• ModSecurity for Nginx


    Announcing the availability of ModSecurity extension for Nginx

    ModSecurity for Nginx

    image from wiki.nginx.orgModSecurity for Nginx is a web server plug-in for the Nginx web server platform. This module was created through a collaboration between Trustwave SpiderLabs Research, Microsoft Security Research Center (MSRC), Yandex and community members. With the addition of the Nginx platform to go along with Apache and Microsoft IIS, ModSecurity is now able to run on ~86% of web server platforms (according to Netcraft).

    Development Status: BETA

    We are actively seeking community testers. If you would like to help with testing, please follow the steps listed here and use the Developer mail-list for discussions.

    Downloading

    The porting effort to migrate the ModSecurity code to non-Apache platforms required the creation of "standalone" version which includes the Apache Runtime (APR) environment. So, in order to use ModSecurity on Nginx, you must first create the standalone ModSecurity version. You can download the full ModSecurity source code (which includes the Nginx code) from SVN trunk here:

    Compiling

    The extensibility model of the nginx server does not include dynamically loaded modules, thus ModSecurity must be compiled with the source code of the main server. Since nginx is available on multiple Unix-based platforms (and also on Windows), for now the recommended way of obtaining ModSecurity for nginx is compilation in the designated environment.

    The first step in obtaining nginx server with built-in ModSecurity module is building of standalone library containing full ModSecurity with a set of intermediate API (this layer is a common base for IIS version, nginx version, and server-less command line version of ModSecurity). It is recommended to follow the general steps of preparing build environment for ModSecurity and then follow with two simple commands:

    ~/mod_security$ ./configure --enable-standalone-module
    ~/mod_security$ make
    
    Once the standalone library is built successfully, one can follow with building the nginx server, following the steps from the nginx build tutorial:
    ~/nginx-1.2.0$ ./configure --add-module=../mod_security/nginx/modsecurity
    ~/nginx-1.2.0$ make
    ~/nginx-1.2.0$ sudo make install
    

    The last command performs server installation on the local machine, which can be either customized or omitted with built binaries packaged or moved to alternative server.

    Configuring

    The ModSecurity configuration file must be linked in nginx.conf file using the following directives defined by nginx’s ModSecurity extension module:

       server {
            listen       80;
            server_name  localhost;
    
               location / {
                    ModSecurityEnabled on;
                    ModSecurityConfig modsecurity.conf;
                    ModSecurityPass @backend;
               }
    
               location @backend {
                    proxy_pass http://localhost:8011;
                    proxy_read_timeout 180s;
              }
    } 
    
    This configures ModSecurity as an Nginx request handler. The updated request flow is now:
    request -> modsecurity handler -> backend
    

    You will need to modify the @backend definition to point to your correct back-end web application that Nginx is proxying to. The ModSecurityConfig modsecurity.conf directive lists the configuration file that contains all of your configurations and rules. Important - as opposed to the Apache version where you can dynamically specify multiple ModSecurity config/rule files using Includes, the current Nginx version requires you to put all data into a single file. This is easily accomplished by concatenating the following files into the modsecurity.conf file:

    • ModSecurity modsecurity.conf-recommended file which specifies the recommended default configurations
    • OWASP ModSecurity CRS modsecurity_crs_10_setup.conf file which specifies the main configurations for the CRS
    • OWASP ModSecurity CRS base_rules conf files

    After you have concatenated these files into the modsecurity.conf file, you should also copy the OWASP ModSecurity base_rules/*.data files into the same directory so that any @pmFromFile operators can use them. In my initial configuration, I have the SecRuleEngine set to "DetectionOnly" mode.

    Starting Nginx with ModSecurity

    Once you start Nginx with ModSecurity, you will see the following data in the logs directory:

    [root@localhost logs]# pwd
    /usr/local/nginx/logs
    [root@localhost logs]# ls -l
    total 4
    -rw-r--r--. 1 root root 0 Sep 28 17:05 access.log
    -rw-r--r--. 1 root root 0 Sep 28 17:05 error.log
    -rw-r-----. 1 root root 0 Sep 28 17:05 modsec_audit.log
    -rw-r-----. 1 root root 0 Sep 28 17:05 modsec_debug.log
    -rw-r--r--. 1 root root 6 Sep 28 17:05 nginx.pid
    

    You can monitor the error.log file for any new ModSecurity events.

    Testing

    In order to test that the Nginx port is working with the OWASP ModSecurity CRS, I sent the following Cross-site Scripting test request:

    http://192.168.1.106/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E

    I then reviewed the Nginx error.log file and found many CRS alerts:

    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\balert\b\W*?\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2047"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\< ?script\b" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2095"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\balert\b\W*?\(" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2292"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\< ?script\b" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2356"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2455"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(fromcharcode|alert|eval)\s*\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2545"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:<script.*?>)" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2656"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960024-WEB_ATTACK/RESTRICTED_SQL_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: ')</"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>alert('foo')</script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-REQUEST_FILENAME. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958052-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958051-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958120-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958119-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973300-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973307-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:0. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]
    2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973331-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

    I then ran a test to use blocking mode by changing the SecRuleEngine to On, restarted Nginx and resent the request. This time I received the following alert:

    2012/09/28 20:43:49 [info] 26259#0: [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 58, SQLi=4, XSS=40): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert(%27foo%27)%3C%2Fscript%3E"] [unique_id "12345"]
    

    As you can see, the request was denied with a 403 HTTP status code due to a high anomaly score.

    Outstanding Development Items

    As you can see, we have made a tremendous amount of progress on the Nginx port of ModSecurity. That being said, there is still work to be done. One area that is not yet implemented is inspection of outbound response data. We also need help with load testing for performance and validating that all ModSecurity features work as expected.

    Please help us by downloading and testing!

  • 相关阅读:
    apache启用gzip压缩方法--转载自http://www.cnblogs.com/linzhenjie/archive/2013/03/05/2943635.html
    yii 主从数据库分离-转载http://www.yiichina.com/doc/guide/2.0/db-dao
    服装尺寸
    php 同步因子的并发处理
    NFC会员管理-转载自http://technews.cn/2014/09/13/nfc-sticker/
    Redis 利用锁机制来防止缓存过期产生的惊群现象-转载自 http://my.oschina.net/u/1156660/blog/360552
    移动端H5页面的设计稿尺寸大小规范-转载自http://www.chinaz.com/design/2015/1103/465670.shtml
    服饰行业淘宝商城店铺首页设计报告-转载自http://bbs.paidai.com/topic/88363
    网页设计的标准尺寸
    hdu2099
  • 原文地址:https://www.cnblogs.com/fangyuan303687320/p/5810395.html
Copyright © 2020-2023  润新知