The ModSecurity-nginx connector is the connection point between nginx and libmodsecurity (ModSecurity v3), and it is required to use libmodsecurity with nginx. The connector takes the form of an nginx module that simply serves as a layer of communication between nginx and ModSecurity. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.
Install Dependencies
Because we are going to compile both Nginx and libModSecurity from source, we need the following dependencies installed. Before installing them, update your repository list with the following command:
apt-get update
Now execute the following command to install all of the needed dependencies:
apt-get install apache2-dev autoconf automake build-essential bzip2 checkinstall devscripts flex g++ gcc git graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat libaio-dev libaio1 libass-dev libatomic-ops-dev libavcodec-dev libavdevice-dev libavfilter-dev libavformat-dev libavutil-dev libbz2-dev libcdio-cdda1 libcdio-paranoia1 libcdio13 libcurl4-openssl-dev libfaac-dev libfreetype6-dev libgd-dev libgeoip-dev libgeoip1 libgif-dev libgpac-dev libgsm1-dev libjack-jackd2-dev libjpeg-dev libjpeg-progs libjpeg8-dev liblmdb-dev libmp3lame-dev libncurses5-dev libopencore-amrnb-dev libopencore-amrwb-dev libpam0g-dev libpcre3 libpcre3-dev libperl-dev libpng12-dev libpng12-0 libpng12-dev libreadline-dev librtmp-dev libsdl1.2-dev libssl-dev libssl1.0.0 libswscale-dev libtheora-dev libtiff5-dev libtool libva-dev libvdpau-dev libvorbis-dev libxml2-dev libxslt-dev libxslt1-dev libxslt1.1 libxvidcore-dev libxvidcore4 libyajl-dev make openssl perl pkg-config tar texi2html unzip zip zlib1g-dev
In this section we are going to clone the ModSecurity source from its official Git repository, then check out and build libModSecurity. Execute the following commands one by one to get it done:
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
If you have done everything right, you will not see any errors during the configuration, so you can go ahead and start compiling with the following command (it’s going to take a few minutes):
make && make install
After the installation process is finished, it’s a good idea to check if everything has been installed correctly with the following command:
make check
Download the ModSecurity Nginx connector
Switch back to the “opt” directory and clone the ModSecurity-nginx connector with the command below:
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
Download and Install Nginx
In this section, we are going to download the latest stable version of Nginx, which is “1.12.2” at the time of writing. You can always go to the official Nginx website to get the latest stable version.
Download the source file in the “opt” directory using Wget:
cd /opt/
wget https://nginx.org/download/nginx-1.12.2.tar.gz
Extract the source files with the command below:
tar xvzf nginx-1.12.2.tar.gz
Now execute the following commands one by one to compile and install Nginx:
cd nginx-1.12.2
./configure --user=www-data --group=www-data --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx
make && make install
The ModSecurity source code that we downloaded earlier includes a sample ModSecurity.conf file with some recommended settings. Copy this file to the folder with the Nginx configuration files:
cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
Create a symlink from the Nginx binary to our executable path:
ln -s /usr/local/nginx/sbin/nginx /bin/nginx
Configuring Nginx
In order to get libModSecurity working with your Nginx, you have to do some configuration first. Open the Nginx global configuration file with the command below:
nano /usr/local/nginx/conf/nginx.conf
At the very beginning of the file, you can see a line that refers to “user”. Uncomment it and change its value like below:
user www-data;
Find the "pid" line and make it look like below:
pid /var/run/nginx.pid;
Find the “server” directive and delete everything within the two curly braces “{}” and add the following lines in it:
listen 80;
server_name localhost;
modsecurity on;
location / {
root html;
index index.html index.htm;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
}
Save and Exit the editor.
Now we are going to create a "systemd" service for Nginx. Create a “nginx.service” file in the proper path with the following command:
nano /etc/systemd/system/nginx.service
Paste the following lines into the file then save and exit:
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/bin/nginx -t
ExecStart=/bin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Execute the following command for the new unit file to take effect:
systemctl daemon-reload
You can check whether your Nginx configuration is OK with the following command:
nginx -t
You should see output like the following:
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Install OWASP Core Rule Set (CRS)
Clone and copy the latest version of OWASP rules and configurations to Nginx:
cd /opt/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp -R rules/ /usr/local/nginx/conf/
cp /opt/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf
Edit the ModSecurity config file to include the OWASP rule set files:
nano /usr/local/nginx/conf/modsecurity.conf
Paste the following lines at the end of the file:
#Load OWASP Config
Include crs-setup.conf
#Load all other Rules
Include rules/*.conf
#Disable rule by ID from error message
#SecRuleRemoveById 920350
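Before restarting, it is worth linting the file you just edited: modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, which logs matches without blocking them, and the CRS expects crs-setup.conf to be loaded before rules/*.conf. The script below is an added example, not part of the original tutorial or the ModSecurity project; its function names and the sample config are constructed for illustration, and it only inspects the one file it is given (not files pulled in by Include).

```shell
#!/bin/sh
# Added example: lint a modsecurity.conf assembled as in this tutorial.

# Constructed sample: the relevant directives as the steps above leave them.
sample_conf() {
cat <<'EOF'
SecRuleEngine DetectionOnly
SecAuditLog /var/log/modsec_audit.log
#Load OWASP Config
Include crs-setup.conf
#Load all other Rules
Include rules/*.conf
#SecRuleRemoveById 920350
EOF
}

# Print the value of the last uncommented SecRuleEngine directive, or "unset".
modsec_engine_mode() {
    awk '$1 == "SecRuleEngine" { m = $2 } END { print (m == "" ? "unset" : m) }' "$1"
}

# Print the line number of the first uncommented "Include <target>" directive.
include_line() {
    awk -v t="$2" '$1 == "Include" && $2 == t { print NR; exit }' "$1"
}

# Print one finding per line; return 0 only when nothing was found.
check_modsec_conf() {
    conf=$1; rc=0
    mode=$(modsec_engine_mode "$conf")
    case $mode in
        [Oo][Nn]) ;;
        unset) echo "WARN: no SecRuleEngine directive in $conf"; rc=1 ;;
        *) echo "WARN: SecRuleEngine is $mode, so matches are not blocked"; rc=1 ;;
    esac
    setup=$(include_line "$conf" 'crs-setup.conf')
    rules=$(include_line "$conf" 'rules/*.conf')
    if [ -z "$setup" ] || [ -z "$rules" ]; then
        echo "FAIL: CRS Include lines missing"; rc=1
    elif [ "$setup" -gt "$rules" ]; then
        echo "FAIL: crs-setup.conf must be included before rules/*.conf"; rc=1
    fi
    return $rc
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_conf > "$tmp"
check_modsec_conf "$tmp" || true
rm -f "$tmp"
```

On the system built above, the file to check is /usr/local/nginx/conf/modsecurity.conf.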
Finally, restart Nginx for the changes to take effect with the command below:
systemctl restart nginx
You can view the following log file to see all of the ModSecurity events:
tail -f /var/log/modsec_audit.log
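To see which rule IDs are firing before deciding whether any of them belongs in a SecRuleRemoveById line, the audit log can be tallied by rule. This is an added example, not part of the original tutorial; the function names and the shortened sample log are constructed, and it assumes the log carries "ModSecurity:" message lines with [id "..."] and [msg "..."] tags.

```shell
#!/bin/sh
# Added example: count audit-log messages per rule ID.

# Constructed sample: two shortened transactions in the serial audit log
# layout, using documentation addresses and made-up line numbers.
sample_audit_log() {
cat <<'EOF'
---aB3dE5fG---A--
[10/Jan/2018:10:00:01 +0000] 151557840100.000001 192.0.2.10 40000 192.0.2.1 80
---aB3dE5fG---B--
GET / HTTP/1.1
---aB3dE5fG---H--
ModSecurity: Warning. Matched "Operator `Rx' against variable `REQUEST_HEADERS:Host' (Value: `192.0.2.1' ) [file "/usr/local/nginx/conf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "733"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
---aB3dE5fG---Z--
---hJ7kL9mN---A--
[10/Jan/2018:10:00:05 +0000] 151557840500.000002 192.0.2.11 40001 192.0.2.1 80
---hJ7kL9mN---B--
GET /?q=test HTTP/1.1
---hJ7kL9mN---H--
ModSecurity: Warning. Matched "Operator `Rx' against variable `REQUEST_HEADERS:Host' (Value: `192.0.2.1' ) [file "/usr/local/nginx/conf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "733"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"]
---hJ7kL9mN---Z--
EOF
}

# Print "count<TAB>rule id<TAB>message", most frequent rule first.
modsec_rule_hits() {
    awk '
    /^ModSecurity: / {
        id = ""; msg = ""
        if (match($0, /\[id "[0-9]+"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
        if (id != "") { hits[id]++; text[id] = msg }
    }
    END { for (id in hits) printf "%d\t%s\t%s\n", hits[id], id, text[id] }
    ' "$1" | sort -k1,1nr -k2,2n
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_audit_log > "$tmp"
modsec_rule_hits "$tmp"
rm -f "$tmp"
```

On the system built above, the file to pass is /var/log/modsec_audit.log; a rule that dominates the tally on known-good traffic is the one to review for a false positive.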