I only managed to install it by following the instructions at https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes#centos-7-minimal
ModSecurity is an open source web application firewall (WAF) module for Apache, Nginx, and IIS that protects web applications against a wide range of attacks targeting potential vulnerabilities in those applications.
In this article, we will install and configure ModSecurity for Nginx on CentOS 7, Debian 8, and Ubuntu 16.04.
Section 1. Prerequisites
- An up-to-date installation of CentOS 7, Debian 8, or Ubuntu 16.04 64-bit.
- Logged in as `root`.
Section 2. Step 1: Update the system
Following this guide, update your server’s Kernel and Packages to the latest available version.
Section 3. Step 2: Install dependencies
Before you can compile Nginx and ModSecurity successfully, you need to install several software packages as follows.
a) On CentOS 7:
```bash
yum groupinstall -y "Development Tools"
yum install -y httpd httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel
shutdown -r now
```
b) On Debian 8 or Ubuntu 16.04:
```bash
apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf
```
Section 4. Step 3: Compile ModSecurity
Due to several instabilities reported on the ModSecurity for Nginx master branch, it is for now officially recommended to use the latest version of the `nginx_refactoring` branch whenever possible.
Download the `nginx_refactoring` branch of ModSecurity for Nginx:
```bash
cd /usr/src
git clone -b nginx_refactoring https://github.com/SpiderLabs/ModSecurity.git
```
Compile ModSecurity:
a) On CentOS 7:
```bash
cd ModSecurity
sed -i '/AC_PROG_CC/a\AM_PROG_CC_C_O' configure.ac
sed -i '1 i\AUTOMAKE_OPTIONS = subdir-objects' Makefile.am
./autogen.sh
./configure CFLAGS="-fPIC" --enable-standalone-module --disable-mlogc
make
```
Note: the two `sed` commands above prevent warning messages when using newer automake versions.
b) On Debian 8 or Ubuntu 16.04:
```bash
cd ModSecurity
./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
```
## Step 4: Compile Nginx
Download and unarchive the latest stable release of Nginx, which is Nginx 1.10.3 at the time of writing:
```bash
cd /usr/src
wget https://nginx.org/download/nginx-1.10.3.tar.gz
tar -zxvf nginx-1.10.3.tar.gz && rm -f nginx-1.10.3.tar.gz
```
a) On CentOS 7:
First, you need to create a dedicated user `nginx` and a dedicated group `nginx` for Nginx:
```bash
groupadd -r nginx
useradd -r -g nginx -s /sbin/nologin -M nginx
```
Then compile Nginx while enabling ModSecurity and SSL modules:
```bash
cd nginx-1.10.3/
./configure --user=nginx --group=nginx --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
make
make install
```
Modify the default user of Nginx:
```bash
sed -i "s/#user nobody;/user nginx nginx;/" /usr/local/nginx/conf/nginx.conf
```
b) On Debian 8 or Ubuntu 16.04:
First, you should use the existing user `www-data` and the existing group `www-data`.
Then compile Nginx while enabling ModSecurity and SSL modules:
```bash
cd nginx-1.10.3/
./configure --user=www-data --group=www-data --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
make
make install
```
Modify the default user of Nginx:
```bash
sed -i "s/#user nobody;/user www-data www-data;/" /usr/local/nginx/conf/nginx.conf
```
Once Nginx has been installed successfully, the related files are located at:
```text
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
```
You can test the installation with:
```bash
/usr/local/nginx/sbin/nginx -t
```
If nothing goes wrong, the output should be:
```text
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
```
For your convenience, you can set up a systemd unit file for Nginx:
```bash
cat <<EOF>> /lib/systemd/system/nginx.service
[Service]
Type=forking
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
# ExecStop is the directive systemd recognizes for the stop command (KillStop is not a valid directive)
ExecStop=/usr/local/nginx/sbin/nginx -s stop
KillMode=process
Restart=on-failure
RestartSec=42s
PrivateTmp=true
LimitNOFILE=200000

[Install]
WantedBy=multi-user.target
EOF
```
Moving forward, you can start/stop/restart Nginx as follows:
```bash
systemctl start nginx.service
systemctl stop nginx.service
systemctl restart nginx.service
```
Section 5. Step 4: Configure ModSecurity and Nginx
4.1 Configure Nginx:
```bash
vi /usr/local/nginx/conf/nginx.conf
```
Find the following segment within the `http {}` segment:
```nginx
location / {
    root   html;
    index  index.html index.htm;
}
```
Insert the lines below into the `location / {}` segment:
```nginx
ModSecurityEnabled on;
ModSecurityConfig modsec_includes.conf;
#proxy_pass http://localhost:8011;
#proxy_read_timeout 180s;
```
The final result should be:
```nginx
location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsec_includes.conf;
    #proxy_pass http://localhost:8011;
    #proxy_read_timeout 180s;
    root   html;
    index  index.html index.htm;
}
```
Save and quit:
```text
:wq!
```
Note: The Nginx config above is only a sample config for using Nginx as a web server rather than as a reverse proxy. If you are using Nginx as a reverse proxy, remove the `#` character from the last two lines and adjust them appropriately.
4.2 Create a file named `/usr/local/nginx/conf/modsec_includes.conf`:
```bash
cat <<EOF>> /usr/local/nginx/conf/modsec_includes.conf
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/*.conf
EOF
```
Note: The config above applies all of the OWASP ModSecurity Core Rules in the `owasp-modsecurity-crs/rules/` directory. If you want to apply selected rules only, remove the `include owasp-modsecurity-crs/rules/*.conf` line and specify the exact rules you need after step 4.5.
4.3 Import ModSecurity configuration files:
```bash
cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/
```
4.4 Modify the `/usr/local/nginx/conf/modsecurity.conf` file so that ModSecurity blocks requests instead of only logging them:
```bash
sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf
```
4.5 Add OWASP ModSecurity CRS (Core Rule Set) files:
```bash
cd /usr/local/nginx/conf
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs
mv crs-setup.conf.example crs-setup.conf
cd rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
```
Section 6. Step 5: Test ModSecurity
Start Nginx:
```bash
systemctl start nginx.service
```
Open port 80 in order to allow outside access:
a) On CentOS 7:
```bash
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --reload
```
b) On Debian 8:
```bash
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
touch /etc/iptables
iptables-save > /etc/iptables
```
c) On Ubuntu 16.04:
```bash
ufw allow OpenSSH
ufw allow 80
ufw default deny
ufw enable
```
Point your web browser to:
```text
http://203.0.113.1/?param="><script>alert(1);</script>
```
Use `grep` to fetch error messages as follows:
```bash
grep error /usr/local/nginx/logs/error.log
```
The output should include several error messages which are similar to:
```text
2017/02/15 14:07:54 [error] 10776#0: [client 104.20.23.240] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/index.html"] [unique_id "ATAcAcAkucAchGAcPLAcAcAY"]
```
That's it. As you can see, the ModSecurity module has logged this attack in accordance with its default action policy. If you want to customize the settings further, carefully review and edit the `/usr/local/nginx/conf/modsecurity.conf` and `/usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf` files.
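A plain `grep error` soon becomes hard to read once the CRS is active, because Nginx's own errors and ModSecurity's long bracketed records share one log. The following shell functions are an added example (not part of the original guide) that pull the client, rule id, severity, URI and message out of ModSecurity entries in `error.log` and count how often each rule fired; the sample log lines are constructed for the demonstration and reuse the record shown above.

```bash
#!/bin/sh
# Added example: triage ModSecurity records in the Nginx error log.
# The sample log below is constructed; in practice pass
# /usr/local/nginx/logs/error.log to the functions instead.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2017/02/15 14:07:54 [error] 10776#0: [client 198.51.100.7] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [hostname ""] [uri "/index.html"] [unique_id "constructed-1"]
2017/02/15 14:08:10 [error] 10776#0: *2 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "203.0.113.1"
2017/02/15 14:09:02 [error] 10776#0: [client 203.0.113.42] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [hostname ""] [uri "/search"] [unique_id "constructed-2"]
EOF

# modsec_summary FILE
# One line per ModSecurity record: date time client rule-id severity uri msg.
# Only lines containing "ModSecurity:" are considered, so ordinary Nginx
# errors (like the favicon line above) are filtered out.
modsec_summary() {
    grep 'ModSecurity:' "$1" | sed -E \
        's/^([0-9/]+ [0-9:]+) .*\[client ([^]]*)\].*\[id "([0-9]+)"\].*\[msg "([^"]*)"\].*\[severity "([^"]*)"\].*\[uri "([^"]*)"\].*/\1 \2 \3 \5 \6 \4/'
}

# modsec_rule_counts FILE
# Number of times each CRS rule id fired, most frequent first. Useful for
# spotting a rule that is generating false positives before tuning
# crs-setup.conf or the exclusion rule files from step 4.5.
modsec_rule_counts() {
    grep 'ModSecurity:' "$1" | grep -o '\[id "[0-9]*"\]' \
        | sed -E 's/\[id "([0-9]+)"\]/\1/' | sort | uniq -c | sort -rn
}

modsec_summary "$SAMPLE_LOG"
modsec_rule_counts "$SAMPLE_LOG"
```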