Installation and configuration of ModSecurity on CentOS 7
Install Nginx
Install the prerequisites:
sudo yum install yum-utils
To set up the yum repository, create the file named /etc/yum.repos.d/nginx.repo with the following contents:
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
By default, the repository for stable nginx packages is used. If you would like to use mainline nginx packages, run the following command:
sudo yum-config-manager --enable nginx-mainline
To install nginx, run the following command:
sudo yum install nginx
When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.
Compile ModSecurity Dynamic Module
- Install compile toolsets
sudo yum groupinstall 'Development Tools' -y
sudo yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel
sudo yum install lmdb lmdb-devel libxml2 libxml2-devel ssdeep ssdeep-devel lua lua-devel
- Compile from source code
sudo git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
sudo git submodule init
sudo git submodule update
sudo ./build.sh
sudo ./configure
sudo make
sudo make install
- Confirm nginx version
nginx -v
nginx version: nginx/1.19.2
- Compile nginx connector from source code (the nginx source must be the same version as the installed binary, 1.19.2 here, or the module will not load)
sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
sudo wget http://nginx.org/download/nginx-1.19.2.tar.gz
sudo tar zxvf nginx-1.19.2.tar.gz
cd nginx-1.19.2
sudo ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
sudo make modules
- Install and enable module
sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
sudo mkdir /etc/nginx/modsec
sudo cp ~/ModSecurity/unicode.mapping /etc/nginx/modsec/
Then add load_module instruction to /etc/nginx/nginx.conf in the main (top-level) context:
load_module modules/ngx_http_modsecurity_module.so;
- Reload nginx
nginx -s reload
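The connector module only loads if it was built against the exact nginx version that is running, which is why the guide has you confirm the version before downloading the source. The script below is an added example, not part of the original guide: it reads the installed version from nginx -v, builds the download URL and the module from it, and runs nginx -t before reloading so a version mismatch is reported before traffic is affected. The scratch directory and the MODSEC_BUILD switch are this script's own assumptions.

```shell
#!/bin/sh
# Build ModSecurity-nginx against the installed nginx version (added example).
set -e

# parse_nginx_version "nginx version: nginx/1.19.2" -> 1.19.2
# Prints nothing when the text does not look like nginx -v output.
parse_nginx_version() {
  printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p'
}

# nginx writes its -v banner to stderr, so it has to be redirected to be read.
installed_nginx_version() {
  parse_nginx_version "$(nginx -v 2>&1)"
}

# nginx_tarball_url 1.19.2 -> http://nginx.org/download/nginx-1.19.2.tar.gz
nginx_tarball_url() {
  printf 'http://nginx.org/download/nginx-%s.tar.gz\n' "$1"
}

# build_connector VERSION [WORKDIR]: same steps as the guide, version-driven.
build_connector() {
  ver=$1
  work=${2:-$HOME/modsec-build}            # assumption: scratch directory
  mkdir -p "$work" && cd "$work"
  [ -d ModSecurity-nginx ] || git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
  wget -q "$(nginx_tarball_url "$ver")"
  tar zxf "nginx-$ver.tar.gz"
  cd "nginx-$ver"
  ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
  make modules
  sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/
  echo "ngx_http_modsecurity_module.so built for nginx $ver"
}

# The build only runs when explicitly requested:
#   MODSEC_BUILD=1 sh build-connector.sh
if [ "${MODSEC_BUILD:-0}" = "1" ]; then
  v=$(installed_nginx_version)
  [ -n "$v" ] || { echo "could not determine the installed nginx version" >&2; exit 1; }
  build_connector "$v"
  # nginx -t loads the module; a "version mismatch" error shows up here,
  # before the reload, rather than taking the server down.
  sudo nginx -t && sudo nginx -s reload
fi
```

The load_module line from the guide must already be in /etc/nginx/nginx.conf for nginx -t to exercise the new module.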
Configure, Enable, and Test ModSecurity
The final step is to enable and test ModSecurity.
- Set up the appropriate ModSecurity configuration file. Here we're using the recommended ModSecurity configuration provided by Trustwave SpiderLabs, the corporate sponsors of ModSecurity.
$ mkdir -p /etc/nginx/modsec
$ wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
$ mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
- To guarantee that ModSecurity can find the unicode.mapping file (distributed in the top-level ModSecurity directory of the GitHub repo), copy it to /etc/nginx/modsec:
$ cp ModSecurity/unicode.mapping /etc/nginx/modsec
- Change the SecRuleEngine directive in the configuration from the default "detection only" mode to actively dropping malicious traffic:
$ sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
- Configure one or more rules. For the purposes of this blog we're creating a single simple rule that drops a request in which the URL argument called testparam includes the string test in its value. Put the following text in /etc/nginx/modsec/main.conf:
# From https://github.com/SpiderLabs/ModSecurity/blob/master/
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"

# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
In a production environment, you presumably would use rules that actually protect against malicious traffic, such as the free OWASP core rule set.
- Add the modsecurity and modsecurity_rules_file directives to the NGINX configuration to enable ModSecurity:
server {
    # ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
- Issue the following curl command. The 403 status code confirms that the rule is working.
$ curl localhost?testparam=test
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.1</center>
</body>
</html>
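A single curl that returns 403 shows the rule fires, but it does not show that ordinary traffic still passes, nor where the block was recorded. The script below is an added example, not part of the original post: it checks both outcomes against a server you name in MODSEC_TEST_URL (an assumption of this script) and then counts denials per rule id in an nginx error log, which is where ModSecurity v3 writes its "Access denied" messages. The log lines embedded in sample_error_log are constructed to mirror that message shape and are not real captures.

```shell
#!/bin/sh
# Smoke-test rule 1234 and summarise what ModSecurity denied (added example).
set -e

# expect_status URL CODE: succeeds when the server answers with CODE.
expect_status() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
  [ "$code" = "$2" ]
}

# denied_rule_ids ERRORLOG: prints "<rule id> <count>" per rule, counting only
# lines where ModSecurity actually denied the request. DetectionOnly mode logs
# "ModSecurity: Warning." instead, and those lines are deliberately excluded.
denied_rule_ids() {
  grep 'ModSecurity: Access denied' "$1" \
    | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*/\1/p' \
    | sort | uniq -c | awk '{print $2, $1}'
}

# sample_error_log: writes constructed nginx error-log lines to a temp file
# and prints its path. Two denials and one warning, all from rule 1234.
sample_error_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
2020/09/10 10:00:00 [error] 1001#1001: *1 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/main.conf"] [line "8"] [id "1234"] [uri "/"], client: 127.0.0.1, server: localhost, request: "GET /?testparam=test HTTP/1.1", host: "localhost"
2020/09/10 10:00:01 [error] 1001#1001: *2 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `testing' ) [file "/etc/nginx/modsec/main.conf"] [line "8"] [id "1234"] [uri "/login"], client: 127.0.0.1, server: localhost, request: "GET /login?testparam=testing HTTP/1.1", host: "localhost"
2020/09/10 10:00:02 [error] 1001#1001: *3 [client 127.0.0.1] ModSecurity: Warning. Matched "Operator `Contains' with parameter `test' against variable `ARGS:testparam' (Value: `test' ) [file "/etc/nginx/modsec/main.conf"] [line "8"] [id "1234"] [uri "/"], client: 127.0.0.1, server: localhost, request: "GET /?testparam=test HTTP/1.1", host: "localhost"
EOF
  printf '%s\n' "$f"
}

# Live check, only when a target is given:
#   MODSEC_TEST_URL=http://localhost sh smoke-test.sh
if [ -n "${MODSEC_TEST_URL:-}" ]; then
  if expect_status "$MODSEC_TEST_URL/?testparam=hello" 200; then
    echo "benign request passed through"
  else
    echo "benign request was not answered with 200; check the rule set" >&2; exit 1
  fi
  if expect_status "$MODSEC_TEST_URL/?testparam=test" 403; then
    echo "rule 1234 blocked the request"
  else
    echo "rule 1234 did not fire; is SecRuleEngine On?" >&2; exit 1
  fi
  echo "denials per rule id in /var/log/nginx/error.log:"
  denied_rule_ids /var/log/nginx/error.log
fi
```

The benign request expects the default nginx welcome page to answer with 200; adjust the path if the server has no document at /. On the constructed log, denied_rule_ids prints "1234 2": the Warning line is a DetectionOnly match, not a block.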
Including OWASP ModSecurity Core Rule Set
- Download the OWASP Core Rule Set (CRS); find the latest version at https://github.com/coreruleset/coreruleset
wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
tar -zxvf v3.3.0.tar.gz
cd coreruleset-3.3.0/
cp crs-setup.conf.example crs-setup.conf
- Configure the ModSecurity rule file
vim /etc/nginx/modsec/main.conf
Include the rules. The paths below refer to a directory named owasp-modsecurity-crs-3.0.2; point them at wherever the coreruleset-3.3.0 directory from the previous step was placed, otherwise nginx will refuse to load the configuration.
Include /etc/nginx/modsec/modsecurity.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/*.conf
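The most common failure at this step is an Include path that does not match where the CRS archive was actually extracted, and the error only shows up when nginx reloads. The script below is an added example, not part of the original guide: check_includes reads every Include directive from a main.conf, expands globs such as rules/*.conf the way the shell does, and prints the operands that match nothing. The demo tree built by make_demo_tree is constructed here, and the MODSEC_MAIN_CONF variable is this script's own assumption.

```shell
#!/bin/sh
# Verify that every Include in a ModSecurity main.conf resolves (added example).
set -e

# check_includes MAIN_CONF: print each Include operand that matches no file.
# An unmatched glob is left literal by the shell, so it is printed as-is,
# which is exactly the stale-path case we want to catch.
check_includes() {
  sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}//p' "$1" | tr -d '"' |
  while read -r pattern; do
    hit=0
    for f in $pattern; do            # unquoted on purpose: expand the glob
      [ -e "$f" ] && hit=1
    done
    [ "$hit" -eq 1 ] || printf '%s\n' "$pattern"
  done
}

# make_demo_tree: constructed layout with a correct main.conf (good.conf) and
# one that still points at an old CRS directory (stale.conf); prints the dir.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/coreruleset-3.3.0/rules"
  : > "$d/modsecurity.conf"
  : > "$d/coreruleset-3.3.0/crs-setup.conf"
  : > "$d/coreruleset-3.3.0/rules/REQUEST-901-INITIALIZATION.conf"
  cat > "$d/good.conf" <<EOF
Include "$d/modsecurity.conf"
Include $d/coreruleset-3.3.0/crs-setup.conf
Include $d/coreruleset-3.3.0/rules/*.conf
EOF
  cat > "$d/stale.conf" <<EOF
Include $d/modsecurity.conf
Include $d/owasp-modsecurity-crs-3.0.2/crs-setup.conf
Include $d/owasp-modsecurity-crs-3.0.2/rules/*.conf
EOF
  printf '%s\n' "$d"
}

# Check the real file when asked, e.g.
#   MODSEC_MAIN_CONF=/etc/nginx/modsec/main.conf sh check-includes.sh
if [ -n "${MODSEC_MAIN_CONF:-}" ]; then
  missing=$(check_includes "$MODSEC_MAIN_CONF")
  if [ -n "$missing" ]; then
    printf 'Include paths that resolve to nothing:\n%s\n' "$missing" >&2
    exit 1
  fi
  echo "all Include paths resolve; run nginx -t next"
fi
```

Use absolute paths in main.conf, as the guide does, so that the shell and ModSecurity resolve the same files; relative paths would be checked against the current directory here. Passing this check does not replace nginx -t, which also validates the rule syntax.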