opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

Feature request: modsecurity WAF for reverse proxy and WebUI itself #507

Closed sempervictus closed 5 years ago

sempervictus commented 6 years ago

Libmodsecurity (modsec 3) can be used with Apache or Nginx, and can be deployed embedded (in the target web server) or inline on the network as an HTTP reverse proxy. HTTP endpoints being the primary target of choice these days, it seems like a useful tool to put on the belt, even in pure logging mode.
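As an added illustration (not part of the thread), here is a minimal nginx reverse-proxy configuration that loads libmodsecurity (v3) through the ModSecurity-nginx connector in the pure logging mode mentioned above; the module path, upstream address, hostname and log path are assumptions:

```nginx
# Added example, not from the thread: nginx as an inline HTTP reverse proxy
# with libmodsecurity (v3) attached via the ModSecurity-nginx connector.
# Module path, upstream address, hostname and log path are assumptions.
load_module modules/ngx_http_modsecurity_module.so;

events {}

http {
    upstream app_backend {
        server 127.0.0.1:8080;          # assumed application behind the proxy
    }

    server {
        listen 80;
        server_name app.example.internal;   # assumed hostname

        modsecurity on;
        # Inline engine settings. DetectionOnly evaluates every rule and
        # writes matches to the audit log but never blocks a request,
        # i.e. the "pure logging mode" discussed above. Switch to
        # "SecRuleEngine On" only after reviewing the audit log for
        # false positives on the real traffic.
        modsecurity_rules '
            SecRuleEngine DetectionOnly
            SecRequestBodyAccess On
            SecAuditEngine RelevantOnly
            SecAuditLogRelevantStatus "^(?:5|4(?!04))"
            SecAuditLogParts ABIJDEFHZ
            SecAuditLog /var/log/modsec_audit.log
        ';
        # A rule set (e.g. the OWASP CRS) would be pulled in with
        # "modsecurity_rules_file /path/to/rules.conf;" (assumed path).

        location / {
            proxy_pass http://app_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```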

fichtner commented 6 years ago

I think a NAXSI plugin was mentioned once or twice...

fabianfrz commented 6 years ago

NAXSI is for nginx. It won't work with lighttpd. I am for using nginx as a webserver but this is a change for a major release. If it will come, it won't happen soon for the web GUI itself.

To use it as a reverse proxy, you can install nginx via the CLI, as NAXSI is compiled in:

pkg install nginx

Please note that there is no plugin available. You have to configure it by yourself via the command line interface.

NAXSI: https://github.com/nbs-system/naxsi

mimugmail commented 6 years ago

libmodsecurity is badly maintained on BSD. I'm running it since December 2016 with Nginx Plus on Linux. I was thinking about a plugin but this won't happen before Q2.

sempervictus commented 6 years ago

I'm sure the modsec developers would appreciate having a commonly used Hardened BSD system to distribute with. After all, they could sell more commercial rules like Talos sells through the IDS, helps with their marketing, etc. I'll point this thread out to people who may agree and are in comms with spider labs. If there's appetite for it, other contributors might be leveraged to implement plugins/ports barring technical blockers in core needing prior resolution.

mimugmail commented 6 years ago

You have to ask @zimmerle about the status of libmodsecurity and FreeBSD, I never tried it but was involved in testing the development version since fall 2016. Sorry for CC'ing Felipe, perhaps you can give some insights. 👍

zimmerle commented 6 years ago

Hi there,

Recently we have had a release for ModSec v3. It is available here: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.0

It should work fine ;)

fichtner commented 6 years ago

It's now in FreeBSD ports... www/mod_security3

sempervictus commented 6 years ago

Thank you!

fabianfrz commented 6 years ago

@mimugmail If you want to get the ticket assigned, just let me know.

mimugmail commented 6 years ago

Yep, I'm way more comfortable with MS3, I'll start in April with this task :)

sempervictus commented 6 years ago

Thank you very much

Similian206 commented 6 years ago

Is this going to be based on nginx, since the default proxy is squid, or will it be NAXSI? Is there a manual way to achieve this? A WAF would make OPNsense our lead gateway node.

sempervictus commented 6 years ago

AFAIK libmodsec can be used in nginx, but isn't quite up to feature parity with the apache module.

mimugmail commented 6 years ago

@fabianfrz already created a branch for nginx with Naxsi. When it's in master I'll try to add libmodsecurity, which doesn't depend on the webserver, so same features :)

mimugmail commented 6 years ago

For the brave :) https://forum.opnsense.org/index.php?topic=8877.0

fabianfrz commented 6 years ago

@mimugmail the code is on the nginx branch of opnsense/plugins so it should be easy to contribute.

fabianfrz commented 6 years ago

@mimugmail I built libmodsecurity 3.0.2 and it seems to be quite large:

% ls -lh src/.libs/libmodsecurity.so.3.0.2
-rwxr-xr-x 1 bonsai users 36M 16. Jun 08:43 src/.libs/libmodsecurity.so.3.0.2
% file src/.libs/libmodsecurity.so.3.0.2
src/.libs/libmodsecurity.so.3.0.2: ELF 64-bit LSB pie executable x86-64, version 1 (SYSV), dynamically linked, with debug_info, not stripped

it may be better delivered as an extension since it is bigger than ruby ;) I think we should see the nginx plugin as infrastructure for other plugins and allow plugins in a style like squid. @fichtner What do you think?

zimmerle commented 6 years ago

Hi @fabianfrz,

If you strip it, it should be less than 3M.

% du -hs ./src/.libs/libmodsecurity.so.3.0.2
65M     ./src/.libs/libmodsecurity.so.3.0.2
% strip ./src/.libs/libmodsecurity.so.3.0.2
% du -hs ./src/.libs/libmodsecurity.so.3.0.2
2.3M    ./src/.libs/libmodsecurity.so.3.0.2

fabianfrz commented 6 years ago

ok, 3M is small enough.

mimugmail commented 5 years ago

I think we should close this in favor of Nginx+Naxsi @fabianfrz already integrated. Would take too much work to offer both.

barti04 commented 8 months ago

NAXSI is no longer maintained by NBS System. This renders Nginx+Naxsi obsolete. I kindly ask you to reopen this issue. @fabianfrz

AdSchellevis commented 8 months ago

@barti04 >> https://www.nginx.com/blog/f5-nginx-modsecurity-waf-transitioning-to-eol/

kulikov-a commented 8 months ago

and https://github.com/opnsense/plugins/issues/3480

sempervictus commented 8 months ago

@AdSchellevis - just because SpiderLabs abandoned it doesn't mean it's dead. @atomicturtle and his team maintain a commercial-grade fork of the code more than capable of meeting the need. Not having a WAF is sort of a no-go in the modern day and age, don't you think?

AdSchellevis commented 8 months ago

@sempervictus my personal opinion on the subject is not very relevant, I'm merely looking at upstream sources which look quite abandoned. (https://github.com/opnsense/ports/blob/master/security/modsecurity3-nginx/Makefile and https://github.com/SpiderLabs/ModSecurity-nginx if I'm not mistaken).

Trading one dead project for another usually isn't the best plan in the world, but this isn't my plugin, so I won't hold anyone back from working on a replacement.

mimugmail commented 8 months ago

I don't get the point, isn't modsecurity available with the OPNwaf plugin?

Naxsi has a new maintainer, should also be good to go?

AdSchellevis commented 8 months ago

@mimugmail yes, but we don't use Nginx (apache's binding seems to be more active, but maybe that doesn't make a difference). Personally I don't mind what's being used in this plugin, I just advise to investigate before choosing anything.