160 lines
4.9 KiB
Plaintext
160 lines
4.9 KiB
Plaintext
|
--------------------------
|
||
|
Mod Defender for HAProxy
|
||
|
--------------------------
|
||
|
|
||
|
|
||
|
This is a service that talks SPOE protocol and uses the Mod Defender
|
||
|
(https://github.com/VultureProject/mod_defender) functionality to detect
|
||
|
HTTP attacks. It returns a HTTP status code to indicate whether the request
|
||
|
is suspicious or not, based on NAXSI rules. The value of the returned code
|
||
|
can be used in HAProxy rules to determine if the HTTP request should be
|
||
|
blocked/rejected.
|
||
|
|
||
|
Unlike ModSecurity, Mod Defender is a whitelist based WAF (everything is
|
||
|
disallowed, unless there are rules saying otherwise). It's a partial
|
||
|
replication of NAXSI and it uses NAXSI compatible rules configuration
|
||
|
format.
|
||
|
|
||
|
|
||
|
1) How to build it
|
||
|
------------------
|
||
|
|
||
|
Required packages :
|
||
|
|
||
|
* Mod Defender source (https://github.com/VultureProject/mod_defender)
|
||
|
* Asynchronous event notification library and headers (libevent)
|
||
|
* Apache 2 (>= 2.4) development headers
|
||
|
* APR library and headers
|
||
|
* GNU C (gcc) and C++ (g++) >= 4.9
|
||
|
* GNU Standard C++ Library v3 (libstdc++)
|
||
|
* GNU Make
|
||
|
|
||
|
|
||
|
Compile the source :
|
||
|
|
||
|
$ make MOD_DEFENDER_SRC=/path/to/mod_defender_src
|
||
|
|
||
|
|
||
|
2) Configuration
|
||
|
----------------
|
||
|
|
||
|
Download the Naxsi core rules file :
|
||
|
|
||
|
$ wget -O /path/to/core.rules \
|
||
|
https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules
|
||
|
|
||
|
|
||
|
Create the Mod Defender configuration file. For example :
|
||
|
|
||
|
# Defender toggle
|
||
|
Defender On
|
||
|
# Match log path
|
||
|
MatchLog /path/to/defender_match.log
|
||
|
# JSON Match log path
|
||
|
JSONMatchLog /path/to/defender_json_match.log
|
||
|
# Request body limit
|
||
|
RequestBodyLimit 8388608
|
||
|
# Learning mode toggle
|
||
|
LearningMode Off
|
||
|
# Extensive Learning log toggle
|
||
|
ExtensiveLog Off
|
||
|
# Libinjection SQL toggle
|
||
|
LibinjectionSQL On
|
||
|
# Libinjection XSS toggle
|
||
|
LibinjectionXSS On
|
||
|
|
||
|
# Rules
|
||
|
Include /path/to/core.rules
|
||
|
|
||
|
# Score action
|
||
|
CheckRule "$SQL >= 8" BLOCK
|
||
|
CheckRule "$RFI >= 8" BLOCK
|
||
|
CheckRule "$TRAVERSAL >= 4" BLOCK
|
||
|
CheckRule "$EVADE >= 4" BLOCK
|
||
|
CheckRule "$XSS >= 8" BLOCK
|
||
|
CheckRule "$UPLOAD >= 8" BLOCK
|
||
|
|
||
|
# Whitelists
|
||
|
# ....
|
||
|
|
||
|
|
||
|
Next step is to configure the SPOE for use with the Mod Defender service.
|
||
|
Example configuration (args elements order is important) :
|
||
|
|
||
|
[mod_defender]
|
||
|
|
||
|
spoe-agent mod-defender-agent
|
||
|
messages check-request
|
||
|
option var-prefix defender
|
||
|
timeout hello 100ms
|
||
|
timeout idle 30s
|
||
|
timeout processing 15ms
|
||
|
use-backend spoe-mod-defender
|
||
|
|
||
|
spoe-message check-request
|
||
|
args src unique-id method path query req.ver req.hdrs_bin req.body
|
||
|
event on-frontend-http-request
|
||
|
|
||
|
|
||
|
The engine is in the scope "mod_defender". To enable it, you must set the
|
||
|
following line in a frontend/listener section :
|
||
|
|
||
|
frontend my_frontend
|
||
|
...
|
||
|
filter spoe engine mod_defender config /path/to/spoe-mod-defender.conf
|
||
|
...
|
||
|
|
||
|
|
||
|
Also, we must define the "spoe-mod-defender" backend in HAProxy configuration :
|
||
|
|
||
|
backend spoe-mod-defender
|
||
|
mode tcp
|
||
|
balance roundrobin
|
||
|
timeout connect 5s
|
||
|
timeout server 3m
|
||
|
server defender1 127.0.0.1:12345
|
||
|
|
||
|
|
||
|
The Mod Defender status is returned in a variable "sess.defender.status" --
|
||
|
it contains the returned HTTP status code. The request is considered
|
||
|
malicious if the variable contains value greater than zero.
|
||
|
|
||
|
The following rule can be used to reject all suspicious HTTP requests :
|
||
|
|
||
|
http-request deny if { var(sess.defender.status) -m int gt 0 }
|
||
|
|
||
|
|
||
|
3) Start the service
|
||
|
--------------------
|
||
|
|
||
|
To start the service, you need to use "defender" binary :
|
||
|
|
||
|
$ ./defender -h
|
||
|
Usage : ./defender [OPTION]...
|
||
|
-h Print this message
|
||
|
-f <config-file> Mod Defender configuration file
|
||
|
-l <log-file> Mod Defender log file
|
||
|
-d Enable the debug mode
|
||
|
-m <max-frame-size> Specify the maximum frame size (default : 16384)
|
||
|
-p <port> Specify the port to listen on (default : 12345)
|
||
|
-n <num-workers> Specify the number of workers (default : 10)
|
||
|
-c <capability> Enable the support of the specified capability
|
||
|
-t <time> Set a delay to process a message (default: 0)
|
||
|
The value is specified in milliseconds by default,
|
||
|
but can be in any other unit if the number is suffixed
|
||
|
by a unit (us, ms, s)
|
||
|
|
||
|
Supported capabilities: fragmentation, pipelining, async
|
||
|
|
||
|
Example:
|
||
|
|
||
|
$ ./defender -n 4 -f /path/to/mod_defender.conf -d -l /path/to/error.log
|
||
|
|
||
|
|
||
|
4) Known bugs and limitations
|
||
|
-----------------------------
|
||
|
|
||
|
In its current state, the module is limited by haproxy to the analysis of
|
||
|
the first buffer. One workaround may consist in significantly increasing
|
||
|
haproxy's buffer size.
|