ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. This open source Web Application Firewall (WAF) module does an outstanding job of protecting web servers (Apache, Nginx, and IIS) from attacks that target potential vulnerabilities in various web applications. ModSecurity handles tasks like:

  • Real-time application monitoring and access control
  • Full HTTP traffic logging
  • Continuous passive security assessment
  • Web application hardening

1: Update

  1. Enable the EPEL repository:
    sudo yum install epel-release -y
  2. Perform the update, and then restart the system:
    sudo yum update -y && sudo shutdown -r now

2: Install dependencies

Install the following packages:

yum groupinstall -y "Development Tools"
yum install -y httpd httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel
shutdown -r now

3: Compile ModSec

The ModSecurity master branch has been reported as currently unstable for Nginx; therefore, use the nginx_refactoring branch as directed below:

  1. Clone the nginx_refactoring branch of ModSecurity for Nginx:
    cd /usr/src
    git clone -b nginx_refactoring
  2. Compile ModSec. Attention: the two sed commands below prevent warning messages when using newer automake versions.
    cd ModSecurity
    sed -i '/AC_PROG_CC/a\AM_PROG_CC_C_O'
    sed -i '1 i\AUTOMAKE_OPTIONS = subdir-objects'
    ./configure --enable-standalone-module ---mlogc

4: Compile Nginx

  1. Download and unarchive the latest stable release of Nginx. Currently, this is Nginx 1.14.0:
    cd /usr/src
    tar -zxvf nginx-1.14.0.tar.gz && rm -f nginx-1.14.0.tar.gz
  2. Create a dedicated nginx user and group for Nginx:
    groupadd -r nginx
    useradd -r -g nginx -s /sbin/nologin -M nginx
  3. Compile Nginx and enable ModSecurity and SSL modules:
    cd nginx-1.14.0/
    ./configure --user=nginx --group=nginx --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
    make install
  4. Modify the default Nginx user:
    sed -i "s/#user  nobody;/user nginx nginx;/" /usr/local/nginx/conf/nginx.conf

5: Configure ModSec and Nginx

  1. Configure Nginx:

    a. Issue:

       vi /usr/local/nginx/conf/nginx.conf

    b. Find the following segment within the http {} block:

            location / {
                root   html;
                index  index.html index.htm;
            }

    Add the two ModSecurity directives so that the result is:

       location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsec_includes.conf;
        root   html;
        index  index.html index.htm;
       }

    c. You also need to change the location of the default PID file to match the systemd script you will create in a later step. Find the line #pid logs/ and replace it with the following, removing the # and changing the path:

       pid  /var/run/

    d. Save and quit.

  2. Create the file /usr/local/nginx/conf/modsec_includes.conf. Attention: the config below applies all of the OWASP ModSecurity Core Rules in the owasp-modsecurity-crs/rules/ directory. If you want to apply selective rules only, remove the include owasp-modsecurity-crs/rules/*.conf line, and then specify the exact rules you need after step 5 of this section.
    cat <<'EOF' > /usr/local/nginx/conf/modsec_includes.conf
    include modsecurity.conf
    include owasp-modsecurity-crs/crs-setup.conf
    include owasp-modsecurity-crs/rules/*.conf
    EOF
  3. Import the ModSec config files:
    cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
    cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/
  4. Modify the file /usr/local/nginx/conf/modsecurity.conf:
    sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf
    sed -i "s/SecAuditLogType Serial/SecAuditLogType Concurrent/" /usr/local/nginx/conf/modsecurity.conf
    sed -i "s|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /usr/local/nginx/logs/modsec_audit.log|" /usr/local/nginx/conf/modsecurity.conf
  5. Allow Nginx to create ModSec logs in the Nginx log directory:
    chown nginx:root /usr/local/nginx/logs
  6. Add OWASP ModSecurity Core Rule Set (CRS) files:
    cd /usr/local/nginx/conf
    git clone
    cd owasp-modsecurity-crs
    mv crs-setup.conf.example crs-setup.conf
    cd rules

6: Create Systemd Script

  1. Create the file /lib/systemd/system/nginx.service and add the unit below. The heredoc delimiter is quoted so that the shell does not expand $MAINPID while writing the file:
    cat <<'EOF' > /lib/systemd/system/nginx.service
    [Unit]
    Description=The NGINX HTTP and reverse proxy server

    [Service]
    Type=forking
    ExecStartPre=/usr/local/nginx/sbin/nginx -t
    ExecStart=/usr/local/nginx/sbin/nginx
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s QUIT $MAINPID
    EOF
  2. Reload systemd services:
    systemctl daemon-reload

7: Test ModSec

  1. Start Nginx:
    systemctl start nginx.service
  2. Point your web browser to http://<YourServersIP>/?param="><script>alert(1);</script> (be sure to replace <YourServersIP> with the IP address of your server).
  3. Use grep to fetch error messages:
    grep error /usr/local/nginx/logs/error.log

    The output should include error messages resembling the following:

    2017/02/15 14:07:54 [error] 10776#0: [client] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/index.html"] [unique_id "ATAcAcAkucAchGAcPLAcAcAY"]
  4. The procedure is complete. To customize your settings, review and edit the following files:
     • /usr/local/nginx/conf/modsecurity.conf
     • /usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf
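Once ModSecurity is logging, the bracketed key/value format shown above is what you will triage. The following Python script is an added example (not part of the original guide) that parses ModSecurity events out of the Nginx error log and summarizes hits per rule and blocked requests per client; the log lines it contains are constructed samples and the addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the format ModSecurity 2.x writes to the Nginx
# error log: one detection (Warning), one block (Access denied), and one plain
# Nginx error that is not a ModSecurity event. Addresses are placeholders.
SAMPLE_LOG = r"""
2017/02/15 14:07:54 [error] 10776#0: [client 203.0.113.10] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname ""] [uri "/index.html"] [unique_id "ATAcAcAkucAchGAcPLAcAcAY"]
2017/02/15 14:07:54 [error] 10776#0: [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "OWASP_CRS/ANOMALY/EXCEEDED"] [hostname ""] [uri "/index.html"] [unique_id "ATAcAcAkucAchGAcPLAcAcAY"]
2017/02/15 14:09:30 [error] 10776#0: *7 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, request: "GET /favicon.ico HTTP/1.1"
"""

# Fixed prefix of a ModSecurity line: timestamp, [error], pid#tid:, client, action.
HEAD_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[error\] \S+ \[client (?P<client>[^\]]*)\] '
    r'ModSecurity: (?P<action>Warning|Access denied with code \d+)'
)
# One [key "value"] pair; the value may contain backslash escapes such as \x22.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return a dict for a ModSecurity error-log line, or None for any other line."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    event = head.groupdict()
    event["tags"] = []  # "tag" repeats, so collect it as a list instead of a scalar
    for key, value in KV_RE.findall(line):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    event["blocked"] = event["action"].startswith("Access denied")
    return event

def summarize(log_text):
    """Return (events, hits per (id, msg), blocked requests per client address)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    per_rule = Counter((e.get("id"), e.get("msg")) for e in events)
    blocked_by_client = Counter(e["client"] for e in events if e["blocked"])
    return events, per_rule, blocked_by_client

if __name__ == "__main__":
    events, per_rule, blocked = summarize(SAMPLE_LOG)
    for (rule_id, msg), count in per_rule.items():
        print(f"{count:4d}  {rule_id}  {msg}")
    print("blocked requests per client:", dict(blocked))
```

On a live server, feed the script the contents of /usr/local/nginx/logs/error.log instead of SAMPLE_LOG; Warning lines show what the CRS matched, while Access denied lines show which requests were actually blocked once SecRuleEngine is On.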