ModSecurity for Nginx

简介: Announcing the availability of ModSecurity extension for NginxModSecurity for NginxModSe...

Announcing the availability of ModSecurity extension for Nginx

ModSecurity for Nginx

image from wiki.nginx.orgModSecurity for Nginx is a web server plug-in for the Nginx web server platform. This module was created through a collaboration between Trustwave SpiderLabs Research, Microsoft Security Research Center (MSRC), Yandex and community members. With the addition of the Nginx platform to go along with Apache and Microsoft IIS, ModSecurity is now able to run on ~86% of web server platforms (according to Netcraft).

Development Status: BETA

We are actively seeking community testers. If you would like to help with testing, please follow the steps listed here and use the Developer mail-list for discussions.

Downloading

The porting effort to migrate the ModSecurity code to non-Apache platforms required the creation of "standalone" version which includes the Apache Runtime (APR) environment. So, in order to use ModSecurity on Nginx, you must first create the standalone ModSecurity version. You can download the full ModSecurity source code (which includes the Nginx code) from SVN trunk here:

Compiling

The extensibility model of the nginx server does not include dynamically loaded modules, thus ModSecurity must be compiled with the source code of the main server. Since nginx is available on multiple Unix-based platforms (and also on Windows), for now the recommended way of obtaining ModSecurity for nginx is compilation in the designated environment.

The first step in obtaining nginx server with built-in ModSecurity module is building of standalone library containing full ModSecurity with a set of intermediate API (this layer is a common base for IIS version, nginx version, and server-less command line version of ModSecurity). It is recommended to follow the general steps of preparing build environment for ModSecurity and then follow with two simple commands:

~/mod_security$ ./configure --enable-standalone-module
~/mod_security$ make
Once the standalone library is built successfully, one can follow with building the nginx server, following the steps from the nginx build tutorial:
~/nginx-1.2.0$ ./configure --add-module=../mod_security/nginx/modsecurity
~/nginx-1.2.0$ make
~/nginx-1.2.0$ sudo make install

The last command performs server installation on the local machine, which can be either customized or omitted with built binaries packaged or moved to alternative server.

Configuring

The ModSecurity configuration file must be linked in nginx.conf file using the following directives defined by nginx’s ModSecurity extension module:

   server {
        listen       80;
        server_name  localhost;

           location / {
                ModSecurityEnabled on;
                ModSecurityConfig modsecurity.conf;
                ModSecurityPass @backend;
           }

           location @backend {
                proxy_pass http://localhost:8011;
                proxy_read_timeout 180s;
          }
} 
This configures ModSecurity as an Nginx request handler. The updated request flow is now:
request -> modsecurity handler -> backend

You will need to modify the @backend definition to point to your correct back-end web application that Nginx is proxying to. The ModSecurityConfig modsecurity.conf directive lists the configuration file that contains all of your configurations and rules. Important - as opposed to the Apache version where you can dynamically specify multiple ModSecurity config/rule files using Includes, the current Nginx version requires you to put all data into a single file. This is easily accomplished by concatenating the following files into the modsecurity.conf file:

  • ModSecurity modsecurity.conf-recommended file which specifies the recommended default configurations
  • OWASP ModSecurity CRS modsecurity_crs_10_setup.conf file which specifies the main configurations for the CRS
  • OWASP ModSecurity CRS base_rules conf files

After you have concatenated these files into the modsecurity.conf file, you should also copy the OWASP ModSecurity base_rules/*.data files into the same directory so that any @pmFromFile operators can use them. In my initial configuration, I have the SecRuleEngine set to "DetectionOnly" mode.

Starting Nginx with ModSecurity

Once you start Nginx with ModSecurity, you will see the following data in the logs directory:

[root@localhost logs]# pwd
/usr/local/nginx/logs
[root@localhost logs]# ls -l
total 4
-rw-r--r--. 1 root root 0 Sep 28 17:05 access.log
-rw-r--r--. 1 root root 0 Sep 28 17:05 error.log
-rw-r-----. 1 root root 0 Sep 28 17:05 modsec_audit.log
-rw-r-----. 1 root root 0 Sep 28 17:05 modsec_debug.log
-rw-r--r--. 1 root root 6 Sep 28 17:05 nginx.pid

You can monitor the error.log file for any new ModSecurity events.

Testing

In order to test that the Nginx port is working with the OWASP ModSecurity CRS, I sent the following Cross-site Scripting test request:

http://192.168.1.106/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E

I then reviewed the Nginx error.log file and found many CRS alerts:

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\balert\\b\\W*?\\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2047"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\< ?script\\b" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2095"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\balert\\b\\W*?\\(" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2292"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\< ?script\\b" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2356"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2455"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(fromcharcode|alert|eval)\\s*\\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2545"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:<script.*?>)" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2656"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960024-WEB_ATTACK/RESTRICTED_SQL_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: ')</"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>alert('foo')</script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-REQUEST_FILENAME. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958052-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958051-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958120-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958119-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973300-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973307-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:0. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973331-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

I then ran a test to use blocking mode by changing the SecRuleEngine to On, restarted Nginx and resent the request. This time I received the following alert:

2012/09/28 20:43:49 [info] 26259#0: [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 58, SQLi=4, XSS=40): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert(%27foo%27)%3C%2Fscript%3E"] [unique_id "12345"]

As you can see, the request was denied with a 403 HTTP status code due to a high anomaly score.

Outstanding Development Items

As you can see, we have made a tremendous amount of progress on the Nginx port of ModSecurity. That being said, there is still work to be done. One area that is not yet implemented is inspection of outbound response data. We also need help with load testing for performance and validating that all ModSecurity features work as expected.

Please help us by downloading and testing!

目录
相关文章
|
1月前
|
负载均衡 应用服务中间件 nginx
|
20天前
|
缓存 Unix 应用服务中间件
|
8月前
|
应用服务中间件 Linux nginx
nginx + geoip2简明配置
有时候需要nginx结合IP地址库做一些事情,比如过滤掉某个国家的IP,该如何做呢?
352 0
|
1月前
|
应用服务中间件 nginx C++
nginx: [emerg] unknown directive “rtmp“ in ./../conf/nginx.conf:16
nginx: [emerg] unknown directive “rtmp“ in ./../conf/nginx.conf:16
|
1月前
|
前端开发 安全 应用服务中间件
|
10月前
|
负载均衡 应用服务中间件 nginx
|
12月前
|
缓存 负载均衡 算法
Nginx介绍
Nginx介绍
115 0
|
网络协议 应用服务中间件 网络安全
Nginx 实现OCSP Stapling
详解Nginx 如何实现OCSP Stapling
843 0
|
缓存 负载均衡 算法
Nginx服务详细介绍
Nginx是lgor Sysoev为俄罗斯访问量第二的rambler.ru站点设计开发的。从2004年发布至今,凭借开源的力量,已经接近成熟与完善。Nginx功能丰富,可作为HTTP服务器,也可作为反向代理服务器,邮件服务器。
|
应用服务中间件 数据库 nginx
Nginx之14斗转星移 - (GeoIP)
Nginx从入门到深入之GeoIP
2158 0

热门文章

最新文章