How to install LibModsecurity WAF app on Nginx CentOS 8

LibModSecurity is a free and open source web application firewall application that can be used to protect Nginx servers from various types of cyber attacks. It comes with a basic set of rules including SQL injection, cross-site scripting, Trojans, and more. It works by monitoring HTTP traffic in real time and countering vulnerabilities with the OWASP ModSecurity base set of rules. LibModSecurity works with Apache, Nginx, and IIS and is also compatible with Debian, Ubuntu, and CentOS.

In this tutorial, we’ll show you how to download and bundle LibModSecurity with Nginx support on CentOS 8.

Requirements

• CentOS 8 server.
• Log in as root or a user with sudo privileges.

Before starting

Before starting, update your server to the latest version with the following command:

dnf update

After updating your server, restart it to reduce system errors.

Install required repositories and dependencies

First, install the EPEL and REMI repositories on the system. You can install it with the following command:

dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
 dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm

The next step proves all required dependencies with the following command:

dnf install gcc-c++ flex bison yajl curl-devel zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config wget openssl openssl-devel nano

Once all packages are installed, you can install other dependencies using the PowerTool repository:

dnf --enablerepo=PowerTools install doxygen yajl-devel

Install GeoIP using the REMI repository by running the following command:

dnf --enablerepo=remi install GeoIP-devel

Once all packages are installed, you can move to the next step.

Download and translate LibModsecurity

First, you will need to download and compile the LibModsecurity source on your system. To do this, go to the manual /opt And download the latest version of LibModsecurity from the Git repositories:

cd /opt/
 git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

Enter the directory ModSecurity And download the code libInjection With the following command:

cd ModSecurity
 git submodule init
 git submodule update

Configure LibModsecurity with the following command:

./build.sh
 ./configure

Finally, compile and install LibModSecurity with the following command:

make
 make install

At this point, LibModsecurity has been installed on the system. You can now proceed with installing Nginx with LibModsecurity support.

Download Nginx and translate it using LibModsecurity support

First, you will need to create a system user and group for Nginx. You can create it with the following command:

useradd -r -M -s /sbin/nologin -d /usr/local/nginx nginx

Next, you need to download Nginx and compile it with LibModsecurity support.

To do this, first download the ModSecurity-nginx connector from the Git repository with the following command:

cd /opt
 git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

After that, download the latest version of Nginx with the following command:

wget http://nginx.org/download/nginx-1.17.6.tar.gz

Once downloaded, extract the downloaded files with the following command:

tar -xvzf nginx-1.17.6.tar.gz

Next, go to the Nginx directory and configure it with the following command:

cd nginx-1.17.6
./configure --user=nginx --group=nginx --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx

Then install Nginx with the following command:

make
 make install

At this point, Nginx has been installed with LibModsecurity support. You may now proceed to configure Nginx.

Configure Nginx with ModSecurity

First you need to copy the ModSecurity sample configuration file from the source Nginx directory to the Nginx configuration directory.

You can copy it with the following command:

cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
 cp /opt/ModSecurity/unicode.mapping /usr/local/nginx/conf/

Next, create a symbolic link from the Nginx binary to the /usr/sbin/ With the following command:

ln -s /usr/local/nginx/sbin/nginx /usr/sbin/

Next, create the Nginx log directory, this directory functions to log all the accesses and errors in Nginx, to create the Nginx log directory, use the following command:

mkdir /var/log/nginx

Next, open the Nginx configuration file with the following command:

nano /usr/local/nginx/conf/nginx.conf

Make the following changes:

user  nginx;
worker_processes  1;
pid  /run/nginx.pid;
events {
    worker_connections  1024;
}


http {
    include	  mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
	listen       80;
        server_name  ganti_dengan_alamat_IP_atau_hostname_atau_domain;
        modsecurity  on;
        modsecurity_rules_file  /usr/local/nginx/conf/modsecurity.conf;
        access_log  /var/log/nginx/access.log;
        error_log  /var/log/nginx/error.log;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

If you have multiple domains and want to make your own settings for each, please see our guide on how to create server blocks in Nginx.

Save and close the file when done. Next, check Nginx for any syntax errors with the following command:

nginx -t

You will see the following result:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

At this point, Nginx is configured. You can proceed to create a systemd file for Nginx.

Create a Systemd Service File for Nginx

Next, you need to create a systemd file to manage the Nginx service. You can create it with the following command:

nano /etc/systemd/system/nginx.service

Add the following line:

[Unit]
Description=The nginx server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Save and close the file when done. After that, restart the systemd daemon with the following command:

systemctl daemon-reload

After that, start the Nginx service and enable it to start after restarting the system with the following command:

systemctl start nginx
 systemctl enable --now nginx

You will see the following result:

Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /etc/systemd/system/nginx.service.

After that, check the Nginx service with the following command:

systemctl status nginx

You will see the following result:

? nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-12-30 10:20:01 EST; 41s ago
  Process: 17730 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 17728 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 17727 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 17732 (nginx)
    Tasks: 2 (limit: 6102)
   Memory: 5.0M
   CGroup: /system.slice/nginx.service
           ??17732 nginx: master process /usr/sbin/nginx
           ??17733 nginx: worker process

Dec 30 10:20:00 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 30 10:20:00 nginx nginx[17728]: nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
Dec 30 10:20:00 nginx nginx[17728]: nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Dec 30 10:20:01 nginx systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Dec 30 10:20:01 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.

At this point, Nginx is up and running. You can now proceed to configure ModSecurity.

Configure safe mode

By default, ModSecurity is set to detection mode only. Therefore, you have to make some changes to the ModSecurity rules. You can do this by editing a file modsecurity.conf:

nano /usr/local/nginx/conf/modsecurity.conf

Find the following line:

SecRuleEngine DetectionOnly

And replace it with the following line:

SecRuleEngine On

And replace it with the following line:

/var/log/modsec_audit.log

And replace it with the following line:

/var/log/nginx/modsec_audit.log

Save and close the file when done.

After that, download the latest version of ModSecurity Core Rule Set from the Git repository with the following command:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/local/nginx/conf/owasp-crs

After downloading the file, rename the configuration file crs-setup.conf.example Become crs-setup.conf With the following command:

mv /usr/local/nginx/conf/owasp-crs/crs-setup.conf.example /usr/local/nginx/conf/owasp-crs/crs-setup.conf

Next, configure ModeSecurity to use these rules by editing the file /usr/local/nginx/conf/modsecurity.conf:

nano /usr/local/nginx/conf/modsecurity.conf

Add the following line at the end of the file:

Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf

Save and close the file when done. After that, restart the Nginx service to implement the changes:

systemctl restart nginx

ModSecurity settings and performance test

ModSecurity is installed and configured. It’s time to test whether our settings are working or not.

To test ModSecurity against Driving injection-Open a web browser and type the URL http://localhost/index.html?exec=/bin/bash. You will see a 403 Forbidden Error like this:

To test ModSecurity’s response to XSS (cross-site scripting) attacks, open a terminal and run the command curl Together with the XSS payload.

curl http://localhost/?q="><script>alert(1)</script>"

If you get the following output, it means that ModSecurity has successfully detected the attack and blocked it.

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>

Conclusion

Congratulations! You have successfully downloaded and compiled LibModSecurity with Nginx. Your server is now protected from various attacks. For more information, you can visit the ModSecurity documentation at ModSecurity Doc.