NGINX HTTP(S) Reverse Proxy with ModSecurity Protection

I would like to welcome you to my new project: building a reverse proxy powered by Nginx software, with a ModSecurity web application firewall enabled module.

There are many articles on how to do this configuration on the Internet, but I couldn't find any which had a holistic approach, from a to z, giving you all the steps on how to perform the above installation.

Nginx is an open-source HTTP and reverse proxy server. ModSecurity, an open-source web application firewall, has released packages in order to work together with nginx. Taking advantage of this architecture, you can redirect all the requests to nginx, let them get parsed and sanitised by ModSecurity and as a consequence, have your websites protected.

Ingredients:

• Debian Linux 7.3.0
• ModSecurity source code
• NGINX source code

First of all we need to fulfill some requirements before configuring ModSecurity to work with nginx.

1. Install gcc:
   $> apt-get install gcc
2. Install Apache apxs:
   $> apt-get install apache2-threaded-dev
3. Install libxml2-dev:
   $> apt-get install libxml2-dev
4. Install libcurl4-gnutls-dev:
   $> apt-get install libcurl4-gnutls-dev
5. Install lua:
   $> apt-get install liblua5.1-dev

Then configure and build ModSecurity to be ready to get integrated in NGINX (following exactly the instructions as publish in ModSecurity website here):

Navigate to ModSecurity directory:

$> ./configure --enable-standalone-module

$> make

$> make install

Then we change to the directory where nginx source code is downloaded.

We configure NGINX to include ModSecurity and SSL support:

$> ./configure --add-module=../modsecurity-apache_2.7.7/nginx/modsecurity/ --with-http_ssl_module

$> make

$> make install

And the rest is pure configuration! Some references for your next steps are:

• http://www.cyberciti.biz/tips/using-nginx-as-reverse-proxy.html
• http://www.modsecurity.org/documentation/
• http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
• https://www.feistyduck.com/books/modsecurity-handbook/gettingStarted.html
• https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Enjoy protecting your websites!

Luring the Bots for Fun!

Project Introduction

These days I am hosting a custom honeypot which is based on Metasploitable VM. Unfortunately I didn't have the time to build a new one, so I based it on Metasploitable VM. Initially, I wanted to capture all the wordlists hosted on the machines that would target me. Secondly, I wanted to make a statistical analysis of the regions which attack the most. Obviously, a honeypot situated in Greece wouldn't be a good statistical sample, however after a month of honeypot's "production" state I have gathered very interesting data which I would like to share (apart from the wordlists!).

Honeypot Services

The first service which is built in order to lure the bots is the SSH. This has given me a very interesting amount of data and wordlists of the brute force attacks. SSH service by default does not log any failed login attempts. That's why I had to download SSH source code and recompile it in a way that the SSH daemon would log any failed logon attempt. The altered source code (auth_passwd.c) can be found here.

The second service is HTTP. I wanted to lure any bots or blackhats (script kiddies to be more accurate because no one serious blackhat would like to hack a useless site!) who would try to hack a web application. I uploaded to the Apache server a PHP project I had written during my first degree, which is full of vulnerabilities (in the 3rd semester no one had made me an introduction to web application security, I admit it!). In order to log the attacks I installed and configured ModSecurity as I have described in a previous article (later I found that modsecurity can be linked with online honeypot projects! Just google it!). Unfortunately, HTTP service has not faced any attack attempt yet, so this project did not go well!...

Attacking Hosts by Region

Below there is a graph of the number of attacks and the region from which these attacks came from!

I am sure that you had imagined that China would win the race easily!

Conclusion

In the near future I am looking to add more services to my honeypot, so stay tuned for future posts!
And remember: The bots are out there! (like X-Files motto? :p)

Setting up a ModSecurity powered Reverse Proxy

Overview

Following the series of my ModSecurity related posts, in this one, I explain how we can set up a reverse proxy that will process all the requests received by any browser and then forward them to the web applications we want to protect. This reverse proxy will be an autonomous VM that is very flexible to deploy in front of numerous web applications. For example, we can write generic ModSecurity rules and then we can copy and apply the VM to multiple places in order to process the requests. Afterwards, we can parameterize each VM according to the application that resides behind it.

Infrastructure

I used the following VMs for this demo:

• Debian 6 64-bit (2 processors, 1024MB RAM), acting as reverse proxy with ModSecurity 2.5.12. Installed Apache version: 2.2.16.
• OWASP Broken Web Applications VM. Just the guarenteed solution! Download it here.
• Windows XP Pro with Hacme bank vulnerable web application installed. Installation instructions can be found here.

My aim is to create a reverse proxy that handles more than one web application's requests.

Below, there is a schematic of the VM infrastructure that I have described earlier.

Architecture

Advantages

• Unified Rules. With this architecture we have a VM that is charged with filtering every HTTP request to our web applications and therefore, we can edit the rules and parameterize it in order to filter possibly malicious requests. Core rule sets can be used in order to have a generic protection and, on the meanwhile, we can paramiterize the rules for specific fields and functions of our web applications.
• Network Security. The security of our network becomes more robust and solid. The web applications are isolated, they receive only HTTP request from the reverse proxy.
• Cost Free! I have used only freeware software, no money are needed for this architecture and infrastracture.

Disadvantages

• Time Consuming. ModSecurity needs dedicated professionals in order to write rules and parameterize the product.
• Single point of Failure. ModSecurity VM is a single point of failure, meaning that if VM is down, the web applications will be unavailable and unaccessible.

Configuration

First of all, we need to install ModSecurity at our Debian VM which will be acting as a reverse proxy. Then we enable it and then we download the OWASP Core Rule Set which can be found here.

More specifically, we follow these steps:

€ > apt-get install libapache-mod-security
€ > a2enmod mod-security

Now, we need to set up the reverse proxy. We create a file at the location /etc/apache2/sites-available and we enable it by creating a soft link to it a the location /etc/apache2/sites-enabled. Below you can see a sample site. This is only a sample, you can parameterize it and customize it as you wish.

LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
<IfModule security2_module>
        Include /etc/apache2/crs/activated_rules/*.conf
</IfModule>
<VirtualHost *:80>
        ServerName modsecurity
        ProxyRequests Off
        ProxyPass               /HacmeBank_v2_Website/  http://192.168.200.15/HacmeBank_v2_Website/
        ProxyPassReverse        /HacmeBank_v2_Website/  http://192.168.200.15/HacmeBank_v2_Website/
        ProxyPass               /owaspbwa/      http://192.168.200.12/
        ProxyPassReverse        /owaspbwa/      http://192.168.200.12/
</VirtualHost>

Now, every request to the web applications is examined by ModSecurity and then, proxied to the appropriate IP inside our LAN.

Example

I am going to omit a demo attack to the OWASP BWA VM because I have already examined it on a previous post in my blog. Therefore, the scenario I am going to follow, is to send a simple SQL injection payload to the Hacme Bank web application.

The logs generated by ModSecurity:

--84b6cd1e-A--
[09/Nov/2012:15:19:50 +0200] UJ0C9X8AAQEAAB0xAVcAAAAC 192.168.200.1 6177 192.168.200.18 80
--84b6cd1e-B--
POST /HacmeBank_v2_Website/aspx/login.aspx HTTP/1.1
Host: 192.168.200.18
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.200.18/HacmeBank_v2_Website/aspx/login.aspx
Cookie: PHPSESSID=saafok2s1qn7tkf1ln7800isg3; ASP.NET_SessionId=tgsda3mibmrqgluhkzms4u55; CookieLoginAttempts=5
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
--84b6cd1e-C--
__VIEWSTATE=dDwtNDI1MDU4NDs7Pr7Z3yoqTxmFlpDLZYX86TQOF%2Fbz&txtUserName=x%27+or+1%3D1--&txtPassword=test&btnSubmit=Submit
--84b6cd1e-F--

And the log that activated the ModSecurity rule:

Message: Warning. Pattern match "(?i:([\s'"`Β΄ββ\(\)]*)?([\d\w]+)([\s'"`Β΄ββ\(\)]*)?(?:=|<=>|r?like|sounds\s+like|regexp)([\s'"`Β΄ββ\(\)]*)?\2|([\s'"`Β΄ββ\(\)]*)?([\d\w]+)([\s'"`Β΄ββ\(\)]*)?(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'"`Β΄ββ\(\)] ..." at ARGS:txtUserName. [file "/etc/apache2/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data " 1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. Pattern match "(?i:\bor\b ?(?:\d{1,10}|[\'"][^=]{1,10}[\'"]) ?[=<>]+|(?i:'\s+x?or\s+.{1,20}[+\-!<>=])|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')|\b(?i:x?or)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[=<>])" at ARGS:txtUserName. [file "/etc/apache2/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "134"] [id "959071"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "' or 1=1--"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Warning. Pattern match "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;"\'\Β΄\β\β\`\<\>].*){4,}" at ARGS:txtUserName. [file "/etc/apache2/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "-"]
Message: Warning. Pattern match "(?i:(?i:\d["'`Β΄ββ]\s+["'`Β΄ββ]\s+\d)|(?:^admin\s*?["'`Β΄ββ]|(\/\*)+["'`Β΄ββ]+\s?(?:--|#|\/\*|{)?)|(?:["'`Β΄ββ]\s*?(x?or|div|like|between|and)[\w\s-]+\s*?[+<>=(),-]\s*?[\d"'`Β΄ββ])|(?:["'`Β΄ββ]\s*?[^\w\s]?=\s*?["'`Β΄ββ]) ..." at ARGS:txtUserName. [file "/etc/apache2/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "217"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "' or 1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Message: Warning. Pattern match "(?i:(?:["'`Β΄ββ]\s*?(x?or|div|like|between|and)\s*?["'`Β΄ββ]?\d)|(?:\\x(?:23|27|3d))|(?:^.?["'`Β΄ββ]$)|(?:(?:^["'`Β΄ββ\\]*?(?:[\d"'`Β΄ββ]+|[^"'`Β΄ββ]+["'`Β΄ββ]))+\s*?(?:n?and|x?x?or|div|like|between|and|not|\|\||\&\&)\s*?[\w ..." at ARGS:txtUserName. [file "/etc/apache2/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "249"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "' or 1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Apache-Handler: proxy-server
Stopwatch: 1352467189580612 738276 (1537* 9311 -)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.1.2.
Server: Apache/2.2.16 (Debian)
--84b6cd1e-Z--

Conclusion

A reverse proxy running ModSecurity can be used to protect server farms that host critical web applications. This architecture is a low cost that could offer significant security protection if ModSecurity is parameterized correctly.

References - Further reading

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

http://www.ibm.com/developerworks/web/library/wa-lampsec/

http://www.apachetutor.org/admin/reverseproxies

http://www.f5.com/glossary/reverse-proxy.html

http://en.wikipedia.org/wiki/Reverse_proxy

Securing OWASP Broken Web Apps with ModSecurity

Overview

In this blog entry I am going to secure the Apache deployed in OWASP broken web apps VM with Trustwave's ModSecurity. OWASP broken web apps VM comes with ModSecurity integrated. The only thing we have to do, is to enable it.

The main goal for this post, is to help IT professionals enable ModSecurity, an open source waf, and then, get acquainted with it.

Enabling ModSecurity Module

ModSecurity module is not enabled by default in OWASP broken web apps VM. Some actions are needed by our side in order to make the module functional.

First of all we need to shutdown Apache server:

/etc/init.d/apache2 stop

We need to edit httpd.conf located at  /etc/apache2 and add the following lines:

<IfModule security2_module>
        Include /etc/apache2/modsecurity-crs/activated_rules/*.conf
</IfModule>

Create soft links of the rules we want to activate to the activated rules folder. In our example we are going to copy the whole base rule set by issuing the command:

ln -s /etc/apache2/modsecurity-crs/base_rules/* /etc/apache2/modsecurity-crs/activated_rules/
ln -s /etc/apache2/modsecurity_crs_10_config_log.conf /etc/apache2/modsecurity-crs/activated_rules/ (for the log settings)

Next, we have to edit modsecurity_crs_10_config_log.conf in order to parameterize the loggin engine.

• If we need the ModSecurity waf to block the requests that violate any of the activated rules we have to alter the directive "SecRuleEngine" from "DetectionOnly" to "On".
• Change the directive "SecDefaultAction" to "phase:2,deny,nolog,auditlog" in order to log at at a different file.
• At the end of the file, un-comment the directive "SecAuditEngine" and if you wish, alter the log file location and name by changing the value at the "SecAuditLog" directive.

Finally, we start Apache server:

/etc/init.d/apache2 start

Now, ModSecurity is fully operational and logs every rule violation.

Attack Example

At this point, we send a simple SQL payload in order to test ModSecurity rules:

The ModSecurity logs are populated by the module. Here we can see the logs generated after our request:

Message: Rule b853e718 [id "950901"][file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule b853e718 [id "950901"][file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Pattern match "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*)?([\\d\\w]+)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*)?(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*)?\\2|([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\ ..." at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data " 1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Pattern match "(?i:\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:'\\s+x?or\\s+.{1,20}[+\\-!<>=])|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*[=<>])" at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "134"] [id "959071"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "' or 1=1--"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*){4,}" at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "-"]
Message: Pattern match "(?i:(?i:\\d[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+\\d)|(?:^admin\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|(\\/\\*)+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\"'`\xc2\xb4\xe2\x80\x9 ..." at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "217"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "' or 1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Message: Pattern match "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]$)|(?:(?:^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\\\]*?(?:[\\ ..." at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "249"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "' or 1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 23, SQLi=13, XSS=): 981242-Detects classic SQL injection probings 1/2"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1352206441253338 16368 (- - -)
Stopwatch2: 1352206441253338 16368; combined=11385, p1=165, p2=10807, p3=3, p4=91, p5=318, sr=20, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.0trunk (http://www.modsecurity.org/); core ruleset/2.1.2.
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5

Conclusion

By enabling ModSecurity in OWASP Broken web apps VM is a good hands-on opportunity for waf administrations to get used to configuring and parametrizing ModSecurity open source web application firewall.

References

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Installation_for_Apache

http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/07-logging.html