Announcing the availability of ModSecurity extension for Nginx

ModSecurity for Nginx

image from wiki.nginx.orgModSecurity for Nginx is a web server plug-in for the Nginx web server platform. This module was created through a collaboration between Trustwave SpiderLabs Research, Microsoft Security Research Center (MSRC), Yandex and community members. With the addition of the Nginx platform to go along with Apache and Microsoft IIS, ModSecurity is now able to run on ~86% of web server platforms (according to Netcraft).

Development Status: BETA

We are actively seeking community testers. If you would like to help with testing, please follow the steps listed here and use the Developer mail-list for discussions.

Downloading

The porting effort to migrate the ModSecurity code to non-Apache platforms required the creation of "standalone" version which includes the Apache Runtime (APR) environment. So, in order to use ModSecurity on Nginx, you must first create the standalone ModSecurity version. You can download the full ModSecurity source code (which includes the Nginx code) from SVN trunk here:

Compiling

The extensibility model of the nginx server does not include dynamically loaded modules, thus ModSecurity must be compiled with the source code of the main server. Since nginx is available on multiple Unix-based platforms (and also on Windows), for now the recommended way of obtaining ModSecurity for nginx is compilation in the designated environment.

The first step in obtaining nginx server with built-in ModSecurity module is building of standalone library containing full ModSecurity with a set of intermediate API (this layer is a common base for IIS version, nginx version, and server-less command line version of ModSecurity). It is recommended to follow the general steps of preparing build environment for ModSecurity and then follow with two simple commands:

~/mod_security$ ./configure --enable-standalone-module~/mod_security$ make
Once the standalone library is built successfully, one can follow with building the nginx server, following the steps from the nginx build tutorial:
~/nginx-1.2.0$ ./configure --add-module=../mod_security/nginx/modsecurity~/nginx-1.2.0$ make~/nginx-1.2.0$ sudo make install

The last command performs server installation on the local machine, which can be either customized or omitted with built binaries packaged or moved to alternative server.

Configuring

The ModSecurity configuration file must be linked in nginx.conf file using the following directives defined by nginx's ModSecurity extension module:

   server {        listen       80;        server_name  localhost;           location / {                ModSecurityEnabled on;                ModSecurityConfig modsecurity.conf;                ModSecurityPass @backend;           }           location @backend {                proxy_pass http://localhost:8011;                proxy_read_timeout 180s;          }} 
This configures ModSecurity as an Nginx request handler. The updated request flow is now:
request -> modsecurity handler -> backend

You will need to modify the @backend definition to point to your correct back-end web application that Nginx is proxying to. The ModSecurityConfig modsecurity.conf directive lists the configuration file that contains all of your configurations and rules. Important - as opposed to the Apache version where you can dynamically specify multiple ModSecurity config/rule files using Includes, the current Nginx version requires you to put all data into a single file. This is easily accomplished by concatenating the following files into the modsecurity.conf file:

  • ModSecurity modsecurity.conf-recommended file which specifies the recommended default configurations
  • OWASP ModSecurity CRS modsecurity_crs_10_setup.conf file which specifies the main configurations for the CRS
  • OWASP ModSecurity CRS base_rules conf files

After you have concatenated these files into the modsecurity.conf file, you should also copy the OWASP ModSecurity base_rules/*.data files into the same directory so that any @pmFromFile operators can use them. In my initial configuration, I have the SecRuleEngine set to "DetectionOnly" mode.

Starting Nginx with ModSecurity

Once you start Nginx with ModSecurity, you will see the following data in the logs directory:

[root@localhost logs]# pwd/usr/local/nginx/logs[root@localhost logs]# ls -ltotal 4-rw-r--r--. 1 root root 0 Sep 28 17:05 access.log-rw-r--r--. 1 root root 0 Sep 28 17:05 error.log-rw-r-----. 1 root root 0 Sep 28 17:05 modsec_audit.log-rw-r-----. 1 root root 0 Sep 28 17:05 modsec_debug.log-rw-r--r--. 1 root root 6 Sep 28 17:05 nginx.pid

You can monitor the error.log file for any new ModSecurity events.

Testing

In order to test that the Nginx port is working with the OWASP ModSecurity CRS, I sent the following Cross-site Scripting test request:

http://192.168.1.106/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E

I then reviewed the Nginx error.log file and found many CRS alerts:

2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\balert\\b\\W*?\\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2047"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\< ?script\\b" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2095"] [id "958051"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\balert\\b\\W*?\\(" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2292"] [id "958120"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "\\< ?script\\b" at REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2356"] [id "958119"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS) Attack"] [data "<script"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|h ..." at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2455"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(fromcharcode|alert|eval)\\s*\\(" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2545"] [id "973307"] [rev "2.2.5"] [msg "XSS Attack Detected"] [data "alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:<script.*?>)" at ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2656"] [id "973331"] [rev "2.2.5"] [msg "IE XSS Filters - Attack Detected"] [data "<script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:960024-WEB_ATTACK/RESTRICTED_SQL_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: ')</"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981173-WEB_ATTACK/RESTRICTED_SQLI_CHARS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>alert('foo')</script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-REQUEST_FILENAME. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:981243-Detects classic SQL injection probings 2/2-WEB_ATTACK/SQLI-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: >alert('f"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958052-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958051-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958120-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:958119-WEB_ATTACK/XSS-REQUEST_URI. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973300-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973307-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: alert("] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:0. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]2012/09/28 20:34:36 [info] 24924#0: [client 127.0.0.1] ModSecurity: Warning. Pattern match "(.*)" at TX:973331-WEB_ATTACK/XSS-ARGS:txtSearch. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 53, SQLi=4, XSS=35): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: <script>"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert%28%27foo%27%29%3C%2Fscript%3E"] [unique_id "12345"]

I then ran a test to use blocking mode by changing the SecRuleEngine to On, restarted Nginx and resent the request. This time I received the following alert:

2012/09/28 20:43:49 [info] 26259#0: [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:960017-POLICY/IP_HOST-REQUEST_HEADERS:Host. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "2791"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 58, SQLi=4, XSS=40): Last Matched Message: IE XSS Filters - Attack Detected"] [data "Last Matched Data: 192.168.1.106"] [hostname "standalone"] [uri "/search.aspx?txtSearch=%3Cscript%3Ealert(%27foo%27)%3C%2Fscript%3E"] [unique_id "12345"]

As you can see, the request was denied with a 403 HTTP status code due to a high anomaly score.

Outstanding Development Items

As you can see, we have made a tremendous amount of progress on the Nginx port of ModSecurity. That being said, there is still work to be done. One area that is not yet implemented is inspection of outbound response data. We also need help with load testing for performance and validating that all ModSecurity features work as expected.

Please help us by downloading and testing!

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.