ModSecurity: an open source WAF tool

0 Introduction

  ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx, developed by Trustwave's SpiderLabs. As a WAF product, ModSecurity focuses exclusively on HTTP traffic: when an HTTP request is issued, ModSecurity inspects every part of the request, and if the request is malicious it is blocked and logged.

Advantages

Fully compatible with nginx; it is the WAF officially recommended by nginx
Supports the OWASP rules
Version 3.0 is updated faster than the old version, is more stable, and is actively supported by nginx, Inc., Trustwave and other teams
Free

Features

SQL Injection (SQLi): prevents SQL injection
Cross Site Scripting (XSS): prevents cross-site scripting attacks
Local File Inclusion (LFI): prevents attacks that exploit local file inclusion vulnerabilities
Remote File Inclusion (RFI): prevents attacks that exploit remote file inclusion vulnerabilities
Remote Code Execution (RCE): prevents attacks that exploit remote command execution vulnerabilities
PHP Code Injection: prevents PHP code injection
HTTP Protocol Violations: prevents malicious access that violates the HTTP protocol
HTTPoxy: prevents attacks that exploit the HTTPoxy remote proxy infection vulnerability
Shellshock: prevents attacks that exploit the Shellshock vulnerability
Session Fixation: prevents attacks that exploit session fixation (reuse of the same session ID)
Scanner Detection: detects and blocks scanners probing the website
Metadata / Error Leakages: prevents disclosure of source code / error information
Project Honey Pot Blacklist: blacklist from the Project Honey Pot
GeoIP Country Blocking: blocks IP addresses based on the country they belong to

Disadvantages

Rules that inspect the response body are not supported; if the configuration includes such rules they are ignored. The nginx sub_filter directive can be used instead to inspect and rewrite response data. These are the OWASP 95X rules.
The OWASP Core Rule Set DDoS rule REQUEST-912-DOS-PROTECTION.conf is not supported; nginx itself supports configuring DDoS limits.
The request and response bodies are not included in the audit log.

  The above is excerpted from: ModSecurity: an excellent open source WAF.

00 Preface

  This post describes how to install ModSecurity on CentOS 7.6. The content at the link above is rather messy, so it is rearranged and recorded here.

Installation

Install nginx

  If you already have nginx, this step can be skipped; if not, please refer to: RHEL / CentOS install the latest version of Nginx.

Install dependencies

# yum install epel-release -y
# yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre pcre-devel libxml2 libxml2-devel autoconf automake lmdb-devel ssdeep-devel ssdeep-libs lua-devel libmaxminddb-devel git apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev -y

Compile ModSecurity

  We use the v3 version and install it in the /opt directory.

# cd /opt/                       # switch to /opt
# git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity   # download
# cd ModSecurity/
# git submodule init             # initialize submodules
# git submodule update           # update submodules
 ...
Submodule path 'test/test-cases/secrules-language-tests': checked out 'c8cf2c588a93dce20781e597643e1b9d11aa4bba'
# ./build.sh
# ./configure
# make
# make install

[Note] Running build.sh prints the following error, which can be ignored.

fatal: No names found, cannot describe anything

ModSecurity-nginx connector

  We now need to integrate ModSecurity into nginx.

# nginx -v                       # check the nginx version; this is the mainline version
nginx version: nginx/1.17.5
# cd /opt/
# git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
# wget http://nginx.org/download/nginx-1.17.5.tar.gz
# tar -xvf nginx-1.17.5.tar.gz
# ls
ModSecurity  ModSecurity-nginx  nginx-1.17.5  nginx-1.17.5.tar.gz
# cd nginx-1.17.5/
# ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
# make modules                   # produces the following .so
# ls ./objs/ngx_http_modsecurity_module.so
./objs/ngx_http_modsecurity_module.so
# head -1 /etc/nginx/nginx.conf
load_module /opt/nginx-1.17.5/objs/ngx_http_modsecurity_module.so;      # added as the first line of the configuration file
# nginx -t                       # the test passes
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Test

Echo test

  Create a new configuration file, /etc/nginx/conf.d/echo.conf:

# service nginx start  
Redirecting to /bin/systemctl start nginx.service
# cat /etc/nginx/conf.d/echo.conf 
server {
    listen localhost:8085;
    location / {
        default_type text/plain;
        return 200 "Thank you for requesting ${request_uri}\n";
    }
}
# nginx -s reload
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost ~]# curl -D - http://localhost:8085
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:35:40 GMT
Content-Type: text/plain
Content-Length: 27
Connection: keep-alive

Thank you for requesting /
[root@localhost ~]# curl -D - http://localhost:8085/notexist
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:35:49 GMT
Content-Type: text/plain
Content-Length: 35
Connection: keep-alive

Thank you for requesting /notexist

  You can see that the echo works normally.

Configure Reverse Proxy

  Create a new configuration file, /etc/nginx/conf.d/proxy.conf, with the following contents:

[root@localhost ~]# cat /etc/nginx/conf.d/proxy.conf 
server {
    listen 80;
    location / {
        proxy_pass http://localhost:8085;    # 80 => 8085
        proxy_set_header Host $host;
    }
}

  Because a normal installation leaves nginx's default configuration in place (/etc/nginx/conf.d/default.conf), which would interfere with the setup above, move it aside.

[root@localhost ~]# mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak
[root@localhost ~]# nginx -s reload
[root@localhost ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost ~]# curl -D - http://localhost
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:43:05 GMT
Content-Type: text/plain
Content-Length: 27
Connection: keep-alive

Thank you for requesting /
[root@localhost ~]# curl -D - http://localhost/noexist
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:44:06 GMT
Content-Type: text/plain
Content-Length: 34
Connection: keep-alive

Thank you for requesting /noexist
[root@localhost ~]# 

  You can see that access to the default port 80 is reverse-proxied to port 8085.

Enable WAF

  Configure the nginx WAF to protect the demo web application by blocking certain requests.

[root@localhost ~]# mkdir /etc/nginx/modsec
[root@localhost ~]# cd /etc/nginx/modsec
[root@localhost modsec]# sudo wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
[root@localhost modsec]# sudo mv modsecurity.conf-recommended modsecurity.conf

  Modify the modsecurity.conf configuration file:

[root@localhost modsec]# vim modsecurity.conf
# -- Rule engine initialization ----------------------------------------------
... SecRuleEngine On    <== set to On

  Create the nginx WAF configuration file /etc/nginx/modsec/main.conf and add a rule:

# cat /etc/nginx/modsec/main.conf 
# Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf
# A test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"
  • Include: includes the recommended configuration from modsecurity.conf.
  • SecRule: creates a rule: when the testparam query-string parameter contains the string test, the request is blocked and status code 403 is returned, protecting the application.

  Modify the nginx configuration file to enable WAF protection.

# cat /etc/nginx/conf.d/proxy.conf
server {
    listen 80;
    modsecurity on;                                       # enable
    modsecurity_rules_file /etc/nginx/modsec/main.conf;   # rules file
    location / {
        proxy_pass http://localhost:8085;
        proxy_set_header Host $host;
    }
}
  • modsecurity on: enables the nginx WAF;
  • modsecurity_rules_file: specifies the path of the rules file.
[root@localhost modsec]# cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec/    # the unicode.mapping file must be copied
[root@localhost modsec]# nginx -s reload    # reload the configuration
[root@localhost modsec]# nginx -t           # test
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

  A request whose testparam parameter contains test is blocked.

[root@localhost modsec]# curl -D - http://localhost/foo?testparam=thisisatestofmodsecurity
HTTP/1.1 403 Forbidden
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:59:10 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.5</center>
</body>
</html>
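To make the rule's anatomy concrete, here is an added example (not ModSecurity's code or the page's own) that parses the SecRule line from main.conf into variable, operator, argument and actions and applies it to request URLs the way the 403 above was produced. It is a simplified model: it goes beyond the page's @contains by also accepting @beginsWith and @rx, and ignores phases, transformations and every collection other than ARGS.

```python
import re
import shlex
from urllib.parse import parse_qsl, urlsplit

RULE = 'SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"'  # the rule from main.conf

def parse_rule(text):
    """Split one SecRule line into (variable, operator, argument, actions)."""
    keyword, variable, op_text, action_text = shlex.split(text)
    if keyword != "SecRule":
        raise ValueError("not a SecRule directive: " + text)
    operator, _, argument = op_text.partition(" ")   # "@contains test" -> "@contains", "test"
    actions = {}
    for item in action_text.split(","):              # "id:1234,deny,log,status:403"
        name, _, value = item.partition(":")
        actions[name.strip()] = value.strip()
    return variable, operator, argument, actions

def select_args(variable, args):
    """Resolve ARGS (all parameters) or ARGS:name (one parameter) to (key, value) pairs."""
    collection, _, name = variable.partition(":")
    if collection != "ARGS":
        raise ValueError("only the ARGS collection is modelled here")
    return [(k, v) for k, v in args if not name or k == name]

def operator_matches(operator, argument, value):
    """@contains is the page's operator; @beginsWith and @rx are added for comparison."""
    if operator == "@contains":
        return argument in value                     # case-sensitive, as in ModSecurity
    if operator == "@beginsWith":
        return value.startswith(argument)
    if operator == "@rx":
        return re.search(argument, value) is not None
    raise ValueError("unsupported operator " + operator)

def evaluate(rule_text, url):
    """Return (status, matched rule id): the deny status when the rule matches, else (200, None)."""
    variable, operator, argument, actions = parse_rule(rule_text)
    args = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    for _key, value in select_args(variable, args):
        if operator_matches(operator, argument, value) and "deny" in actions:
            return int(actions.get("status", "403")), actions.get("id")
    return 200, None

if __name__ == "__main__":  # constructed test URLs, the first being the one curl'ed above
    for u in ("http://localhost/foo?testparam=thisisatestofmodsecurity",
              "http://localhost/foo?testparam=hello", "http://localhost/foo?other=test"):
        print(u, "->", evaluate(RULE, u))
```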

Logging

  Modify the nginx configuration file /etc/nginx/nginx.conf:

# head -5 /etc/nginx/nginx.conf
load_module /opt/nginx-1.17.5/objs/ngx_http_modsecurity_module.so;   # load the module
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log info;   # set the error log level to info
[root@localhost modsec]# nginx -s reload    # reload the configuration
[root@localhost modsec]# nginx -t           # test
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost modsec]# curl -D - http://localhost/foo?testparam=thisisatestofmodsecurity      # access again
HTTP/1.1 403 Forbidden
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 06:02:09 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.5</center>
</body>
</html>
[root@localhost modsec]# tail -5 /var/log/nginx/error.log        # view the error log file
2019/11/18 14:01:57 [notice] 24845#24845: worker process 25847 exited with code 0
2019/11/18 14:01:57 [notice] 24845#24845: signal 29 (SIGIO) received
2019/11/18 14:01:59 [notice] 25880#25880: ModSecurity-nginx v1.0.0 (rules loaded inline/local/remote: 0/7/0)
2019/11/18 14:02:09 [error] 25879#25879: *11 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `thisisatestofmodsecurity' ) [file "/etc/nginx/modsec/main.conf"] [line "4"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/foo"] [unique_id "157405692985.199277"] [ref "o7,4v19,24"], client: 127.0.0.1, server: , request: "GET /foo?testparam=thisisatestofmodsecurity HTTP/1.1", host: "localhost"
2019/11/18 14:02:09 [info] 25879#25879: *11 client 127.0.0.1 closed keepalive connection
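Since the error log is where blocked requests surface, here is an added example (not ModSecurity's or nginx's code) that parses "Access denied" entries in the error.log format shown above into their fields, using the lines above as constructed sample input. The keys of the returned dict come from the bracketed tags in the log line itself (id, uri, file, line, unique_id and so on).

```python
import re

# Constructed sample: the lines from the error.log listing above (one ModSecurity denial
# between two ordinary nginx entries), as an analyst would see them.
SAMPLE_LOG = """\
2019/11/18 14:01:59 [notice] 25880#25880: ModSecurity-nginx v1.0.0 (rules loaded inline/local/remote: 0/7/0)
2019/11/18 14:02:09 [error] 25879#25879: *11 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `thisisatestofmodsecurity' ) [file "/etc/nginx/modsec/main.conf"] [line "4"] [id "1234"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/foo"] [unique_id "157405692985.199277"] [ref "o7,4v19,24"], client: 127.0.0.1, server: , request: "GET /foo?testparam=thisisatestofmodsecurity HTTP/1.1", host: "localhost"
2019/11/18 14:02:09 [info] 25879#25879: *11 client 127.0.0.1 closed keepalive connection
"""

# Fixed prefix of a denial entry: timestamp, level, pid, optional connection counter, client, verdict.
HEADER = re.compile(
    r"""^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \S+: (?:\*\d+ )?\[client (?P<client>[^\]]+)\] """
    r"""ModSecurity: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\)\. """
    r"""Matched "Operator `(?P<operator>[^']+)' with parameter `(?P<param>[^']*)' """
    r"""against variable `(?P<variable>[^']+)'"""
)
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')        # [id "1234"], [uri "/foo"], [file "..."], ...
REQUEST = re.compile(r'request: "([^"]*)"')

def parse_denial(line):
    """Return the fields of one 'Access denied' entry as a dict, or None for any other line."""
    m = HEADER.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["code"] = int(entry["code"])
    entry["phase"] = int(entry["phase"])
    entry.update(TAG.findall(line))              # bracketed key/value tags become dict entries
    r = REQUEST.search(line)
    entry["request"] = r.group(1) if r else ""
    return entry

def denials(log_text):
    """All denial entries in a log text, in order; ordinary nginx lines are skipped."""
    return [e for e in map(parse_denial, log_text.splitlines()) if e]

def summarize(entry):
    """One-line summary suitable for an alert: who, what was blocked, by which rule."""
    return "%s %s -> %d rule %s on %s (%s)" % (
        entry["ts"], entry["client"], entry["code"], entry["id"], entry["uri"], entry["variable"])

if __name__ == "__main__":
    for e in denials(SAMPLE_LOG):
        print(summarize(e))
```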

Reference

  ModSecurity: an excellent open source WAF
    https://www.freebuf.com/sectool/211354.html

  Installing NGINX WAF
    https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-installation-logging/#


Source: www.cnblogs.com/Hi-blog/p/ModSecurity.html