ModSecurity & nginx


#1

prerequisites

ModSecurity (libmodsecurity)

apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

clone libmodsecurity

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

Compile

cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

Nginx connector

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

nginx -v

download the nginx source code for the exact version printed above (a dynamic module only loads into an nginx built from the same version, and both builds need --with-compat)

cd nginx-1.xxxx
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
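
The step above depends on picking the right source tarball by hand. The script below is an added example (not part of the original notes) that reads the installed nginx version, refuses to continue if the installed binary lacks --with-compat, downloads the matching source from nginx.org and runs the same configure/make modules commands. The function names, the /usr/local/src working directory and the expectation that ModSecurity-nginx was cloned into /usr/local/src (so ../ModSecurity-nginx resolves) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: build ngx_http_modsecurity_module.so
# against the nginx version that is actually installed.
# Assumptions: nginx is on PATH, /usr/local/src is writable and already contains
# the ModSecurity-nginx checkout, outbound HTTPS to nginx.org works.
set -eu

# Extract "1.18.0" from the line nginx -v prints, e.g. "nginx version: nginx/1.18.0 (Ubuntu)".
# Pure string function so it can be tested without nginx installed.
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\/\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the configure arguments contain --with-compat, 1 otherwise.
# Without it on the installed binary, the module built here is rejected at load_module time.
has_with_compat() {
    case " $1 " in
        *" --with-compat "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Download URL of the official source tarball for a given version.
nginx_source_url() {
    printf 'https://nginx.org/download/nginx-%s.tar.gz\n' "$1"
}

main() {
    # nginx writes its version banner to stderr
    ver_line=$(nginx -v 2>&1)
    version=$(parse_nginx_version "$ver_line")
    [ -n "$version" ] || { echo "could not parse nginx version from: $ver_line" >&2; exit 1; }

    cfg_args=$(nginx -V 2>&1 | sed -n 's/^configure arguments: //p')
    if ! has_with_compat "$cfg_args"; then
        echo "installed nginx was built without --with-compat; a dynamic module will not load" >&2
        exit 1
    fi

    cd /usr/local/src
    wget -q "$(nginx_source_url "$version")"
    tar xzf "nginx-$version.tar.gz"
    cd "nginx-$version"
    # same commands as the notes, now guaranteed to run against the matching version
    ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
    make modules
    install -m 644 objs/ngx_http_modsecurity_module.so /etc/nginx/modules/
    echo "built module for nginx $version"
}

# Only build when invoked with "run", so the helper functions can be sourced or tested alone.
if [ "${1:-}" = "run" ]; then
    main "$@"
fi
```

Save it as build-modsec-module.sh and run `sh build-modsec-module.sh run` on the host whose nginx will load the module; the version and --with-compat checks are what catch the common "module version mismatch" failure at reload time.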

configuration

add this line to /etc/nginx/nginx.conf (load_module belongs in the main context, before the events and http blocks)

load_module "modules/ngx_http_modsecurity_module.so";

configure modsecurity

  1. recommended ModSecurity configuration

    mkdir /etc/nginx/modsec
    wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
    mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
    
  2. change from detection-only mode to actively dropping traffic

    sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
    
  3. put following text in /etc/nginx/modsec/main.conf

    # Edit to set SecRuleEngine On
    Include "/etc/nginx/modsec/modsecurity.conf"
    
    # basic test rule
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
    
  4. Final nginx config

  5. Enable modsec in config

    server {
      # ....
      modsecurity on;
      modsecurity_rules_file /etc/nginx/modsec/main.conf;
    }
    
  6. reload

    nginx -t && nginx -s reload
    
  7. Test

    curl -i 'http://localhost/?testparam=test'   # rule 1234 should answer with HTTP 403
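
A verification script for steps 1 to 7, added here and not part of the original notes. It checks that the test rule fires (403 on the probe request), that an ordinary request still passes (200), and that the denial was written to the audit log under rule id 1234. It assumes nginx listens on http://localhost and that the audit log lives at /var/log/modsec_audit.log, the SecAuditLog path in modsecurity.conf-recommended; BASE_URL and AUDIT_LOG are hypothetical variables you can override.

```shell
#!/bin/sh
# Added example, not from the original notes: confirm the WAF is on, blocks the
# probe, and does not block ordinary traffic.
set -eu

BASE_URL="${BASE_URL:-http://localhost}"
# Assumed default from modsecurity.conf-recommended; override if you changed SecAuditLog.
AUDIT_LOG="${AUDIT_LOG:-/var/log/modsec_audit.log}"

# Fetch only the HTTP status code for a URL (000 if the connection fails).
status_of() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Map (benign status, probe status) to a verdict: ok, engine-off, over-blocking or unexpected.
# Pure function so the decision logic can be tested without a running server.
judge() {
    benign="$1"; probe="$2"
    if [ "$benign" = "200" ] && [ "$probe" = "403" ]; then echo ok
    elif [ "$benign" = "200" ] && [ "$probe" = "200" ]; then echo engine-off
    elif [ "$benign" = "403" ]; then echo over-blocking
    else echo unexpected
    fi
}

main() {
    # "hello" does not satisfy "@contains test", so this request must pass
    benign=$(status_of "$BASE_URL/?testparam=hello")
    probe=$(status_of "$BASE_URL/?testparam=test")
    verdict=$(judge "$benign" "$probe")
    echo "benign=$benign probe=$probe verdict=$verdict"
    case "$verdict" in
        ok) ;;
        engine-off)
            echo "rule 1234 did not fire: check 'SecRuleEngine On' in modsecurity.conf and 'modsecurity on;' in the server block" >&2
            exit 1 ;;
        over-blocking)
            echo "an ordinary request was denied: review the loaded rules before keeping SecRuleEngine On" >&2
            exit 1 ;;
        *)
            echo "unexpected status codes; is nginx running on $BASE_URL?" >&2
            exit 1 ;;
    esac
    # libmodsecurity logs denials as '... [id "1234"] ...' in the audit log's H section
    if [ -r "$AUDIT_LOG" ] && grep -q 'id "1234"' "$AUDIT_LOG"; then
        echo "audit log entry for rule 1234 found in $AUDIT_LOG"
    else
        echo "no audit log entry for rule 1234 (check SecAuditEngine and SecAuditLog in modsecurity.conf)" >&2
    fi
}

# Only probe the server when invoked with "run", so judge() can be sourced or tested alone.
if [ "${1:-}" = "run" ]; then
    main "$@"
fi
```

Run it as `sh verify-modsec.sh run` right after the reload; running it again after every rules change is a cheap way to notice that the engine was left in DetectionOnly or that a new rule denies normal requests.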
    

:memo: more info: https://www.nginx.com/blog/modsecurity-logging-and-debugging/ and the NGINX blog post "ModSecurity 3.0 and NGINX: Getting Started"

:goal_net: Should read next: deploy the OWASP Core Rule Set (CRS)

SecRemoveRuleById