-------------------------- Mod Defender for HAProxy -------------------------- This is a service that talks SPOE protocol and uses the Mod Defender (https://github.com/VultureProject/mod_defender) functionality to detect HTTP attacks. It returns a HTTP status code to indicate whether the request is suspicious or not, based on NAXSI rules. The value of the returned code can be used in HAProxy rules to determine if the HTTP request should be blocked/rejected. Unlike ModSecurity, Mod Defender is a whitelist based WAF (everything is disallowed, unless there are rules saying otherwise). It's a partial replication of NAXSI and it uses NAXSI compatible rules configuration format. 1) How to build it ------------------ Required packages : * Mod Defender source (https://github.com/VultureProject/mod_defender) * Asynchronous event notification library and headers (libevent) * Apache 2 (>= 2.4) development headers * APR library and headers * GNU C (gcc) and C++ (g++) >= 4.9 * GNU Standard C++ Library v3 (libstdc++) * GNU Make Compile the source : $ make MOD_DEFENDER_SRC=/path/to/mod_defender_src 2) Configuration ---------------- Download the Naxsi core rules file : $ wget -O /path/to/core.rules \ https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules Create the Mod Defender configuration file. For example : # Defender toggle Defender On # Match log path MatchLog /path/to/defender_match.log # JSON Match log path JSONMatchLog /path/to/defender_json_match.log # Request body limit RequestBodyLimit 8388608 # Learning mode toggle LearningMode Off # Extensive Learning log toggle ExtensiveLog Off # Libinjection SQL toggle LibinjectionSQL On # Libinjection XSS toggle LibinjectionXSS On # Rules Include /path/to/core.rules # Score action CheckRule "$SQL >= 8" BLOCK CheckRule "$RFI >= 8" BLOCK CheckRule "$TRAVERSAL >= 4" BLOCK CheckRule "$EVADE >= 4" BLOCK CheckRule "$XSS >= 8" BLOCK CheckRule "$UPLOAD >= 8" BLOCK # Whitelists # .... Next step is to configure the SPOE for use with the Mod Defender service. Example configuration (args elements order is important) : [mod_defender] spoe-agent mod-defender-agent messages check-request option var-prefix defender timeout hello 100ms timeout idle 30s timeout processing 15ms use-backend spoe-mod-defender spoe-message check-request args src unique-id method path query req.ver req.hdrs_bin req.body event on-frontend-http-request The engine is in the scope "mod_defender". To enable it, you must set the following line in a frontend/listener section : frontend my_frontend ... filter spoe engine mod_defender config /path/to/spoe-mod-defender.conf ... Also, we must define the "spoe-mod-defender" backend in HAProxy configuration : backend spoe-mod-defender mode tcp balance roundrobin timeout connect 5s timeout server 3m server defender1 127.0.0.1:12345 The Mod Defender status is returned in a variable "sess.defender.status" -- it contains the returned HTTP status code. The request is considered malicious if the variable contains value greater than zero. The following rule can be used to reject all suspicious HTTP requests : http-request deny if { var(sess.defender.status) -m int gt 0 } 3) Start the service -------------------- To start the service, you need to use "defender" binary : $ ./defender -h Usage : ./defender [OPTION]... -h Print this message -f Mod Defender configuration file -l Mod Defender log file -d Enable the debug mode -m Specify the maximum frame size (default : 16384) -p Specify the port to listen on (default : 12345) -n Specify the number of workers (default : 10) -c Enable the support of the specified capability -t