The Kubernetes Ingress-Nginx controller allows us to enable ModSecurity, an open-source Web Application Firewall. In this post I will go over how to use and configure ModSecurity with Ingress-Nginx.


What is ModSecurity

ModSecurity is a web application firewall which is used to protect your web application from a variety of attacks.

In Ingress-NGINX you will be able to enable ModSecurity in a variety of ways:

Default Configuration

OWASP Core Rule Set

Snippet

Default Configuration

When enabling ModSecurity without the OWASP Core Rule Set or a Snippet, a Default Configuration from ModSecurity is used. It runs only in “Detection Only Mode” and is non-disruptive to your applications.

Usually you would run in “Detection Only Mode” for some time and review all the events generated by ModSecurity. Then you should start fine tuning it towards your specific application.

The default configuration also contains a number of ModSecurity rules, which are heavily documented and which you can review in the link above. It is recommended that you modify this file as needed.

OWASP Core Rule Set

The OWASP Core Rule Set is a set of generic attack detection rules that can be used with ModSecurity. It provides protection from a variety of attacks, while limiting false positives.

It protects against the OWASP Top 10 and many others. Some of the common attacks it protects against are:

SQL Injection (SQLi): SQL Injection is an attack in which a SQL query is inserted from the client into the application.

Cross Site Scripting (XSS): Cross-site scripting attacks occur when an attacker uses a web application to send malicious code to a different end user.

Local File Inclusion (LFI): Local File Inclusion is the process of including files that are already locally present on the server, through the exploitation of vulnerable inclusion procedures implemented in the application.

Remote File Inclusion (RFI): Remote File Inclusion is the process of including remote files through the exploitation of vulnerable inclusion procedures implemented in the application.

Remote Code Execution (RCE): Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application.

Session Fixation: Session Fixation is an attack that permits an attacker to hijack a valid user session.

Scanner Detection: Scanners can be used by hackers for malicious reasons. If you aren’t expecting any scan on your system, it is useful to detect that it is happening.

Metadata/Error Leakages: Leaking of descriptive errors or sensitive information.

Note that the OWASP Core Rule Set configuration is highly documented and it is recommended that it be tuned.

Snippet

Using a ModSecurity Snippet, you can insert any set of ModSecurity directives desired. For a list of directives you can check out the ModSecurity documentation.

I recommend that once you have a ModSecurity configuration tuned to all of your needs, you use the ModSecurityConfig directive to point toward that configuration.

In order to add a custom ModSecurity configuration, you can either add all the required code to the Snippet (which may be hard to maintain) or build an Ingress-NGINX image containing your ModSecurity configuration. Search for “build modsecurity library” in the nginx build file for an example.
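As an added example (not from the original post), here is an Ingress manifest that combines all three approaches: the annotations enable ModSecurity and the OWASP Core Rule Set, and the snippet appends directives that keep detection-only mode, send audit events to the controller's stdout for review, and exclude a health-check path from inspection so it does not generate false positives. The hostname, service name and rule id are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app            # hypothetical name
  namespace: default
  annotations:
    # Enable the ModSecurity module for this Ingress only.
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    # Load the OWASP Core Rule Set on top of ModSecurity's default configuration.
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    # Tag each audit record with NGINX's request id so it can be correlated
    # with the matching access-log line.
    nginx.ingress.kubernetes.io/modsecurity-transaction-id: "$request_id"
    # Snippet: ModSecurity directives appended after the default config and the CRS.
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      # Stay in detection-only mode while reviewing events; change to "On"
      # once the rules have been tuned and you want requests blocked.
      SecRuleEngine DetectionOnly
      # Inspect request bodies so POST parameters are covered by the rules.
      SecRequestBodyAccess On
      # Log only transactions that matched a rule, as a single serial record
      # on stdout, so `kubectl logs` on the controller pod shows the events.
      SecAuditEngine RelevantOnly
      SecAuditLogType Serial
      SecAuditLog /dev/stdout
      SecAuditLogParts ABIJDEFHZ
      # Tuning rule (id 10001 is a constructed value): skip inspection of the
      # health-check endpoint, which carries no user input and was only
      # adding noise to the audit log.
      SecRule REQUEST_URI "@beginsWith /healthz" \
        "id:10001,phase:1,pass,nolog,ctl:ruleEngine=Off"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com     # hypothetical host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-app  # hypothetical backend service
            port:
              number: 80
```

Newer ingress-nginx releases ignore the snippet annotation unless the controller ConfigMap sets allow-snippet-annotations to "true". The same enable-modsecurity and enable-owasp-core-rules keys can instead be set in that ConfigMap to turn ModSecurity on for every Ingress the controller serves.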

Note: Customizing and Building NGINX with Custom ModSecurity files is out of the scope of this blog post, but there is some documentation here.