On demand version can be accessed at https://www.nginx.com/resources/webinars/modsecurity-3-0-and-nginx-getting-started/
The long-awaited ModSecurity 3.0 is available now. ModSecurity 3.0 is a complete rewrite of ModSecurity, and is the first version to work natively with NGINX. ModSecurity 3.0 loads into NGINX as a dynamic module.
Watch this webinar to learn:
- A brief history of the ModSecurity project
- How ModSecurity stops Layer 7 attacks
- What’s changed with ModSecurity 3.0 and how it integrates with NGINX
- How to install and configure ModSecurity with both open source NGINX and NGINX Plus
3. Agenda
1. The current security landscape
2. ModSecurity overview
3. How to install with NGINX open source
4. How to install with NGINX Plus
5. Basic configuration and validation
4. Akamai State of the Internet, Security report
In the last 12 months…
Web Application attacks are increasing:
… whereas DDoS attacks levels are flat:
Source: Q3 2017 Akamai State of the Internet Security report
69% total increase in web application attacks
3% decrease in total DDoS attacks
2% decrease in infrastructure layer attacks
2% decrease in reflection-based attacks
5. Akamai State of the Internet, Security report
Recent trends (Q2 to Q3 2017)
6. What attackers are after
1. High-value personal data
• Credit card numbers
• Passwords
• Email, address, phone numbers,
any identity information
2. Ransom and Extortion
• Steal, pay not to release
• Encrypt, pay to decrypt
3. Botnets and CryptoCurrency mining
4. Political change
7. 8 months in 2017
March 2017
• Wonga, UK: 0.25m customer details
• Chipolte: Payment card data
• Gamestop: 5 months of payment data
• HipChat: Cloud Web Tier compromised
• AA: 2m customer details
April 2017
• Deloitte: Client details, inc. passwords
• ABTA: 43,000 customer details
• Cellebrite: 900Gb data, inc users and passwords
• Debenhams Flowers: 26,000 customer payment details
May 2017:
• Edmodo: 78m customer details
• Bell: 1.9m customer details
• Guardian Soulmates: Unspecified customer details
• OneLogin: Unspecified database tables
June 2017:
• Deep Root Analytics: 2m US voter details
July 2017
• Equifax: 143m account details
• Bithumb: 32,000 users compromised
• HBO: 1.5Tb data, GoT scripts, 1,000’s docs
• Parity: $32m ethereum
August 2017
• Cex: 2m customer details
September 2017
• Sonic Drive-In: 5m customer payment details
October 2017
• Yahoo: All 3bn accounts
• PizzaHut: 60,000 customer payment details
9. Example: Apache Struts (CVE-2017-5638)
• Bug in a widely-deployed Java Application Framework
• Not an operating-system library, so challenging to replace
• https://nvd.nist.gov/vuln/detail/CVE-2017-5638:
Incorrect exception handling … allows remote attackers to
execute arbitrary commands via a crafted Content-Type,
Content-Disposition, or Content-Length HTTP header,
as exploited in the wild in March 2017 with a Content-Type
header containing a #cmd= string. ”
• Within hours, scanning and attack tools were updated with
signatures to identify vulnerable web applications
“
10. Example: Apache Struts (CVE-2017-5638)
• Check vulnerability announcement, determine nature of issue:
• “a Content-Type header containing a #cmd= string”
• Construct and deploy Web App Firewall rule to block this traffic,
monitor for false positives:
• Investigate vulnerability further; determine that other headers
(Content-Disposition, Content-Length) and other exploits (#cmds=)
are possible. Extend Web App Firewall rule as necessary
• Finally, patch applications, verify, decommission WAF rule
SecRule REQUEST_HEADERS:Content-Type "@contains #cmd="
"id:5638,auditlog,log,deny,status:403"
11. Agenda
1. The current security landscape
2. ModSecurity overview
3. How to install with NGINX open source
4. How to install with NGINX Plus
5. Basic configuration and validation
12. Brief history of ModSecurity
● 2002: First open source release
● 2004: Commercialized as Thinking Stone
● 2006: Thinking Stone acquired by Breach Security
● 2006: ModSecurity 2.0 released
● 2009: Ivan Ristic, original author, leaves Breach Security
● 2010: Breach Security acquired by TrustWave
● 2017: ModSecurity 3.0 released
“... I realized that producing secure web applications is virtually impossible. As a result, I
started to fantasize about a tool that would sit in front of web applications and control
the flow of data in and out.”
- Ivan Ristic, ModSecurity creator
13. How ModSecurity works
• Dynamic module for NGINX
• Sits in front of application servers
• Inspects all incoming traffic
• Matches traffic against database of
rules searching for malicious
patterns
• Traffic that violates rules are
dropped and/or logged
14. What you get with ModSecurity
• Layer 7 attack protection
– SQLi, LFI, RFI, RCE, XSS,CSRF, and
more
• Project Honeypot IP reputation
• Standard PCRE regex rules
language
• Virtual patching
• Audit logs
• PCI-DSS 6.6 compliance
15. What’s new in ModSecurity 3.0
• Redesigned to work natively with NGINX
• Core functionality split off into libmodsecurity
• A special NGINX connector integrates libmodsecurity with
NGINX
-- Connector available for Apache
• Previous ModSecurity 2.9 technically worked with NGINX
but had poor performance and reliability
16. ModSecurity 3.0 Caveats
• Not yet at full feature parity with ModSecurity 2.9
• DDoS mitigation rules not supported; use NGINX native
functionality
• Rules that inspect application responses are not supported
• Other miscellaneous directives are yet to be implemented,
or will not be carried forward from 2.9
• OWASP CRS and Trustwave Commercial Rules are
supported with the above caveats
17. Agenda
1. The current security landscape
2. ModSecurity overview
3. How to install with NGINX open source
4. How to install with NGINX Plus
5. Basic configuration and validation
18. Install ModSecurity with NGINX open source
1. Install build tools and
prerequisites
2. Clone and build
libmodsecurity
3. Clone and build
NGINX connector and
NGINX module
19. 1 Prerequisites
1. Install NGINX 1.11.5 or later from our official repository
• See: nginx.org/en/linux_packages.html#mainline
2. Install prerequisite packages
apt-get install -y apt-utils autoconf automake build-
essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev
ibpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget
zlib1g-dev
20. 2. Download and compile libmodsecurity
1. Clone the GitHub repository
2. Compile the source code
$ cd ModSecurity
$ git submodule init
$ git submodule update
$ ./build.sh
$ ./configure
$ make
$ make install
$ git clone --depth 1 -b v3/master --single-branch
https://github.com/SpiderLabs/ModSecurity
21. 3. Download and compile NGINX connector
1. Clone the GitHub repository
2. Determine NGINX version
$ nginx -v
nginx version: nginx/1.13.7
$ git clone --depth 1
https://github.com/SpiderLabs/ModSecurity-nginx.git
22. 3. Download and compile NGINX connector
3. Download corresponding NGINX source code
4. Compile the dynamic module and copy it to NGINX directory
$ cd nginx-1.13.7
$ ./configure --with-compat --add-dynamic-
module=../ModSecurity-nginx
$ make modules
$ cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
$ wget http://nginx.org/download/nginx-1.13.7.tar.gz
$ tar zxvf nginx-1.13.7.tar.gz
23. Agenda
1. The current security landscape
2. ModSecurity overview
3. How to install with NGINX open source
4. How to install with NGINX Plus
5. Basic configuration and validation
26. Agenda
1. The current security landscape
2. ModSecurity overview
3. How to install with NGINX open source
4. How to install with NGINX Plus
5. Basic configuration and validation
27. 1. Load the dynamic module
1. Add the load_module directive in the main (top-level) context in
/etc/nginx/nginx.conf
user nginx;
worker_processes auto;
load_module "modules/ngx_http_modsecurity_module.so";
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
29. 3. Create test rule
1. Put the following text in /etc/nginx/modsec/main.conf
# From https://github.com/SpiderLabs/ModSecurity/blob/master/
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
30. 4. Final NGINX configuration
1. Enable ModSecurity in NGINX configuration
2. Reload for changes to take effect
server {
# ...
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
$ nginx -t && nginx –s reload
31. 5. Test it out
1. Issue the following curl command, look for the 403
$ curl localhost?testparam=test
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.1</center>
</body>
</html>
32. Enable Audit and Debug Logging
1. HOWTO: See NGINX
Admin Guide
2. Deep Dive: see
https://www.nginx.com/
blog/modsecurity-
logging-and-
debugging/
33. Deploy the OWASP Core Ruleset (CRS)
See NGINX Admin Guide
1. Clone from GitHub and
Include rules
2. Test in detection-only
mode first, and
investigate false-
positives:
SecRemoveRuleById
34. Comparing OSS and NGINX Plus options
ModSecurity OSS NGINX WAF
Obtaining the
module
Build from source, test and deploy Fully-tested builds direct from
NGINX
Updates Track GitHub, build and deploy
updates as necessary
NGINX tracks GitHub and pushes
out necessary updates
Support Community (GitHub,
StackOverflow)
Additional commercial support
from Trustwave
Commercial support from NGINX
and Trustwave
Financial Cost $0, self-supported Per-instance, NGINX supported
35. Summary
• The number of web application attacks is rising year over year
• The cost of a security breach can be devastating to the business
• Protecting web applications requires a multi-faceted approach
• A web application firewall protects against layer 7 attacks
• ModSecurity WAF now runs natively with NGINX
• NGINX Plus users get access to a pre-built binary and 24x7 support
These are all discolosed databreaches that relate to vulnerabilities in technology
232m people affected, /plus/ every single Yahoo account (3bn)
https://www.entrepreneur.com/slideshow/290673
http://www.wired.co.uk/article/hacks-data-breaches-2017
These are all inline devices
IDS is adjacent, monitors and can then generate rules for firewall, IPS and Web app firewall
Also mention SAST and DAST (static / dynamic app security testing) to generate WAF rules based on static analysis of application code and dynamic analysis of application errors and pen tests
The “What happened” slide
Struts was challenging to replace because:
Not managed by the OS vendor, cannot be updated using usual OS patch approaches
Owned by individual application teams, bundled with application, difficult to scan and locate vulnerable deployments
Individual apps need to be patched and tested, then redeployed. Apps may be several years old, or may import struts through external dependencies
The “How should I respond” slide
Even when you understand security, it is difficult to create secure applications, especially when working under the pressures so common in today’s enterprise.
The NGINX Web Application Firewall (WAF) protects applications against sophisticated Layer 7 attacks that might otherwise lead to systems being taken over by attackers, loss of sensitive data, and downtime. The NGINX WAF is based on the widely used ModSecurity open source software.
Even when you understand security, it is difficult to create secure applications, especially when working under the pressures so common in today’s enterprise.
The NGINX Web Application Firewall (WAF) protects applications against sophisticated Layer 7 attacks that might otherwise lead to systems being taken over by attackers, loss of sensitive data, and downtime. The NGINX WAF is based on the widely used ModSecurity open source software.