Comparison of Security Enhanced NGINX and Hiawatha Web Server when repelling layer 7 attacks (bots / SQL / XSS etc.)

    Good afternoon.

    At the end of "NGINX week", we decided to talk about a very interesting build of a "safe" version of NGINX by the Chinese company Neusoft, which has not been covered in a single article on Habr: SeNginx. In addition, we will also tell you about a second web server that does not receive as much attention as Nginx, Hiawatha Web Server, and try to compare Hiawatha with SeNginx in terms of using them to secure your website or web application.


    Note that over the 5 years of our hosting company's existence, we have seen a whole range of attacks of various levels and types on the websites and web applications of our customers, and have also worked with the London Metropolitan Police in finding and catching one botnet operator. Today, DDoS attacks have become so frequent that just yesterday Arbor recorded 49 layer 3/4 DDoS attacks with a bandwidth of up to 20-25 Gbit/s in one of our data centers (Chart 1 and Chart 2). And although Arbor devices can cope quite well with layer 3 and 4 attacks given a certain configuration, they are practically useless against layer 7 attacks, whose purpose is to overload server resources and to search for vulnerabilities in your application.

    The cheapest way to repel layer 7 attacks is one of the various setups using DNS RoundRobin + HAProxy, Nginx, Varnish Cache, etc., which either spread the attack across several client servers or make it possible to answer bot requests "head-on" by serving a cached version of the page. Unfortunately, this approach often requires manual configuration and constant monitoring, and is rarely effective against attacks that change their type.

    Visual representation of DNS RoundRobin + Nginx (source):


    After a long search, we found an excellent module for NGINX, written by Russian Perl programmers in 2012, that lets you filter the bots coming to your site automatically: Roboo (article on Habr). The module performed very well, allowing hundreds of thousands of bot requests to be filtered using NGINX with minimal server load.

    We could not figure out how, but the Roboo module had already been noticed by Chinese programmers, rewritten in C and included in an NGINX build with security modules, which was named SeNginx.

    So what exactly is SeNginx?

    SeNginx is an NGINX build with additional security modules, namely:

    • HTTP Robot Mitigation - the Roboo module rewritten in C, which protects the site from bots that do not support JavaScript or Flash. Most bots today are of this kind, although new bots are appearing (PhantomJS, Zombie JS, etc.) that do support JavaScript; there are still far fewer such botnets.
    • Naxsi & ModSecurity - modules that protect against SQL injection, XSS and web scanners using whitelists and rule sets.
    • User-Agent Whitelist with DNS Reverse Resolve - the ability to whitelist the bots used by search engines (Google, Yandex, etc.) with a reverse DNS check, which blocks bots that present a User-Agent of googlebot but are not really Googlebot.
    • Dynamic IP Blacklist - the module automatically adds the IP addresses of bots or scanners to a blacklist, writes them to a log file and, optionally, unblocks them after a set time.
    • NetEye Security Layer - a module that ties the various security modules together and sets the order in which they perform their checks.
    • Statistics - a convenient statistics module in JSON format that displays both the statistics of NGINX itself and those of the security modules - http://demo.senginx.org
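    The reverse-DNS check behind the User-Agent whitelist is worth seeing in full, because a plain PTR lookup is not enough: anyone who controls the reverse zone for their own IP range can publish a PTR record ending in googlebot.com. The check therefore has to be forward-confirmed: resolve the PTR name back to its addresses and require the original IP to be among them. The following is an added Python example, not SeNginx code; the crawler names, their published reverse-DNS suffixes and the `classify_client` verdict strings are this example's own choices, and the resolver data is constructed (documentation IP ranges) so it runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for search-engine crawlers.

Added example, not SeNginx code. The resolver functions are injected so the
logic can run against constructed data; system_ptr/system_a use the real
resolver for production use.
"""
import socket
from typing import Callable, Dict, List, Optional

# Reverse-DNS suffixes the major search engines publish for their crawlers.
# The crawler keys are the substrings looked for in the User-Agent header.
CRAWLER_DOMAINS: Dict[str, List[str]] = {
    "googlebot": ["googlebot.com", "google.com"],
    "yandexbot": ["yandex.ru", "yandex.net", "yandex.com"],
    "bingbot": ["search.msn.com"],
}

PtrLookup = Callable[[str], Optional[str]]   # ip -> hostname or None
ALookup = Callable[[str], List[str]]         # hostname -> list of ips


def system_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup (used when no fake resolver is injected)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(host: str) -> List[str]:
    """Real forward lookup returning every address the name resolves to."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def claimed_crawler(user_agent: str) -> Optional[str]:
    """Return the crawler name the User-Agent claims to be, if any."""
    ua = user_agent.lower()
    return next((name for name in CRAWLER_DOMAINS if name in ua), None)


def is_verified_crawler(ip: str, crawler: str,
                        ptr_lookup: PtrLookup, a_lookup: ALookup) -> bool:
    host = ptr_lookup(ip)
    if not host:
        return False                       # no PTR at all: cannot be confirmed
    host = host.rstrip(".").lower()
    allowed = CRAWLER_DOMAINS[crawler]
    if not any(host == d or host.endswith("." + d) for d in allowed):
        return False                       # PTR points outside the crawler's zones
    # Forward confirmation: the PTR name must resolve back to the same IP.
    return ip in a_lookup(host)


def classify_client(ip: str, user_agent: str,
                    ptr_lookup: PtrLookup = system_ptr,
                    a_lookup: ALookup = system_a) -> str:
    """Verdict strings are this example's own:
    'verified-crawler' -> safe to whitelist past the other bot checks,
    'spoofed-crawler'  -> claims a crawler UA but fails FCrDNS (treat as hostile),
    'ordinary'         -> makes no crawler claim, apply the normal checks.
    """
    crawler = claimed_crawler(user_agent)
    if crawler is None:
        return "ordinary"
    if is_verified_crawler(ip, crawler, ptr_lookup, a_lookup):
        return "verified-crawler"
    return "spoofed-crawler"


# Constructed resolver data (documentation address ranges, not real hosts).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine: PTR and A agree
    "203.0.113.7": "crawl-192-0-2-10.googlebot.com",  # forged PTR, A does not match
    "198.51.100.9": "host9.example.net",              # PTR outside googlebot.com
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "host9.example.net": ["198.51.100.9"],
}


def demo_verdicts() -> Dict[str, str]:
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    lookup_a = lambda h: FAKE_A.get(h, [])
    return {
        ip: classify_client(ip, ua, FAKE_PTR.get, lookup_a)
        for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.9")
    } | {"curl": classify_client("198.51.100.9", "curl/7.88", FAKE_PTR.get, lookup_a)}


if __name__ == "__main__":
    for who, verdict in demo_verdicts().items():
        print(f"{who:14} {verdict}")
```

    Only the "verified-crawler" verdict should bypass the Robot Mitigation challenge; "spoofed-crawler" is a stronger signal than an ordinary client, since a legitimate browser has no reason to claim to be Googlebot. Cache the PTR/A results per IP for a while, as both lookups add latency to the first request.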

    In addition, SeNginx includes modules for load balancing (Session Persistence, Fastest Load Balancing Algorithm / Fair Load Balancing Algorithm), a MIME cache module, and support for Syslog.

    As a result, SeNginx is a very powerful tool to counter bots and automated security scanners that are used to search for vulnerabilities on your site.

    What is the Hiawatha Web Server?

    Hiawatha is a full-fledged web server written in 2002 by Hugo Leisink, then a student in Amsterdam, and maintained to this day. Unlike Nginx, Hiawatha was conceived from the start as a web server with security features such as protection against SQL injection, XSS, CSRF and exploit attacks.

    Following our discussions with Hugo over the past few years, a Roboo-style module was also added to Hiawatha and tested to protect websites from bots, but with one additional feature, which we will look at later.

    The advantage of Hiawatha is that this web server is very easy to configure and operate. While Nginx is a powerful and sometimes complex tool, Hiawatha can be installed and configured in a short time, monitoring and protection included. Nginx, for example, has no convenient way to track traffic per virtual host and requires third-party modules to be configured for advanced per-virtual-host monitoring.

    Features of Hiawatha Web Server:

    • Security - protection against SQL injection / XSS / CSRF / exploit attacks, with logging to system.log
    • Cache support - the ability to set the cache size and conveniently configure the file types stored in the cache (CacheRProxyExtensions = css, gif, html, jpg, js, png, txt)
    • Reverse proxy support - like Nginx, Hiawatha implements reverse proxy support
    • Protection against bots - recently added: bot protection using a JavaScript or HTTP-header challenge (ChallengeClient)
    • Hiawatha Monitor - Hiawatha has a web panel that collects statistics from all its servers into a single database, from which the data can be integrated into your applications

    As a result, Hiawatha is a convenient and fairly easy-to-use web server which, unlike Nginx, does not have a million settings: it simply installs, works out of the box and brings additional security features.

    What are the differences between SeNginx and Hiawatha?

    Of course, someone will say that comparing Nginx with a little-known web server makes no sense, but our tests and our fairly long use of Hiawatha in production have shown that Hiawatha is an excellent open source tool that does not require much knowledge to configure and manage and is not much inferior to Nginx.

    However, the main difference between SeNginx and Hiawatha lies in how they integrate the Roboo module:

    In SeNginx, the Robot Mitigation module works on an on/off principle, which means you either have to carefully maintain a whitelist of IP addresses (for example, those of payment systems) so that the module does not block them, or enable the bot protection module only during a bot attack. This way of protecting a site is not very convenient, because you have to constantly monitor the sites that are under bot attack, or keep the module permanently on, which can cause availability problems for legitimate ("white") bots.

    In Hiawatha, the bot protection module is only enabled when the number of connections to your server exceeds a certain threshold. For example, if your web server handles 10,000 connections at peak times, a bot attack can create a load of 100,000 or more connections. In this case, setting the Hiawatha threshold to 15,000 connections will switch the bot protection module on automatically only while your server is under attack.
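    The two behaviours compared above, a Roboo-style cookie challenge that only a client executing the served script can pass (the mechanism behind the HTTP Robot Mitigation module described earlier) and Hiawatha's threshold that switches the challenge on only while connections exceed a limit, can be modelled in a few dozen lines. The block below is an added Python example; it is neither Hiawatha's nor SeNginx's own code. The cookie name, the HMAC token format, the 503 challenge response, the secret and the connection counts are all this example's own assumptions, constructed so the simulation runs offline.

```python
"""Threshold-gated Roboo-style JavaScript challenge (added example).

Not Hiawatha/SeNginx code. The gate stays transparent while the connection
count is at or below the threshold; above it, every request must carry a
cookie that only the served script sets. Tokens are an HMAC over the client
IP and a time window, so a stolen cookie is useless from another address
and expires on its own.
"""
import hashlib
import hmac
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

COOKIE = "challenge"          # assumed cookie name


@dataclass
class Request:
    ip: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


class ChallengeGate:
    def __init__(self, secret: bytes, threshold: int, ttl: int = 600,
                 clock: Callable[[], float] = time.time):
        self.secret = secret
        self.threshold = threshold      # challenge is active only above this
        self.ttl = ttl                  # token lifetime (seconds)
        self.clock = clock
        self.active_connections = 0     # fed by the server's connection counter
        self.challenges_issued = 0

    def _window(self) -> int:
        return int(self.clock()) // self.ttl

    def _token(self, ip: str, window: int) -> str:
        msg = f"{ip}|{window}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def token_valid(self, ip: str, token: str) -> bool:
        """Accept the current and the previous window so a client is not
        re-challenged exactly at the window boundary."""
        if not token.isascii():
            return False
        w = self._window()
        return any(hmac.compare_digest(token.encode(), self._token(ip, x).encode())
                   for x in (w, w - 1))

    def handle(self, req: Request) -> Response:
        if self.active_connections <= self.threshold:
            return Response(200, "origin")          # calm: no challenge at all
        token = req.cookies.get(COOKIE)
        if token and self.token_valid(req.ip, token):
            return Response(200, "origin")          # challenge already passed
        # Challenge: the script sets the cookie and reloads. A client without
        # a JavaScript engine never sets it, which is the whole filter; a bot
        # that does execute (or parse) the script is not stopped by this class
        # of protection, as the article notes for PhantomJS-style bots.
        self.challenges_issued += 1
        fresh = self._token(req.ip, self._window())
        body = ("<html><body><script>"
                f"document.cookie='{COOKIE}={fresh}; path=/';"
                "location.reload();</script></body></html>")
        return Response(503, body)


TOKEN_RE = re.compile(r"document\.cookie='(\w+)=([0-9a-f]+)")


def browser_fetch(gate: ChallengeGate, ip: str, jar: Dict[str, str]) -> Response:
    """Client that runs the script: stores the cookie, then reloads."""
    resp = gate.handle(Request(ip, dict(jar)))
    if resp.status == 503:
        m = TOKEN_RE.search(resp.body)
        jar[m.group(1)] = m.group(2)
        resp = gate.handle(Request(ip, dict(jar)))
    return resp


def simple_bot_fetch(gate: ChallengeGate, ip: str) -> Response:
    """Bot with no JavaScript engine: bare requests, script ignored."""
    return gate.handle(Request(ip))


def simulate(threshold: int = 15_000) -> Tuple[Tuple[str, str], Tuple[str, int], int]:
    """Constructed scenario: 10,000 connections at peak, 100,000 under attack."""
    gate = ChallengeGate(b"constructed-demo-secret", threshold)
    jar: Dict[str, str] = {}
    gate.active_connections = 10_000
    calm = (browser_fetch(gate, "192.0.2.10", jar).body,
            simple_bot_fetch(gate, "203.0.113.5").body)
    gate.active_connections = 100_000
    attack = (browser_fetch(gate, "192.0.2.10", jar).body,
              simple_bot_fetch(gate, "203.0.113.5").status)
    browser_fetch(gate, "192.0.2.10", jar)      # second visit reuses the cookie
    return calm, attack, gate.challenges_issued


if __name__ == "__main__":
    print(simulate())   # (('origin', 'origin'), ('origin', 503), 2)
```

    Below the threshold both the browser and the bot reach the origin untouched, which is the SeNginx "off" state without anyone having to flip it; above it the browser passes after one challenge and keeps passing on its cookie, while the bot is held at the 503 and never reaches the origin. Binding the token to the IP and a time window is what makes a permanently enabled challenge tolerable for whitelisted payment callbacks and similar clients: those addresses can simply be exempted before the gate, as the SeNginx whitelist requires.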

    As a result, if you do not want to deal with the huge number of SeNginx settings, it is easier and faster to configure Hiawatha and forget about botnet attacks for a while. If you are professionally engaged in DDoS protection, the SeNginx build is an excellent tool that can be tailored precisely to your customers' needs.
