Installation and configuration of ModSecurity on CentOS 7

Install Nginx

Install the prerequisites:

sudo yum install yum-utils

To set up the yum repository, create the file named /etc/yum.repos.d/nginx.repo with the following contents:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

By default, the repository for stable nginx packages is used. If you would like to use mainline nginx packages, run the following command:

sudo yum-config-manager --enable nginx-mainline

To install nginx, run the following command:

sudo yum install nginx

When prompted to accept the GPG key, verify that the fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, and if so, accept it.

Compile ModSecurity Dynamic Module

  1. Install compile toolsets

    sudo yum groupinstall 'Development Tools' -y
    sudo yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel
    sudo yum install lmdb lmdb-devel libxml2 libxml2-devel ssdeep ssdeep-devel lua lua-devel
    
  2. Compile from source code

    sudo git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
    cd ModSecurity
    sudo git submodule init
    sudo git submodule update
    sudo ./build.sh
    sudo ./configure
    sudo make
    sudo make install
    
  3. Confirm nginx version

    nginx -v
    nginx version: nginx/1.19.2
    
  4. Compile nginx connector from source code

    sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
    # the nginx sources must match the installed version reported by nginx -v
    sudo wget http://nginx.org/download/nginx-1.19.2.tar.gz
    sudo tar zxvf nginx-1.19.2.tar.gz
    cd nginx-1.19.2
    sudo ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
    sudo make modules
    
  5. Install and enable the module

    sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
    sudo mkdir /etc/nginx/modsec
    sudo cp ~/ModSecurity/unicode.mapping /etc/nginx/modsec/
    

    Then add load_module instruction to /etc/nginx/nginx.conf in the main (top-level) context:

    load_module modules/ngx_http_modsecurity_module.so;
    
  6. Reload nginx

    nginx -s reload
    

Configure, Enable, and Test ModSecurity

The final step is to enable and test ModSecurity.

  1. Set up the appropriate ModSecurity configuration file. Here we’re using the recommended ModSecurity configuration provided by Trustwave SpiderLabs, the corporate sponsors of ModSecurity.

    $ mkdir -p /etc/nginx/modsec
    $ wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
    $ mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
    
  2. To guarantee that ModSecurity can find the unicode.mapping file (distributed in the top‑level ModSecurity directory of the GitHub repo), copy it to /etc/nginx/modsec.

    $ cp ModSecurity/unicode.mapping /etc/nginx/modsec
    
  3. Change the SecRuleEngine directive in the configuration from the default “detection only” mode to actively dropping malicious traffic.

    $ sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
    
  4. Configure one or more rules. For the purposes of this blog we’re creating a single simple rule that drops a request in which the URL argument called testparam includes the string test in its value. Put the following text in /etc/nginx/modsec/main.conf:

    # From https://github.com/SpiderLabs/ModSecurity/blob/master/
    # modsecurity.conf-recommended
    #
    # Edit to set SecRuleEngine On
    Include "/etc/nginx/modsec/modsecurity.conf"
    
    # Basic test rule
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
    

    In a production environment, you presumably would use rules that actually protect against malicious traffic, such as the free OWASP core rule set.

  5. Add the modsecurity and modsecurity_rules_file directives to the NGINX configuration to enable ModSecurity:

    server {
        # ...
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;
    }
    
  6. Issue the following curl command. The 403 status code confirms that the rule is working.

    $ curl localhost?testparam=test
    <html>
    <head><title>403 Forbidden</title></head>
    <body bgcolor="white">
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx/1.13.1</center>
    </body>
    </html>
    

Including OWASP ModSecurity Core Rule Set

  1. Download the Core Rule Set (CRS); find the latest version at https://github.com/coreruleset/coreruleset

    wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
    tar -zxvf v3.3.0.tar.gz
    cd coreruleset-3.3.0/
    cp crs-setup.conf.example crs-setup.conf
    
  2. Configure the ModSecurity rule file

    vim /etc/nginx/modsec/main.conf
    

    Include the rules, pointing the CRS paths at the directory where you unpacked the Core Rule Set in step 1:

    Include /etc/nginx/modsec/modsecurity.conf
    Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf
    Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/*.conf
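
    Before reloading nginx it is worth confirming that every Include in main.conf actually resolves: a CRS path that does not match where the archive was unpacked (step 1 above unpacks coreruleset-3.3.0 while the Includes name owasp-modsecurity-crs-3.0.2) loads no rules at all. The following Python script is an added example, not part of the original post or of ModSecurity itself: it walks the Include chain, expands globs such as rules/*.conf, reports arguments that match no file and returns the effective SecRuleEngine value, run here against a constructed temporary copy of the layout. Only absolute Include paths, as used above, are handled.

```python
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?', re.IGNORECASE)
ENGINE_RE = re.compile(r'^\s*SecRuleEngine\s+(\w+)', re.IGNORECASE)


def check_config(conf_path):
    """Return (loaded_files, missing_includes, rule_engine) for a ModSecurity config."""
    loaded, missing, engine = [], [], None

    def walk(path):
        nonlocal engine
        path = os.path.abspath(path)
        if path in loaded:                     # guard against Include cycles
            return
        loaded.append(path)
        with open(path) as fh:
            for line in fh:
                inc, eng = INCLUDE_RE.match(line), ENGINE_RE.match(line)
                if inc:
                    matches = sorted(glob.glob(inc.group(1)))
                    if not matches:                # e.g. a stale CRS path: no rules load
                        missing.append(inc.group(1))
                    for hit in filter(os.path.isfile, matches):
                        walk(hit)
                elif eng:
                    engine = eng.group(1)          # a later directive overrides an earlier one
    walk(conf_path)
    return loaded, missing, engine


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed modsec tree reproducing the CRS path mismatch (sample data, not a real host)."""
    root = tempfile.mkdtemp()
    modsec = os.path.join(root, "modsec")
    _write(os.path.join(modsec, "modsecurity.conf"), "SecRuleEngine On\n")
    _write(os.path.join(root, "coreruleset-3.3.0", "rules", "test.conf"),
           'SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"\n')
    _write(os.path.join(modsec, "main.conf"),
           f'Include "{modsec}/modsecurity.conf"\n'
           f"Include {root}/coreruleset-3.3.0/rules/*.conf\n"  # where step 1 unpacked CRS
           f"Include {root}/owasp-modsecurity-crs-3.0.2/rules/*.conf\n")  # path from the post
    return check_config(os.path.join(modsec, "main.conf"))
```

Running check_config against the real /etc/nginx/modsec/main.conf before `nginx -s reload` turns a silent "no rules loaded" into an explicit list of unmatched Includes.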
    