欢迎来到starnight_cyber的博客

【译】ModSecurity

Preface

  本篇译ModSecurity 主页的自身介绍。

ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections.

ModSecurity是一个开源、跨平台的web应用防火墙(WAF)模块。它被称为WAFs的“瑞士军刀”,使web应用程序防御者能够了解HTTP(S)流量,并提供一种有力规则语言和API来实现高级保护。 

What Can ModSecurity Do?


ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. I like to think about it as an enabler: there are no hard rules telling you what to do; instead, it is up to you to choose your own path through the available features. That's why the title of this section asks what ModSecurity can do, not what it does.

ModSecurity是一个用于实时web应用程序监视、日志记录和访问控制的工具包。我喜欢把它看作是一个赋能器:没有硬性的规则告诉你该做什么;相反,你可以通过可用的功能选择自己的路径。这就是为什么本节的标题询问ModSecurity可以做什么,而不是它做什么的原因。

The freedom to choose what to do is an essential part of ModSecurity's identity and goes very well with its open source nature. With full access to the source code, your freedom to choose extends to the ability to customize and extend the tool itself to make it fit your needs. It's not a matter of ideology, but of practicality. I simply don't want my tools to restrict what I can do.

选择做什么的自由是ModSecurity身份的一个重要组成部分,并且非常符合其开源特性。通过对源代码的完全访问,您的自由选择扩展到自定义和扩展工具本身以使其满足您的需要的能力。这不是意识形态的问题,而是实用性的问题。我只是不想让我的工具限制我的能力。

Back on the topic of what ModSecurity can do, the following is a list of the most important usage scenarios:

回到ModSecurity可以做什么的主题,下面列出了最重要的使用场景:

Real-time application security monitoring and access control

实时应用安全监控和访问控制

At its core, ModSecurity gives you access to the HTTP traffic stream, in real-time, along with the ability to inspect it. This is enough for real-time security monitoring. There's an added dimension of what's possible through ModSecurity's persistent storage mechanism, which enables you to track system elements over time and perform event correlation. You are able to reliably block, if you so wish, because ModSecurity uses full request and response buffering.

ModSecurity的核心是让您能够实时访问HTTP流量,并能够对其进行检查。这足以进行实时安全监视。通过ModSecurity的持久存储机制,有一个额外的维度可以实现什么,它使您能够随时间跟踪系统元素并执行事件关联。如果您愿意,您可以可靠地阻止,因为ModSecurity使用完整的请求和响应缓冲。

Full HTTP traffic logging

完全HTTP流量记录

Web servers traditionally do very little when it comes to logging for security purposes. They log very little by default, and even with a lot of tweaking you are not able to get everything that you need. I have yet to encounter a web server that is able to log full transaction data. ModSecurity gives you that ability to log anything you need, including raw transaction data, which is essential for forensics. In addition, you get to choose which transactions are logged, which parts of a transaction are logged, and which parts are sanitized.

传统上,Web服务器在出于安全目的进行日志记录时很少做什么。默认情况下,它们的日志很少,即使进行了大量调整,也无法获得所需的所有内容。我还没有遇到能够记录完整事务数据的web服务器。ModSecurity使您能够记录所需的任何内容,包括原始事务数据,这对于取证是必不可少的。此外,还可以选择记录哪些事务、记录事务的哪些部分以及清除哪些部分。

Continuous passive security assessment

持续被动安全评估

Security assessment is largely seen as an active scheduled event, in which an independent team is sourced to try to perform a simulated attack. Continuous passive security assessment is a variation of real-time monitoring, where, instead of focusing on the behavior of the external parties, you focus on the behavior of the system itself. It's an early warning system of sorts that can detect traces of many abnormalities and security weaknesses before they are exploited.

安全评估在很大程度上被视为一个活动的预定事件,其中一个独立的团队试图执行模拟攻击。持续被动安全评估是实时监控的一种变体,在这种情况下,您不必关注外部方的行为,而是关注系统本身的行为。这是一种早期预警系统,可以在被利用之前发现许多异常和安全弱点的痕迹。

Web application hardening

加固Web应用程序

One of my favorite uses for ModSecurity is attack surface reduction, in which you selectively narrow down the HTTP features you are willing to accept (e.g., request methods, request headers, content types, etc.). ModSecurity can assist you in enforcing many similar restrictions, either directly, or through collaboration with other Apache modules. They all fall under web application hardening. For example, it is possible to fix many session management issues, as well as cross-site request forgery vulnerabilities.

我最喜欢的ModSecurity的一个用途是减少攻击面,在攻击面中,有选择地缩小您愿意接受的HTTP特性(例如,请求方法、请求头、内容类型等)。ModSecurity可以帮助您直接或通过与其他Apache模块协作来实施许多类似的限制。它们都属于web应用程序强化的范畴。例如,可以修复许多会话管理问题以及跨站点请求伪造漏洞。

Something small, yet very important to you

一些小事,但对你很重要

Real life often throws unusual demands to us, and that is when the flexibility of ModSecurity comes in handy where you need it the most. It may be a security need, but it may also be something completely different. For example, some people use ModSecurity as an XML web service router, combining its ability to parse XML and apply XPath expressions with its ability to proxy requests. Who knew?

现实生活常常给我们带来不寻常的需求,也就是说,ModSecurity的灵活性在你最需要它的时候是有用的。这可能是一种安全需要,但也可能是完全不同的东西。例如,有些人将ModSecurity用作XML web服务路由器,将其解析XML和应用XPath表达式的能力与代理请求的能力结合起来。谁知道?

Guiding Principles


 There are four guiding principles on which ModSecurity is based, as follows:

 ModSecurity基于以下四个指导原则:

Flexibility

I think that it's fair to say that I built ModSecurity for myself: a security expert who needs to intercept, analyze, and store HTTP traffic. I didn't see much value in hardcoded functionality, because real life is so complex that everyone needs to do things just slightly differently. ModSecurity achieves flexibility by giving you a powerful rule language, which allows you to do exactly what you need to, in combination with the ability to apply rules only where you need to.

我认为公平地说,我为自己构建了ModSecurity:一个需要拦截、分析和存储HTTP流量的安全专家。我认为硬编码功能没有多大价值,因为现实生活是如此复杂,每个人都需要做一些稍微不同的事情。ModSecurity通过给你一个强大的规则语言来实现灵活性,它允许你精确地做你需要做的事情,并结合在需要的地方应用规则的能力。

Passiveness

ModSecurity will take great care to never interact with a transaction unless you tell it to. That is simply because I don't trust tools, even the one I built, to make decisions for me. That's why ModSecurity will give you plenty of information, but ultimately leave the decisions to you.

ModSecurity会非常小心,除非你告诉它不要与事务交互。这仅仅是因为我不相信工具,即使是我建立的工具,来为我做决定。这就是为什么ModSecurity会给你大量的信息,但最终还是由你来决定。

Predictability

There's no such thing as a perfect tool, but a predictable one is the next best thing. Armed with all the facts, you can understand ModSecurity's weak points and work around them.

世上没有完美的工具,但可预测的工具是下一个最好的工具。掌握了所有的事实,你就能理解ModSecurity的弱点并解决它们。

Quality over quantity

Over the course of six years spent working on ModSecurity, we came up with many ideas for what ModSecurity could do. We didn't act on most of them. We kept them for later. Why? Because we understood that we have limited resources available at our disposal and that our minds (ideas) are far faster than our implementation abilities. We chose to limit the available functionality, but do really well at what we decided to keep in.

在为期六年的ModSecurity研究中,我们对ModSecurity的功能提出了很多想法。我们没有对他们中的大多数采取行动。我们留了一会儿。为什么?因为我们知道我们可利用的资源有限,我们的思维(想法)远远快于我们的执行能力。我们选择限制可用的功能,但在我们决定保留的方面做得非常好。

There are bits in ModSecurity that fall outside the scope of these four principles. For example, ModSecurity can change the way Apache identifies itself to the outside world, confine the Apache process within a jail, and even implement an elaborate scheme to deal with a onceinfamous universal XSS vulnerability in Adobe Reader. Although it was I who added those features, I now think that they detract from the main purpose of ModSecurity, which is a reliable and predictable tool that allows for HTTP traffic inspection.

ModSecurity中有一些部分超出了这四个原则的范围。例如,ModSecurity可以改变Apache对外标识自己的方式,将Apache进程限制在jail中,甚至可以实现一个精心设计的方案来处理Adobe Reader中著名的通用XSS漏洞。虽然是我添加了这些特性,但我现在认为它们偏离了ModSecurity的主要目的,ModSecurity是一个可靠且可预测的工具,允许HTTP流量检查。

Deployment Options



ModSecurity supports two deployment options: embedded and reverse proxy deployment. There is no one correct way to use them; choose an option based on what best suits your circumstances. There are advantages and disadvantages to both options:

ModSecurity支持两种部署选项:嵌入式和反向代理部署。没有一种“所谓”正确的方法使用它们;根据最适合您的情况选择一个选项。这两种选择各有利弊:

Embedded

Because ModSecurity is an Apache module, you can add it to any compatible version of Apache. At the moment that means a reasonably recent Apache version from the 2.0.x branch, although a newer 2.2.x version is recommended. The embedded option is a great choice for those who already have their architecture laid out and don't want to change it. Embedded deployment is also the only option if you need to protect hundreds of web servers. In such situations, it is impractical to build a separate proxybased security layer. Embedded ModSecurity not only does not introduce new points of failure, but it scales seamlessly as the underlying web infrastructure scales. The main challenge with embedded deployment is that server resources are shared between the web server and ModSecurity.

因为ModSecurity是一个Apache模块,所以可以将其添加到任何兼容版本的Apache中。目前,这意味着2.0.x分支提供了一个相当新的Apache版本,尽管建议使用较新的2.2.x版本。对于那些已经设计好了架构却不想改变架构的人来说,嵌入式选项是一个很好的选择。如果需要保护数百个web服务器,嵌入式部署也是唯一的选择。在这种情况下,构建单独的基于代理的安全层是不切实际的。嵌入式ModSecurity不仅没有引入新的故障点,而且随着底层web基础设施的扩展,它可以无缝地扩展。嵌入式部署的主要挑战是服务器资源在web服务器和ModSecurity之间共享。

Reverse proxy

Reverse proxies are effectively HTTP routers, designed to stand between web servers and their clients. When you install a dedicated Apache reverse proxy and add ModSecurity to it, you get a “proper” network web application firewall, which you can use to protect any number of web servers on the same network. Many security practitioners prefer having a separate security layer. With it you get complete isolation from the systems you are protecting. On the performance front, a standalone ModSecurity will have resources dedicated to it, which means that you will be able to do more (i.e., have more complex rules). The main disadvantage of this approach is the new(maybe one) point of failure, which will need to be addressed with a high-availability setup of two or more reverse proxies.

反向代理是一种有效的HTTP路由器,它被设计成站在Web服务器和客户端之间。当您安装一个专用的Apache反向代理并向其添加ModSecurity时,您将获得一个适当的网络web应用防火墙,您可以使用它来保护同一网络上的任意数量的web服务器。许多安全实践者喜欢有一个单独的安全层。有了它,你可以完全与你所保护的系统隔离。在性能方面,一个独立的ModSecurity将有专用于它的资源,这意味着您将能够做更多的事情(即,有更复杂的规则)。这种方法的主要缺点是新的故障点(单点失效?),需要通过两个或多个反向代理的高可用性设置来解决。

Is Anything Missing?

ModSecurity is a very good tool, but there are a number of features, big and small, that could be added. The small features are those that would make your life with ModSecurity easier, perhaps automating some of the boring work (e.g., persistent blocking, which you now have to do manually). But there are really only two features that I would call missing:

ModSecurity是一个非常好的工具,但是有很多功能,无论大小,都可以添加。这些小功能可以让你使用ModSecurity的生活变得更轻松,也许可以自动化一些枯燥的工作(例如,持久阻塞,现在必须手动完成)。但实际上只有两个特性我可以称之为缺失:

Learning

Defending web applications is difficult, because there are so many of them, and they are all different. (I often say that every web application effectively creates its own communication protocol.) It would be very handy to have ModSecurity observe application traffic and create a model that could later be used to generate policy or assist with false positives. While I was at Breach Security, I started a project called ModProfiler [http://www.modsecurity.org/projects/modprofiler/] as a step toward learning, but that project is still as I left it, as version 0.2.

保护web应用程序是很困难的,因为它们太多了,而且都是不同的。(我经常说,每个web应用程序都有效地创建了自己的通信协议。)让ModSecurity观察应用程序通信量,并创建一个模型,稍后可以用来生成策略或帮助处理误报,这将非常方便。当我在break Security工作时,我开始了一个名为ModProfiler的项目[http://www.modsecurity.org/projects/ModProfiler/]作为学习的一个步骤,但是这个项目仍然是我留下的版本0.2。

Passive mode of deployment

ModSecurity can be embedded only in Apache 2.x, but when you deploy it as a reverse proxy, it can be used to protect any web server. Reverse proxies are not everyone's cup of tea, however, and sometimes it would be very handy to deploy ModSecurity passively, without having to change anything on the network.

ModSecurity只能嵌入到Apache2.x中,但是当您将其部署为反向代理时,它可以用于保护任何web服务器。然而,反向代理并不是每个人都喜欢的东西,有时在被动地部署ModSecurity非常方便,而不必在网络上更改任何内容。

posted @ 2019-11-19 13:59  starnight_cyber  阅读(...)  评论(...编辑  收藏