NGINX with ModSecurity: Protecting Legacy Applications with a Proxy Layer

Protecting Legacy Applications with Nginx and ModSecurity


Introduction

In this article, we walk through how to protect legacy applications by putting Nginx in front of them as a reverse proxy, with ModSecurity running on that proxy as a Web Application Firewall (WAF). ModSecurity adds a layer of defence against common web attacks such as SQL injection and cross-site scripting (XSS). Legacy applications often lack modern security controls and cannot easily be patched, so this setup works as a compensating control: malicious requests are filtered before they reach the application, and the legacy code itself is not changed. Keep in mind that it reduces exposure rather than fixing the underlying vulnerabilities, so treat it as one layer, not a replacement for patching where that is still possible.

Why Use Nginx with ModSecurity for Legacy Apps?

  • Security: ModSecurity filters out malicious traffic before it reaches the legacy application.
  • Flexibility: Nginx can terminate TLS, load-balance across several backend instances and handle high request volumes, while ModSecurity provides the inspection.
  • Non-invasive: The legacy application remains untouched, as ModSecurity and Nginx act as a proxy layer.

Installation and Configuration

1. Installing Nginx with ModSecurity on Ubuntu

  1. Update the package list:
    sudo apt update
  2. Install Nginx:
    sudo apt install nginx
  3. Install the ModSecurity 3.x library (libmodsecurity):
    sudo apt install libmodsecurity3
  4. Install the Nginx connector module for libmodsecurity:
    sudo apt install nginx-module-security
    The connector package name differs between distributions and releases, and not every release ships one; if your repositories do not carry it, build the ModSecurity-nginx connector from source against the exact Nginx version you installed. However it was installed, the module has to be loaded in the main context of nginx.conf before its directives are recognised:
    load_module modules/ngx_http_modsecurity_module.so;
  5. Enable ModSecurity in the Nginx configuration. Edit the Nginx configuration file:
    sudo nano /etc/nginx/nginx.conf
  6. Add the following lines inside the http, server or location block that should be protected:
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/modsec_rules.conf;
  7. Test the configuration and restart Nginx:
    sudo nginx -t && sudo systemctl restart nginx

2. Installing Nginx with ModSecurity on CentOS

  1. Install Nginx:
    sudo yum install nginx
  2. Install ModSecurity. Note that the mod_security package in the EPEL repository is the ModSecurity 2.x module for Apache httpd and does not work with Nginx. For Nginx you need libmodsecurity (ModSecurity 3.x) together with the ModSecurity-nginx connector; on CentOS these are usually built from source against the installed Nginx version, or taken from a third-party repository that packages them. Once the connector is in place, load it in the main context of nginx.conf:
    load_module modules/ngx_http_modsecurity_module.so;
  3. Enable ModSecurity by modifying the Nginx configuration as done in the Ubuntu guide:
    sudo nano /etc/nginx/nginx.conf
  4. Test the configuration and restart Nginx:
    sudo nginx -t && sudo systemctl restart nginx

Configuring ModSecurity with Nginx

Once ModSecurity is installed, you need to configure it to protect the legacy application. The first step is to load a rule set, typically the OWASP ModSecurity Core Rule Set (CRS); alternatives are listed below. Whichever rule set you choose, run it in detection mode (SecRuleEngine DetectionOnly) against real traffic first, because legacy applications frequently trip generic rules with perfectly legitimate requests.

Alternatives to CRS

  • Comodo WAF Rules: A popular alternative to the CRS that provides a range of rules for SQL injection, XSS, and other threats.
  • Atomicorp WAF: A commercial WAF solution with additional rules designed for high-traffic applications.
  • Custom Rules: You can write your own rules targeting the specific endpoints and known weaknesses of your legacy app (virtual patching), which is often the most effective use of a WAF in front of code that cannot be fixed.

Configuring ModSecurity Rules

  1. Download the CRS rule set (or use an alternative). A plain clone gives you the development branch, so check out a released version tag before deploying:
    git clone https://github.com/coreruleset/coreruleset.git
  2. Copy the rules to your ModSecurity directory:
    sudo cp -r coreruleset /etc/nginx/modsec/
  3. Create the CRS setup file from the example that ships with it; the rules expect it to exist:
    sudo cp /etc/nginx/modsec/coreruleset/crs-setup.conf.example /etc/nginx/modsec/coreruleset/crs-setup.conf
  4. Edit the rule set file so that it includes the base ModSecurity configuration, crs-setup.conf and the CRS rules directory, in that order:
    sudo nano /etc/nginx/modsec/modsec_rules.conf
  5. Make sure the following lines are present in your Nginx configuration to enable ModSecurity:
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/modsec_rules.conf;
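Putting the installation and rule-set steps together, here is the pair of files they produce, as an added example for this article (not configuration from the original page, the NGINX project or the ModSecurity project): the relevant parts of nginx.conf and the modsec_rules.conf it points to. The backend address 127.0.0.1:8080, the hostname legacy.example.com, the certificate paths, the module path and the location of the base modsecurity.conf are assumptions chosen for the illustration.

```nginx
# --- /etc/nginx/nginx.conf (relevant parts) ---
# Assumed module path; use wherever the connector package or your own build put the .so.
load_module modules/ngx_http_modsecurity_module.so;

events {}

http {
    # Turn the WAF on for everything in this http block; it can also be set per server or location.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/modsec_rules.conf;

    upstream legacy_app {
        server 127.0.0.1:8080;            # the untouched legacy application (assumed address)
    }

    server {
        listen 443 ssl;
        server_name legacy.example.com;   # placeholder hostname
        ssl_certificate     /etc/nginx/tls/legacy.crt;   # assumed paths; TLS ends at the proxy,
        ssl_certificate_key /etc/nginx/tls/legacy.key;   # the legacy app keeps speaking plain HTTP

        location / {
            proxy_pass http://legacy_app;
            # Pass the real client details on; otherwise the legacy app only ever sees 127.0.0.1.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Anything still arriving on plain HTTP is sent to the protected listener.
    server {
        listen 80;
        server_name legacy.example.com;
        return 301 https://$host$request_uri;
    }
}

# --- /etc/nginx/modsec/modsec_rules.conf ---
# Base engine settings: copy modsecurity.conf-recommended (and the unicode.mapping file it
# references) from the ModSecurity source tree into this directory first.
Include /etc/nginx/modsec/modsecurity.conf

# The recommended file starts the engine in DetectionOnly. Leave it there until the audit
# log shows no false positives for the legacy app's real traffic, then change it to On.
SecRuleEngine DetectionOnly

# OWASP CRS: crs-setup.conf was created from crs-setup.conf.example; rules/ holds the rule files.
Include /etc/nginx/modsec/coreruleset/crs-setup.conf
Include /etc/nginx/modsec/coreruleset/rules/*.conf
```

Check the result with sudo nginx -t before reloading; a missing crs-setup.conf or a wrong module path is reported there rather than at request time.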

Automating Email Notifications for Security Incidents

To monitor and respond to incidents effectively, you can have ModSecurity run a script whenever a rule is triggered. Understand what that implies before relying on it: the exec action runs the script synchronously for every matching request, as the Nginx worker user, so a burst of scanner traffic becomes a burst of processes and a burst of mail, and the audit log contains attacker-supplied request data, which you are then mailing to yourself. For anything beyond a small installation, a separate process that reads the audit log and rate-limits notifications is the better design; the exec approach below is the simplest possible version.

  1. Add the audit-log settings and a rule with an exec action to /etc/nginx/modsec/modsec_rules.conf. Every rule needs a unique id. The rule below is only an illustration; on a legacy application you would match the paths or patterns that matter for that application:
    SecRuleEngine On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/modsec_audit.log
    SecAuditLogParts ABIJDEFHZ
    SecRule REQUEST_URI "@rx /wp-admin" \
        "id:100001,phase:2,deny,status:403,msg:'Possible WordPress Admin Access Attempt',\
        log,auditlog,exec:/path/to/your/email/script"
    The Nginx worker user must be able to write to the audit log file.
  2. Write a script to send an email when the rule fires. The script could look like this:
    #!/bin/bash
    # Invoked by the exec action; runs non-interactively as the Nginx worker user, so keep it short.
    tail -n 50 /var/log/modsec_audit.log | mail -s "ModSecurity Alert on $(hostname)" your-email@example.com
  3. Make the script executable:
    chmod +x /path/to/your/email/script
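The alternative mentioned above, a watcher that reads the audit log instead of spawning a mailer per request, as an added example written for this article (not code from the original page or from the ModSecurity project). It parses the serial audit-log format that SecAuditLog writes, groups rule matches per client IP and produces a summary only once a client trips a threshold inside a sliding time window, so a port-scanner burst yields one notification rather than hundreds. The embedded sample log is constructed for the demonstration (documentation-range addresses, made-up unique ids); the threshold, window and rule ids are assumptions. Delivering the summary, for example by piping it into mail, is left to the caller.

```python
"""Watch the ModSecurity serial audit log and aggregate alerts per client.
Added example for this article, not code from the page or the ModSecurity project:
it parses entries written by SecAuditLog, groups rule matches per client IP and
reports a client only once it trips `threshold` hits inside a sliding window."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SECTION_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Part A layout (ModSecurity v3): [timestamp] unique_id client_ip client_port server_ip server_port
PART_A_RE = re.compile(r"^\[([^\]]+)\]\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

@dataclass
class AuditEntry:
    unique_id: str
    timestamp: datetime
    client_ip: str
    rule_ids: list = field(default_factory=list)
    denied: bool = False

def parse_audit_log(text):
    """One AuditEntry per transaction; entries with no usable A part (e.g. cut by log rotation) are skipped."""
    parts, cur = {}, None                       # unique_id -> {part letter: [lines]}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            cur = parts.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif cur is not None:
            cur.append(line)
    entries = []
    for uid, sec in parts.items():
        a = PART_A_RE.match(next((ln for ln in sec.get("A", []) if ln.strip()), ""))
        if not a:
            continue
        e = AuditEntry(uid, datetime.strptime(a.group(1), TIME_FMT), a.group(3))
        for h in sec.get("H", []):               # one "ModSecurity: ..." line per rule match
            if h.startswith("ModSecurity:"):
                e.rule_ids += RULE_ID_RE.findall(h)
                e.denied |= "Access denied" in h
        entries.append(e)
    return entries

def find_offenders(entries, threshold=3, window_seconds=300):
    """{client_ip: summary} for clients with >= threshold entries inside any window.
    Two-pointer sweep over sorted timestamps: a slow trickle never pages anyone, a scanner burst does."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e.client_ip].append(e)
    offenders = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e.timestamp)
        start = 0
        for end in range(len(hits)):
            while hits[end].timestamp - hits[start].timestamp > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = hits[start:end + 1]
                offenders[ip] = {"count": len(burst), "first": burst[0].timestamp,
                                 "last": burst[-1].timestamp,
                                 "denied": sum(e.denied for e in burst),
                                 "rule_ids": sorted({r for e in burst for r in e.rule_ids})}
                break
    return offenders

def format_alert(offenders):
    """Mail body from fields the rules control only; raw request lines are attacker-supplied and left out."""
    return "\n".join(f"{ip}: {s['count']} hits from {s['first']:%H:%M:%S} to {s['last']:%H:%M:%S}, "
                     f"{s['denied']} denied, rules {','.join(s['rule_ids'])}"
                     for ip, s in sorted(offenders.items()))

# Constructed sample (documentation-range addresses, made-up unique ids), not a real log.
SAMPLE_AUDIT_LOG = """\
--a1b2c301-A--
[14/Jan/2025:10:00:01 +0000] a1b2c301 203.0.113.7 51234 10.0.0.5 80
--a1b2c301-H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `/wp-admin' against variable `REQUEST_URI' (Value: `/wp-admin' ) [file "/etc/nginx/modsec/modsec_rules.conf"] [line "12"] [id "100001"] [msg "Possible WordPress Admin Access Attempt"] [uri "/wp-admin"] [unique_id "a1b2c301"]
--a1b2c301-Z--
--a1b2c302-A--
[14/Jan/2025:10:01:30 +0000] a1b2c302 203.0.113.7 51240 10.0.0.5 80
--a1b2c302-H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/search"] [unique_id "a1b2c302"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/search"] [unique_id "a1b2c302"]
--a1b2c302-Z--
--a1b2c303-A--
[14/Jan/2025:10:02:00 +0000] a1b2c303 198.51.100.9 40001 10.0.0.5 80
--a1b2c303-H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `10.0.0.5' ) [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "700"] [id "920350"] [msg "Host header is a numeric IP address"] [uri "/"] [unique_id "a1b2c303"]
--a1b2c303-Z--
--a1b2c304-A--
[14/Jan/2025:10:03:45 +0000] a1b2c304 203.0.113.7 51301 10.0.0.5 80
--a1b2c304-H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx' with parameter `/wp-admin' against variable `REQUEST_URI' (Value: `/wp-admin' ) [file "/etc/nginx/modsec/modsec_rules.conf"] [line "12"] [id "100001"] [msg "Possible WordPress Admin Access Attempt"] [uri "/wp-admin"] [unique_id "a1b2c304"]
--a1b2c304-Z--
"""
```

Run it from cron or a systemd timer over the real file (read the whole file, or only what was appended since the last run) and pipe the output of format_alert into your mailer. Three hits from 203.0.113.7 within five minutes produce one line of summary; the single CRS warning from 198.51.100.9 produces nothing, and with a two-minute window nothing fires at all, which is the tuning knob you use to stop notification floods.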

ModSecurity SecRule Cheat Sheet

A rule always has the form SecRule VARIABLES "OPERATOR" "ACTIONS". The entries below are the variables (targets) most often used in the first position; the directive itself is always SecRule. Every rule also needs a unique id action, and an explicit phase unless the engine default is what you want.

Variable          What it matches
REQUEST_METHOD    The HTTP method of the request (e.g., GET, POST, DELETE).
REQUEST_URI       The request URI including the query string (REQUEST_FILENAME is the path alone).
ARGS              All request parameters, query string and request body alike (ARGS_GET and ARGS_POST select one side). Body parameters are only available from phase 2 onwards.
RESPONSE_BODY     The body the backend returns. Only populated when SecResponseBodyAccess is On and the content type is listed in SecResponseBodyMimeType, and only inspectable in phase 4.
REQUEST_HEADERS   All request headers, or one header selected by name (REQUEST_HEADERS:User-Agent). X-Forwarded-For is whatever the previous hop set; if Nginx is the first hop it is client-controlled, so never base trust decisions on it.
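One rule per variable from the table, in a custom rules file included from modsec_rules.conf after the CRS, as an added example for this article (not rules from the original page or from the OWASP CRS). The 1000xx ids, the internal network range 10.0.0.0/8 and the paths and patterns belong to a hypothetical legacy application and are assumptions; tune them to the application you actually front.

```apacheconf
# /etc/nginx/modsec/custom-rules.conf
# Added example for this article; include it from modsec_rules.conf after the CRS includes.
# The 1000xx ids and the paths/patterns are assumptions for a hypothetical legacy application.

# REQUEST_METHOD: the app only ever needs GET, POST and HEAD, so refuse everything else early.
SecRule REQUEST_METHOD "!@rx ^(?:GET|POST|HEAD)$" \
    "id:100010,phase:1,t:none,deny,status:405,log,msg:'Unexpected HTTP method'"

# REQUEST_URI: a legacy admin console that must only be reachable from the internal network.
# REMOTE_ADDR is the TCP peer, which on this proxy is the real client; X-Forwarded-For is not used.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:100011,phase:1,t:none,chain,deny,status:403,log,msg:'Admin console reached from outside the LAN'"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8"

# ARGS: every query and body parameter. ARGS is already URL-decoded once; t:urlDecodeUni also
# catches double-encoded input. Blocks the SQL comment terminators used to cut a query short.
SecRule ARGS "@rx (?:--|/\*)\s*$" \
    "id:100012,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQL comment sequence in parameter'"

# REQUEST_HEADERS: the & prefix counts matching variables, so this fires when the header is absent.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:100013,phase:1,deny,status:403,log,msg:'Request without User-Agent header'"

# RESPONSE_BODY: only populated with SecResponseBodyAccess On for the listed MIME types, and only
# visible in phase 4. Stops the legacy app from leaking database errors or stack traces to clients.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html
SecRule RESPONSE_BODY "@rx (?i)(?:ORA-\d{5}|SQLSTATE\[|Stack trace:)" \
    "id:100014,phase:4,t:none,deny,status:403,log,msg:'Error detail leaked in response'"
```

Start every new rule with t:none so no transformation set earlier in the file is silently inherited, and keep the file in DetectionOnly mode until the audit log confirms that real users never hit rules 100012 and 100014.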

Use of Web Application Firewalls: Open Source vs. Non-Open Source

Introduction

Web Application Firewalls (WAFs) provide critical protection against attacks targeting web applications, such as SQL injection, cross-site scripting (XSS), and application-layer (HTTP) flooding; volumetric DDoS is beyond what a WAF alone can absorb and is usually handled by the CDN or network provider in front of it. WAFs inspect HTTP/HTTPS traffic and filter out malicious requests before they reach the application. Businesses can choose from open-source or commercial (non-open-source) WAF solutions, each catering to different needs based on performance, cost, and security features.

In this article, we compare the benefits of open-source and commercial WAFs to help organizations make an informed decision when securing their web applications.


Open-Source Web Application Firewalls

Open-source WAFs are freely available and can be modified or extended by users. These solutions are highly customizable and tend to be the go-to option for developers and smaller organizations with limited budgets.

Popular Open-Source WAFs:

  1. ModSecurity
    ModSecurity is one of the most popular open-source WAFs. ModSecurity 2.x runs as an Apache module (IIS and Nginx builds of it also existed), while ModSecurity 3.x is a standalone library (libmodsecurity) with connector modules for NGINX and Apache. It offers flexible rule sets for detecting and blocking a wide variety of attacks and is highly customizable, enabling users to tweak security rules to fit specific needs.
  2. OWASP CRS (Core Rule Set)
    The OWASP CRS is a set of security rules that can be used with ModSecurity or other WAF systems to detect common threats such as SQL injection and cross-site scripting. The CRS is open source and constantly updated by the open-source community.
  3. NAXSI
    NAXSI is another open-source WAF for NGINX, designed to prevent common web application attacks. It focuses on simplicity and high performance, making it a great choice for businesses running high-traffic websites.

Advantages of Open-Source WAFs:

  • Cost-Effective: Open-source WAFs are free to use, making them a cost-effective solution, especially for small businesses or startups.
  • Flexibility: They can be customized to fit specific security needs, allowing for tailored protections.
  • Community Support: Open-source WAFs benefit from large communities that contribute to continuous improvement and rule updates.
  • Transparency: Since the code is open to everyone, there is full transparency in how the WAF works, offering greater trust in its security.

Challenges of Open-Source WAFs:

  • Maintenance and Updates: Unlike commercial solutions, open-source WAFs may require more effort for updates, troubleshooting, and maintenance. Organizations may need internal expertise to manage them effectively.
  • Limited Features: Open-source WAFs may lack some advanced features available in commercial offerings, such as enhanced DDoS protection or integrated threat intelligence feeds.

Non-Open Source (Commercial) Web Application Firewalls

Commercial WAFs are proprietary solutions offered by vendors that provide advanced features, support, and regular updates. These solutions often come with a price tag but can be worth the investment for larger organizations that require higher levels of security and reliability.

Popular Commercial WAFs:

  1. Cloudflare WAF
    Cloudflare’s WAF offers cloud-based security services, providing protection against a range of threats, including DDoS attacks, bot activity, and OWASP Top 10 vulnerabilities. Cloudflare’s WAF is part of its suite of performance and security features, providing an easy-to-use dashboard and robust reporting tools.
  2. Akamai Kona Site Defender
    Akamai’s Kona Site Defender is a premium solution that provides robust protection against web application attacks, including sophisticated DDoS attacks. Akamai leverages its massive CDN infrastructure to deliver global WAF coverage with low latency.
  3. Imperva WAF
    Imperva offers both cloud and on-premises WAF solutions that provide high-performance security, offering detailed analytics and reporting. Its solution includes features such as bot mitigation, API security, and advanced machine learning for threat detection.

Advantages of Commercial WAFs:

  • Comprehensive Protection: Commercial WAFs often offer more advanced features, including integrated threat intelligence, DDoS protection, and bot management.
  • Managed Services: Many commercial WAFs come with managed services, meaning that the vendor takes care of maintenance, updates, and monitoring.
  • Advanced Analytics: Commercial solutions provide more robust reporting and analytics tools, which help businesses track security incidents and optimize their web application security strategy.
  • 24/7 Support: Commercial WAF providers offer dedicated support, ensuring that businesses have access to expertise when issues arise.

Challenges of Commercial WAFs:

  • Cost: Commercial WAFs can be expensive, especially for smaller businesses. Pricing is often based on traffic volume or the number of websites protected.
  • Less Customizable: While commercial WAFs provide a wide range of features, they may not offer the same level of customization as open-source alternatives, as the underlying code is proprietary.

Choosing Between Open-Source and Commercial WAFs

When selecting a WAF, organizations need to consider their specific needs, resources, and security requirements:

  • For Small to Medium-Sized Businesses: Open-source WAFs like ModSecurity or NAXSI are ideal for businesses with limited budgets or those with in-house security expertise. They are a great option for companies that are just getting started with web security and need a customizable solution.
  • For Larger Enterprises: Commercial WAFs like Cloudflare, Imperva, or Akamai are better suited for large enterprises or businesses with high-traffic websites that require enhanced security features, real-time support, and managed services. These solutions offer a more streamlined experience with advanced features like DDoS protection and AI-driven threat detection.

Best Practices for Implementing a WAF

  1. Regularly Update Rules: Whether you use an open-source or commercial WAF, regularly updating security rules is critical to protecting against emerging threats.
  2. Monitor Logs and Analytics: Both open-source and commercial WAFs offer logging and reporting features. Monitoring logs can help identify false positives and optimize security rules.
  3. Combine with Other Security Layers: A WAF should be part of a multi-layered security approach, working in conjunction with other tools such as firewalls, intrusion detection systems (IDS), and encryption.

Conclusion

Both open-source and commercial Web Application Firewalls provide vital protection against online threats. The decision between the two depends largely on the size of your organization, your security needs, and available resources. Open-source solutions offer a cost-effective, flexible option for smaller organizations, while commercial WAFs provide more advanced security features, ease of use, and support for larger businesses.