Tuesday, March 23, 2021

Install modsecurity for Nginx

I. Compile modsecurity-nginx modules

1. Download applications

If you installed nginx from a repository, download the nginx source whose version matches the installed binary.

apt install libyajl-dev lua5.3 liblua5.3-dev libfuzzy-dev

$git clone https://github.com/SpiderLabs/ModSecurity.git

$git checkout <tag>

$wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/tags/v1.0.3.tar.gz

$wget https://nginx.org/download/nginx-1.20.0.tar.gz

2. Compile modsecurity-nginx

Compile and install ModSecurity

$git submodule init

$git submodule update

$./build.sh

$./configure

$make && make install

Example: I installed nginx-1.18.0, so I downloaded nginx-1.20.0 and modsecurity-nginx-v1.0.3

$cd nginx-1.20.0

$./configure --add-dynamic-module=../modsecurity-nginx-v1.0.3 --with-compat

$make -f objs/Makefile modules

$ cp objs/ngx_http_modsecurity_module.so /usr/lib/nginx/modules/ngx_http_modsecurity_module.so

$mkdir -p /etc/nginx/modsecurity.d
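
The version-matching requirement from step 1 is easy to get wrong by hand. The script below is an added example, not part of the original post: it parses the banner of the installed binary to pick the source tarball to download, and checks that the binary's configure arguments include --with-compat, the same flag the post passes when building the module, since a dynamic module built from a separate source tree only loads into a binary built with it. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: work out which nginx source
# tarball matches the installed binary (the requirement in step 1) and check
# that the binary was built with --with-compat, since that flag is what lets
# a dynamic module compiled from a separate source tree be loaded by it.
set -eu

# Extract the version, e.g. 1.18.0, from the banner printed by `nginx -v`
# ("nginx version: nginx/1.18.0"). The banner is a parameter so the
# function can be exercised without nginx installed.
parse_nginx_version() {
    printf '%s\n' "$1" | sed -nE 's#.*nginx/([0-9][0-9.]*).*#\1#p'
}

# URL of the matching source tarball on nginx.org (same form as in step 1).
nginx_source_url() {
    printf 'https://nginx.org/download/nginx-%s.tar.gz\n' "$1"
}

# Return 0 if the `nginx -V` output lists --with-compat among the
# configure arguments.
has_with_compat() {
    case $1 in
        *--with-compat*) return 0 ;;
        *) return 1 ;;
    esac
}

# On a real host: query the installed binary and report what to download.
main() {
    version=$(parse_nginx_version "$(nginx -v 2>&1)")
    echo "installed nginx: $version"
    echo "source to build the module against: $(nginx_source_url "$version")"
    if has_with_compat "$(nginx -V 2>&1)"; then
        echo "binary built with --with-compat: a separately built module can load"
    else
        echo "warning: --with-compat missing from configure arguments; the module may be rejected" >&2
    fi
}

# Run only when nginx is on PATH, so the functions can also be sourced.
command -v nginx >/dev/null 2>&1 && main || true
```

Run it on the host where the module will be loaded; the URL it prints is the tarball to use in place of the fixed nginx-1.20.0 shown above.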

II. Configure nginx with modsecurity

1. Download modsecurity.conf-recommended and unicode.mapping from https://github.com/SpiderLabs/ModSecurity

$cp modsecurity.conf-recommended /etc/nginx/modsecurity.d/modsecurity.conf

$cp unicode.mapping /etc/nginx/modsecurity.d/unicode.mapping

2. Enable the rule engine:

$sed -i -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/nginx/modsecurity.d/modsecurity.conf

3. Download the OWASP CRS rules

$git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/nginx/modsecurity.d/modsecurity-crs

$cd /etc/nginx/modsecurity.d/modsecurity-crs

$cp crs-setup.conf.example crs-setup.conf

4. Create modsec_includes.conf in the modsecurity.d directory and add the lines below:

include modsecurity.conf

include modsecurity-crs/crs-setup.conf

include modsecurity-crs/rules/*.conf

5. Load the ModSecurity module and turn it on

Add the line below to the nginx.conf file:

load_module modules/ngx_http_modsecurity_module.so;

In the server context, turn ModSecurity on for the specified server:

server {

....

modsecurity on;

modsecurity_rules_file /etc/nginx/modsecurity.d/modsec_includes.conf;

....

}
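
Once steps 1 to 5 are done, it is worth confirming that the files actually say what the procedure expects: a failed sed leaves the engine in DetectionOnly mode, a missing load_module line means the module never loads, and a skipped cp in step 3 leaves an include pointing at nothing. The following checks are an added example, not part of the original post; the function names and the assumption that relative include paths resolve against the directory of modsec_includes.conf (which is how the post's own include lines are written) are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the files
# produced in section II. A typo in any of them leaves the WAF silently in
# DetectionOnly mode, never loaded, or missing part of its rule set.
set -eu

# Print the value of the first active SecRuleEngine directive in a file
# (On, Off or DetectionOnly); commented-out copies are ignored.
sec_rule_engine_mode() {
    grep -E '^[[:space:]]*SecRuleEngine[[:space:]]+' "$1" | awk 'NR == 1 { print $2 }'
}

# The same edit as the sed in step 2, but anchored to the directive itself so
# it cannot rewrite a comment or some other occurrence of the words.
enable_rule_engine() {
    sed -i -E 's/^([[:space:]]*SecRuleEngine)[[:space:]]+DetectionOnly/\1 On/' "$1"
}

# Return 0 if nginx.conf loads the ModSecurity dynamic module (step 5).
module_is_loaded() {
    grep -Eq '^[[:space:]]*load_module[[:space:]]+.*ngx_http_modsecurity_module\.so;' "$1"
}

# Return 0 if a site file both turns ModSecurity on and names a rules file.
server_has_modsecurity() {
    grep -Eq '^[[:space:]]*modsecurity[[:space:]]+on;' "$1" &&
        grep -Eq '^[[:space:]]*modsecurity_rules_file[[:space:]]+' "$1"
}

# Print every include target of modsec_includes.conf that resolves to
# nothing. Assumption: relative paths resolve against the directory of the
# including file, as the post's include lines rely on; globs such as
# rules/*.conf are expanded by the shell.
missing_includes() {
    conf=$1
    dir=$(dirname "$conf")
    grep -Ei '^[[:space:]]*include[[:space:]]+' "$conf" | awk '{ print $2 }' |
        while IFS= read -r path; do
            case $path in
                /*) pattern=$path ;;
                *)  pattern=$dir/$path ;;
            esac
            # Expand the glob; an unmatched glob stays literal and fails -e.
            set -- $pattern
            [ -e "$1" ] || printf '%s\n' "$pattern"
        done
}

# On a real host, run the checks against the paths used in the post and
# finish with nginx's own syntax test, which also parses the rule set.
main() {
    d=/etc/nginx/modsecurity.d
    echo "SecRuleEngine is: $(sec_rule_engine_mode "$d/modsecurity.conf")"
    module_is_loaded /etc/nginx/nginx.conf || echo "load_module line missing in nginx.conf" >&2
    missing=$(missing_includes "$d/modsec_includes.conf")
    [ -z "$missing" ] || { echo "include targets that do not exist:" >&2; echo "$missing" >&2; }
    nginx -t
}

# Only touch the live configuration when it exists.
[ -d /etc/nginx/modsecurity.d ] && main || true
```

server_has_modsecurity takes the site file that carries the server block, for example the file under /etc/nginx/sites-enabled that the modsecurity on; line was added to.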

6. Application-Specific Rule Exclusions

If your server runs WordPress, add the lines below to the end of crs-setup.conf:

SecAction \
  "id:900130,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.crs_exclusions_wordpress=1"

If your WordPress site is served under a specific host name (www.domain.com, say) and the Host header sent by the visitor's browser matches it, ModSecurity applies the WordPress rule exclusions for that host only. Copy the example file and add a rule keyed on the Host header:

$cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

Add the line below to the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file:

SecRule REQUEST_HEADERS:Host "@streq blog.yourdomain.com" "id:1000,phase:1,setvar:tx.crs_exclusions_wordpress=1"

IP whitelisting

SecRule REMOTE_ADDR "^12\.34\.56\.78" "id:1004,phase:1,allow,ctl:ruleEngine=off"

ModSecurity will be disabled for requests from this IP: 12.34.56.78

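Two things about these local rules catch people out. The allow rule above compares REMOTE_ADDR as text with a regular expression; ModSecurity's @ipMatch operator compares it as an address, which is the form to prefer for an allow-list. And every rule id, including ids 1000 and 1004 used here, must be unique across everything loaded, or ModSecurity refuses the whole rule set when nginx starts. The script below is an added example, not part of the original post: it rewrites a regex-based allow rule to @ipMatch (assuming the same action list the post uses) and reports duplicate ids across a set of rule files. Function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: two checks on the local rules
# from section 6. First, an IPv4 allow-list written as a regex on REMOTE_ADDR
# ("^12\.34\.56\.78") is rewritten to the @ipMatch operator, which compares
# the address as an address rather than as text. Second, every rule id must
# be unique across the loaded rule set, or ModSecurity rejects the whole
# configuration when nginx starts.
set -eu

# From a line such as
#   SecRule REMOTE_ADDR "^12\.34\.56\.78" "id:1004,phase:1,allow,ctl:ruleEngine=off"
# print the address with the regex escaping removed (12.34.56.78).
# Prints nothing for lines that are not a regex match on REMOTE_ADDR.
remote_addr_literal() {
    printf '%s\n' "$1" |
        sed -nE 's/^[[:space:]]*SecRule[[:space:]]+REMOTE_ADDR[[:space:]]+"\^?([0-9.\\]+)\$?".*/\1/p' |
        tr -d '\\'
}

# Print the numeric id of a single rule line.
rule_id_of() {
    printf '%s\n' "$1" | grep -oE 'id:[0-9]+' | head -n 1 | cut -d: -f2
}

# Build the @ipMatch form of the allow rule. The action list is the one used
# in the post; it is assumed here that the rule being rewritten uses it too.
ipmatch_allow_rule() {
    printf 'SecRule REMOTE_ADDR "@ipMatch %s" "id:%s,phase:1,allow,ctl:ruleEngine=off"\n' "$2" "$1"
}

# Rewrite one regex-based allow rule to @ipMatch; other lines pass through.
rewrite_allow_rule() {
    ip=$(remote_addr_literal "$1")
    if [ -n "$ip" ]; then
        ipmatch_allow_rule "$(rule_id_of "$1")" "$ip"
    else
        printf '%s\n' "$1"
    fi
}

# Print every rule id that appears more than once across the given files.
# Whole-line comments are skipped, so commented-out examples do not count.
duplicate_rule_ids() {
    grep -hvE '^[[:space:]]*#' "$@" | grep -oE 'id:[0-9]+' | cut -d: -f2 | sort | uniq -d
}

# On a real host, check the files the post edits together with the CRS rules
# loaded alongside them, since a local id must not collide with those either.
main() {
    d=/etc/nginx/modsecurity.d
    dups=$(duplicate_rule_ids "$d"/modsecurity-crs/crs-setup.conf "$d"/modsecurity-crs/rules/*.conf)
    [ -z "$dups" ] || { echo "duplicate rule ids:" >&2; echo "$dups" >&2; }
    while IFS= read -r line; do rewrite_allow_rule "$line"; done \
        < "$d/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
}

# Only read the live rule set when it exists.
[ -d /etc/nginx/modsecurity.d/modsecurity-crs ] && main || true
```

The rewritten rule is printed rather than written back, so the result can be reviewed before it replaces the regex version in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.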
Reference

https://www.linuxbabe.com/security/modsecurity-apache-debian-ubuntu

https://mkyong.com/nginx/nginx-modsecurity-and-owasp-crs/

https://mkyong.com/blog/mod_security-blocking-my-ip-when-editing-post-in-wordpress/