.. This work is licensed under a Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 .. SPDX-License-Identifier CC-BY-4.0 .. (c) Authors of Clover .. _modsecurity_config_guide: ========================================= ModSecurity Configuration Guide ========================================= This document provides a guide to setup the ModSecurity web application firewall as a security enhancement for the Istio ingressgateway. ModSecurity Overview ===================== ModSecurity is an open source web application firewall. Essentially, ModSecurity is an Apache module that can be added to any compatible version of Apache. To detect threats, the ModSecurity engine is usually deployed embedded within the webserver or as a proxy server in front of a web application. This allows the engine to scan incoming and outgoing HTTP communications to the endpoint. In Clover, we deploy ModSecurity on an Apache server and running it as a Kubernetes service that reside in "clover-gateway" namespace. ModSecurity provides very little protection on its own. In order to become useful, ModSecurity must be configured with rules. Dependent on the rule configuration the engine will decide how communications should be handled which includes the capability to pass, drop, redirect, return a given status code, execute a user script, and more. In Clover, we choose the OWASP ModSecurity Core Rule Set (CRS) for use with ModSecurity. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. Ingress traffic security enhancement ====================================== In a typical Istio service mesh, ingressgateway terminates TLS from external networks and allows traffic into the mesh. .. image:: imgs/istio_gateway.png :align: center :scale: 100% Clover enhances the security aspect of ingressgateway by redirecting all incoming HTTP requests through the ModSecurity WAF. To redirect HTTP traffic to the ModSecurity, Clover enables ext_authz (external authorization) Envoy filter on the ingressgateway. For all incoming HTTP traffic, the ext_authz filter will authenticate each ingress request with the ModSecurity service. To perform authentication, an HTTP subrequest is sent from ingressgateway to ModSecurity where the subrequest is verified. If the subrequest is clean, ModSecurity will return a 2xx response code, access is allowed; If it returns 401 or 403, access is denied. Deploying the ModSecurity WAF ============================== .. _modsecurity_prerequisites: Prerequisites ------------- The following assumptions must be met before continuing on to deployment: * Installation of Kubernetes has already been performed. * Installation of Istio and Istio client (istioctl) is in your PATH. Deploy from source ------------------ Clone the Clover git repository and navigate within the samples directory as shown below: .. code-block:: bash $ git clone https://gerrit.opnfv.org/gerrit/clover $ cd clover/samples/scenarios $ git checkout stable/gambia To deploy the ModSecurity WAF in the "clover-gateway" Kubernetes namespace, use the following command: .. code-block:: bash $ kubectl create namespace clover-gateway $ kubectl apply -n clover-gateway -f modsecurity_all_in_one.yaml Verifying the deployment ------------------------ To verify the ModSecurity pod is deployed, executing the command below: .. code-block:: bash $ kubectl get pod -n clover-gateway The listing below must include the following ModSecurity pod: .. code-block:: bash $ NAME READY STATUS RESTARTS AGE modsecurity-crs-cf5fffcc-whwqm 1/1 Running 0 1d To verify the ModSecurity service is created, executing the command below: .. code-block:: bash $ kubectl get svc -n clover-gateway The listing below must include the following ModSecurity service: .. code-block:: bash $ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE modsecurity-crs NodePort 10.233.11.72 <none> 80:31346/TCP 1d To verify the ext-authz Envoy filter is created, executing the command below: .. code-block:: bash $ istioctl get envoyfilter -n clover-gateway The listing below must include the following Envoy filter: .. code-block:: bash $ NAME KIND NAMESPACE AGE ext-authz EnvoyFilter.networking.istio.io.v1alpha3 istio-system 1d ModSecurity configuration ========================== OWASP ModSecurity CRS mode --------------------------- The OWASP ModSecurity CRS can run in two modes: * **Anomaly Scoring Mode** - In this mode, each matching rule increases an 'anomaly score'. At the conclusion of the inbound rules, and again at the conclusion of the outbound rules, the anomaly score is checked, and the blocking evaluation rules apply a disruptive action, by default returning an error 403. * **Self-Contained Mode** - In this mode, rules apply an action instantly. Rules inherit the disruptive action that you specify (i.e. deny, drop, etc). The first rule that matches will execute this action. In most cases this will cause evaluation to stop after the first rule has matched, similar to how many IDSs function. By default, the CRS runs in Anomally scoring mode. You can configurate CRS mode by editing the **crs-setup.conf** in the modsecurity-crs container: .. code-block:: bash $ kubectl exec -t -i -n clover-gateway [modsecurity-crs-pod-name] -c modsecurity-crs -- bash $ vi /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf Alert logging ------------- By default, CRS enables all detailed logging to the ModSecurity audit log. You can check the audit log using the command below: .. code-block:: bash $ kubectl exec -t -i -n clover-gateway [modsecurity-crs-pod-name] -c modsecurity-crs -- cat /var/log/modsec_audit.log CRS Rules --------- By default, Clover enables all OWASP CRS rules. Below is a short description of all enabled rules: * **REQUEST-905-COMMON-EXCEPTIONS** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf Some rules are quite prone to causing false positives in well established software, such as Apache callbacks or Google Analytics tracking cookie. This file offers rules that will allow the transactions to avoid triggering these false positives. * **REQUEST-910-IP-REPUTATION** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-910-IP-REPUTATION.conf These rules deal with detecting traffic from IPs that have previously been involved with malicious activity, either on our local site or globally. * **REQUEST-912-DOS-PROTECTION** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-912-DOS-PROTECTION.conf The rules in this file will attempt to detect some level 7 DoS (Denial of Service) attacks against your server. * **REQUEST-913-SCANNER-DETECTION** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf These rules are concentrated around detecting security tools and scanners. * **REQUEST-920-PROTOCOL-ENFORCEMENT** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf The rules in this file center around detecting requests that either violate HTTP or represent a request that no modern browser would generate, for instance missing a user-agent. * **REQUEST-921-PROTOCOL-ATTACK** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf The rules in this file focus on specific attacks against the HTTP protocol itself such as HTTP Request Smuggling and Response Splitting. * **REQUEST-930-APPLICATION-ATTACK-LFI** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf These rules attempt to detect when a user is trying to include a file that would be local to the webserver that they should not have access to. Exploiting this type of attack can lead to the web application or server being compromised. * **REQUEST-931-APPLICATION-ATTACK-RFI** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf These rules attempt to detect when a user is trying to include a remote resource into the web application that will be executed. Exploiting this type of attack can lead to the web application or server being compromised. * **REQUEST-941-APPLICATION-ATTACK-SQLI** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-SQLI.conf Within this configuration file we provide rules that protect against SQL injection attacks. SQL attackers occur when an attacker passes crafted control characters to parameters to an area of the application that is expecting only data. The application will then pass the control characters to the database. This will end up changing the meaning of the expected SQL query. * **REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf These rules focus around providing protection against Session Fixation attacks. * **REQUEST-949-BLOCKING-EVALUATION** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf These rules provide the anomaly based blocking for a given request. If you are in anomaly detection mode this file must not be deleted. * **RESPONSE-954-DATA-LEAKAGES-IIS** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf These rules provide protection against data leakages that may occur because of Microsoft IIS * **RESPONSE-952-DATA-LEAKAGES-JAVA** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf These rules provide protection against data leakages that may occur because of Java * **RESPONSE-953-DATA-LEAKAGES-PHP** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf These rules provide protection against data leakages that may occur because of PHP * **RESPONSE-950-DATA-LEAKAGES** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf These rules provide protection against data leakages that may occur genericly * **RESPONSE-951-DATA-LEAKAGES-SQL** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf These rules provide protection against data leakages that may occur from backend SQL servers. Often these are indicative of SQL injection issues being present. * **RESPONSE-959-BLOCKING-EVALUATION** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf These rules provide the anomaly based blocking for a given response. If you are in anomaly detection mode this file must not be deleted. * **RESPONSE-980-CORRELATION** Configuration Path: /etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf The rules in this configuration file facilitate the gathering of data about successful and unsuccessful attacks on the server.