NGINX and
ModSecurity 3.0:
Getting Started
Owen Garrett, NGINX
November 27, 2017
Agenda
1. The current security landscape
2. ModSecurity overview
3. How to install with NGINX open source
4. How to install with NGINX Plus
5. Basic configuration and validation
Akamai State of the Internet, Security report
In the last 12 months…
Web application attacks are increasing, whereas DDoS attack levels are flat:
• 69% total increase in web application attacks
• 3% decrease in total DDoS attacks
• 2% decrease in infrastructure layer attacks
• 2% decrease in reflection-based attacks
Source: Q3 2017 Akamai State of the Internet Security report
Akamai State of the Internet, Security report
Recent trends (Q2 to Q3 2017)
What attackers are after
1. High-value personal data
• Credit card numbers
• Passwords
• Email, address, phone numbers,
any identity information
2. Ransom and Extortion
• Steal, pay not to release
• Encrypt, pay to decrypt
3. Botnets and CryptoCurrency mining
4. Political change
8 months in 2017
March 2017
• Wonga, UK: 0.25m customer details
• Chipotle: Payment card data
• Gamestop: 5 months of payment data
• HipChat: Cloud Web Tier compromised
• AA: 2m customer details
April 2017
• Deloitte: Client details, inc. passwords
• ABTA: 43,000 customer details
• Cellebrite: 900Gb data, inc users and passwords
• Debenhams Flowers: 26,000 customer payment details
May 2017
• Edmodo: 78m customer details
• Bell: 1.9m customer details
• Guardian Soulmates: Unspecified customer details
• OneLogin: Unspecified database tables
June 2017
• Deep Root Analytics: 2m US voter details
July 2017
• Equifax: 143m account details
• Bithumb: 32,000 users compromised
• HBO: 1.5Tb data, GoT scripts, 1,000’s docs
• Parity: $32m ethereum
August 2017
• Cex: 2m customer details
September 2017
• Sonic Drive-In: 5m customer payment details
October 2017
• Yahoo: All 3bn accounts
• PizzaHut: 60,000 customer payment details
Enterprises need a multi-faceted approach
(Diagram: defenses mapped to attack types, from Layer 2-4 through Layer 4 up to Layer 7; attack types shown are network-level attack, behavior attack and web app-level attack)
Cloud DDoS:
• Large-volume network floods
Network Firewall:
• Whitelist traffic
• Protocol attacks
IPS:
• Traffic anomalies
• Signatures
Web App Firewall (Layer 7):
• SQLi, XSS, misuse, brute-force login
Example: Apache Struts (CVE-2017-5638)
• Bug in a widely-deployed Java application framework
• Not an operating-system library, so challenging to replace
• https://nvd.nist.gov/vuln/detail/CVE-2017-5638:
“Incorrect exception handling … allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.”
• Within hours, scanning and attack tools were updated with signatures to identify vulnerable web applications
Example: Apache Struts (CVE-2017-5638)
• Check the vulnerability announcement and determine the nature of the issue:
“a Content-Type header containing a #cmd= string”
• Construct and deploy a Web App Firewall rule to block this traffic, and monitor for false positives:
SecRule REQUEST_HEADERS:Content-Type "@contains #cmd=" \
    "id:5638,auditlog,log,deny,status:403"
• Investigate the vulnerability further; determine that other headers (Content-Disposition, Content-Length) and other exploit strings (#cmds=) are possible. Extend the Web App Firewall rules as necessary:
SecRule REQUEST_HEADERS:Content-Type "@rx #cmds?=" \
    "id:5638,auditlog,log,deny,status:403"
SecRule REQUEST_HEADERS:Content-Disposition "@rx #cmds?=" \
    "id:5639,auditlog,log,deny,status:403"
SecRule REQUEST_HEADERS:Content-Length "@rx #cmds?=" \
    "id:5640,auditlog,log,deny,status:403"
• Finally, patch the applications, verify, and decommission the WAF rules
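An added illustration, not from the slides: a small Python evaluator that parses the two rule sets above exactly as written and runs constructed requests through them, to show which requests the first @contains rule misses and the extended @rx rules catch. The SecRule subset it understands (a single COLLECTION:name target, @contains or @rx, and id/deny/status actions) is an assumption of the example, not a ModSecurity implementation.

```python
import re

# Constructed for this example: the slide's first virtual-patch rule and the
# extended rule set, in ModSecurity SecRule syntax.
FIRST_RULE = '''
SecRule REQUEST_HEADERS:Content-Type "@contains #cmd=" "id:5638,auditlog,log,deny,status:403"
'''

EXTENDED_RULES = '''
SecRule REQUEST_HEADERS:Content-Type "@rx #cmds?=" "id:5638,auditlog,log,deny,status:403"
SecRule REQUEST_HEADERS:Content-Disposition "@rx #cmds?=" "id:5639,auditlog,log,deny,status:403"
SecRule REQUEST_HEADERS:Content-Length "@rx #cmds?=" "id:5640,auditlog,log,deny,status:403"
'''

# Supported subset (an assumption of this example): one target of the form
# COLLECTION:name, a quoted "@operator argument", and a quoted action list.
RULE_RE = re.compile(r'^SecRule\s+(\w+):(\S+)\s+"@(\w+)\s+([^"]*)"\s+"([^"]*)"$')


def parse_rules(text):
    """Parse SecRule lines into dicts; unsupported syntax raises ValueError."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        collection, name, op, arg, actions = m.groups()
        acts = {}
        for item in actions.split(","):
            key, _, val = item.partition(":")
            acts[key] = val or True
        rules.append({
            "collection": collection,
            "name": name.lower(),   # header and ARGS names match case-insensitively
            "op": op,
            "arg": arg,
            "id": acts.get("id"),
            "deny": "deny" in acts,
            "status": int(acts.get("status", 403)),
        })
    return rules


def operator_matches(op, arg, value):
    if op == "contains":
        return arg in value
    if op == "rx":
        return re.search(arg, value) is not None
    raise ValueError("unsupported operator: @" + op)


def evaluate(rules, request):
    """Run the request through the rules in order.

    request = {"headers": {...}, "args": {...}}. Returns (status, matched_ids):
    the first matching deny rule ends processing with its status, otherwise 200.
    """
    matched = []
    for rule in rules:
        key = "headers" if rule["collection"] == "REQUEST_HEADERS" else "args"
        for name, value in request.get(key, {}).items():
            if name.lower() != rule["name"]:
                continue
            if operator_matches(rule["op"], rule["arg"], value):
                matched.append(rule["id"])
                if rule["deny"]:
                    return rule["status"], matched
    return 200, matched


# Constructed sample requests. Only the marker strings quoted in the advisory
# (#cmd= / #cmds=) are used; none of these is a working payload.
SAMPLES = {
    "benign_upload": {"headers": {"Content-Type": "multipart/form-data; boundary=xyz"}},
    "ct_cmd":        {"headers": {"Content-Type": "text/plain; #cmd=marker"}},
    "ct_cmds":       {"headers": {"content-type": "text/plain; #cmds=marker"}},
    "cd_cmd":        {"headers": {"Content-Disposition": "form-data; #cmd=marker"}},
    "cl_cmds":       {"headers": {"Content-Length": "12 #cmds=marker"}},
}


def coverage(samples=SAMPLES):
    """Return {sample: {"first": status, "extended": status}} for both rule sets."""
    first, extended = parse_rules(FIRST_RULE), parse_rules(EXTENDED_RULES)
    return {
        label: {"first": evaluate(first, req)[0], "extended": evaluate(extended, req)[0]}
        for label, req in samples.items()
    }


if __name__ == "__main__":
    for label, result in coverage().items():
        print(f"{label:14s} first-rule={result['first']}  extended={result['extended']}")
```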
Brief history of ModSecurity
● 2002: First open source release
● 2004: Commercialized as Thinking Stone
● 2006: Thinking Stone acquired by Breach Security
● 2006: ModSecurity 2.0 released
● 2009: Ivan Ristic, original author, leaves Breach Security
● 2010: Breach Security acquired by TrustWave
● 2017: ModSecurity 3.0 released
“... I realized that producing secure web applications is virtually impossible. As a result, I
started to fantasize about a tool that would sit in front of web applications and control
the flow of data in and out.”
- Ivan Ristic, ModSecurity creator
How ModSecurity works
• Dynamic module for NGINX
• Sits in front of application servers
• Inspects all incoming traffic
• Matches traffic against a database of rules, searching for malicious patterns
• Traffic that violates rules is dropped and/or logged
What you get with ModSecurity
• Layer 7 attack protection
– SQLi, LFI, RFI, RCE, XSS, CSRF, and more
• Project Honeypot IP reputation
• Standard PCRE regex rules language
• Virtual patching
• Audit logs
• PCI-DSS 6.6 compliance
What’s new in ModSecurity 3.0
• Redesigned to work natively with NGINX
• Core functionality split off into libmodsecurity
• A special NGINX connector integrates libmodsecurity with NGINX
– A connector is also available for Apache
• The previous ModSecurity 2.9 technically worked with NGINX, but had poor performance and reliability
ModSecurity 3.0 Caveats
• Not yet at full feature parity with ModSecurity 2.9
• DDoS mitigation rules are not supported; use NGINX native functionality instead
• Rules that inspect application responses are not supported
• Other miscellaneous directives are yet to be implemented, or will not be carried forward from 2.9
• OWASP CRS and Trustwave Commercial Rules are supported, with the above caveats
Install ModSecurity with NGINX open source
1. Install build tools and prerequisites
2. Clone and build libmodsecurity
3. Clone and build the NGINX connector and NGINX module
1. Prerequisites
1. Install NGINX 1.11.5 or later from our official repository
• See: nginx.org/en/linux_packages.html#mainline
2. Install prerequisite packages (Debian/Ubuntu shown)
$ apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
2. Download and compile libmodsecurity
1. Clone the GitHub repository
2. Compile the source code
$ git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
$ cd ModSecurity
$ git submodule init
$ git submodule update
$ ./build.sh
$ ./configure
$ make
$ make install
3. Download and compile the NGINX connector
1. Clone the GitHub repository
2. Determine the NGINX version
$ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
$ nginx -v
nginx version: nginx/1.13.7
3. Download the corresponding NGINX source code
4. Compile the dynamic module and copy it to the NGINX modules directory
$ wget http://nginx.org/download/nginx-1.13.7.tar.gz
$ tar zxvf nginx-1.13.7.tar.gz
$ cd nginx-1.13.7
$ ./configure --with-compat \
    --add-dynamic-module=../ModSecurity-nginx
$ make modules
$ cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
Install NGINX WAF module (NGINX Plus)
1. Upgrade your subscription to include the NGINX ModSecurity WAF module
2. Install the module directly from the NGINX repository:
Debian/Ubuntu:
$ apt-get install nginx-plus-module-modsecurity
RedHat/CentOS:
$ yum install nginx-plus-module-modsecurity
Basic Configuration and Validation
1. Load the dynamic module
2. Add basic ModSecurity configuration
3. Add a test rule
4. Verify that traffic matching the rule is dropped
1. Load the dynamic module
1. Add the load_module directive in the main (top-level) context in
/etc/nginx/nginx.conf
user nginx;
worker_processes auto;
load_module "modules/ngx_http_modsecurity_module.so";
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
2. Configure ModSecurity
1. Download the recommended ModSecurity configuration
2. Change from “detection only” mode to actively dropping traffic
$ mkdir /etc/nginx/modsec
$ wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
$ mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
$ sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
3. Create test rule
1. Put the following text in /etc/nginx/modsec/main.conf
# From https://github.com/SpiderLabs/ModSecurity/blob/master/
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
4. Final NGINX configuration
1. Enable ModSecurity in NGINX configuration
2. Reload for changes to take effect
server {
# ...
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
$ nginx -t && nginx -s reload
5. Test it out
1. Issue the following curl command, look for the 403 response
$ curl localhost?testparam=test
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.1</center>
</body>
</html>
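An added validation script, not from the slides, that extends the single curl check with negative controls: it sends the slide's request plus three more to the NGINX configured above (assumed to listen on localhost:80) and checks that only requests matching ARGS:testparam with @contains test receive a 403, so that an engine left in DetectionOnly, or one blocking everything, is caught.

```python
import urllib.error
import urllib.request

# Assumed target: the NGINX instance configured above, listening on localhost:80.
BASE_URL = "http://localhost"

# Test cases derived from the slide's rule:
#   SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
# Each entry: case name -> (query string, expected outcome).
CASES = {
    "rule_hit":      ("testparam=test",   "blocked"),  # the slide's curl command
    "substring_hit": ("testparam=xtesty", "blocked"),  # @contains also matches substrings
    "other_param":   ("other=test",       "allowed"),  # ARGS:testparam ignores other parameters
    "clean_value":   ("testparam=hello",  "allowed"),  # control: the WAF must not block everything
}


def fetch_status(url):
    """HTTP status for a GET; urllib raises on 4xx/5xx, so unwrap the code."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    # Only 403 counts as a WAF block; 200 or 404 from the backend both mean "allowed".
    return "blocked" if status == 403 else "allowed"


def assess(observed):
    """observed: {case: http_status}. Returns [(case, expected, got)] mismatches.

    An empty list means the rule engine is On and scoped as the rule intends.
    Every case "allowed" is the signature of SecRuleEngine left in DetectionOnly;
    every case "blocked" means the WAF is denying traffic the rule should pass.
    """
    failures = []
    for case, (_query, expected) in CASES.items():
        got = classify(observed[case])
        if got != expected:
            failures.append((case, expected, got))
    return failures


def run(base_url=BASE_URL):
    """Send every case to the target and return (observed statuses, failures)."""
    observed = {case: fetch_status(f"{base_url}/?{query}")
                for case, (query, _expected) in CASES.items()}
    return observed, assess(observed)


if __name__ == "__main__":
    observed, failures = run()
    for case, status in observed.items():
        print(f"{case:14s} HTTP {status} -> {classify(status)}")
    if failures:
        detail = ", ".join(f"{c}: expected {e}, got {g}" for c, e, g in failures)
        raise SystemExit("WAF validation failed: " + detail)
    print("WAF validation passed")
```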
Enable Audit and Debug Logging
1. HOWTO: See NGINX Admin Guide
2. Deep dive: see https://www.nginx.com/blog/modsecurity-logging-and-debugging/
Deploy the OWASP Core Rule Set (CRS)
See NGINX Admin Guide
1. Clone from GitHub and Include the rules
2. Test in detection-only mode first, and investigate false positives: disable individual rules with SecRemoveRuleById
Comparing OSS and NGINX Plus options
Obtaining the module
  ModSecurity OSS: Build from source, test and deploy
  NGINX Plus with ModSecurity WAF: Fully-tested builds direct from NGINX
Updates
  ModSecurity OSS: Track GitHub, build and deploy updates as necessary
  NGINX Plus with ModSecurity WAF: NGINX tracks GitHub and pushes out necessary updates
Support
  ModSecurity OSS: Community (GitHub, StackOverflow); additional commercial support from Trustwave
  NGINX Plus with ModSecurity WAF: Commercial support from NGINX and Trustwave
Financial cost
  ModSecurity OSS: $0, self-supported
  NGINX Plus with ModSecurity WAF: Per-instance, NGINX supported
Summary
• The number of web application attacks is rising year over year
• The cost of a security breach can be devastating to the business
• Protecting web applications requires a multi-faceted approach
• A web application firewall protects against layer 7 attacks
• ModSecurity WAF now runs natively with NGINX
• NGINX Plus users get access to a pre-built binary and 24x7 support
Thank you!
Q & A
More Resources: search “NGINX Admin Guide”
Try NGINX ModSecurity WAF module free for 30 days: nginx-inquiries@nginx.com
ModSecurity 3.0 and NGINX: Getting Started - EMEA

Editor's Notes

  • #7: These are all disclosed data breaches that relate to vulnerabilities in technology. 232m people affected, plus every single Yahoo account (3bn). https://www.entrepreneur.com/slideshow/290673 http://www.wired.co.uk/article/hacks-data-breaches-2017
  • #8: These are all inline devices. IDS is adjacent: it monitors, and can then generate rules for the firewall, IPS and web app firewall. Also mention SAST and DAST (static / dynamic application security testing) to generate WAF rules based on static analysis of application code and dynamic analysis of application errors and pen tests.
  • #9: The “What happened” slide. Struts was challenging to replace because: it is not managed by the OS vendor, so cannot be updated using the usual OS patch approaches; it is owned by individual application teams and bundled with the application, so vulnerable deployments are difficult to scan for and locate; individual apps need to be patched and tested, then redeployed, and apps may be several years old or may import Struts through external dependencies.
  • #10: The “How should I respond” slide
  • #14: Even when you understand security, it is difficult to create secure applications, especially when working under the pressures so common in today’s enterprise. The NGINX Web Application Firewall (WAF) protects applications against sophisticated Layer 7 attacks that might otherwise lead to systems being taken over by attackers, loss of sensitive data, and downtime. The NGINX WAF is based on the widely used ModSecurity open source software.
  • #21: Takes about 15 minutes to compile