Christian Folini gave a presentation on optimizing ModSecurity on NGINX and NGINX Plus. Some key points:
- ModSecurity is an open source web application firewall that provides a rule-based system. The OWASP ModSecurity Core Rule Set (CRS) is the default rule set that blocks over 80% of attacks.
- To use ModSecurity with NGINX, one must compile ModSecurity 3.0 and the ModSecurity NGINX connector module, then compile NGINX with the connector. Alternatively, precompiled binaries are available with NGINX Plus.
- Initial optimization steps include adjusting the anomaly threshold, learning to read logs using aliases, and handling false positives by
2. Christian Folini
PhD in Medieval History
Program chair Swiss Cyber Storm Conf
Working with ModSecurity since 2006
Co-Lead of
OWASP ModSec Core Rule Set Project
Author of “ModSecurity Handbook” 2ed
2
Replace box with
photo then send to
back
3. Program
Introduction to ModSecurity
Introduction to the OWASP ModSec Core Rule Set
How to get this up an running on NGINX
First steps at optimizing your setup
3
5. ModSecurity – Brief History
Started in 2002 by Ivan Ristić
Apache license since 2010
V3.0 in December 2017
Originally: Apache Module
Now: Server independent
Small dev team: Trustwave
5
6. “ModSecurity is not a high-flying, cloud-
enabled, machine-learning mastermind.
It is better to think of ModSecurity as of a
mechanical watch. ”
– Christian Folini
6
7. ModSecurity – Key Features
Above all: Rule language
XML Schema validation
GeoIP Lookup
Remote Blacklist Support
CSRF Token Injection
...
7
9. ModSecurity – Domain Specific Language
About 70 Actions
deny
drop
pass
pause
redirect
chain
setenv
setvar
expirevar
skipAfter
multiMatch
...
9
10. ModSecurity – Rule Example I
10
Whitelisting rule allowing only parameter “firstname” matching a
predefined pattern:
SecRule ARGS:firstname "!@rx ^[a-zA-Z-]*$" "id:1000,deny"
11. ModSecurity – Rule Example II
11
Blacklisting rule making sure parameters are submitted only once
per request (HTTP Parameter Pollution):
SecRule ARGS_NAMES "@unconditionalMatch" "id:1001,pass,
setvar:'TX.counter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/counter_.*/ "@gt 1" "id:1002,deny"
16. “The OWASP ModSecurity Core Rule Set is the
standard rule set used with ModSecurity.
It is the 1st
line of defense against attacks as
those described by the OWASP Top Ten.”
– Christian Folini
16
17. CRS – Key Features
Generic Blacklisting rule set
Scoring Mechanism
Variable Anomaly Thresholds
Paranoia Levels to adjust
aggressiveness of rules
Low rate of False Positives per
default
17
22. CRS – Paranoia Level Overview
22
Paranoia Level 1: Basic security
Minimal amount of False Positives
Paranoia Level 2: Elevated security level
More rules, fair amount of FPs
Paranoia Level 3: Online banking level security
Specialised rules, more FPs
Paranoia Level 4: Nuclear power plant level security
Insane rules, lots of FPs
23. Summary
23
ModSecurity is the ENGINE.
CRS is the default RULE SET that runs on top
of the engine. By default, it blocks over 80%.
With 3.0, ModSecurity / NGINX is ready for PRIME TIME.
25. ModSec on NGINX: Installation
25
ModSecurity 2.x was never really stable on NGINX
ModSecurity 3.0 only came out in December 2017
3.0 is not yet packaged by distributions
Compile it yourself
Get a precompiled binary with your
NGINX Plus WAF subscription
26. ModSec on NGINX: Basic Architecture
26
NGINX Server
ModSecurity Connector
libModSecurity 3.0
(standalone)
API
27. ModSec on NGINX: Compilation Overview
27
Compile ModSecurity 3.0
Create connector config file
Compile NGINX together with connector module
28. ModSec on NGINX: Compilation ModSec 3.0
28
Download from
https://github.com/SpiderLabs/ModSecurity/
releases/download/v3.0.0/
./configure --prefix=/opt/modsecurity-3.0.0
--enable-mutex-on-pm
make
make install
29. ModSec on NGINX: Connector Configuration
29
Download from
https://github.com/SpiderLabs/ModSecurity-
nginx/releases/download/v1.0.0/
Adopt paths in file “config”
Watch out for the following variables:
ngx_feature_path
ngx_feature_libs
31. ModSec on NGINX: Download Binaries
31
Download and Installation Guides for NGINX Plus at
https://www.nginx.com/resources/admin-guide/
32. ModSec on NGINX: Advantages of NGINX Plus WAF
32
Binaries guaranteed to work with your OS
LoadBalancer included
Content Cache preconfigured (includes Purging API)
Session Persistence
JWT / OpenID Connect authentication
Additional products fitting the environment
33. ModSec on NGINX: CRS Quick Installation
33
Please follow the INSTALL file or NGINX Admin Guide
for proper CRS installation. This here is a quick demo.
Download from
https://github.com/SpiderLabs/owasp-
modsecurity-crs/releases/tag/v3.0.2
Untar
Copy crs-setup.conf.example to crs-setup.conf
34. ModSec on NGINX: CRS Inclusion in nginx.conf
34
# Include OWASP ModSec CRS3
Include /path-to-crs/crs-setup.conf
Include /path-to-crs/rules/*.conf
38. Optimization: Learn to read the logs I
38
ModSecurity Alerts very hard to read. Aliases to the rescue!
Go to: https://www.netnea.com/cms/apache-tutorials/
Download .apache-modsec.alias
Nevermind this was written for Apache.
The aliases work on NGINX too.
39. Optimization: Learn to read the logs II
39
$> cat error.log | melidmsg
920273 Invalid character in request (outside of very strict set)
942100 SQL Injection Attack Detected via libinjection
942130 SQL Injection Attack: SQL Tautology Detected.
942180 Detects basic SQL authentication bypass attempts 1/3
...
41. Let NGINX Amplify help you monitor the logs
41
Visualize Alerts / Logs
Get notified in realtime
Keep an eye on performance
42. Optimization : Adjust Anomaly Threshold
Always work in Blocking Mode
Start with a high anomaly
threshold
Handle False Positives
Lower threshold step by step
Run over 3 – 5 iterations
42
43. Optimization: Adjust Anomaly Threshold
43
File crs-setup.conf
# Uncomment this rule to change the defaults:
#
SecAction
"id:900110,
phase:1,
nolog,
pass,
t:none,
setvar:tx.inbound_anomaly_score_threshold=1000,
setvar:tx.outbound_anomaly_score_threshold=1000"
44. Optimization : Learn to handle False Positives
Remove Rule at Startup
Remove arg for rule at startup
Remove rule for rule at
runtime for given path
Remove arg for rule at
runtime for given path 44
Four basic ways to handle a
False Positive
45. Photos and other resources
45
Watch: https://www.flickr.com/photos/billadler/391674817
Limbo: https://www.flickr.com/photos/jdhancock/3605011903
CRS Release Poster: https://coreruleset.org/poster/
ModSecurity Cheatsheet:
https://netnea.com/cms/rule-exclusion-cheatsheet-download/
Aliases: https://netnea.com/cms/apache-tutorials/
Tutorials for Handling False Positives:
https://netnea.com/cms/apache-tutorials/
All Resources with exception of the Cheatsheet are released under a
Creative Commons license.
46. More from Christian Folini
Follow me on twitter at @ChrFolini
ModSecurity / CRS courses
in Frankfurt and Zurich, Switzerland
https://www.feistyduck.com
ModSecurity Handbook
https://www.feistyduck.com
Blogging at https://netnea.com and
https://coreruleset.org
46
47. Future ModSecurity Course Sites
New York
San Francisco Please get in touch via
Amsterdam folini@netnea.com
Geneva or @ChrFolini on twitter
Barcelona
Milano
47
If there is interest, we will do future
courses in: