feat(router): include a firewall to mitigate security problems.

cococonuts · Nov 29, 2014 · 1017388 · 1017388
1 parent 9653bfe
commit 1017388
Show file tree

Hide file tree

Showing 11 changed files with 2,553 additions and 2 deletions.
diff --git a/docs/customizing_deis/router_settings.rst b/docs/customizing_deis/router_settings.rst
@@ -45,6 +45,8 @@ setting                                      description
 /deis/router/controller/timeout/connect      proxy_connect_timeout for deis-controller (default: 10m)
 /deis/router/controller/timeout/read         proxy_read_timeout for deis-controller (default: 20m)
 /deis/router/controller/timeout/send         proxy_send_timeout for deis-controller (default: 20m)
+/deis/router/firewall/enabled                nginx naxsi firewall (default: false)
+/deis/router/firewall/errorCode              nginx default firewall error code (default: 400)
 /deis/router/gzip                            nginx gzip setting (default: on)
 /deis/router/gzipCompLevel                   nginx gzipCompLevel setting (default: 5)
 /deis/router/gzipDisable                     nginx gzipDisable setting (default: "msie6")

diff --git a/router/README.md b/router/README.md
@@ -25,6 +25,25 @@ install, and start **deis/router**.
 * **PORT** sets the TCP port on which the router listens (default: *80*)
 
 
+## Firewall
+
+Why a firewall in deis-router?
+[Shellshock](https://shellshocker.net) exposed that some apps (mostly CGI based) inside a web server can be exploited like is explained here [Inside Shellshock: How hackers are using it to exploit systems](https://blog.cloudflare.com/inside-shellshock) allowing the arbitrary execution of commands.
+
+To reduce the contact surface of this attack and others (like sql injection and cross site scripting) is possible to enable the naxsi firewall (disabled by default). [**NAXSI**](https://github.com/nbs-system/naxsi) is an open-source, high performance, low rules maintenance WAF for NGINX.
+The rules included are from this project [doxi-rules](https://bitbucket.org/lazy_dogtown/doxi-rules)
+
+Only this modules are enabled:
+
+|--|--|
+|File| |
+|web_app.rules       |detect exploit/misuse-attempts againts web-applications
+|web_server.rules    |generic rules to protect a webserver from misconfiguration and known mistakes / exploit-vectors 
+|active-mode.rules   |rules to configure active-mode (block)
+|naxsi_core          |core naxsi rules
+
+
+
 ## License
 
 © 2014 OpDemand LLC

diff --git a/router/parent/Dockerfile b/router/parent/Dockerfile
@@ -1,5 +1,7 @@
 FROM golang:1.3
 
+ADD firewall /tmp/firewall
+
 ADD build.sh /go/src/github.com/deis/deis/router/build.sh
 
 WORKDIR /go/src/github.com/deis/deis/router

diff --git a/router/parent/build.sh b/router/parent/build.sh
@@ -12,6 +12,7 @@ fi
 
 export VERSION_NGINX=nginx-1.6.2
 export VERSION_TCP_PROXY=0.4.5
+export VERSION_NAXSI=0d53a64ed856e694fcb4038748c8cf6d5551a603
 
 export BUILD_PATH=/tmp/build
 
@@ -32,10 +33,12 @@ apt-get update \
 # grab the source files
 curl -sSL http://nginx.org/download/$VERSION_NGINX.tar.gz -o $BUILD_PATH/$VERSION_NGINX.tar.gz
 curl -sSL https://github.com/yaoweibin/nginx_tcp_proxy_module/archive/v$VERSION_TCP_PROXY.tar.gz -o $BUILD_PATH/$VERSION_TCP_PROXY.tar.gz
+curl -sSL https://github.com/nbs-system/naxsi/archive/$VERSION_NAXSI.tar.gz -o $BUILD_PATH/$VERSION_NAXSI.tar.gz
 
 # expand the source files
 tar xzf $VERSION_NGINX.tar.gz
 tar xzf $VERSION_TCP_PROXY.tar.gz
+tar xzf $VERSION_NAXSI.tar.gz
 
 # build nginx
 cd $BUILD_PATH/$VERSION_NGINX
@@ -61,4 +64,7 @@ patch -p1 < $BUILD_PATH/nginx_tcp_proxy_module-$VERSION_TCP_PROXY/tcp.patch
   --with-mail \
   --with-mail_ssl_module \
   --add-module=$BUILD_PATH/nginx_tcp_proxy_module-$VERSION_TCP_PROXY \
+  --add-module=$BUILD_PATH/naxsi-$VERSION_NAXSI/naxsi_src \
   && make && make install
+
+mv /tmp/firewall /opt/nginx/firewall
diff --git a/router/parent/firewall/README.md b/router/parent/firewall/README.md
@@ -0,0 +1,99 @@
+
+
+# README.rulesets for doxi / dogtown-naxi-rules
+
+- Readme-Version: 2014-04-04
+- [latest ruleset-commits](https://bitbucket.org/lazy_dogtown/doxi-rules/src)
+- [Doxi-News Blog](http://blog.dorvakt.org/)
+
+these rulesets are now available as independent git-repo @ 
+[bitbucket.org/lazy_dogtown/doxi-rules](https://bitbucket.org/lazy_dogtown/doxi-rules)
+
+for tools to manage your doxi-rules you might want to install doxi-tools
+[bitbucket.org/lazy_dogtown/doxi](https://bitbucket.org/lazy_dogtown/doxi)
+
+to keep track of changes and ruleset-updates you could either 
+subscribe to the [doxi-news - blog](http://blog.dorvakt.org/) ([rss-feed](http://blog.dorvakt.org/feeds/posts/default)), 
+subscribe to the naxsi-mailinglist 
+https://groups.google.com/forum/?fromgroups#!forum/naxsi-discuss or
+subscribe to the [ruleset-commit-feed](https://bitbucket.org/lazy_dogtown/doxi-rules/rss)
+or follow that project on Bitbucket
+
+License: see License.txt
+
+
+
+all not-mentioned files here are part of naxsi/nginx - default-configuration
+
+
+# configuration rules 
+
+please note: due to changes in naxsi after 0.49 this file-layout might get 
+obsolete. 
+
+### rules.conf
+
+- your global includes-file; you might setup different rules.con - files,
+- maybe tuned for each virtualhost.
+
+
+### learning-mode.rules 
+
+- rules to configure/enable learning-mode 
+
+### active-mode.rules 
+
+- rules to configure active-mode (block)
+
+
+# detection rules
+
+### app_server.rules
+
+- rules you might want to enable when running nginx as lb/proxy 
+for app-servers like tomcat / rails etc and you're shure to
+have no php/asp/cgi - files lying around
+
+### malware.rules
+
+**NOTE: for a better coverage you might want to try a real ids
+like snort or suricata  with et-rulesets rules to detect malicious
+content in- and outbound. **
+
+- this ruleset is designed to detect malicious request that give a 
+hint for hacked / misused / C&C-servers and tries to detect
+web-backdoors, webshells and other malicious access to unwanted
+files/services.
+
+- **CAUTION:** these rules are quite noise, so if included you might want to
+tune and create whitelists for your applications
+
+### scanner.rules
+
+- detect scanners (WebAppScanners/Testing-Tools
+- detetc vuln-scanning-bots or attack-tools) by UA or by certain requests.
+- some of these rules could be included into web_[app|server].rules,
+like scanners for certain webapp/server-vulns, but when there's a 
+clear sign for an automated scanning-process the sigs are include here
+- **CAUTION:** these rules are quite noise, so if included you might want to
+tune and create whitelists for your applications
+
+
+### web_app.rules
+
+- detect exploit/misuse-attempts againts web-applications; please see 
+scanner.rules for some details on webapp-based scanners
+
+### web_server.rules
+
+- generic rules to protect a webserver from misconfiguration 
+and known mistakes / exploit-vectors 
+
+
+# misc. rules (obsolete, not maintained after jan 2014)
+
+# misc_whitelisting.rules 
+
+- whitelistings for different webapps/actions that are known to fail
+on certain parameters 
+
diff --git a/router/parent/firewall/active-mode.rules b/router/parent/firewall/active-mode.rules
@@ -0,0 +1,19 @@
+#LearningMode; #Enables learning mode
+SecRulesEnabled;
+#SecRulesDisabled;
+DeniedUrl "/RequestDenied";
+
+
+
+## check rules
+CheckRule "$SQL >= 8" BLOCK;
+CheckRule "$RFI >= 8" BLOCK;
+CheckRule "$TRAVERSAL >= 4" BLOCK;
+CheckRule "$EVADE >= 4" BLOCK;
+CheckRule "$XSS >= 8" BLOCK;
+
+# UnWantedAccess -> see app-server.rules
+CheckRule "$UWA >= 8" BLOCK;
+
+# Identified Attacks
+CheckRule "$ATTACK >= 8" BLOCK;
diff --git a/router/parent/firewall/naxsi_core.rules b/router/parent/firewall/naxsi_core.rules
@@ -0,0 +1,80 @@
+##################################
+## INTERNAL RULES IDS:1-10      ##
+##################################
+#weird_request : 1
+#big_body : 2
+#no_content_type : 3
+
+#@MainRule "msg:weird/incorrect request" id:1;
+#@MainRule "msg:big request, unparsed" id:2;
+#@MainRule "msg:uncommon hex encoding (%00 etc.)" id:10;
+MainRule "msg:uncommon/empty content-type in POST" id:11;
+MainRule "msg:uncommon/malformed URL" id:12;
+
+#MainRule "str:123FREETEXT" "msg:exemple learning test pattern"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:BLOCK" id:0;
+
+##################################
+## SQL Injections IDs:1000-1099 ##
+##################################
+MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
+# matches /config in controller
+# MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
+MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
+## Hardcore rules
+MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
+MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
+#MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
+MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
+## end of hardcore rules
+MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
+MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
+MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
+#MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
+#MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
+MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
+MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
+MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
+
+###############################
+## OBVIOUS RFI IDs:1100-1199 ##
+###############################
+MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
+MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
+MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
+MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
+MainRule "str:ftps://" "msg:ftps:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
+MainRule "str:phps://" "msg:phps:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
+
+
+#######################################
+## Directory traversal IDs:1200-1299 ##
+#######################################                                          
+MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
+MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
+MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
+MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
+#MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
+#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
+
+########################################
+## Cross Site Scripting IDs:1300-1399 ##
+########################################
+MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
+MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
+MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
+MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
+MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
+MainRule "str:`"  "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
+#MainRule "rx:%[2|3]."  "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
+
+####################################
+## Evading tricks IDs: 1400-1500 ##
+####################################
+MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
+MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
+#@MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402;
+
+#############################
+## File uploads: 1500-1600 ##
+#############################
+#@MainRule "rx:.ph*|.asp*" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;