[HowTo] Nginx with libmodsecurity and OWASP ModSecurity Core Rule Set on Ubuntu 16.04

Post by xorro » Mon Sep 10, 2018 2:31 pm

Install Prerequisites

Install the prerequisites:

Code:

apt-get install apache2-dev autoconf automake build-essential bzip2 checkinstall devscripts flex g++ gcc git graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat libaio-dev libaio1 libass-dev libatomic-ops-dev libavcodec-dev libavdevice-dev libavfilter-dev libavformat-dev libavutil-dev libbz2-dev libcdio-cdda1 libcdio-paranoia1 libcdio13 libcurl4-openssl-dev libfaac-dev libfreetype6-dev libgd-dev libgeoip-dev libgeoip1 libgif-dev libgpac-dev libgsm1-dev libjack-jackd2-dev libjpeg-dev libjpeg-progs libjpeg8-dev liblmdb-dev libmp3lame-dev libncurses5-dev libopencore-amrnb-dev libopencore-amrwb-dev libpam0g-dev libpcre3 libpcre3-dev libperl-dev libpng12-0 libpng12-dev libreadline-dev librtmp-dev libsdl1.2-dev libssl-dev libssl1.0.0 libswscale-dev libtheora-dev libtiff5-dev libtool libva-dev libvdpau-dev libvorbis-dev libxml2-dev libxslt-dev libxslt1-dev libxslt1.1 libxvidcore-dev libxvidcore4 libyajl-dev make openssl perl pkg-config tar texi2html unzip zip zlib1g-dev

Download ModSecurity

Git clone ModSecurity, check out the v3 branch and build libmodsecurity:

Code:

cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make
make install

Git clone the ModSecurity-nginx connector:

Code:

cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

You should now have the following directory, which contains the ModSecurity-nginx connector:

Code:

/opt/ModSecurity-nginx

Download Nginx

Download latest Nginx stable source if not already installed

Go to http://nginx.org/en/download.html and get the link to the latest stable version of Nginx. As of this writing, the latest stable version was nginx-1.12.0.tar.gz. Adjust the instructions below for your specific version. Download and extract:

Code:

cd /opt
wget http://nginx.org/download/nginx-1.12.0.tar.gz
tar -zxf nginx-1.12.0.tar.gz
cd nginx-1.12.0

Configure and Install Nginx

Configure Nginx with the ModSecurity-nginx connector and install:

Code:

./configure --user=www-data --group=www-data --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx
make
make install

The ModSecurity source code that we downloaded earlier includes a sample modsecurity.conf file with some recommended settings. Copy this file to the folder with the Nginx configuration files:

Code:

cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf

Create a symlink from /usr/local/nginx/sbin/nginx to /bin/nginx:

Code:

ln -s /usr/local/nginx/sbin/nginx /bin/nginx

Create the following directories:

Code:

mkdir /usr/local/nginx/conf/sites-available
mkdir /usr/local/nginx/conf/sites-enabled
mkdir /usr/local/nginx/conf/ssl
mkdir /etc/nginx

Create a symlink from /usr/local/nginx/conf/ssl to /etc/nginx/ssl:

Code:

ln -s /usr/local/nginx/conf/ssl /etc/nginx/ssl

Make a backup copy of the conf/nginx.conf file:

Code:

cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.bak

Configure the /usr/local/nginx/conf/nginx.conf file:

Code:

vi /usr/local/nginx/conf/nginx.conf

Locate and remove all the entries starting with "server {" and ending with the second to the last closing curly brace "}". In other words, leave the last curly brace intact.

Right above the last curly brace, insert the following. This will instruct Nginx to look for our site configs in the "/usr/local/nginx/conf/sites-enabled" directory

Code:

include /usr/local/nginx/conf/sites-enabled/*;

So the end of the file should look like below (ensure the closing } is present):

Code:

    include /usr/local/nginx/conf/sites-enabled/*;
}

Enable the "user" directive by removing the "#" prefix if disabled and ensure it's set to user "www-data" instead of the default "nobody" so it looks like below:

Code:

user www-data;

Save the file.

Download Jason Giedymin's Nginx init script for managing the nginx service and configure it as a service:

Code:

wget https://raw.github.com/JasonGiedymin/nginx-init-ubuntu/master/nginx -O /etc/init.d/nginx
chmod +x /etc/init.d/nginx
update-rc.d nginx defaults

This script provides the following options for managing the Nginx service:

Code:

# service nginx start|stop|restart|force-reload|reload|status|configtest|quietupgrade|terminate|destroy

Install OWASP ModSecurity Core Rule Set

Git clone and copy the current version of the OWASP ruleset and config to Nginx

Code:

cd /opt/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp -R rules/ /usr/local/nginx/conf/
cp /opt/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf

Configure Nginx with OWASP ModSecurity Core Rule Set

Edit /usr/local/nginx/conf/modsecurity.conf

Code:

vi /usr/local/nginx/conf/modsecurity.conf

At the end of the file, paste the following:

Code:

#Load OWASP Config
Include crs-setup.conf
#Load all other Rules
Include rules/*.conf
#Disable rule by ID from error message
#SecRuleRemoveById 920350

In your Nginx modsecurity.conf file or your individual server conf files, enter the following in either the server or location blocks. The example below shows a combination of adding the entries in both the server and the location blocks:

Code:

server {
    .....
    modsecurity on;
    location / {
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
        .....
    }
}

Test your Nginx config:

Code:

service nginx configtest

If there are no errors, reload or restart Nginx:

Code:

service nginx reload

You can now view the /var/log/modsec_audit.log for any ModSecurity events:

Code:

tail -f /var/log/modsec_audit.log

If you are satisfied, edit the /usr/local/nginx/conf/modsecurity.conf file and set "SecRuleEngine" from "DetectionOnly" to "On" like below:

Code:

SecRuleEngine On

This concludes this guide.
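
The review step at the end of the guide, watching /var/log/modsec_audit.log in DetectionOnly mode before setting SecRuleEngine to On, is easier with a per-rule tally. The script below is an added example, not part of the original post: it assumes the serial audit-log layout written by libmodsecurity v3 (sections delimited by ---<id>---<letter>-- lines), and the log entries in sample_log are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: count which rule IDs fired in a
# ModSecurity audit log while SecRuleEngine is still DetectionOnly.

# Constructed sample; assumed v3 serial layout with ---<id>---<letter>-- boundaries.
sample_log() {
cat <<'EOF'
---aB1cD2eF---A--
[10/Sep/2018:14:31:02 +0000] 1536589862 203.0.113.10 51234 192.0.2.5 80
---aB1cD2eF---B--
GET /index.php HTTP/1.1
Host: 192.0.2.5
---aB1cD2eF---H--
ModSecurity: Warning. Matched "Operator `Rx'" [id "920350"] [msg "Host header is a numeric IP address"]
---aB1cD2eF---Z--
---gH3iJ4kL---A--
[10/Sep/2018:14:31:09 +0000] 1536589869 203.0.113.10 51240 192.0.2.5 80
---gH3iJ4kL---B--
GET /status HTTP/1.1
Host: 192.0.2.5
---gH3iJ4kL---H--
ModSecurity: Warning. Matched "Operator `Rx'" [id "920350"] [msg "Host header is a numeric IP address"]
ModSecurity: Warning. Matched "Operator `Eq'" [id "920320"] [msg "Missing User-Agent Header"]
---gH3iJ4kL---Z--
EOF
}

# tally_rules [FILE]: prints count, rule id, msg and first request line seen,
# tab-separated, most frequent rule first. Reads stdin when FILE is omitted.
tally_rules() {
  awk '
    /^---[A-Za-z0-9]+---[A-Z]--$/ {           # section boundary
      section = substr($0, length($0) - 2, 1)
      if (section == "A") request = ""        # a new transaction starts
      next
    }
    section == "B" && request == "" { request = $0; next }  # request line
    section == "H" && match($0, /\[id "[0-9]+"\]/) {
      id = substr($0, RSTART + 5, RLENGTH - 7)
      msg = ""
      if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
      count[id]++; text[id] = msg
      if (!(id in first)) first[id] = request
    }
    END { for (id in count) printf "%d\t%s\t%s\t%s\n", count[id], id, text[id], first[id] }
  ' "$@" | sort -k1,1nr -k2,2n
}

sample_log | tally_rules   # demo on the constructed sample
```

On the server, run it as tally_rules /var/log/modsec_audit.log. A rule that fires on legitimate traffic is a candidate for the commented SecRuleRemoveById line in modsecurity.conf.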