ModSecurity — Efficient and Free WAF Component for Mid- and Small-Scale Webmasters

Image for post
Image for post

Original Author: Lei Xi
According to posting requirements, an “@” must be added in front of all http links.

Introduction

Installation

nginx/apache

1. Preparations

nginx @http://nginx.org/
modsecurity for Nginx: @https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: @https://github.com/SpiderLabs/owasp-modsecurity-crs

2. Dependencies

Nginx Dependencies: (Pcre, zlib, and openssl are available in centos 6.5 and above) yum install zlib zlib-devel opensslopenssl-devel pcre pcre-devel
ModSecurity Dependencies: pcre @httpd-devellibxml2 apr
yum install @httpd-devel apr apr-util-develapr-devel pcre pcre-devel libxml2 libxml2-devel

3. Enable and Compile Standalone Module
Download and unzip modsecurity fornginx, and execute the following directories after entering unzipping:

./autogen.sh
./configure --enable-standalone-module--disable-mlogc
make

4. Add ModSecurity module to nginx

After compiling Standalone, add the ModSecurity module via “ — add-module” during nginx compilation:

./configure--add-module=/root/modsecurity-2.9.1/nginx/modsecurity/  --prefix=/opt/tengine
make && make install

5. Add Rules

ModSecurity is intended to filter and stop web hazards. Its power comes from its rules. Rules provided by OWASP are maintained by volunteers, and are called core rules (CRS). They are reliable and powerful, but they can also be customized to meet different requirements.

a. Download OWASP rules:

git clone ~@https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/
cd/opt/tengine/conf/owasp-modsecurity-crs && mvmodsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

b. Enable OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping under the ModSecurity source code directory to the nginx conf subdirectory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit the file modsecurity.conf and set SecRuleEngine to On. The default value DetectOnly is the observation mode. It is recommended that you use this mode by default during installation, and observe whether it has an unexpected influence on the website and server.

There are a lot of folders for storing rules in owasp-modsecurity-crs such as base_rules, experimental_rules, optional_rules, and slr_rules. You can enable the rules you need by including them in modsecurity.conf

Includeowasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Includeowasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Includeowasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/base_rules /modsecurity_crs_45_trojans.confwebshell

//Considering the probable impact on the performance of the host, it is recommended you only add defense rules for critical vulnerabilities to defend against the most current critical web attacks.

For the details of the overall rules, please refer to @[url]http://www.2cto.com/Article/201409/334251.html[/url]. You can add rules based on your website’s individual requirements.

Note: nginx parses the @http request in a different way from apache. Therefore, some rules cannot be used in nginx. For more details, please refer to
nginxmodule :more_set_headers (@http://comments.gmane.org/gmane.comp.apache.mod-security.owasp-crs/962)

6. Configure nginx

Add the following lines to the location of the ModSecurity host that needs to be enabled:
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
The following are example configurations of PHP virtual host conf or the vhost file:

server {
listen 80;
server_name xxx.com www.xxx.com;
location ~ \.php$ {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
root /web/webroot;
index index.php index.html index.htm;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $Document_root$fastcgi_script_name;
include fastcgi_params;
}
}

IIS

1. Preparations

• ModSecurity V2.9.1 for IIS MSI Install-32、64bits @http://www.modsecurity.org/download.html
• Microsoft VisualC++ 2013 Redistributable Package @https://www.microsoft.com/en-gb/download/details.aspx?id=40784

2. Installation

  1. Install the package above.
  2. Find the ModSecurity line in C:WindowsSystem32inetsrvconfigapplicationHost.config, and change it to <sectionname=”ModSecurity” overrideModeDefault=”Allow”allowDefinition=”Everywhere” /></sectionGroup>
  3. Find modsecurity.conf under the installation directory ModSecurity IIS of ModSecurrity, and change “SecRuleEngine” to “On”.
  4. Add the following configurations to the file web.config under the root directory of the web <?xmlversion=”1.0" encoding=”UTF-8"?> <configuration> d. <system.webServer> <ModSecurityenabled=”true” configFile=” C:ProgramFilesModSecurity IISmodsecurity_iis.conf “ /> </system.webServer> </configuration>
  5. Reload the website.

Results

The interception rate was quite high for test scripts, satisfying expectations for intercepting high threat attacks like XSS, SQL injection, file inclusion, and command execution.
As far as other WAF products currently on the market go, Safedog is quite good but some problems still exist in its usability. It lacks adequate Windows compatibility, for example, and some website functionality is unavailable after deployment. Furthermore its defense capabilities in Linux simply don’t hold up to ModSecurity.

User maintenance and operation

  1. The location of the log is defined in SecAuditLog in the modsecurity.conf file. In linux this location is /var/log/modesec_audit.log by dafault, but you need to set the location yourself in Windwos.
  2. ModSecurity provides its own WAF syntax for custom rule creation. If you want to add a custom rule, just add it to the modsecurity.conf file.

Reference:

https://www.alibabacloud.com/blog/ModSecurity---Efficient-and-Free-WAF-Component-for-Mid--and-Small-Scale-Webmasters_p292676?spm=a2c41.11201641.0.0

Written by

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store