LibModSecurity (ModSecurity v3) is a free and open source web application firewall (WAF) library that can be used to protect Nginx servers from common web attacks. Combined with the OWASP ModSecurity Core Rule Set (CRS) it detects SQL injection, cross-site scripting, web shells and Trojans, and more. It works by inspecting HTTP traffic in real time and matching each request against the CRS rules, blocking those that match. LibModSecurity has connectors for Apache, Nginx, and IIS and builds on Debian, Ubuntu, and CentOS.
In this tutorial, we'll show you how to download and compile LibModSecurity and build Nginx with LibModSecurity support on CentOS 8.
Requirements
- CentOS 8 server.
- Root access, or a user with sudo privileges.
Before starting
Before starting, update your server to the latest version with the following command:
dnf update
After updating, reboot the server so that any new kernel and libraries take effect.
Install required repositories and dependencies
First, install the EPEL and REMI repositories. You can install them with the following commands:
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
Next, install all required build dependencies with the following command:
dnf install gcc-c++ flex bison yajl curl-devel zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config wget openssl openssl-devel nano
Once those packages are installed, install the remaining dependencies from the PowerTools repository:
dnf --enablerepo=PowerTools install doxygen yajl-devel
On CentOS 8.3 and later the repository id is lowercase, so use --enablerepo=powertools there.
Install GeoIP using the REMI repository by running the following command:
dnf --enablerepo=remi install GeoIP-devel
Once all packages are installed, you can move to the next step.
Download and compile LibModSecurity
First, you will need to download and compile the LibModSecurity source on your system. Change to the /opt directory and clone the latest v3 code from the Git repository:
cd /opt/
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
Enter the ModSecurity directory and fetch the libinjection code, which is pulled in as a Git submodule, with the following commands:
cd ModSecurity
git submodule init
git submodule update
Configure LibModSecurity with the following commands:
./build.sh
./configure
Finally, compile and install LibModSecurity with the following commands (the build takes a while; make -j$(nproc) uses all CPU cores):
make
make install
At this point, LibModSecurity has been installed on the system. You can now proceed with building Nginx with LibModSecurity support.
Download Nginx and compile it with LibModSecurity support
First, you will need to create a system user and group for Nginx. You can create it with the following command:
useradd -r -M -s /sbin/nologin -d /usr/local/nginx nginx
Next, you need to download Nginx and compile it with LibModsecurity support.
To do this, first download the ModSecurity-nginx connector from the Git repository with the following commands:
cd /opt
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
After that, download the Nginx source tarball (1.17.6 was the current mainline release when this was written; fetch it over HTTPS, and nginx.org also publishes a .asc PGP signature next to each tarball if you want to verify it):
wget https://nginx.org/download/nginx-1.17.6.tar.gz
Once downloaded, extract the downloaded files with the following command:
tar -xvzf nginx-1.17.6.tar.gz
Next, go to the Nginx directory and configure it with the following commands. --add-module compiles the ModSecurity connector statically into the binary; --with-debug enables the debug log and can be dropped for a production build:
cd nginx-1.17.6
./configure --user=nginx --group=nginx --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx
Then compile and install Nginx with the following commands:
make
make install
At this point, Nginx has been installed with LibModsecurity support. You may now proceed to configure Nginx.
Configure Nginx with ModSecurity
First, copy the recommended ModSecurity configuration file and the unicode mapping file from the ModSecurity source directory into the Nginx configuration directory.
You can copy them with the following commands:
cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /opt/ModSecurity/unicode.mapping /usr/local/nginx/conf/
Next, create a symbolic link to the Nginx binary in /usr/sbin/ so that it is on the default PATH:
ln -s /usr/local/nginx/sbin/nginx /usr/sbin/
Next, create the Nginx log directory, which will hold the access log, the error log and the ModSecurity audit log:
mkdir /var/log/nginx
Next, open the Nginx configuration file with the following command:
nano /usr/local/nginx/conf/nginx.conf
Make the following changes (replace your_server_ip_or_domain with the IP address, hostname or domain of your server):
user nginx;
worker_processes 1;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name your_server_ip_or_domain;

        modsecurity on;
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        location / {
            root html;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
If you have multiple domains and want to make your own settings for each, please see our guide on how to create server blocks in Nginx.
Save and close the file when done. Next, check Nginx for any syntax errors with the following command:
nginx -t
You will see the following result:
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
At this point, Nginx is configured. You can proceed to create a systemd file for Nginx.
Create a Systemd Service File for Nginx
Next, you need to create a systemd file to manage the Nginx service. You can create it with the following command:
nano /etc/systemd/system/nginx.service
Add the following lines:
[Unit]
Description=The nginx server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Save and close the file when done. After that, restart the systemd daemon with the following command:
systemctl daemon-reload
After that, start the Nginx service and enable it to start at boot. A single command does both:
systemctl enable --now nginx
You will see the following result:
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /etc/systemd/system/nginx.service.
After that, check the Nginx service with the following command:
systemctl status nginx
You will see the following result:
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-12-30 10:20:01 EST; 41s ago
  Process: 17730 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 17728 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 17727 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 17732 (nginx)
    Tasks: 2 (limit: 6102)
   Memory: 5.0M
   CGroup: /system.slice/nginx.service
           ├─17732 nginx: master process /usr/sbin/nginx
           └─17733 nginx: worker process

Dec 30 10:20:00 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 30 10:20:00 nginx nginx[17728]: nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
Dec 30 10:20:00 nginx nginx[17728]: nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Dec 30 10:20:01 nginx systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Dec 30 10:20:01 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.
At this point, Nginx is up and running. The "Failed to parse PID from file" line is a harmless race: with Type=forking, systemd sometimes reads /run/nginx.pid before the master process has finished writing it, and it picks up the PID once the file is complete. You can now proceed to configure ModSecurity.
Configure ModSecurity and enable blocking
By default, ModSecurity runs in detection-only mode: it logs rule matches but does not block anything. Before switching to blocking, it is worth running in this mode for a while and reviewing the audit log for rules that fire on legitimate traffic, so that you can tune them instead of breaking the site. To enable blocking, edit the file modsecurity.conf:
nano /usr/local/nginx/conf/modsecurity.conf
Find the following line:
SecRuleEngine DetectionOnly
And replace it with the following line:
SecRuleEngine On
Next, find the audit log location:
SecAuditLog /var/log/modsec_audit.log
And replace it with the following line so that the audit log lives next to the other Nginx logs:
SecAuditLog /var/log/nginx/modsec_audit.log
Save and close the file when done.
After that, download the OWASP ModSecurity Core Rule Set (CRS) from its Git repository with the following command. The project has since moved to https://github.com/coreruleset/coreruleset, to which the old URL redirects; for a reproducible deployment, check out a tagged release (git clone -b <tag>) rather than the default branch:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/local/nginx/conf/owasp-crs
After downloading, rename the example configuration file crs-setup.conf.example to crs-setup.conf with the following command:
mv /usr/local/nginx/conf/owasp-crs/crs-setup.conf.example /usr/local/nginx/conf/owasp-crs/crs-setup.conf
Next, configure ModSecurity to load these rules by editing the file /usr/local/nginx/conf/modsecurity.conf:
nano /usr/local/nginx/conf/modsecurity.conf
Add the following lines at the end of the file. The order matters: crs-setup.conf defines the variables the rule files depend on, so it must come first.
Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf
Save and close the file when done. Run nginx -t again to make sure the rule set loads without errors, then restart the Nginx service to apply the changes:
systemctl restart nginx
Test the ModSecurity setup
ModSecurity is installed and configured. It's time to test whether the setup is working.
To test ModSecurity against a command injection payload, open a web browser and visit the URL http://localhost/index.html?exec=/bin/bash (the CRS recognises /bin/bash as Unix shell code). You should receive a 403 Forbidden error.
To test ModSecurity's response to a cross-site scripting (XSS) attack, open a terminal and run curl with the XSS payload in the query string. Quote the whole URL so the shell does not treat the > characters as redirections:
curl 'http://localhost/?q="><script>alert(1)</script>'
If you get the following output, ModSecurity has detected the attack and blocked it. The matching rules and the request are also recorded in /var/log/nginx/modsec_audit.log.
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>
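Once the WAF is live, the audit log at /var/log/nginx/modsec_audit.log is where you confirm what was actually denied and, while still in DetectionOnly mode, which rules fire on legitimate traffic. The following Python script is an added example for this tutorial, not code from the page or from the ModSecurity project. It parses the ModSecurity v3 serial audit log format (parts delimited by ---token---X-- lines), counts rule hits, lists denied requests, and reports rules that fired on traffic from clients you trust, such as your own functional-test runner. The embedded log is constructed for the example and trimmed to the fields the parser reads; the IP addresses, boundary tokens and the trusted-client set are assumptions.

```python
"""Summarise a ModSecurity v3 serial audit log: rule hits, denied requests, and
rules that fired on traffic from clients known to be benign.  Added example; not
code from this tutorial or the ModSecurity project."""
import re
from collections import Counter
from dataclasses import dataclass, field

BOUNDARY = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$")  # e.g. ---Aa1b2c3d---B--
PART_A = re.compile(r"^\[[^\]]+\] \S+ (?P<client>\S+) \d+ \S+ \d+")  # [ts] uid client port ...
STATUS = re.compile(r"^HTTP/\d\.\d (\d{3})")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')


@dataclass
class Transaction:
    token: str                 # boundary token shared by all parts of one request
    client: str = ""
    request_line: str = ""
    status: int = 0
    denied: bool = False       # "Access denied" seen in part H (only with SecRuleEngine On)
    rule_ids: list = field(default_factory=list)
    messages: list = field(default_factory=list)


def _split_parts(text):
    """Group lines by (boundary token, part letter), keeping first-seen order."""
    parts, order, current = {}, [], None
    for line in text.splitlines():
        if m := BOUNDARY.match(line):
            token, letter = m.groups()
            if token not in parts:
                parts[token] = {}
                order.append(token)
            current = parts[token].setdefault(letter, [])
        elif current is not None:
            current.append(line)
    return [(token, parts[token]) for token in order]


def parse_audit_log(text):
    """Read part A (connection), B (request line), F (response status), H (rule hits)."""
    txs = []
    for token, parts in _split_parts(text):
        tx = Transaction(token)
        for line in parts.get("A", []):
            if m := PART_A.match(line):
                tx.client = m["client"]
        if parts.get("B"):
            tx.request_line = parts["B"][0]
        for line in parts.get("F", []):
            if m := STATUS.match(line):
                tx.status = int(m.group(1))
        for line in parts.get("H", []):
            if line.startswith("ModSecurity:"):
                tx.rule_ids += RULE_ID.findall(line)
                tx.messages += RULE_MSG.findall(line)
                tx.denied |= "Access denied" in line
        txs.append(tx)
    return txs


def rule_hit_counts(txs):
    """Hits per rule id across all transactions; the top entries are the tuning list."""
    return Counter(rid for tx in txs for rid in tx.rule_ids)


def denied_requests(txs):
    return [(tx.client, tx.request_line, tx.status) for tx in txs if tx.denied]


def candidate_false_positives(txs, trusted_clients):
    """Rules that fired on requests from clients that only send legitimate traffic,
    e.g. your own functional tests replayed while SecRuleEngine is DetectionOnly."""
    return Counter(rid for tx in txs if tx.client in trusted_clients for rid in tx.rule_ids)


# Constructed sample in the format of /var/log/nginx/modsec_audit.log, trimmed to the
# fields read above.  Addresses and boundary tokens are made up for this example.
SAMPLE_LOG = """\
---Aa1b2c3d---A--
[30/Dec/2019:10:25:01 -0500] 157769910134.567890 203.0.113.10 51234 10.0.0.5 80
---Aa1b2c3d---B--
GET /index.html?exec=/bin/bash HTTP/1.1
Host: localhost
---Aa1b2c3d---F--
HTTP/1.1 403
---Aa1b2c3d---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "2"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
---Aa1b2c3d---Z--

---Bb2c3d4e---A--
[30/Dec/2019:10:27:40 -0500] 157769926033.654321 10.0.0.7 40112 10.0.0.5 80
---Bb2c3d4e---B--
GET /index.html HTTP/1.1
Host: 10.0.0.5
---Bb2c3d4e---F--
HTTP/1.1 200
---Bb2c3d4e---H--
ModSecurity: Warning. Matched "Operator `Rx' against variable `REQUEST_HEADERS:Host' (Value: `10.0.0.5' ) [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
---Bb2c3d4e---Z--
"""

if __name__ == "__main__":
    txs = parse_audit_log(SAMPLE_LOG)
    print("rule hits:", rule_hit_counts(txs).most_common())
    print("denied:", denied_requests(txs))
    print("fired on trusted clients:", candidate_false_positives(txs, {"10.0.0.7"}))
```

To run it against the real file, read /var/log/nginx/modsec_audit.log into a string and pass it to parse_audit_log. In the sample, the second request is the kind of thing tuning is for: a legitimate client from the internal network triggers rule 920350 because it used the server's IP address as the Host header, which only adds 3 points to the anomaly score and is not blocked, but would show up as noise in every report until it is excluded or the client is fixed.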
Conclusion
Congratulations! You have successfully compiled LibModSecurity and built Nginx with ModSecurity support. Your server now blocks requests that match the OWASP Core Rule Set; keep an eye on the audit log for false positives and keep the rule set up to date. For more information, see the ModSecurity documentation.
Originally posted 2020-11-18 12:57:11.