx and resent the request. This time I received the following alert:

2012/09/28 20:43:49 [info] 26259#0: [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 58, SQLi=4, XSS=40): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert(%27foo%27)%3C%2Fscript%3E"] [unique_id "12345"]

As you can see, the request was denied with a 403 HTTP status code due to a high anomaly score.

Outstanding Development Items

As you can see, we have made a tremendous amount of progress on the Nginx port of ModSecurity. That being said, there is still work to be done. One area that is not yet implemented is inspection of outbound response data. We also need help with load testing for performance and validating that all ModSecurity features work as expected.

Please help us by downloading and testing!

ModSecurity for Nginx的更多相关文章

  1. Centos7.4 modsecurity with nginx 安装

    1.准备: 系统环境:Centos7.4 软件及版本: nginx:OpenResty1.13.6.1 ModSecurity:ModSecurity v3.0.0rc1 (Linux) modsec ...

  2. nginx配合modsecurity实现WAF功能

    一.准备工作 系统:centos 7.2 64位.nginx1.10.2, modsecurity2.9.1 owasp3.0 1.nginx:http://nginx.org/download/ng ...

  3. [development][security][modsecurity][nginx] nginx / modsecurity development things

    接续前节:[security][modsecurity][nginx] nginx 与 modsecurity nginx开发手册:https://nginx.org/en/docs/dev/deve ...

  4. [security][modsecurity][nginx] nginx 与 modsecurity

    参考文档: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#installation-for-nginx nginx不支 ...

  5. ningx配置ModSecurity重启出现兼容性问题:ModSecurity: Loaded PCRE do not match with compiled!的解决方法

    nginx开启错误日志,然后重启nginx,出现如下信息: 2016/12/03 09:40:38 [notice] 18858#0: ModSecurity for nginx (STABLE)/2 ...

  6. Nginx1.14.0+ModSecurity实现简单的WAF

    一.编译安装Nginx 1.安装依赖环境 $ yum -y install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel ...

  7. OWASP ModSecurity Core Rule Set (CRS)的基本使用

    Preface 前述文章开源WAF工具ModSecurity,介绍了ModSecurity作为Nginx的动态加载模块的基本安装和使用. 本篇简单介绍ModSecurity CRS规则集的使用. # ...

  8. ModSecurity:一款优秀的开源WAF

    一.ModSecurity3.0介绍 ModSecurity是一个开源的跨平台Web应用程序防火墙(WAF)引擎,用于Apache,IIS和Nginx,由Trustwave的SpiderLabs开发. ...

  9. [security] security engine things

    1. luarock luarock 之于 lua,就好比 pip 之于 python https://luarocks.org/ 2.  lua的库 [root@base package]# ls ...

随机推荐

  1. POJ2586——Y2K Accounting Bug

    Y2K Accounting Bug   Description Accounting for Computer Machinists (ACM) has sufferred from the Y2K ...

  2. Android 签名(6)编译时源码的签名

    1,使用源码中的默认签名 在源码中编译一般都使用默认签名的,在某源码目录中用运行下面命令能看到签名命令. $ mm showcommands Android提供了签名的程序signapk.jar,用法 ...

  3. C#.Net 如何动态加载与卸载程序集(.dll或者.exe)5-----Assembly.Unload

    http://www.blogcn.com/user8/flier_lu/index.html?id=2164751&run=.04005F8 CLR 产品单元经理(Unit Manager) ...

  4. js createElement

      http://www.w3schools.com/js/js_htmldom_nodes.asp var child = document.getElementById("p1" ...

  5. 1890. Money out of Thin Air(线段树 dfs转换区间)

    1890 将树的每个节点都转换为区间的形式 然后再利用线段树对结点更新 这题用了延迟标记 相对普通线段树 多了dfs的转换 把所要求的转换为某段区间 RE了N次 最后没办法了 记得有个加栈的语句 拿来 ...

  6. 谈谈Runtime类中的freeMemory,totalMemory,maxMemory等几个方法

    最近在网上看到一些人讨论到java.lang.Runtime类中的freeMemory(),totalMemory(),maxMemory ()这几个方法的一些问题,很多人感到很疑惑,为什么,在jav ...

  7. poj3265

    考状态的dp 我的方法可能比较奇怪 设f[i,j]表示第i个月解决j个问题可以最多解决到第几个问题 容易知道,答案(月份)不会超过2n+1: f[i,j]=max(f[i-1,k]+j) 复杂度为O( ...

  8. 【转】第一个Linux内核驱动程序

    原文网址:http://blog.csdn.net/nexttake/article/details/8181008 刚看 O’REILLY 写的<LINUX 设备驱动程序>时.作者一再强 ...

  9. 【转】Android之NDK开发

    原文网址:http://www.cnblogs.com/devinzhang/archive/2012/02/29/2373729.html 一.NDK产生的背景 Android平台从诞生起,就已经支 ...

  10. kettle作业(job)调用转换,设置变量,写日志到数据库中【转】

    首先建立转换:从数据库表到日志 表输入的设置:   日志设置:   新建job:     转换选择刚才建好的输出日志转换.变量设置如下: 此ID就是转换中的${ID},执行job,可以看到控制台输出日 ...