Optimizing ModSecurity on NGINX and NGINX Plus
Christian Folini
January 9, 2018
Christian Folini
• PhD in Medieval History
• Program chair, Swiss Cyber Storm conference
• Working with ModSecurity since 2006
• Co-lead of the OWASP ModSecurity Core Rule Set project
• Author of “ModSecurity Handbook”, 2nd edition
Program
• Introduction to ModSecurity
• Introduction to the OWASP ModSecurity Core Rule Set
• How to get this up and running on NGINX
• First steps at optimizing your setup
Introduction to ModSecurity
ModSecurity – Brief History
• Started in 2002 by Ivan Ristić
• Apache license since 2010
• Version 3.0 released in December 2017
• Originally an Apache module
• Now server independent: 3.0 is a standalone library (libModSecurity) that a web server attaches to via a connector module
• Small development team at Trustwave
“ModSecurity is not a high-flying, cloud-enabled, machine-learning mastermind. It is better to think of ModSecurity as a mechanical watch.”
– Christian Folini
ModSecurity – Key Features
• Above all: the rule language
• XML schema validation
• GeoIP lookup
• Remote blacklist support
• CSRF token injection
• ...
ModSecurity – Domain Specific Language
Over 100 variables, for example:
• REQUEST_URI
• ARGS_POST
• REMOTE_USER
• RESPONSE_STATUS
• persistent session variables
• ...
Over 30 operators, for example:
• @rx (regular expression match)
• @eq, @gt, @lt, ...
• @containsWord
• @ipMatchFromFile
• @validateByteRange
• ...
ModSecurity – Domain Specific Language
About 70 actions, for example:
• deny
• drop
• pass
• pause
• redirect
• chain
• setenv
• setvar
• expirevar
• skipAfter
• multiMatch
• ...
ModSecurity – Rule Example I
Whitelisting rule allowing only a parameter “firstname” that matches a predefined pattern; the request is denied as soon as the value contains anything other than letters and hyphens:
SecRule ARGS:firstname "!@rx ^[a-zA-Z-]*$" "id:1000,deny"
ModSecurity – Rule Example II
Blacklisting rule making sure every parameter is submitted only once per request (HTTP Parameter Pollution). The first rule increments a transaction variable for each parameter name it sees; the second denies the request as soon as any of these counters exceeds 1:
SecRule ARGS_NAMES "@unconditionalMatch" "id:1001,pass,setvar:'TX.counter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/counter_.*/ "@gt 1" "id:1002,deny"
Introduction to the OWASP ModSecurity Core Rule Set
CRS – Brief History
• Started in 2006 by Ofer Shezaf
• Apache license
• Team of 10 developers
• v3.0 / CRS3 released in November 2016
“The OWASP ModSecurity Core Rule Set is the standard rule set used with ModSecurity. It is the 1st line of defense against attacks such as those described by the OWASP Top Ten.”
– Christian Folini
CRS – Key Features
• Generic blacklisting rule set
• Scoring mechanism (anomaly scoring)
• Variable anomaly thresholds
• Paranoia levels to adjust the aggressiveness of the rules
• Low rate of false positives by default
CRS – Rule Example: SQL Injection
Rules that fire on a typical SQL injection payload, each adding to the anomaly score of the request:
• 920273 : Invalid character in request (outside of very strict set)
• 942100 : SQL Injection Attack Detected via libinjection
• 942130 : SQL Injection Attack: SQL Tautology Detected.
• 942180 : Detects basic SQL authentication bypass attempts 1/3
• 942390 : SQL Injection Attack
• 942432 : Restricted SQL Character Anomaly Detection (args)
CRS – Anomaly Scoring
Anomaly scoring is like challenging attacking Storm Troopers to do a limbo dance: every rule that matches adds its severity score to the request, and the request is only blocked once the total reaches the configured threshold.
CRS – Overview of Rule Groups
Incoming requests:
• Scanner detection
• Protocol enforcement
• Local File Inclusion attacks
• Remote Command Execution
• Cross Site Scripting attacks
• SQL Injection attacks
• ...
Outgoing responses (response inspection not supported on NGINX):
• SQL data leakages
• Java data leakages
• PHP data leakages
• IIS data leakages
• ...
[Chart: attack categories Redir., RFI, LFI, XSS and SQLi found by Burp without a WAF versus with the CRS3 default install. The percentages given on the slide for the CRS3 default install, in that order: 0%, 0%, -100%, -82%, -100%. Research based on 4.5M Burp requests.]
CRS – Paranoia Level Overview
• Paranoia Level 1: basic security; minimal amount of false positives
• Paranoia Level 2: elevated security level; more rules, fair amount of FPs
• Paranoia Level 3: online banking level security; specialised rules, more FPs
• Paranoia Level 4: nuclear power plant level security; insane rules, lots of FPs
Summary
• ModSecurity is the ENGINE.
• CRS is the default RULE SET that runs on top of the engine. In its default install it blocks over 80% (see the Burp research above).
• With 3.0, ModSecurity / NGINX is ready for PRIME TIME.
How to get this up and running on NGINX
ModSec on NGINX: Installation
• ModSecurity 2.x was never really stable on NGINX
• ModSecurity 3.0 only came out in December 2017
• 3.0 is not yet packaged by distributions (as of this talk, January 2018)
• Option 1: compile it yourself
• Option 2: get a precompiled binary with your NGINX Plus WAF subscription
ModSec on NGINX: Basic Architecture
[Diagram: NGINX server → ModSecurity connector (the ModSecurity-nginx module) → API → libModSecurity 3.0 (standalone library)]
ModSec on NGINX: Compilation Overview
• Compile ModSecurity 3.0 (libModSecurity)
• Adapt the connector's config file
• Compile NGINX together with the connector module
ModSec on NGINX: Compiling ModSecurity 3.0
• Download from https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.0/
• ./configure --prefix=/opt/modsecurity-3.0.0 --enable-mutex-on-pm
• make
• make install
The release tarball already contains the configure script; a git checkout needs ./build.sh first to generate it.
ModSec on NGINX: Connector Configuration
• Download from https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.0/
• Adapt the paths in the file “config”. Watch out for the following variables:
  ngx_feature_path
  ngx_feature_libs
  They must point to the include and library directories of the ModSecurity 3.0 installation from the previous step (under /opt/modsecurity-3.0.0 in this example). Alternatively, the config file picks these locations up from the MODSECURITY_INC and MODSECURITY_LIB environment variables.
ModSec: Compile NGINX with the Connector
• ./configure --prefix=/opt/nginx-1.13.8 … --add-module=/usr/src/modsecurity/modsecurity-nginx-v1.0.0 ...
The “…” stands for the remaining configure options of your NGINX build. NGINX 1.11.5 and later can also build the connector as a dynamic module (--add-dynamic-module instead of --add-module, plus a load_module line in nginx.conf), which is the route the NGINX admin guide takes.
ModSec on NGINX: Download Binaries
• Download and installation guides for NGINX Plus at https://www.nginx.com/resources/admin-guide/
ModSec on NGINX: Advantages of NGINX Plus WAF
• Binaries guaranteed to work with your OS
• Load balancer included
• Content cache preconfigured (includes purging API)
• Session persistence
• JWT / OpenID Connect authentication
• Additional products fitting the environment
ModSec on NGINX: CRS Quick Installation
Please follow the INSTALL file or the NGINX Admin Guide for a proper CRS installation. This here is a quick demo.
• Download from https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/v3.0.2
• Untar
• Copy crs-setup.conf.example to crs-setup.conf
ModSec on NGINX: CRS Inclusion
# Include OWASP ModSec CRS3
Include /path-to-crs/crs-setup.conf
Include /path-to-crs/rules/*.conf
Include is a ModSecurity directive, not an NGINX one. These two lines belong in the ModSecurity rules file that nginx.conf references through the connector's modsecurity_rules_file directive (after the base modsecurity.conf), not in nginx.conf itself, where they would be a syntax error.
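Wiring this up end to end, as an added example that is not from the slides or from the NGINX admin guide: the connector is switched on in nginx.conf and pointed at a ModSecurity rules file, and the CRS Include lines go into that file. The paths /etc/nginx/modsec/ and /usr/local/owasp-modsecurity-crs-3.0.2, and the copy of modsecurity.conf-recommended (shipped in the ModSecurity 3.0 tarball together with unicode.mapping) as /etc/nginx/modsec/modsecurity.conf, are assumptions.

```nginx
# --- /etc/nginx/nginx.conf (excerpt; path assumed) --------------------------
# "modsecurity" and "modsecurity_rules_file" are directives of the
# ModSecurity-nginx connector compiled in on the previous slides.
http {
    server {
        listen       80;
        server_name  localhost;

        modsecurity            on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        location / {
            root /usr/share/nginx/html;
        }
    }
}

# --- /etc/nginx/modsec/main.conf (path assumed) -----------------------------
# This file is parsed by libModSecurity, so ModSecurity directives are valid
# here. The same lines inside nginx.conf would be rejected by nginx -t.

# Base engine settings: copy of modsecurity.conf-recommended from the
# ModSecurity 3.0 tarball, placed next to unicode.mapping (assumed).
Include /etc/nginx/modsec/modsecurity.conf

# modsecurity.conf-recommended ships with "SecRuleEngine DetectionOnly";
# the later directive wins, so this switches the engine to blocking mode.
SecRuleEngine On

# OWASP ModSec CRS3, untarred to the path below (assumed)
Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/*.conf
```

After nginx -t and a reload, a request such as GET /index.html?test=/etc/passwd is blocked with HTTP 403 under the CRS defaults (rule 930120 is of critical severity and adds 5 to the inbound score, which reaches the default inbound threshold of 5) and leaves an alert in the NGINX error log like the one shown on the following slides.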
ModSec on NGINX: Test Attack
[Screenshot. The request that produces the alert on the following slide is GET /index.html?test=/etc/passwd.]
First Steps at Optimizing Your Setup
Example Rule Alert – Right out of Sysadmin Hell
2018/01/09 14:55:50 [info] 1167#1167: *1 ModSecurity: Warning. Matched
"Operator `PmFromFile' with parameter `lfi-os-files.data' against variable
`ARGS:test' (Value: `/etc/passwd' ) [file "/tmp/nginx-crs/rules/REQUEST-930-
APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930120"] [rev "4"] [msg "OS File
Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:test:
/etc/passwd"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "0"] [accuracy
"0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
"attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag
"WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname
"127.0.0.1"] [uri "/index.html"] [unique_id "151550615052.381887"] [ref
"o1,10v21,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"],
client: 127.0.0.1, server: localhost, request: "GET /index.html?test=/etc/passwd
HTTP/1.1", host: "localhost"
Optimization: Learn to read the logs I
• ModSecurity alerts are very hard to read. Aliases to the rescue!
• Go to: https://www.netnea.com/cms/apache-tutorials/
• Download .apache-modsec.alias
Never mind that this was written for Apache: the aliases work on NGINX too, because the connector writes the alert into the NGINX error log with the same bracketed [id "..."] [msg "..."] fields, as the example above shows.
Optimization: Learn to read the logs II
$> cat error.log | melidmsg
920273 Invalid character in request (outside of very strict set)
942100 SQL Injection Attack Detected via libinjection
942130 SQL Injection Attack: SQL Tautology Detected.
942180 Detects basic SQL authentication bypass attempts 1/3
...
Optimization: More aliases in the collection
• meldata
• melidmsg
• melline
• melmsg
• meltags
• melunique_id
• ...
• sucs
• greppl[1-4]
• mappl
• pathsegs[1-5]
• col[1-20]
• swapcolumns
• ...
Let NGINX Amplify help you monitor the logs
• Visualize alerts / logs
• Get notified in real time
• Keep an eye on performance
Optimization: Adjust Anomaly Threshold
• Always work in blocking mode (SecRuleEngine On)
• Start with a high anomaly threshold, so that nothing gets blocked yet
• Handle the false positives
• Lower the threshold step by step
• Run over 3 – 5 iterations
Optimization: Adjust Anomaly Threshold
File crs-setup.conf:
# Uncomment this rule to change the defaults:
#
SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=1000,\
  setvar:tx.outbound_anomaly_score_threshold=1000"
The CRS defaults are 5 inbound and 4 outbound, and a single critical rule match adds 5 to the inbound score, so the defaults block on the first critical hit. Setting both thresholds to 1000 keeps the engine in blocking mode but lets practically every request through; that is the starting point for the iterations above, and each iteration brings the value down once the false positives found at that level are handled.
Optimization: Learn to handle False Positives
Four basic ways to handle a false positive:
• Remove the rule at startup
• Remove the argument from the rule at startup
• Remove the rule at runtime for a given path
• Remove the argument from the rule at runtime for a given path
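The four techniques applied to the alert from the slides above (rule 930120 matching the parameter ARGS:test on /index.html), as an added example that is not from the talk or the CRS project. Rule ids 10001 and 10002 are assumed to be free, and the two file names are the CRS exclusion files with their .example suffix removed so that rules/*.conf picks them up. Startup exclusions (SecRuleRemoveById, SecRuleUpdateTargetById) must be parsed after the CRS rules they refer to, so they go into the file loaded after the CRS; runtime exclusions via ctl: must execute before the rule they disable, so they are phase 1 rules in the file loaded before the CRS. In practice you pick exactly one of the four for a given false positive, the most specific one that makes the alert go away; all four are shown only for comparison.

```apacheconf
# --- rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ----------------------
# Loaded BEFORE the CRS rules. ctl: actions take effect for the current
# request only and must run before the rule they affect, hence phase:1.

# 3) Remove rule 930120 at runtime, for requests to /index.html only.
SecRule REQUEST_URI "@beginsWith /index.html" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=930120"

# 4) Keep rule 930120 active on /index.html, but stop it from inspecting the
#    parameter "test". This is the narrowest of the four options.
SecRule REQUEST_URI "@beginsWith /index.html" \
    "id:10002,phase:1,pass,nolog,ctl:ruleRemoveTargetById=930120;ARGS:test"

# --- rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ----------------------
# Loaded AFTER the CRS rules: these directives refer to rules that must
# already be defined when the configuration is parsed.

# 1) Remove rule 930120 at startup, for every request on this server.
SecRuleRemoveById 930120

# 2) Remove the parameter "test" from rule 930120 at startup, for every request.
SecRuleUpdateTargetById 930120 "!ARGS:test"
```

Both the ctl: form and the SecRuleUpdateTargetById form leave the rule in place for all other parameters, which is why the "remove the argument" variants are preferred over removing the rule: an attacker who moves the payload to a different parameter is still caught.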
Photos and other resources
• Watch: https://www.flickr.com/photos/billadler/391674817
• Limbo: https://www.flickr.com/photos/jdhancock/3605011903
• CRS Release Poster: https://coreruleset.org/poster/
• ModSecurity Cheatsheet: https://netnea.com/cms/rule-exclusion-cheatsheet-download/
• Aliases: https://netnea.com/cms/apache-tutorials/
• Tutorials for handling false positives: https://netnea.com/cms/apache-tutorials/
All resources with the exception of the cheatsheet are released under a Creative Commons license.
More from Christian Folini
• Follow me on twitter at @ChrFolini
• ModSecurity / CRS courses in Frankfurt and Zurich, Switzerland: https://www.feistyduck.com
• ModSecurity Handbook: https://www.feistyduck.com
• Blogging at https://netnea.com and https://coreruleset.org
Future ModSecurity Course Sites
If there is interest, we will do future courses in:
• New York
• San Francisco
• Amsterdam
• Geneva
• Barcelona
• Milano
Please get in touch via folini@netnea.com or @ChrFolini on twitter.
And now on to the Q & A!
Optimizing ModSecurity on NGINX and NGINX Plus

Mais conteúdo relacionado

Mais procurados

Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
DDoS Saldırıları ve Korunma Yolları
DDoS Saldırıları ve Korunma YollarıDDoS Saldırıları ve Korunma Yolları
DDoS Saldırıları ve Korunma Yolları
BGA Cyber Security
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
CrowdStrike
 

Mais procurados (20)

Hacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellHacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShell
 
Introduction a la securité informatique Volume1
Introduction a la securité informatique Volume1Introduction a la securité informatique Volume1
Introduction a la securité informatique Volume1
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
 
DDoS Saldırıları ve Korunma Yolları
DDoS Saldırıları ve Korunma YollarıDDoS Saldırıları ve Korunma Yolları
DDoS Saldırıları ve Korunma Yolları
 
Demystifying Initial Access in Azure
Demystifying Initial Access in AzureDemystifying Initial Access in Azure
Demystifying Initial Access in Azure
 
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİGÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
GÜVENLİ YAZILIM GELİŞTİRME EĞİTİMİ İÇERİĞİ
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 19
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 19Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 19
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 19
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
암호화 이것만 알면 된다.
암호화 이것만 알면 된다.암호화 이것만 알면 된다.
암호화 이것만 알면 된다.
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
 
Zero Trust Network Access
Zero Trust Network Access Zero Trust Network Access
Zero Trust Network Access
 
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm ÖnerileriDNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
 
Siber Güvenlik Kış Kampı'18 Soruları
Siber Güvenlik Kış Kampı'18 SorularıSiber Güvenlik Kış Kampı'18 Soruları
Siber Güvenlik Kış Kampı'18 Soruları
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 

Semelhante a Optimizing ModSecurity on NGINX and NGINX Plus

Semelhante a Optimizing ModSecurity on NGINX and NGINX Plus (20)

ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEAModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny Griffin
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
 
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...
Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...
Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting Started
 
Container Security Mmanagement
Container Security MmanagementContainer Security Mmanagement
Container Security Mmanagement
 
Windows network
Windows networkWindows network
Windows network
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
 

Mais de Christian Folini

Mais de Christian Folini (18)

OWASP ModSecurity - A few plot twists and what feels like a happy end
OWASP ModSecurity - A few plot twists and what feels like a happy endOWASP ModSecurity - A few plot twists and what feels like a happy end
OWASP ModSecurity - A few plot twists and what feels like a happy end
 
Crazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's landCrazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's land
 
Never Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP ProjectNever Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP Project
 
What’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS projectWhat’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS project
 
The Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandThe Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in Switzerland
 
EVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanEVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein Fortsetzungsroman
 
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetSecuring Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
 
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule SetExtensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
 
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
 
Introduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule SetIntroduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule Set
 
Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3
 
Gedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für DatenschützerGedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für Datenschützer
 
Medieval Castles and Modern Servers
Medieval Castles and Modern ServersMedieval Castles and Modern Servers
Medieval Castles and Modern Servers
 
E-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der ExpertenE-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der Experten
 
Black alps 2018-folini-d-dos
Black alps 2018-folini-d-dosBlack alps 2018-folini-d-dos
Black alps 2018-folini-d-dos
 
A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017
 
Introducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule SetIntroducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule Set
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 

Último

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
F
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
F
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 

Último (20)

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 

Optimizing ModSecurity on NGINX and NGINX Plus

  • 1. Optimizing ModSecurity on NGINX and NGINX Plus Christian Folini January 9, 2018
  • 2. Christian Folini  PhD in Medieval History  Program chair Swiss Cyber Storm Conf  Working with ModSecurity since 2006  Co-Lead of OWASP ModSec Core Rule Set Project  Author of “ModSecurity Handbook” 2ed 2 Replace box with photo then send to back
  • 3. Program  Introduction to ModSecurity  Introduction to the OWASP ModSec Core Rule Set  How to get this up an running on NGINX  First steps at optimizing your setup 3
  • 5. ModSecurity – Brief History  Started in 2002 by Ivan Ristić  Apache license since 2010  V3.0 in December 2017  Originally: Apache Module  Now: Server independent  Small dev team: Trustwave 5
  • 6. “ModSecurity is not a high-flying, cloud- enabled, machine-learning mastermind. It is better to think of ModSecurity as of a mechanical watch. ” – Christian Folini 6
  • 7. ModSecurity – Key Features  Above all: Rule language  XML Schema validation  GeoIP Lookup  Remote Blacklist Support  CSRF Token Injection  ... 7
  • 8. ModSecurity – Domain Specific Language Over 100 Variables  REQUEST_URI  ARGS_POST  REMOTE_USER  RESPONSE_STATUS  Persistent Session Variables  ... Over 30 Operators  @rx  @eq, @gt, @lt, ...  @containsWord  @ipMatchFromFile  @validateByteRange  ... 8
  • 9. ModSecurity – Domain Specific Language About 70 Actions  deny  drop  pass  pause  redirect  chain  setenv  setvar  expirevar  skipAfter  multiMatch  ... 9
  • 10. ModSecurity – Rule Example I 10 Whitelisting rule allowing only parameter “firstname” matching a predefined pattern: SecRule ARGS:firstname "!@rx ^[a-zA-Z-]*$" "id:1000,deny"
  • 11. ModSecurity – Rule Example II 11 Blacklisting rule making sure parameters are submitted only once per request (HTTP Parameter Pollution): SecRule ARGS_NAMES "@unconditionalMatch" "id:1001,pass, setvar:'TX.counter_%{MATCHED_VAR_NAME}=+1'" SecRule TX:/counter_.*/ "@gt 1" "id:1002,deny"
  • 12. Introduction to the OWASP ModSecurity Core Rule Set 12
  • 13. 13
  • 14. CRS – Brief History  Started in 2006 by Ofer Shezaf  Apache license  Team of 10 developers  v3.0 / CRS3 in November 2016 14
  • 15. 15
  • 16. “The OWASP ModSecurity Core Rule Set is the standard rule set used with ModSecurity. It is the 1st line of defense against attacks as those described by the OWASP Top Ten.” – Christian Folini 16
  • 17. CRS – Key Features  Generic Blacklisting rule set  Scoring Mechanism  Variable Anomaly Thresholds  Paranoia Levels to adjust aggressiveness of rules  Low rate of False Positives per default 17
  • 18. CRS – Rule Example: SQL Injection  920273 : Invalid character in request (outside of very strict set)  942100 : SQL Injection Attack Detected via libinjection  942130 : SQL Injection Attack: SQL Tautology Detected.  942180 : Detects basic SQL authentication bypass attempts 1/3  942390 : SQL Injection Attack  942432 : Restricted SQL Character Anomaly Detection (args) 18
  • 19. 19 Anomaly Scoring is like challenging attacking Storm Troopers to do a Limbo Dance. CRS – Anomaly Scoring
  • 20. CRS – Overview Over Rule Groups Incoming Requests  Scanner detection  Protocol enforcement  Local File Inclusion attacks  Remote Command Execution  Cross Site Scripting attacks  SQL Injection attacks  ... Outgoing Responses Not Supported by NGINX  SQL Data leakages  Java data leakages  PHP data leakages  IIS data leakages  … 20
  • 22. CRS – Paranoia Level Overview 22  Paranoia Level 1: Basic security Minimal amount of False Positives  Paranoia Level 2: Elevated security level More rules, fair amount of FPs  Paranoia Level 3: Online banking level security Specialised rules, more FPs  Paranoia Level 4: Nuclear power plant level security Insane rules, lots of FPs
  • 23. Summary 23  ModSecurity is the ENGINE.  CRS is the default RULE SET that runs on top of the engine. By default, it blocks over 80%.  With 3.0, ModSecurity / NGINX is ready for PRIME TIME.
• 24. How to get this up and running on NGINX
• 25. ModSec on NGINX: Installation
  - ModSecurity 2.x was never really stable on NGINX
  - ModSecurity 3.0 only came out in December 2017
  - 3.0 is not yet packaged by distributions (as of this talk, January 2018)
  - Either compile it yourself, or get a precompiled binary with your NGINX Plus WAF subscription
• 26. ModSec on NGINX: Basic Architecture
  NGINX server -> ModSecurity-nginx connector (an NGINX module) -> libModSecurity 3.0 (standalone library), called through its API
• 27. ModSec on NGINX: Compilation Overview
  1. Compile ModSecurity 3.0 (libModSecurity)
  2. Create the connector config file
  3. Compile NGINX together with the connector module
• 28. ModSec on NGINX: Compilation ModSec 3.0
  - Download from https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.0/
  - Build and install (the --prefix chosen here is the path the connector's config file has to point at in the next step):
      ./configure --prefix=/opt/modsecurity-3.0.0 --enable-mutex-on-pm
      make
      make install
• 29. ModSec on NGINX: Connector Configuration
  - Download from https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.0/
  - Adapt the paths in the connector's file "config" so they point at your libModSecurity installation. Watch out for the following variables:
      ngx_feature_path
      ngx_feature_libs
• 30. ModSec: Compile NGINX with Connector
      ./configure --prefix=/opt/nginx-1.13.8 … --add-module=/usr/src/modsecurity/modsecurity-nginx-v1.0.0 ...
• 31. ModSec on NGINX: Download Binaries
  - Download and installation guides for NGINX Plus at https://www.nginx.com/resources/admin-guide/
• 32. ModSec on NGINX: Advantages of NGINX Plus WAF
  - Binaries guaranteed to work with your OS
  - Load balancer included
  - Content cache preconfigured (includes purging API)
  - Session persistence
  - JWT / OpenID Connect authentication
  - Additional products fitting the environment
• 33. ModSec on NGINX: CRS Quick Installation
  Please follow the INSTALL file or the NGINX Admin Guide for a proper CRS installation. This here is a quick demo.
  - Download from https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/v3.0.2
  - Untar
  - Copy crs-setup.conf.example to crs-setup.conf
• 34. ModSec on NGINX: CRS Inclusion in nginx.conf
  Include is a ModSecurity directive, not an NGINX one: these lines belong in the ModSecurity rules file that nginx.conf references through the connector's modsecurity_rules_file directive, after the engine's own modsecurity.conf.
      # Include OWASP ModSec CRS3
      Include /path-to-crs/crs-setup.conf
      Include /path-to-crs/rules/*.conf
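How the two halves fit together, as an added example that is not part of the slides: the NGINX side switches the connector on and names one rules file; that rules file is where the Include lines above go. The paths, the server block and the name main.conf are assumptions for the example, and the connector is assumed to have been compiled in statically with --add-module as on slide 30, so no load_module line is needed.

```nginx
# --- nginx.conf (added example; paths are assumptions) ---------------------
# If the connector had been built with --add-dynamic-module instead, it would
# have to be loaded first:
#   load_module modules/ngx_http_modsecurity_module.so;

http {
    server {
        listen      80;
        server_name localhost;

        # Turn the ModSecurity-nginx connector on for this server block.
        modsecurity on;
        # Single entry point: libModSecurity parses this file (ModSecurity syntax).
        modsecurity_rules_file /opt/modsecurity-3.0.0/etc/main.conf;

        location / {
            root html;
        }
    }
}

# --- /opt/modsecurity-3.0.0/etc/main.conf (ModSecurity syntax) -------------
# Engine settings first. The shipped modsecurity.conf-recommended sets
# SecRuleEngine DetectionOnly; change it to "On" for blocking mode.
# Include /opt/modsecurity-3.0.0/etc/modsecurity.conf
#
# Then the rule set, exactly as on the slide:
# Include /path-to-crs/crs-setup.conf
# Include /path-to-crs/rules/*.conf
```

Restart NGINX after editing either file; a typo in a rule file shows up as a startup error from libModSecurity, not at request time.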
• 35. ModSec on NGINX: Test Attack
• 36. First Steps at Optimizing Your Setup
• 37. Example Rule Alert – Right out of Sysadmin Hell
  One alert as written by the connector into the NGINX error log (a single line):
      2018/01/09 14:55:50 [info] 1167#1167: *1 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:test' (Value: `/etc/passwd' ) [file "/tmp/nginx-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930120"] [rev "4"] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:test: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "127.0.0.1"] [uri "/index.html"] [unique_id "151550615052.381887"] [ref "o1,10v21,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"], client: 127.0.0.1, server: localhost, request: "GET /index.html?test=/etc/passwd HTTP/1.1", host: "localhost"
• 38. Optimization: Learn to read the logs I
  - ModSecurity alerts are very hard to read. Aliases to the rescue!
  - Go to https://www.netnea.com/cms/apache-tutorials/ and download .apache-modsec.alias
  - Never mind that this was written for Apache: the alert format in the NGINX error log is the same, so the aliases work on NGINX too.
• 39. Optimization: Learn to read the logs II
      $> cat error.log | melidmsg
      920273 Invalid character in request (outside of very strict set)
      942100 SQL Injection Attack Detected via libinjection
      942130 SQL Injection Attack: SQL Tautology Detected.
      942180 Detects basic SQL authentication bypass attempts 1/3
      ...
• 40. Optimization: More aliases in the collection
  - meldata
  - melidmsg
  - melline
  - melmsg
  - meltags
  - melunique_id
  - ...
  - sucs
  - greppl[1-4]
  - mappl
  - pathsegs[1-5]
  - col[1-20]
  - Swapcolumns
  - ...
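What the aliases do under the hood, as an added example in Python that is not part of the slides or of the netnea alias collection: the alert line is a sequence of [key "value"] fields followed by the NGINX client/request trailer, so one regular expression recovers every field. The sample log below is constructed for this example: the first line is the alert from slide 37, the others are made up in the same format (including one ordinary NGINX error line that is not an alert at all).

```python
import re
from collections import Counter

# Constructed sample input (see lead-in). LFI_ALERT is the alert from slide 37.
LFI_ALERT = (
    '2018/01/09 14:55:50 [info] 1167#1167: *1 ModSecurity: Warning. Matched "Operator '
    "`PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:test' "
    "(Value: `/etc/passwd' ) "
    '[file "/tmp/nginx-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "71"] '
    '[id "930120"] [rev "4"] [msg "OS File Access Attempt"] '
    '[data "Matched Data: etc/passwd found within ARGS:test: /etc/passwd"] [severity "2"] '
    '[ver "OWASP_CRS/3.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] '
    '[tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] '
    '[tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] '
    '[tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "127.0.0.1"] [uri "/index.html"] '
    '[unique_id "151550615052.381887"] '
    '[ref "o1,10v21,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"], '
    'client: 127.0.0.1, server: localhost, '
    'request: "GET /index.html?test=/etc/passwd HTTP/1.1", host: "localhost"'
)
# Constructed: a libinjection hit on a login form.
SQLI_ALERT = (
    '2018/01/09 14:57:01 [info] 1167#1167: *2 ModSecurity: Warning. detected SQLi using '
    "libinjection with fingerprint 's&1' "
    '[file "/tmp/nginx-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] '
    '[id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: s&1 found within ARGS:password: \' or 1=1--"] [severity "2"] '
    '[ver "OWASP_CRS/3.0.0"] [tag "application-multi"] [tag "attack-sqli"] '
    '[tag "paranoia-level/1"] [hostname "127.0.0.1"] [uri "/login"] '
    '[unique_id "151550622100.401200"] [ref "v40,9"], client: 10.0.0.7, server: localhost, '
    'request: "POST /login HTTP/1.1", host: "localhost"'
)
# Constructed: a plain NGINX error line that must not be mistaken for an alert.
PLAIN_ERROR = (
    '2018/01/09 14:58:12 [error] 1167#1167: *4 open() "/usr/share/nginx/html/favicon.ico" '
    'failed (2: No such file or directory), client: 10.0.0.7, server: localhost, '
    'request: "GET /favicon.ico HTTP/1.1", host: "localhost"'
)
SAMPLE_LOG = [
    LFI_ALERT,
    SQLI_ALERT,
    SQLI_ALERT.replace("*2 ", "*3 ").replace("151550622100.401200", "151550622100.987650"),
    PLAIN_ERROR,
]

# One [key "value"] field; the value may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The trailer NGINX appends to every error-log line.
TAIL_RE = re.compile(
    r', client: (?P<client>[^,\s]+), server: (?P<server>[^,\s]+), '
    r'request: "(?P<request>(?:[^"\\]|\\.)*)"'
)


def parse_alert(line):
    """Turn one ModSecurity alert line into a dict. Repeated [tag "..."] fields are
    collected in a list; everything else is a plain string. Lines that are not
    ModSecurity alerts yield None."""
    if "ModSecurity:" not in line:
        return None
    alert = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            alert["tags"].append(value)
        else:
            alert[key] = value
    tail = TAIL_RE.search(line)
    if tail:
        alert.update(tail.groupdict())
    return alert if "id" in alert else None


def melidmsg(lines):
    """Same output as the 'melidmsg' alias: one 'id msg' string per alert."""
    return [f"{a['id']} {a['msg']}" for a in map(parse_alert, lines) if a]


def sucs(values):
    """Same idea as the 'sucs' alias (sort | uniq -c | sort -n): (count, value)
    pairs, least frequent first."""
    return sorted((n, v) for v, n in Counter(values).items())


def alerts_by_uri(lines):
    """Rule ids grouped by URI: the view you need to decide whether a false
    positive should be handled globally or only for one path."""
    grouped = {}
    for a in map(parse_alert, lines):
        if a:
            grouped.setdefault(a.get("uri", "?"), []).append(a["id"])
    return grouped


if __name__ == "__main__":
    for count, idmsg in sucs(melidmsg(SAMPLE_LOG)):
        print(f"{count:6d} {idmsg}")
    print(alerts_by_uri(SAMPLE_LOG))
```

The real aliases pipe error.log through sed and awk instead of Python, but they rely on the same structure: every alert carries its rule id, message and URI in bracketed fields, so counting "id msg" pairs is a one-liner once the fields are extracted.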
• 41. Let NGINX Amplify help you monitor the logs
  - Visualize alerts / logs
  - Get notified in real time
  - Keep an eye on performance
• 42. Optimization: Adjust Anomaly Threshold
  - Always work in blocking mode (SecRuleEngine On, not DetectionOnly)
  - Start with a high anomaly threshold
  - Handle the false positives
  - Lower the threshold step by step
  - Run over 3 – 5 iterations
• 43. Optimization: Adjust Anomaly Threshold
  File crs-setup.conf (one directive, wrapped here; the CRS defaults are 5 inbound and 4 outbound, and a starting value of 1000 means nothing is blocked while you collect false positives):
      # Uncomment this rule to change the defaults:
      # SecAction "id:900110, phase:1, nolog, pass, t:none, setvar:tx.inbound_anomaly_score_threshold=1000, setvar:tx.outbound_anomaly_score_threshold=1000"
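The mechanics behind slides 19, 22, 42 and 43 in one place, as an added example that is not part of the slides or of the CRS project: every rule that matches adds its severity's score to the request's anomaly score, rules above the configured paranoia level are skipped, and the request is blocked when the score reaches the inbound threshold. The severity-to-score mapping is the CRS 3.0 default from crs-setup.conf. The traffic sample is constructed; the rule ids are taken from slide 18, but the severity and paranoia level assigned to each rule here are assumptions for the example (check the real ones in the rule files, where each rule carries a "paranoia-level/N" tag).

```python
# Default severity-to-score mapping from CRS 3.0's crs-setup.conf.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# Constructed traffic sample. Each request lists the rules that matched it as
# (rule id, severity, paranoia level at which the rule becomes active).
# Severities and paranoia levels here are assumptions for this example.
REQUESTS = {
    "sqli_login":         [("942100", "CRITICAL", 1), ("942130", "CRITICAL", 2), ("942180", "CRITICAL", 2)],
    "lfi_probe":          [("930120", "CRITICAL", 1)],
    "legit_unicode_name": [("920273", "CRITICAL", 4)],  # harmless input, fires only at PL4
    "legit_search":       [("942432", "WARNING", 4)],   # one special character, PL4 only
    "legit_plain_page":   [],
}


def inbound_anomaly_score(matches, paranoia_level=1):
    """Sum the scores of all matched rules that are active at this paranoia level.
    CRS skips rules whose paranoia level is above the configured one, so they
    contribute nothing."""
    return sum(SEVERITY_SCORE[severity]
               for _rule_id, severity, pl in matches
               if pl <= paranoia_level)


def is_blocked(score, threshold):
    """CRS blocking rule 949110: deny when the anomaly score is >= the threshold."""
    return score >= threshold


def blocked_requests(requests, threshold, paranoia_level=1):
    """Names of the requests that would be denied with this threshold and level."""
    return sorted(name for name, matches in requests.items()
                  if is_blocked(inbound_anomaly_score(matches, paranoia_level), threshold))


def tuning_schedule(requests, thresholds=(1000, 20, 10, 5), paranoia_level=1):
    """The iteration from slide 42: start high, lower step by step, and look at what
    each step would block. Any legitimate request that shows up is a false
    positive to handle before lowering the threshold further."""
    return {t: blocked_requests(requests, t, paranoia_level) for t in thresholds}


if __name__ == "__main__":
    for pl in (1, 2, 4):
        print(f"paranoia level {pl}:")
        for threshold, blocked in tuning_schedule(REQUESTS, paranoia_level=pl).items():
            print(f"  threshold {threshold:4d} blocks {blocked}")
```

Two things the run makes visible: at paranoia level 1 the attacks score exactly 5, so they are only caught once the threshold is down to the CRS default, which is why the slides insist on lowering it step by step; and raising the paranoia level to 4 adds points to the harmless request and pushes it over the same threshold, which is the false-positive cost that paranoia levels trade for coverage.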
• 44. Optimization: Learn to handle False Positives
  Four basic ways to handle a false positive:
  - Remove the rule at startup
  - Remove an argument from the rule at startup
  - Remove the rule at runtime for a given path
  - Remove an argument from the rule at runtime for a given path
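The four variants as ModSecurity directives, as an added example that is not part of the slides: it assumes that CRS rule 942100 (libinjection) keeps firing on the "password" parameter of a login form under /login. Path, parameter and the local rule ids 10001/10002 are assumptions for the example; you would pick one of the four, normally the most specific one.

```apacheconf
# --- Startup-time exclusions -------------------------------------------------
# These modify a rule that already exists, so they must be loaded AFTER the CRS
# rule files (CRS ships RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf for this).

# 1. Remove the rule at startup, for every request.
SecRuleRemoveById 942100

# 2. Remove one argument from the rule at startup; the rule keeps inspecting
#    all other arguments.
SecRuleUpdateTargetById 942100 "!ARGS:password"

# --- Runtime exclusions --------------------------------------------------------
# These run as rules of their own, so they must be loaded BEFORE the CRS rules
# they switch off (CRS ships REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf).
# Ids 1-99999 are reserved for local rules such as these.

# 3. Remove the rule at runtime, but only for requests to the login path.
SecRule REQUEST_URI "@beginsWith /login" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=942100"

# 4. Remove one argument from the rule at runtime, only for the login path.
SecRule REQUEST_URI "@beginsWith /login" \
    "id:10002,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:password"
```

Variant 4 is the one that costs the least coverage: rule 942100 still inspects every other parameter on /login and every parameter everywhere else. Variant 1 silently switches off libinjection detection for the whole site and should be a last resort.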
• 45. Photos and other resources
  - Watch: https://www.flickr.com/photos/billadler/391674817
  - Limbo: https://www.flickr.com/photos/jdhancock/3605011903
  - CRS Release Poster: https://coreruleset.org/poster/
  - ModSecurity Cheatsheet: https://netnea.com/cms/rule-exclusion-cheatsheet-download/
  - Aliases: https://netnea.com/cms/apache-tutorials/
  - Tutorials for Handling False Positives: https://netnea.com/cms/apache-tutorials/
  All resources with the exception of the cheatsheet are released under a Creative Commons license.
• 46. More from Christian Folini
  - Follow me on twitter at @ChrFolini
  - ModSecurity / CRS courses in Frankfurt and Zurich, Switzerland: https://www.feistyduck.com
  - ModSecurity Handbook: https://www.feistyduck.com
  - Blogging at https://netnea.com and https://coreruleset.org
• 47. Future ModSecurity Course Sites
  If there is interest, we will do future courses in:
  - New York
  - San Francisco
  - Amsterdam
  - Geneva
  - Barcelona
  - Milano
  Please get in touch via folini@netnea.com or @ChrFolini on twitter.
• 48. And now on to the Q & A!