SlideShare a Scribd company logo

Optimizing ModSecurity on NGINX and NGINX Plus

Slides for an O'Reilly Media Webcast on Januar 9, 2018. In this webcast, we introduce the open source ModSecurity Web Application Firewall. ModSecurity allows you to thwart web attacks by inspecting the incoming HTTP requests a selection of granular rules. The standard ruleset accompanying ModSecurity, the OWASP ModSecurity Core Rule Set, will be presented by one of its authors. You will learn how to set it all up with NGINX open source and NGINX Plus, how to begin addressing common security threats, and where to find additional information.

Optimizing ModSecurity on NGINX and NGINX Plus

1 of 49
Download to read offline
Optimizing ModSecurity on
NGINX and NGINX Plus
Christian Folini
January 9, 2018
Christian Folini
 PhD in Medieval History
 Program chair Swiss Cyber Storm Conf
 Working with ModSecurity since 2006
 Co-Lead of
OWASP ModSec Core Rule Set Project
 Author of “ModSecurity Handbook” 2ed
2
Replace box with
photo then send to
back
Program
 Introduction to ModSecurity
 Introduction to the OWASP ModSec Core Rule Set
 How to get this up an running on NGINX
 First steps at optimizing your setup
3
Introduction to ModSecurity
4
ModSecurity – Brief History

Started in 2002 by Ivan Ristić

Apache license since 2010

V3.0 in December 2017

Originally: Apache Module

Now: Server independent

Small dev team: Trustwave
5
“ModSecurity is not a high-flying, cloud-
enabled, machine-learning mastermind.
It is better to think of ModSecurity as of a
mechanical watch. ”
– Christian Folini
6
Ad

Recommended

ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)NGINX, Inc.
 
The Service Mesh: It's about Traffic
The Service Mesh: It's about TrafficThe Service Mesh: It's about Traffic
The Service Mesh: It's about TrafficC4Media
 
2021/0/15 - Solarwinds supply chain attack: why we should take it sereously
2021/0/15 - Solarwinds supply chain attack: why we should take it sereously2021/0/15 - Solarwinds supply chain attack: why we should take it sereously
2021/0/15 - Solarwinds supply chain attack: why we should take it sereouslySirris
 
Les menaces applicatives
Les menaces applicativesLes menaces applicatives
Les menaces applicativesBee_Ware
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attackYadnyawalkya Tale
 
Sphinx autodoc - automated api documentation - PyCon.KR 2015
Sphinx autodoc - automated api documentation - PyCon.KR 2015Sphinx autodoc - automated api documentation - PyCon.KR 2015
Sphinx autodoc - automated api documentation - PyCon.KR 2015Takayuki Shimizukawa
 

More Related Content

What's hot

In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoastken_kitahara
 
Cyber Kill Chain.pptx
Cyber Kill Chain.pptxCyber Kill Chain.pptx
Cyber Kill Chain.pptxVivek Chauhan
 
Solar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenchesSolar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenchesInfosec
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
Cyber threat intelligence
Cyber threat intelligenceCyber threat intelligence
Cyber threat intelligenceMondher Smii
 
Mitre ATT&CK Kullanarak Etkin Saldırı Tespiti
Mitre ATT&CK Kullanarak Etkin Saldırı TespitiMitre ATT&CK Kullanarak Etkin Saldırı Tespiti
Mitre ATT&CK Kullanarak Etkin Saldırı TespitiBGA Cyber Security
 
2023 Ivanti September Patch Tuesday
2023 Ivanti September Patch Tuesday2023 Ivanti September Patch Tuesday
2023 Ivanti September Patch TuesdayIvanti
 
Microservices With Istio Service Mesh
Microservices With Istio Service MeshMicroservices With Istio Service Mesh
Microservices With Istio Service MeshNatanael Fonseca
 
Debunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust SecurityDebunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust SecurityCentrify Corporation
 
Sensibilisation sur la cybersécurité
Sensibilisation sur la cybersécuritéSensibilisation sur la cybersécurité
Sensibilisation sur la cybersécuritéOUSMANESoumailaYaye
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
Starbase: Graph-Based Security Analysis for Everyone
Starbase: Graph-Based Security Analysis for EveryoneStarbase: Graph-Based Security Analysis for Everyone
Starbase: Graph-Based Security Analysis for EveryoneNeo4j
 
IBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptxIBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
Simple and Scalable Microservices: Using NATS with Docker Compose and Swarm
Simple and Scalable Microservices: Using NATS with Docker Compose and Swarm Simple and Scalable Microservices: Using NATS with Docker Compose and Swarm
Simple and Scalable Microservices: Using NATS with Docker Compose and Swarm NATS
 

What's hot (20)

In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
 
Zero Trust Model
Zero Trust ModelZero Trust Model
Zero Trust Model
 
Pen-Testing with Metasploit
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with Metasploit
 
Cyber Kill Chain.pptx
Cyber Kill Chain.pptxCyber Kill Chain.pptx
Cyber Kill Chain.pptx
 
Solar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenchesSolar winds supply chain breach - Insights from the trenches
Solar winds supply chain breach - Insights from the trenches
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security Benchmark
 
Cyber threat intelligence
Cyber threat intelligenceCyber threat intelligence
Cyber threat intelligence
 
security onion
security onionsecurity onion
security onion
 
Mitre ATT&CK Kullanarak Etkin Saldırı Tespiti
Mitre ATT&CK Kullanarak Etkin Saldırı TespitiMitre ATT&CK Kullanarak Etkin Saldırı Tespiti
Mitre ATT&CK Kullanarak Etkin Saldırı Tespiti
 
2023 Ivanti September Patch Tuesday
2023 Ivanti September Patch Tuesday2023 Ivanti September Patch Tuesday
2023 Ivanti September Patch Tuesday
 
Microservices With Istio Service Mesh
Microservices With Istio Service MeshMicroservices With Istio Service Mesh
Microservices With Istio Service Mesh
 
Debunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust SecurityDebunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust Security
 
Sensibilisation sur la cybersécurité
Sensibilisation sur la cybersécuritéSensibilisation sur la cybersécurité
Sensibilisation sur la cybersécurité
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
Starbase: Graph-Based Security Analysis for Everyone
Starbase: Graph-Based Security Analysis for EveryoneStarbase: Graph-Based Security Analysis for Everyone
Starbase: Graph-Based Security Analysis for Everyone
 
SonarQube et la Sécurité
SonarQube et la SécuritéSonarQube et la Sécurité
SonarQube et la Sécurité
 
IBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptxIBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptx
 
Simple and Scalable Microservices: Using NATS with Docker Compose and Swarm
Simple and Scalable Microservices: Using NATS with Docker Compose and Swarm Simple and Scalable Microservices: Using NATS with Docker Compose and Swarm
Simple and Scalable Microservices: Using NATS with Docker Compose and Swarm
 
Wazuh Pre.pptx
Wazuh Pre.pptxWazuh Pre.pptx
Wazuh Pre.pptx
 

Similar to Optimizing ModSecurity on NGINX and NGINX Plus

ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)NGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetNGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEAModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEANGINX, Inc.
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinJonnathan Griffin
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxSecurity Session
 
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn ContainerDay Security 2023
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapPatrick Chanezon
 
Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...
Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...
Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...Corley S.r.l.
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxMartin Holovský
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedNGINX, Inc.
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash
 
Nsx security deep dive
Nsx security deep diveNsx security deep dive
Nsx security deep divesolarisyougood
 

Similar to Optimizing ModSecurity on NGINX and NGINX Plus (20)

ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEAModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny Griffin
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
 
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
VMworld 2013: NSX Security Solutions In Action - Deploying, Troubleshooting, ...
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
 
Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...
Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...
Cloud party 2014 - Deploy your infrastructure with Saltstack - Salt Cloud wit...
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
 
ModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting StartedModSecurity 3.0 and NGINX: Getting Started
ModSecurity 3.0 and NGINX: Getting Started
 
Container Security Mmanagement
Container Security MmanagementContainer Security Mmanagement
Container Security Mmanagement
 
Windows network
Windows networkWindows network
Windows network
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
 
nsx overview with use cases 1.0
nsx overview with use cases 1.0nsx overview with use cases 1.0
nsx overview with use cases 1.0
 
Nsx security deep dive
Nsx security deep diveNsx security deep dive
Nsx security deep dive
 

More from Christian Folini

Crazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's landCrazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's landChristian Folini
 
Never Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP ProjectNever Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP ProjectChristian Folini
 
What’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS projectWhat’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS projectChristian Folini
 
The Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandThe Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandChristian Folini
 
EVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanEVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanChristian Folini
 
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetSecuring Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetChristian Folini
 
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule SetExtensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule SetChristian Folini
 
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...Christian Folini
 
Introduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule SetIntroduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule SetChristian Folini
 
Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3Christian Folini
 
Gedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für DatenschützerGedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für DatenschützerChristian Folini
 
Medieval Castles and Modern Servers
Medieval Castles and Modern ServersMedieval Castles and Modern Servers
Medieval Castles and Modern ServersChristian Folini
 
E-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der ExpertenE-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der ExpertenChristian Folini
 
Black alps 2018-folini-d-dos
Black alps 2018-folini-d-dosBlack alps 2018-folini-d-dos
Black alps 2018-folini-d-dosChristian Folini
 
A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017Christian Folini
 
Introducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule SetIntroducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule SetChristian Folini
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeChristian Folini
 

More from Christian Folini (17)

Crazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's landCrazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's land
 
Never Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP ProjectNever Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP Project
 
What’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS projectWhat’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS project
 
The Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandThe Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in Switzerland
 
EVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanEVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein Fortsetzungsroman
 
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetSecuring Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
 
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule SetExtensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
 
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
 
Introduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule SetIntroduction to ModSecurity and the OWASP Core Rule Set
Introduction to ModSecurity and the OWASP Core Rule Set
 
Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3
 
Gedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für DatenschützerGedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für Datenschützer
 
Medieval Castles and Modern Servers
Medieval Castles and Modern ServersMedieval Castles and Modern Servers
Medieval Castles and Modern Servers
 
E-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der ExpertenE-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der Experten
 
Black alps 2018-folini-d-dos
Black alps 2018-folini-d-dosBlack alps 2018-folini-d-dos
Black alps 2018-folini-d-dos
 
A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017
 
Introducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule SetIntroducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule Set
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 

Recently uploaded

Augmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & DefenseAugmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & Defensethirdeyegen65
 
[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchain[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchainhackersuli
 
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical ProfessionalsAugmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical Professionalsthirdeyegen65
 
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS  Clarify, Feature Store, Hyper parameter TuningAWS Overview of AWS  Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS Clarify, Feature Store, Hyper parameter TuningVarun Garg
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...ssuser7b7f4e
 
UGBINTERNETBANKING FACILITY LAUNCHED.pptx
UGBINTERNETBANKING FACILITY LAUNCHED.pptxUGBINTERNETBANKING FACILITY LAUNCHED.pptx
UGBINTERNETBANKING FACILITY LAUNCHED.pptxRiteshsahu101
 
history of tau gamma architect.1968.....
history of tau gamma architect.1968.....history of tau gamma architect.1968.....
history of tau gamma architect.1968.....josephiigo
 
Red shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's CyberspaceRed shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's Cyberspacesttyk
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetmatt806068
 

Recently uploaded (13)

Riesgos online
Riesgos onlineRiesgos online
Riesgos online
 
INTERNET
INTERNETINTERNET
INTERNET
 
Augmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & DefenseAugmented and Mixed Reality Solutions for Aerospace & Defense
Augmented and Mixed Reality Solutions for Aerospace & Defense
 
[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchain[Hackersuli]Privacy on the blockchain
[Hackersuli]Privacy on the blockchain
 
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical ProfessionalsAugmented and Mixed Reality Solutions for Frontline Medical Professionals
Augmented and Mixed Reality Solutions for Frontline Medical Professionals
 
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS  Clarify, Feature Store, Hyper parameter TuningAWS Overview of AWS  Clarify, Feature Store, Hyper parameter Tuning
AWS Overview of AWS Clarify, Feature Store, Hyper parameter Tuning
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
B1 Evaluation.docx
B1 Evaluation.docxB1 Evaluation.docx
B1 Evaluation.docx
 
Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...Obstructive jaundice is a medical condition characterized by the yellowing of...
Obstructive jaundice is a medical condition characterized by the yellowing of...
 
UGBINTERNETBANKING FACILITY LAUNCHED.pptx
UGBINTERNETBANKING FACILITY LAUNCHED.pptxUGBINTERNETBANKING FACILITY LAUNCHED.pptx
UGBINTERNETBANKING FACILITY LAUNCHED.pptx
 
history of tau gamma architect.1968.....
history of tau gamma architect.1968.....history of tau gamma architect.1968.....
history of tau gamma architect.1968.....
 
Red shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's CyberspaceRed shadows ringing in Japan's Cyberspace
Red shadows ringing in Japan's Cyberspace
 
Modern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budgetModern Red Teaming - subverting mature defenses on a budget
Modern Red Teaming - subverting mature defenses on a budget
 

Optimizing ModSecurity on NGINX and NGINX Plus

  • 1. Optimizing ModSecurity on NGINX and NGINX Plus Christian Folini January 9, 2018
  • 2. Christian Folini  PhD in Medieval History  Program chair Swiss Cyber Storm Conf  Working with ModSecurity since 2006  Co-Lead of OWASP ModSec Core Rule Set Project  Author of “ModSecurity Handbook” 2ed 2 Replace box with photo then send to back
  • 3. Program  Introduction to ModSecurity  Introduction to the OWASP ModSec Core Rule Set  How to get this up an running on NGINX  First steps at optimizing your setup 3
  • 5. ModSecurity – Brief History  Started in 2002 by Ivan Ristić  Apache license since 2010  V3.0 in December 2017  Originally: Apache Module  Now: Server independent  Small dev team: Trustwave 5
  • 6. “ModSecurity is not a high-flying, cloud- enabled, machine-learning mastermind. It is better to think of ModSecurity as of a mechanical watch. ” – Christian Folini 6
  • 7. ModSecurity – Key Features  Above all: Rule language  XML Schema validation  GeoIP Lookup  Remote Blacklist Support  CSRF Token Injection  ... 7
  • 8. ModSecurity – Domain Specific Language Over 100 Variables  REQUEST_URI  ARGS_POST  REMOTE_USER  RESPONSE_STATUS  Persistent Session Variables  ... Over 30 Operators  @rx  @eq, @gt, @lt, ...  @containsWord  @ipMatchFromFile  @validateByteRange  ... 8
  • 9. ModSecurity – Domain Specific Language About 70 Actions  deny  drop  pass  pause  redirect  chain  setenv  setvar  expirevar  skipAfter  multiMatch  ... 9
  • 10. ModSecurity – Rule Example I 10 Whitelisting rule allowing only parameter “firstname” matching a predefined pattern: SecRule ARGS:firstname "!@rx ^[a-zA-Z-]*$" "id:1000,deny"
  • 11. ModSecurity – Rule Example II 11 Blacklisting rule making sure parameters are submitted only once per request (HTTP Parameter Pollution): SecRule ARGS_NAMES "@unconditionalMatch" "id:1001,pass, setvar:'TX.counter_%{MATCHED_VAR_NAME}=+1'" SecRule TX:/counter_.*/ "@gt 1" "id:1002,deny"
  • 12. Introduction to the OWASP ModSecurity Core Rule Set 12
  • 13. 13
  • 14. CRS – Brief History  Started in 2006 by Ofer Shezaf  Apache license  Team of 10 developers  v3.0 / CRS3 in November 2016 14
  • 15. 15
  • 16. “The OWASP ModSecurity Core Rule Set is the standard rule set used with ModSecurity. It is the 1st line of defense against attacks as those described by the OWASP Top Ten.” – Christian Folini 16
  • 17. CRS – Key Features  Generic Blacklisting rule set  Scoring Mechanism  Variable Anomaly Thresholds  Paranoia Levels to adjust aggressiveness of rules  Low rate of False Positives per default 17
  • 18. CRS – Rule Example: SQL Injection  920273 : Invalid character in request (outside of very strict set)  942100 : SQL Injection Attack Detected via libinjection  942130 : SQL Injection Attack: SQL Tautology Detected.  942180 : Detects basic SQL authentication bypass attempts 1/3  942390 : SQL Injection Attack  942432 : Restricted SQL Character Anomaly Detection (args) 18
  • 19. 19 Anomaly Scoring is like challenging attacking Storm Troopers to do a Limbo Dance. CRS – Anomaly Scoring
  • 20. CRS – Overview Over Rule Groups Incoming Requests  Scanner detection  Protocol enforcement  Local File Inclusion attacks  Remote Command Execution  Cross Site Scripting attacks  SQL Injection attacks  ... Outgoing Responses Not Supported by NGINX  SQL Data leakages  Java data leakages  PHP data leakages  IIS data leakages  … 20
  • 22. CRS – Paranoia Level Overview 22  Paranoia Level 1: Basic security Minimal amount of False Positives  Paranoia Level 2: Elevated security level More rules, fair amount of FPs  Paranoia Level 3: Online banking level security Specialised rules, more FPs  Paranoia Level 4: Nuclear power plant level security Insane rules, lots of FPs
  • 23. Summary 23  ModSecurity is the ENGINE.  CRS is the default RULE SET that runs on top of the engine. By default, it blocks over 80%.  With 3.0, ModSecurity / NGINX is ready for PRIME TIME.
  • 24. How to get this up and running on NGINX 24
  • 25. ModSec on NGINX: Installation 25  ModSecurity 2.x was never really stable on NGINX  ModSecurity 3.0 only came out in December 2017  3.0 is not yet packaged by distributions  Compile it yourself  Get a precompiled binary with your NGINX Plus WAF subscription
  • 26. ModSec on NGINX: Basic Architecture 26 NGINX Server ModSecurity Connector libModSecurity 3.0 (standalone) API
  • 27. ModSec on NGINX: Compilation Overview 27  Compile ModSecurity 3.0  Create connector config file  Compile NGINX together with connector module
  • 28. ModSec on NGINX: Compilation ModSec 3.0 28  Download from https://github.com/SpiderLabs/ModSecurity/ releases/download/v3.0.0/  ./configure --prefix=/opt/modsecurity-3.0.0 --enable-mutex-on-pm  make  make install
  • 29. ModSec on NGINX: Connector Configuration 29  Download from https://github.com/SpiderLabs/ModSecurity- nginx/releases/download/v1.0.0/  Adopt paths in file “config” Watch out for the following variables: ngx_feature_path ngx_feature_libs
  • 30. ModSec: Compile NGINX with Connector 30  ./configure --prefix=/opt/nginx-1.13.8 … --add-module=/usr/src/modsecurity/modsecurity- nginx-v1.0.0 ...
  • 31. ModSec on NGINX: Download Binaries 31  Download and Installation Guides for NGINX Plus at https://www.nginx.com/resources/admin-guide/
  • 32. ModSec on NGINX: Advantages of NGINX Plus WAF 32  Binaries guaranteed to work with your OS  LoadBalancer included  Content Cache preconfigured (includes Purging API)  Session Persistence  JWT / OpenID Connect authentication  Additional products fitting the environment
  • 33. ModSec on NGINX: CRS Quick Installation 33 Please follow the INSTALL file or NGINX Admin Guide for proper CRS installation. This here is a quick demo.  Download from https://github.com/SpiderLabs/owasp- modsecurity-crs/releases/tag/v3.0.2  Untar  Copy crs-setup.conf.example to crs-setup.conf
  • 34. ModSec on NGINX: CRS Inclusion in nginx.conf 34 # Include OWASP ModSec CRS3 Include /path-to-crs/crs-setup.conf Include /path-to-crs/rules/*.conf
  • 35. ModSec on NGINX: Test Attack 35
  • 36. First Steps at Optimizing Your Setup 36
  • 37. Example Rule Alert – Right out of Sysadmin Hell 37 2018/01/09 14:55:50 [info] 1167#1167: *1 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:test' (Value: `/etc/passwd' ) [file "/tmp/nginx-crs/rules/REQUEST-930- APPLICATION-ATTACK-LFI.conf"] [line "71"] [id "930120"] [rev "4"] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:test: /etc/passwd"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "127.0.0.1"] [uri "/index.html"] [unique_id "151550615052.381887"] [ref "o1,10v21,11t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"], client: 127.0.0.1, server: localhost, request: "GET /index.html?test=/etc/passwd HTTP/1.1", host: "localhost"
  • 38. Optimization: Learn to read the logs I 38  ModSecurity Alerts very hard to read. Aliases to the rescue!  Go to: https://www.netnea.com/cms/apache-tutorials/  Download .apache-modsec.alias Nevermind this was written for Apache. The aliases work on NGINX too.
  • 39. Optimization: Learn to read the logs II 39  $> cat error.log | melidmsg 920273 Invalid character in request (outside of very strict set) 942100 SQL Injection Attack Detected via libinjection 942130 SQL Injection Attack: SQL Tautology Detected. 942180 Detects basic SQL authentication bypass attempts 1/3 ...
  • 40. Optimization: More aliases in the collection 40  meldata  melidmsg  melline  melmsg  meltags  melunique_id  ...  sucs  greppl[1-4]  mappl  pathsegs[1-5]  col[1-20]  Swapcolumns  ...
  • 41. Let NGINX Amplify help you monitor the logs 41  Visualize Alerts / Logs  Get notified in realtime  Keep an eye on performance
  • 42. Optimization : Adjust Anomaly Threshold  Always work in Blocking Mode  Start with a high anomaly threshold  Handle False Positives  Lower threshold step by step  Run over 3 – 5 iterations 42
  • 43. Optimization: Adjust Anomaly Threshold 43 File crs-setup.conf # Uncomment this rule to change the defaults: # SecAction "id:900110, phase:1, nolog, pass, t:none, setvar:tx.inbound_anomaly_score_threshold=1000, setvar:tx.outbound_anomaly_score_threshold=1000"
  • 44. Optimization : Learn to handle False Positives  Remove Rule at Startup  Remove arg for rule at startup  Remove rule for rule at runtime for given path  Remove arg for rule at runtime for given path 44 Four basic ways to handle a False Positive
  • 45. Photos and other resources 45  Watch: https://www.flickr.com/photos/billadler/391674817  Limbo: https://www.flickr.com/photos/jdhancock/3605011903  CRS Release Poster: https://coreruleset.org/poster/  ModSecurity Cheatsheet: https://netnea.com/cms/rule-exclusion-cheatsheet-download/  Aliases: https://netnea.com/cms/apache-tutorials/  Tutorials for Handling False Positives: https://netnea.com/cms/apache-tutorials/ All Resources with exception of the Cheatsheet are released under a Creative Commons license.
  • 46. More from Christian Folini  Follow me on twitter at @ChrFolini  ModSecurity / CRS courses in Frankfurt and Zurich, Switzerland https://www.feistyduck.com  ModSecurity Handbook https://www.feistyduck.com  Blogging at https://netnea.com and https://coreruleset.org 46
  • 47. Future ModSecurity Course Sites  New York  San Francisco Please get in touch via  Amsterdam folini@netnea.com  Geneva or @ChrFolini on twitter  Barcelona  Milano 47 If there is interest, we will do future courses in:
  • 48. And now on to the Q & A! 48