mod_defender

Naxsi for Apache2

Primary language: C++. License: GNU General Public License v3.0 (GPL-3.0).

Mod Defender is an Apache2 module that aims to block attacks by means of a whitelist policy.
It is an almost complete port of NAXSI, the equivalent module for Nginx.
It uses the same configuration format and is therefore fully compatible with NXAPI/NXTOOL.

Advantages

  • Human-readable log: colored output for following MainRule and BasicRule processing
  • JSON match log: easier to parse and more compact
  • Combined log: the regular and extensive match logs are merged, so the name and the content of the variable in question appear on the same line

Required packages

  • apache2 dev package to provide Apache2 headers
  • apr package to provide the Apache Portable Runtime library and headers
  • gcc & g++ >= 4.9 (for std::regex)
  • GNU make
  • cmake >= 3.2

Installation

Debian

  1. Install required packages

    sudo apt-get install apache2-dev make gcc g++ cmake
  2. Compile the source

    cmake -H. -Bbuild
    cmake --build build -- -j4
  3. Install the module

    sudo cp build/mod_defender.so /usr/lib/apache2/modules/
  4. Create its module load file

    cat << EOF | sudo tee /etc/apache2/mods-available/defender.load > /dev/null
    LoadModule defender_module /usr/lib/apache2/modules/mod_defender.so
    <IfModule defender_module>
    Include /etc/defender/core.rules
    </IfModule>
    EOF
  5. Add mod_defender settings in the desired location / directory / proxy blocks

    <VirtualHost *:80>
        ServerName ...
        DocumentRoot ...
    
        <Location ...>
            <IfModule defender_module>
            # Defender toggle
            Defender On
            # Match log path
            MatchLog ${APACHE_LOG_DIR}/defender_match.log
            # JSON Match log path
            JSONMatchLog ${APACHE_LOG_DIR}/defender_json_match.log
            # Request body limit
            RequestBodyLimit 8388608
            # Learning mode toggle (On: matches are logged but requests are never blocked)
            LearningMode On
            # Extensive Learning log toggle
            ExtensiveLog Off
            # Libinjection SQL toggle
            LibinjectionSQL Off
            # Libinjection XSS toggle
            LibinjectionXSS Off
            ## Score action
            CheckRule "$SQL >= 8" BLOCK
            CheckRule "$RFI >= 8" BLOCK
            CheckRule "$TRAVERSAL >= 4" BLOCK
            CheckRule "$EVADE >= 4" BLOCK
            CheckRule "$XSS >= 8" BLOCK
            CheckRule "$UPLOAD >= 8" BLOCK
    
            # Whitelists (BasicRule)
            Include /etc/defender/my_whitelist.rules
            </IfModule>
        </Location>
    </VirtualHost>
    
  6. Create Mod Defender conf directory

    sudo mkdir /etc/defender/
  7. Populate it with the core rules

    sudo wget -O /etc/defender/core.rules \
    https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules
  8. Enable the module

    sudo a2enmod defender
  9. Restart Apache2 to take effect

    sudo service apache2 restart

FreeBSD

  1. Install required packages

    pkg install apr make gcc cmake
  2. Compile the source

    cmake -H. -Bbuild
    cmake --build build -- -j4
  3. Install the module

    cp build/mod_defender.so /usr/local/libexec/apache24/
  4. Create its module load file

    cat << EOF | tee /usr/local/etc/apache24/modules.d/250_defender.conf > /dev/null
    LoadModule defender_module libexec/apache24/mod_defender.so
    <IfModule defender_module>
    Include etc/defender/core.rules
    </IfModule>
    EOF
  5. Add mod_defender settings in the desired location / directory / proxy blocks

    <VirtualHost *:80>
        ServerName ...
        DocumentRoot ...
    
        <Location ...>
            <IfModule defender_module>
            # Defender toggle
            Defender On
            # Match log path
            MatchLog /var/log/defender_match.log
            # JSON Match log path
            JSONMatchLog /var/log/defender_json_match.log
            # Request body limit
            RequestBodyLimit 8388608
            # Learning mode toggle (On: matches are logged but requests are never blocked)
            LearningMode On
            # Extensive Learning log toggle
            ExtensiveLog Off
            # Libinjection SQL toggle
            LibinjectionSQL Off
            # Libinjection XSS toggle
            LibinjectionXSS Off
            ## Score action
            CheckRule "$SQL >= 8" BLOCK
            CheckRule "$RFI >= 8" BLOCK
            CheckRule "$TRAVERSAL >= 4" BLOCK
            CheckRule "$EVADE >= 4" BLOCK
            CheckRule "$XSS >= 8" BLOCK
            CheckRule "$UPLOAD >= 8" BLOCK
    
            # Whitelists (BasicRule)
            Include etc/defender/my_whitelist.rules
            </IfModule>
        </Location>
    </VirtualHost>
    
  6. Create Mod Defender conf directory

    mkdir /usr/local/etc/defender/
  7. Populate it with the core rules

    wget -O /usr/local/etc/defender/core.rules \
    https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules
  8. Restart Apache2 to take effect

    service apache24 restart

Configuration hierarchy

Top level (server config, above <VirtualHost>)

    # Score rules
    Include /etc/defender/core.rules
    MainRule "..."

<Location> / <Directory> / <Proxy> blocks

    # Action rules
    CheckRule "..."

    # Whitelist rules
    BasicRule "..."
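To make the interplay of the three rule types concrete, here is a small Python model of the scoring logic (an added illustration, not mod_defender's or NAXSI's own code): MainRule matches add to named scores, a BasicRule whitelist suppresses a match on one variable, a CheckRule threshold turns the score into an action, and LearningMode downgrades a block to a log entry. The rules, zones and requests are constructed samples that mirror the NAXSI syntax, and the model is deliberately simplified (one score increment per matching variable).

```python
import re

# Constructed sample rules in the NAXSI MainRule style (rx matcher, mz zones,
# score): an illustration, not the real naxsi_core.rules.
MAIN_RULES = [
    {"id": 1000, "rx": r"select|union|insert|drop", "mz": {"ARGS", "BODY"}, "s": ("$SQL", 4)},
    {"id": 1001, "rx": r"\.\./", "mz": {"ARGS", "URL"}, "s": ("$TRAVERSAL", 4)},
]
# Equivalent of: BasicRule wl:1000 "mz:$ARGS_VAR:q" -> rule 1000 is ignored on argument "q"
WHITELIST = [{"wl": 1000, "zone": "ARGS", "var": "q"}]
# Same thresholds as the README's CheckRule lines for these two scores
CHECK_RULES = [("$SQL", 8, "BLOCK"), ("$TRAVERSAL", 4, "BLOCK")]

def is_whitelisted(rule_id, zone, var):
    return any(w["wl"] == rule_id and w["zone"] == zone and w["var"] == var
               for w in WHITELIST)

def score_request(request, learning_mode=False):
    """request: {"ARGS": {name: value}, "BODY": {name: value}, "URL": path}.
    Returns (action, per-score totals, matched (id, zone, var) triples)."""
    scores, matches = {}, []
    for zone, content in request.items():
        # URL is a single string; ARGS/BODY are name -> value maps
        items = content.items() if isinstance(content, dict) else [("", content)]
        for var, value in items:
            for rule in MAIN_RULES:
                if zone not in rule["mz"] or not re.search(rule["rx"], value, re.I):
                    continue
                if is_whitelisted(rule["id"], zone, var):
                    continue  # BasicRule: matched, but contributes no score
                name, pts = rule["s"]
                scores[name] = scores.get(name, 0) + pts
                matches.append((rule["id"], zone, var))
    action = "PASS"
    for name, threshold, act in CHECK_RULES:
        if scores.get(name, 0) >= threshold:
            action = act
    # LearningMode On: the match is written to the match log but not enforced
    if learning_mode and action == "BLOCK":
        action = "LOG_ONLY"
    return action, scores, matches

if __name__ == "__main__":
    # One SQL keyword scores 4 (< 8): passes; two tainted args reach 8: blocked
    print(score_request({"ARGS": {"id": "1 union select 1"}}))
    print(score_request({"ARGS": {"id": "select", "name": "drop"}}))
    print(score_request({"ARGS": {"q": "select", "name": "drop"}}))  # q whitelisted
    print(score_request({"URL": "/../config.txt"}, learning_mode=True))
```

Tuning a whitelist in LearningMode and only then switching it Off is exactly the workflow the README's config (LearningMode On, BasicRule Include) is set up for.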

Credits

NAXSI's team from nbs-system