How To Install ModSecurity with Nginx on CentOS 7

ModSecurity is toolkit for real time web application monitoring, logging, and access control. This open source Web Application Firewall (WAF) module does an outstanding job of protecting web servers (Apache, NGINX, and IIS) from attacks that target potential vulnerabilities in various web applications. ModSecurity handles tasks like:

  • Real-time application monitoring and access control
  • Full HTTP traffic logging
  • Continuous passive security assessment
  • Web application hardening

1: Update

  1. Create the EPEL repo:
    sudo yum  epel-release -y
    
  2. Perform the update, and then restart the system:
    sudo yum update -y && sudo shutdown -r now

2: Install dependencies

Install the following packages:

yum groupinstall -y "Development Tools"
yum install -y httpd httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel
shutdown -r now

3: Compile ModSec

ModSec for the Nginx master branch has been reported as currently being unstable; therefore, use the nginx_refactoring branch as directed below:

  1. Download the nginx_refactoring branch of ModSecurity for Nginx:
    cd /usr/src
    git clone -b nginx_refactoring https://github.com/SpiderLabs/ModSecurity.git
    
  2. Compile ModSec: Attention: The two  commands below prevent warning messages when using newer automake versions.
    cd ModSecurity
    sed -i '/AC_PROG_CC/a\AM_PROG_CC_C_O' configure.ac
    sed -i '1 i\AUTOMAKE_OPTIONS = subdir-objects' Makefile.am
    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
    

4: Compile Nginx

  1. Download and unarchive the latest stable release of Nginx. Currently, this is Nginx 1.14.0:
    cd /usr/src
    wget http://nginx.org/download/nginx-1.14.0.tar.gz
    tar -zxvf nginx-1.14.0.tar.gz && rm -f nginx-1.14.0.tar.gz
    
  2. Create a dedicated nginx user and group for Nginx:
    groupadd -r nginx
    useradd -r -g nginx -s /sbin/nologin -M nginx
    
  3. Compile Nginx and enable ModSecurity and SSL modules:
    cd nginx-1.14.0/
    ./configure --user=nginx --group=nginx --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
    make
    make install
    
  4. Modify the default Nginx user:
    sed -i "s/#user  nobody;/user nginx nginx;/" /usr/local/nginx/conf/nginx.conf
    

5: Configure ModSec and Nginx

  1. Configure Nginx:

    a. Issue:

       vi /usr/local/nginx/conf/nginx.conf
    

    b. Find the following segment within the http {} segment:

            location / {
                   ;
                index  index.html index.htm;
            }
    

    Add the lines below so the final result should be:

       location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsec_includes.conf;
        root   html;
        index  index.html index.htm;
        }
    

    c. You also need to change the location of the default PID to match the script you will make in the following steps. Find the line #pid logs/nginx.pid and change it to the following by removing the # and changing the path:

       pid  /var/run/nginx.pid
    

    d. Save and quit:

       :wq!
    
  2. Create the file /usr/local/nginx/conf/modsec_includes.confAttention: The config below applies all of the OWASP ModSecurity Core Rules in the owasp-modsecurity-crs/rules/ directory. If you want to apply selective rules only, you should remove the include owasp-modsecurity-crs/rules/*.conf line, and then specify exact rules you need after step 5 of this section.
    cat <<EOF>> /usr/local/nginx/conf/modsec_includes.conf
    include modsecurity.conf
    include owasp-modsecurity-crs/crs-.conf
    include owasp-modsecurity-crs/rules/*.conf
    EOF
    
  3. Import the ModSec config files:
    cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
    cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/
    
  4. Modify the file /usr/local/nginx/conf/modsecurity.conf:
    sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf
    sed -i "s/SecAuditLogType Serial/SecAuditLogType Concurrent/" /usr/local/nginx/conf/modsecurity.conf
    sed -i "s|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /usr/local/nginx/logs/modsec_audit.log|"        /usr/local/nginx/conf/modsecurity.conf
    
  5. Allow Nginx to create Modsec logs in the Nginx log directory:
    chown nginx.root /usr/local/nginx/logs
    
  6. Add OWASP ModSecurity Core Rule Set (CRS) files:
    cd /usr/local/nginx/conf
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
    cd owasp-modsecurity-crs
    mv crs-setup.conf.example crs-setup.conf
    cd rules
    mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
    

6: Create Systemd Script

  1. Create the file /lib/systemd/system/nginx.service and add the script:
    cat <<EOF>> /lib/systemd/system/nginx.service
    [Unit]
    Description=The NGINX HTTP and reverse  server
    After=syslog.target network.target remote-fs.target nss-lookup.target
    [Service]
    Type=forking
    PIDFile=/var/run/nginx.pid
    ExecStartPre=/usr/local/nginx/sbin/nginx -t
    ExecStart=/usr/local/nginx/sbin/nginx
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s QUIT $MAINPID
    PrivateTmp=true
    [Install]
    WantedBy=multi-user.target
    EOF
    
  2. Reload systemd services:
    systemctl daemon-reload
    

7: Test ModSec

  1. Start Nginx:
    systemctl start nginx.service
    
  2. Point your web browser to http://<YourServersIP>/?param="><script>alert(1);</script> (Be sure to replace with the address of your server)
  3. Use grep to fetch error messages:
    grep error /usr/local/nginx/logs/error.log
    

    The output should include error messages resembling the following:

    2017/02/15 14:07:54 [error] 10776#0: [client 104.20.23.240] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/index.html"] [unique_id "ATAcAcAkucAchGAcPLAcAcAY"]
    
  4. The procedure is complete. To customize your settings, review and edit the following files:
  5. /usr/local/nginx/conf/modsecurity.conf
  6. /usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf
Print Friendly, PDF & Email

Comments

comments

Bài viết liên quan

Be the first to comment

Để lại lời nhắn