Introduction
libModSecurity is a major rewrite of ModSecurity. It preserves the rich syntax and feature set of ModSecurity while delivering improved performance, stability, and easier integration. Even though ModSecurity 2.9.x was offered for different platforms, it really favored deployment with Apache, and deploying on other platforms required various third-party dependencies at the cost of performance. libModSecurity changes all that by being a rewrite from scratch.
In this tutorial, we will show you how to compile the latest version of Nginx with libModSecurity. We will also be integrating the OWASP ModSecurity Core Rule Set (CRS).
Install Dependencies
As we are going to compile both Nginx and libModSecurity from source, we need the following dependencies installed. Start with the development tools group:
yum groupinstall 'Development tools'
Now execute the following command to install all of the needed libraries:
yum install autoconf automake bzip2 flex gcc git httpd-devel libaio-devel libass-devel libjpeg-turbo-devel libpng12-devel libtheora-devel libtool libva-devel libvdpau-devel libvorbis-devel libxml2-devel libxslt-devel perl texi2html unzip zip openssl openssl-devel geoip geoip-devel
Download and Install libModSecurity
In this section we are going to clone the ModSecurity source from its official Git repository, then check out and build libModSecurity. Execute the following commands one by one:
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
If you have done everything right, you will not see any errors during the configuration, so you can go ahead and start compiling with the following command (It’s going to take a few minutes):
make && make install
After the installation process is finished, it’s a good idea to check if everything has been installed correctly with the following command:
make check
Download the ModSecurity Nginx connector
Switch back to the “opt” directory and clone the ModSecurity-nginx connector with the command below:
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
Download and Install Nginx
In this section, we are going to download the latest stable version of Nginx, which is “1.12.2” at the time of writing. You can always go to the official Nginx website to get the latest stable version.
Download the source file in the “opt” directory using Wget:
cd /opt/
wget http://nginx.org/download/nginx-1.12.2.tar.gz
Extract the source files with the command below:
tar xvzf nginx-1.12.2.tar.gz
Now execute the following commands one by one to compile and install Nginx:
cd nginx-1.12.2
./configure --user=www-data --group=www-data --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx
make && make install
The ModSecurity source code that we downloaded earlier includes a sample ModSecurity.conf file with some recommended settings. Copy this file to the folder with the Nginx configuration files:
cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
Create a symlink from the Nginx binary to our executable path:
ln -s /usr/local/nginx/sbin/nginx /bin/nginx
Configuring Nginx
In order to get libModSecurity working with your Nginx, you have to do some configuration first. Open the Nginx global configuration file with the command below:
nano /usr/local/nginx/conf/nginx.conf
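At the very beginning of the file, you can see a commented-out line that refers to “user”. Uncomment it and change its value as shown below (the www-data account must already exist on the system, otherwise the configuration test fails):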
user www-data;
Find the “pid” line and make it look like below:
pid /var/run/nginx.pid;
Find the “server” block, delete everything between its two curly braces “{}”, and add the following lines in their place:
listen 80;
server_name localhost;
modsecurity on;
location / {
    root html;
    index index.html index.htm;
    modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
}
Save and Exit the editor.
Now we are going to create a “systemd” service for Nginx. Create a “nginx.service” file in the proper path with the following command:
nano /etc/systemd/system/nginx.service
Paste the following lines into the file then save and exit:
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/bin/nginx -t
ExecStart=/bin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Execute the following command so that systemd picks up the new service file:
systemctl daemon-reload
You can check if your Nginx configurations are ok with the following command:
nginx -t
You should see output like the following:
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Install OWASP Core Rule Set (CRS)
Clone and copy the latest version of OWASP rules and configurations to Nginx:
cd /opt/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp -R rules/ /usr/local/nginx/conf/
cp /opt/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf
Edit the ModSecurity config file to include the OWASP rule set files:
nano /usr/local/nginx/conf/modsecurity.conf
Paste the following lines at the end of the file:
#Load OWASP Config
Include crs-setup.conf
#Load all other Rules
Include rules/*.conf
#Disable rule by ID from error message
#SecRuleRemoveById 920350
Finally, restart Nginx for the changes to take effect with the command below:
systemctl restart nginx
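The modsecurity.conf-recommended file copied earlier ships with SecRuleEngine set to DetectionOnly, which logs rule matches without blocking requests. The following check is an added example, not part of the original tutorial or of the ModSecurity project; its function names and the sample file are constructed for illustration, and it reports the engine mode and whether crs-setup.conf is included before the rules.

```shell
#!/bin/sh
# Added example: sanity-check a ModSecurity config that loads the CRS.

# Constructed sample: engine setting of the recommended file plus this page's Include lines.
sample_conf() {
cat <<'EOF'
# constructed sample configuration
SecRuleEngine DetectionOnly
SecAuditLog /var/log/modsec_audit.log
#Load OWASP Config
Include crs-setup.conf
#Load all other Rules
Include rules/*.conf
EOF
}

# Print the value of the last active (uncommented) SecRuleEngine directive.
engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Print the line number of the first active Include whose path matches $2.
include_line() {
    awk -v pat="$2" '$1 == "Include" && $2 ~ pat { print NR; exit }' "$1"
}

# Return 0 only when the engine blocks and crs-setup.conf loads before the rules.
check_modsec_conf() {
    conf="$1"; status=0
    mode=$(engine_mode "$conf")
    if [ "$mode" != "On" ]; then
        echo "WARN: SecRuleEngine is $mode, requests are not blocked"; status=1
    fi
    setup=$(include_line "$conf" 'crs-setup[.]conf$')
    rules=$(include_line "$conf" '^rules/')
    if [ -z "$setup" ] || [ -z "$rules" ]; then
        echo "WARN: CRS Include lines are missing"; status=1
    elif [ "$setup" -gt "$rules" ]; then
        echo "WARN: crs-setup.conf is included after the rules"; status=1
    fi
    return $status
}

# Usage: sh check.sh /usr/local/nginx/conf/modsecurity.conf
if [ -n "${1:-}" ]; then check_modsec_conf "$1"; fi
```

Switching SecRuleEngine to On makes the CRS rules block; running in DetectionOnly first is a common way to spot false positives before enforcing.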
You can view the following log file to see all of the ModSecurity events:
tail -f /var/log/modsec_audit.log
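To decide which rule IDs deserve a closer look before using a SecRuleRemoveById line like the commented one above, it helps to count how often each ID appears in the audit log. This is an added example, not part of the original tutorial; the function names are hypothetical, the sample log lines are constructed and simplified, and it assumes the native (non-JSON) audit log format in which each match carries [id "..."] and [msg "..."] fields.

```shell
#!/bin/sh
# Added example: tally CRS rule IDs from ModSecurity audit log messages.

# Constructed, simplified sample lines; real entries carry more fields.
sample_log() {
cat <<'EOF'
---Ab12Cd34---H--
ModSecurity: Warning. [file "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [severity "4"]
ModSecurity: Warning. [file "rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [severity "2"]
ModSecurity: Warning. [file "rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded"] [severity "2"]
---Ab12Cd34---Z--
ModSecurity: Warning. [file "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [severity "4"]
ModSecurity: Warning. [file "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [severity "4"]
ModSecurity: Warning. [file "rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded"] [severity "2"]
EOF
}

# Print "count id message" per rule ID, most frequent first.
# Reads the file given as $1, or standard input when no file is given.
rule_hits() {
    awk '
    match($0, /\[id "[0-9]+"\]/) {
        id = substr($0, RSTART + 5, RLENGTH - 7)   # digits between [id " and "]
        count[id]++
        if (match($0, /\[msg "[^"]*"\]/))
            text[id] = substr($0, RSTART + 6, RLENGTH - 8)
    }
    END { for (id in count) print count[id], id, text[id] }
    ' "${1:--}" | sort -k1,1nr -k2,2n
}

# Print the IDs that fired at least MIN times: noisy_rules MIN [FILE]
noisy_rules() {
    rule_hits "${2:--}" | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo on the constructed sample; on a live system pass the log path instead,
# e.g. rule_hits /var/log/modsec_audit.log
sample_log | rule_hits
```

A rule that dominates the tally is a candidate for review against real traffic, not automatically for removal; each removed rule narrows what the WAF detects.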