slug | description | keywords | tags | license | modified | modified_by | published | title | title_meta | aliases | image | relations | authors | |||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
securing-nginx-with-modsecurity |
ModSecurity is a free web application firewall that can prevent attacks like XSS and SQL Injection. This guide shows how to install ModSecurity with NGINX. |
|
|
[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0) |
2021-03-26 |
|
2021-03-26 |
Securing Nginx With ModSecurity |
How to Secure Nginx With ModSecurity |
|
SecureNginx_ModSecurity.png |
|
|
ModSecurity is a free and open source web application that started out as an Apache module and grew to a fully-fledged web application firewall. It works by inspecting requests sent to the web server in real time against a predefined rule set, preventing typical web application attacks like XSS and SQL Injection.
While originally an Apache module, ModSecurity can also be installed on Nginx as detailed in this guide.
In order to install and configure ModSecurity, you need to have a Linux server with the following services running:
- Nginx
For instructions, see our guide on How to Install NGINX on Ubuntu 18.04 LTS. Installation instructions for several other Linux distributions are also accessible from this guide.
{{< note respectIndent=false >}} This demonstration has been performed on Ubuntu 18.04. However, all techniques demonstrated are distribution agnostic with the exception of package names and package managers. {{< /note >}}
While ModSecurity is not officially supported as a module for Nginx, a workaround exists involving the ModSecurity-nginx connector. The ModSecurity-nginx connector is the connection point between Nginx and libmodsecurity (ModSecurity v3). Said another way, the ModSecurity-nginx connector provides a communication channel between Nginx and libmodsecurity.
The ModSecurity-nginx connector takes the form of an Nginx module that provides a layer of communication between Nginx and ModSecurity.
To begin the installation process, follow the steps outlined below:
-
Install all the dependencies required for the build and compilation process with the following command:
sudo apt-get install bison build-essential ca-certificates curl dh-autoreconf doxygen \ flex gawk git iputils-ping libcurl4-gnutls-dev libexpat1-dev libgeoip-dev liblmdb-dev \ libpcre3-dev libpcre++-dev libssl-dev libtool libxml2 libxml2-dev libyajl-dev locales \ lua5.3-dev pkg-config wget zlib1g-dev zlibc libxslt libgd-dev
-
Ensure that git is installed:
sudo apt install git
-
Clone the ModSecurity Github repository from the
/opt
directory:cd /opt && sudo git clone https://github.com/SpiderLabs/ModSecurity
-
Change your directory to the ModSecurity directory:
cd ModSecurity
-
Run the following git commands to initialize and update the submodule:
sudo git submodule init sudo git submodule update
-
Run the
build.sh
script:sudo ./build.sh
-
Run the
configure
file, which is responsible for getting all the dependencies for the build process:sudo ./configure
-
Run the
make
command to build ModSecurity:sudo make
-
After the build process is complete, install ModSecurity by running the following command:
sudo make install
Before compiling the ModSecurity module, clone the Nginx-connector from the /opt
directory:
cd /opt && sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
You can now build the ModSecurity module from a downloaded copy of your Nginx version by following the steps outlined below:
-
Enumerate the version of Nginx you have installed:
nginx -v
For example, the following output shows that Nginx version 1.14.0 is installed on the system:
{{< output >}} nginx version: nginx/1.14.0 (Ubuntu) {{< /output >}}
In each of the following commands, replace
1.14.0
with your version of Nginx. -
Download the exact version of Nginx running on your system into the
/opt
directory:cd /opt && sudo wget http://nginx.org/download/nginx-1.14.0.tar.gz
-
Extract the tarball:
sudo tar -xvzmf nginx-1.14.0.tar.gz
-
Change your directory to the tarball directory you just extracted:
cd nginx-1.14.0
-
Display the configure arguments used for your version of Nginx:
nginx -V
Here is an example output for Nginx 1.14.0:
{{< output >}} nginx version: nginx/1.14.0 (Ubuntu) built with OpenSSL 1.1.1 11 Sep 2018 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-GkiujU/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module {{< /output >}}
-
To compile the Modsecurity module, copy all of the arguments following
configure arguments:
from your output of the above command and paste them in place of<Configure Arguments>
in the following command:sudo ./configure --add-dynamic-module=../ModSecurity-nginx <Configure Arguments>
-
Build the modules with the following command:
sudo make modules
-
Create a directory for the Modsecurity module in your system's Nginx configuration folder:
sudo mkdir /etc/nginx/modules
-
Copy the compiled Modsecurity module into your Nginx configuration folder:
sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
Open the /etc/nginx/nginx.conf
file with a text editor such a vim and add the following line:
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
Here is an example portion of an Nginx configuration file that includes the above line:
{{< file "/etc/nginx/nginx.conf" nginx >}} user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; {{< /file >}}
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, and Local File Inclusion.
To set up the OWASP-CRS, follow the procedures outlined below.
-
First, delete the current rule set that comes prepackaged with ModSecurity by running the following command:
sudo rm -rf /usr/share/modsecurity-crs
-
Clone the OWASP-CRS GitHub repository into the
/usr/share/modsecurity-crs
directory:sudo git clone https://github.com/coreruleset/coreruleset /usr/local/modsecurity-crs
-
Rename the
crs-setup.conf.example
tocrs-setup.conf
:sudo mv /usr/local/modsecurity-crs/crs-setup.conf.example /usr/local/modsecurity-crs/crs-setup.conf
-
Rename the default request exclusion rule file:
sudo mv /usr/local/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/local/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
You should now have the OWASP-CRS set up and ready to be used in your Nginx configuration.
ModSecurity is a firewall and therefore requires rules to function. This section shows you how to implement the OWASP Core Rule Set. First, you must prepare the ModSecurity configuration file.
-
Start by creating a ModSecurity directory in the
/etc/nginx/
directory:sudo mkdir -p /etc/nginx/modsec
-
Copy over the unicode mapping file and the ModSecurity configuration file from your cloned ModSecurity GitHub repository:
sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
-
Remove the
.recommended
extension from the ModSecurity configuration filename with the following command:sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
-
With a text editor such as vim, open
/etc/modsecurity/modsecurity.conf
and change the value forSecRuleEngine
toOn
:{{< file "/etc/modsecurity/modsecurity.conf" aconf >}}
SecRuleEngine On ... {{< /file >}}
-
Create a new configuration file called
main.conf
under the/etc/nginx/modsec
directory:sudo touch /etc/nginx/modsec/main.conf
-
Open
/etc/nginx/modsec/main.conf
with a text editor such as vim and specify the rules and the Modsecurity configuration file for Nginx by inserting following lines:{{< file "/etc/modsecurity/modsecurity.conf" aconf >}} Include /etc/nginx/modsec/modsecurity.conf Include /usr/local/modsecurity-crs/crs-setup.conf Include /usr/local/modsecurity-crs/rules/*.conf {{< /file >}}
Now that you have configured ModSecurity to work with Nginx, you must enable ModSecurity in your site configuration file.
-
Open the
/etc/nginx/sites-available/default
with a text editor such as vim and insert the following lines in your server block:modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf;
Here is an example configuration file that includes the above lines:
{{< file "/etc/nginx/sites-available/default" nginx >}} server { listen 80 default_server; listen [::]:80 default_server;
root /var/www/html; modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; }
} {{< /file >}}
-
Restart the nginx service to apply the configuration:
sudo systemctl restart nginx
Test ModSecurity by performing a simple local file inclusion attack by running the following command:
curl http://<SERVER-IP/DOMAIN>/index.html?exec=/bin/bash
If ModSecurity has been configured correctly and is actively blocking attacks, the following error is returned:
{{< output >}}
<title>403 Forbidden</title>nginx/1.14.0 (Ubuntu) {{< /output >}}