Install ModSecurity with Nginx on Debian/Ubuntu
What is ModSecurity?
ModSecurity is the most well-known open-source web application firewall (WAF). It was originally built for the Apache web server and provides comprehensive protection for your web applications (like WordPress, Joomla, OpenCart, etc.) against a wide range of Layer 7 (HTTP) attacks. ModSecurity can work as a web server module and can filter out attacks like SQL injection, cross-site scripting, local file inclusion, etc.
cPGuard WAF
cPGuard WAF is a ModSecurity rule set that can block most of the generic web attacks against your web applications. It is powered by Malware.Expert Commercial ModSecurity rules for web hosting servers. It is a proprietary set of rules written in-house that provides protection against targeted and automated attacks and has explicit rules to protect CMSs like WordPress, Joomla, etc.
Install ModSecurity with Nginx on Debian/Ubuntu
You need to install ModSecurity 3.0 (libmodsecurity) to enable ModSecurity module support in your Nginx web server. The ModSecurity 3 project is still under rapid development and lacks some features that are available in the 2.9.x versions, but ModSecurity 3 is improving and gains more features with each release.
Step 1. Install Nginx
If you do not have Nginx Web Server installed on your server already, install Nginx using the following command. If you have Nginx installed already, you can ignore this step.
    sudo apt install nginx
Step 2. Download and Compile ModSecurity
If your server policy allows adding third-party repositories, you may use the DigitalWave packages and avoid compiling ModSecurity into Nginx. This is safe and recommended by OWASP. If you prefer to use the DigitalWave repo, install the packages from it and start configuring Nginx from “Step 5. Install Nginx configuration”; you can skip Steps 2, 3, and 4.
Install build dependencies using the following command
    apt-get install libtool autoconf build-essential libpcre3-dev zlib1g-dev libssl-dev libxml2-dev libgeoip-dev liblmdb-dev libyajl-dev libcurl4-openssl-dev libpcre++-dev pkgconf libxslt1-dev libgd-dev automake
Now you need to download ModSecurity
    cd /usr/local/src
    git clone --depth 100 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
    cd ModSecurity
    git submodule init
    git submodule update
Now compile ModSecurity and install it on your server
    # Generate the configure file
    sh build.sh
    # Pre-compilation step: checks for dependencies
    ./configure
    # Compile the source code
    make
    # Install libmodsecurity to /usr/local/modsecurity/lib/libmodsecurity.so
    make install
Step 3. Download and Compile ModSecurity v3 Nginx Connector Source Code
Run “nginx -V” and note your Nginx server version. Now you need to download the matching Nginx source code and the Nginx connector source code onto your server, then use the source code to generate the Libmodsecurity module for your Nginx server. Run the following commands one by one, in order.
    mkdir /usr/local/src/cpg
    cd /usr/local/src/cpg
    # Make sure to change the version number to match your local Nginx server version
    wget http://nginx.org/download/nginx-1.21.4.tar.gz
    # Extract the downloaded source code; make sure to use the correct Nginx version number that you have downloaded
    tar -xvzf nginx-1.21.4.tar.gz
    # Download the source code for the ModSecurity-nginx connector
    git clone https://github.com/SpiderLabs/ModSecurity-nginx
Compile Nginx
Next we need to compile Nginx with the ModSecurity module. We will not compile or install Nginx itself, only the Nginx module. For this, make sure that your Nginx package is compiled with the “--with-compat” flag. The --with-compat flag makes the module binary-compatible with your existing Nginx binary. You can use the following command to compile Nginx + ModSecurity compatible with your existing modules:
    # Compile Nginx; make sure to use the correct Nginx version number that you have downloaded
    cd nginx-1.21.4
    ./configure --with-compat --with-openssl=/usr/include/openssl/ --add-dynamic-module=/usr/local/src/cpg/ModSecurity-nginx
If your Nginx package was not compiled with the “--with-compat” flag, you can check its existing compile flags and use them to build the module. Given below is an example command that you can use for CloudPanel.
    # Compile Nginx; make sure to use the correct Nginx version number that you have downloaded
    cd nginx-1.21.4
    ./configure \
      --with-cc-opt='-g -O2 -fdebug-prefix-map=/home/clp/packaging/nginx/tmp/nginx-1.21.4=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \
      --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' \
      --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf \
      --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log \
      --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid \
      --modules-path=/usr/lib/nginx/modules \
      --http-client-body-temp-path=/var/lib/nginx/body \
      --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
      --http-proxy-temp-path=/var/lib/nginx/proxy \
      --http-scgi-temp-path=/var/lib/nginx/scgi \
      --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
      --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module \
      --with-http_realip_module --with-http_auth_request_module --with-http_v2_module \
      --with-http_dav_module --with-http_slice_module --with-threads \
      --with-http_addition_module --with-http_geoip_module=dynamic \
      --with-http_gunzip_module --with-http_gzip_static_module \
      --with-http_image_filter_module=dynamic --with-http_sub_module \
      --with-stream_ssl_module --with-stream_ssl_preread_module \
      --with-mail=dynamic --with-mail_ssl_module \
      --add-dynamic-module=/usr/local/src/cpg/ModSecurity-nginx
Now we need to build the module and copy it to the Nginx module directory
    # Generate the module
    make modules
    # Copy the module to the Nginx module directory
    cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
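The version and --with-compat checks from Step 3 as a script, added here as an example and not part of the original guide: it reads “nginx -V” output, names the matching source tarball, and prints the ./configure line to use. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are illustrative.
# Real use: info=$(nginx -V 2>&1)   (nginx writes its build info to stderr)

# Version number from the "nginx version: nginx/X.Y.Z" line.
nginx_version() {
    printf '%s\n' "$1" |
        sed -n 's|^nginx version: [^/]*/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Name of the source tarball that matches the installed binary.
source_tarball() {
    v=$(nginx_version "$1")
    [ -n "$v" ] || return 1
    printf 'nginx-%s.tar.gz\n' "$v"
}

# Succeeds if the installed binary was configured with --with-compat.
has_with_compat() {
    printf '%s\n' "$1" | grep -q -- '--with-compat'
}

# Print (do not run) the ./configure line for the connector in directory $2.
# Printing keeps quoted options such as --with-cc-opt='...' intact for pasting.
configure_command() {
    if has_with_compat "$1"; then
        printf './configure --with-compat --add-dynamic-module=%s\n' "$2"
    else
        args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: //p')
        printf './configure %s --add-dynamic-module=%s\n' "$args" "$2"
    fi
}

# Constructed samples of `nginx -V` output, not captured from a real server.
SAMPLE_COMPAT='nginx version: nginx/1.21.4
built with OpenSSL 1.1.1f  31 Mar 2020
configure arguments: --with-compat --with-http_ssl_module --with-threads'
SAMPLE_NO_COMPAT='nginx version: nginx/1.18.0 (Ubuntu)
configure arguments: --with-http_ssl_module --with-pcre-jit'

source_tarball "$SAMPLE_COMPAT"
configure_command "$SAMPLE_NO_COMPAT" /usr/local/src/cpg/ModSecurity-nginx
```

A module built against a different Nginx version or flag set than the running binary is rejected at load time, so run this against the live binary before downloading the source.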
Step 4. Load ModSecurity Module into Nginx
Open file /etc/nginx/modules-enabled/50-mod-http-modsecurity.conf and add the following contents to it.
    load_module modules/ngx_http_modsecurity_module.so;
Step 5. Install Nginx configuration
1. Open /etc/nginx/nginx.conf and add the following line after the line that includes “/etc/nginx/sites-enabled/*.conf”
    include /etc/nginx/cpguard_waf_load.conf;
2. Add the following contents to /etc/nginx/cpguard_waf_load.conf
    modsecurity on;
    modsecurity_rules_file /etc/nginx/nginx-modsecurity.conf;
3. Add the following contents to /etc/nginx/nginx-modsecurity.conf
    SecRuleEngine On
    SecRequestBodyAccess On
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRequestBodyLimitAction ProcessPartial
    SecResponseBodyLimitAction ProcessPartial
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072

    SecPcreMatchLimit 250000
    SecPcreMatchLimitRecursion 250000

    SecCollectionTimeout 600

    SecDebugLog /var/log/nginx/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/nginx/modsec_audit.log
    SecUploadDir /tmp
    SecTmpDir /tmp
    SecDataDir /tmp
    SecTmpSaveUploadedFiles on

    # Include file for cPGuard WAF
    Include /etc/nginx/cpguard_waf.conf
Step 6. Configure cPGuard WAF Parameters
Once the above steps are completed successfully, you can use the following parameter values in the cPGuard Standalone configuration file
    waf_server = nginx
    waf_server_conf = /etc/nginx/cpguard_waf.conf
    waf_server_restart_cmd = /usr/sbin/service nginx restart
    waf_audit_log = /var/log/nginx/modsec_audit.log
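A consistency check for the files written in Steps 5 and 6, added here as an example and not part of cPGuard or the original guide: it confirms that the rule engine is set to On, that waf_audit_log matches SecAuditLog, and that the file named in waf_server_conf is the one the ModSecurity configuration includes. The function names are illustrative, and the path of the cPGuard configuration file is an argument because the page does not give it.

```shell
#!/bin/sh
# Added example, not cPGuard code. Function names are illustrative.
# Usage: check_waf_config /etc/nginx/nginx-modsecurity.conf <cPGuard config file>

# Value of a ModSecurity directive; the last uncommented occurrence wins.
modsec_get() {   # $1 = rules file, $2 = directive name
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

# Value of a "key = value" line in the cPGuard configuration file.
cpguard_get() {  # $1 = cPGuard config file, $2 = key
    awk -v k="$2" '{
        i = index($0, "="); if (!i) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == k) v = val
    } END { if (v != "") print v }' "$1"
}

# Print one finding per line; print nothing when the two files agree.
check_waf_config() {  # $1 = nginx-modsecurity.conf, $2 = cPGuard config file
    engine=$(modsec_get "$1" SecRuleEngine | tr 'A-Z' 'a-z')
    [ "$engine" = "on" ] ||
        echo "SecRuleEngine is '${engine:-unset}': requests are not blocked"
    audit=$(modsec_get "$1" SecAuditLog)
    [ -n "$audit" ] && [ "$audit" = "$(cpguard_get "$2" waf_audit_log)" ] ||
        echo "waf_audit_log differs from SecAuditLog '${audit:-unset}'"
    rules=$(cpguard_get "$2" waf_server_conf)
    awk -v f="$rules" '$1 == "Include" && $2 == f { ok = 1 } END { exit !ok }' "$1" ||
        echo "waf_server_conf '${rules:-unset}' is not included by $1"
    return 0
}

# Constructed sample files holding the values used on this page.
write_samples() {  # $1 = existing directory; cpguard.conf is a made-up file name
    printf '%s\n' 'SecRuleEngine On' 'SecAuditEngine RelevantOnly' \
        'SecAuditLog /var/log/nginx/modsec_audit.log' \
        'Include /etc/nginx/cpguard_waf.conf' > "$1/nginx-modsecurity.conf"
    printf '%s\n' 'waf_server = nginx' \
        'waf_server_conf = /etc/nginx/cpguard_waf.conf' \
        'waf_audit_log = /var/log/nginx/modsec_audit.log' > "$1/cpguard.conf"
}
```

Run “nginx -t” as well before restarting, since this script only compares values and does not validate Nginx syntax.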
That’s it
ModSecurity should now be enabled, and once cPGuard WAF is enabled, your server is protected against web attacks.