Prerequisites (Debian/Ubuntu; the package names below are apt names — adjust for other distributions)
ModSecurity (libmodsecurity)
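# Build dependencies for libmodsecurity on Debian/Ubuntu. The PCRE package is
# libpcre++-dev (a missing leading "l" makes apt abort the whole install).
# NOTE(review): newer v3 releases can build against PCRE2 (libpcre2-dev) —
# check the release notes for the tag you build.
apt-get install -y apt-utils autoconf automake build-essential git \
  libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool \
  libxml2-dev libyajl-dev pkgconf wget zlib1g-dev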
Clone libmodsecurity (the ModSecurity v3 library)
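# Git ref of libmodsecurity to build. v3/master is the moving development
# branch; for a reproducible, reviewable build pin this to a release tag
# (see the repository's tags) and keep the commit hash with your build notes.
# NOTE(review): GitHub redirects the SpiderLabs URL to the project's current
# home under the OWASP organization — confirm where it lands before trusting it.
MODSEC_REF="${MODSEC_REF:-v3/master}"
git clone --depth 1 -b "${MODSEC_REF}" --single-branch https://github.com/SpiderLabs/ModSecurity
# Record exactly which commit was built (supply-chain traceability).
git -C ModSecurity rev-parse HEAD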
Compile
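# Build and install libmodsecurity. The steps are chained so that a failure
# stops the sequence instead of running "make install" on a broken tree.
cd ModSecurity \
  && git submodule update --init \
  && ./build.sh \
  && ./configure \
  && make -j"$(nproc)" \
  && make install
# The library installs under /usr/local/modsecurity by default (presumably
# where the nginx connector's config looks for it — verify if the module
# build below fails to find libmodsecurity). Only "make install" needs root.
# Return to the parent directory so the connector clone below lands next to
# ModSecurity/ and the ../ModSecurity-nginx path used by nginx's configure resolves.
cd ..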
Nginx connector
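# Clone the nginx connector next to ModSecurity/ so that the
# --add-dynamic-module=../ModSecurity-nginx path used below resolves from
# inside the nginx source tree. This clones the default branch unpinned;
# for a reproducible build pin to a release tag with -b <tag>.
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
# Record exactly which commit of the connector was built.
git -C ModSecurity-nginx rev-parse HEAD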
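# Print the installed nginx version. The connector must be built against the
# source of exactly this version: nginx refuses to load a dynamic module built
# for a different version. `nginx -V` additionally shows the distro's configure
# arguments if you need to match them.
nginx -v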
Download the nginx source tarball for the installed version (from https://nginx.org/download/) and verify its PGP signature before unpacking; then build the connector as a dynamic module:
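# Build the connector as a dynamic module against the *same* nginx version
# that is installed; nginx refuses to load a module built for another version.
# `nginx -v` prints "nginx version: nginx/X.Y.Z" on stderr.
NGINX_VERSION="$(nginx -v 2>&1 | sed -E 's#.*nginx/([0-9.]+).*#\1#')"
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" \
     "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc"
# Verify the tarball signature before unpacking. Import the nginx signing key
# from https://nginx.org/keys/ beforehand and check its fingerprint out of band;
# gpg fails (and stops the build) if the key is missing or the signature is bad.
gpg --verify "nginx-${NGINX_VERSION}.tar.gz.asc" "nginx-${NGINX_VERSION}.tar.gz"
tar xzf "nginx-${NGINX_VERSION}.tar.gz"
cd "nginx-${NGINX_VERSION}"
# --with-compat lets the module load into a distro nginx that was itself built
# with --with-compat; ../ModSecurity-nginx is the connector cloned alongside.
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
# The module directory must be root-owned and not writable by the nginx worker
# user — anything here is loaded into the master process.
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules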
configuration
Add the following line at the top of /etc/nginx/nginx.conf (main context, outside the events/http blocks):
# Load the ModSecurity connector. load_module is only valid in the main
# (top-level) context; nginx -t will reject it inside events/http.
load_module "modules/ngx_http_modsecurity_module.so";
configure modsecurity
-
recommended ModSecurity configuration
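# Fetch the recommended base configuration. Use the same branch/tag as the
# libmodsecurity checkout above (v3/master here): the "master" branch is the
# v2 line and its config may contain directives libmodsecurity v3 does not
# accept. Pin to a tag and review the file before use — it is executed as
# configuration by the engine.
MODSEC_RAW="https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master"
mkdir -p /etc/nginx/modsec
wget -P /etc/nginx/modsec/ "${MODSEC_RAW}/modsecurity.conf-recommended"
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
# modsecurity.conf references unicode.mapping (SecUnicodeMapFile); fetch it
# alongside, otherwise loading the configuration may fail.
wget -P /etc/nginx/modsec/ "${MODSEC_RAW}/unicode.mapping"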
-
Change from detection-only mode (log but allow) to actively blocking matching requests:
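# Switch the engine from DetectionOnly (log only) to On (block). With a broad
# rule set such as CRS, run in DetectionOnly first and review the audit log
# before flipping this — going straight to On can block legitimate traffic.
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
# Fail loudly if the substitution did not take effect (e.g. upstream changed
# the default line); otherwise the WAF silently stays in log-only mode.
grep -q '^SecRuleEngine On' /etc/nginx/modsec/modsecurity.conf \
  || echo 'WARNING: SecRuleEngine is not set to On in modsecurity.conf' >&2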
-
Put the following text in /etc/nginx/modsec/main.conf (the file nginx is pointed at below):
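# Edit modsecurity.conf to set SecRuleEngine On (the recommended file ships
# with DetectionOnly); this file only includes it and adds local rules.
Include "/etc/nginx/modsec/modsecurity.conf"

# Basic test rule: deny with 403 any request whose "testparam" argument
# contains "test". It exists only to verify that blocking works — remove it
# once a real rule set (e.g. OWASP CRS) is in place.
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"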
-
Final nginx config
-
Enable modsec in config
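server {
    # ....

    # Enable the ModSecurity engine for this server block and point it at the
    # rule entry file. Both directives may also be set per location if only
    # part of the site should be inspected.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}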
-
reload
# Validate the configuration first and reload only if the syntax check passes,
# so a broken config never takes the running server down.
if nginx -t; then
  nginx -s reload
fi
-
Test
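# The test rule in main.conf must block this request with HTTP 403. The URL is
# quoted so the shell does not treat "?" as a glob character.
curl -sS -o /dev/null -w '%{http_code}\n' 'http://localhost/?testparam=test'   # expect 403
# A request that does not trip the rule must still be served — this confirms
# the engine is On but not blocking everything.
curl -sS -o /dev/null -w '%{http_code}\n' 'http://localhost/?testparam=safe'   # expect the site's normal status, not 403
# If the results differ, check the audit log (path set by SecAuditLog in
# modsecurity.conf) before changing anything else.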
More info: https://www.nginx.com/blog/modsecurity-logging-and-debugging/ and the NGINX guide "ModSecurity 3.0 and NGINX: Getting Started".
Next step: deploy the OWASP Core Rule Set (CRS) — the basic test rule above provides no real protection on its own.
Tune false positives with SecRuleRemoveById (note the directive is SecRuleRemoveById, not SecRemoveRuleById) rather than by switching the engine back to DetectionOnly.