How to configure NGINX for ModSecurity support on Ubuntu Server 20.04


Jack Wallen will walk you through the manual process of installing ModSecurity for NGINX on Ubuntu Server 20.04.


ModSecurity is the most widely used and respected web application firewall for open source web servers. It can be used with both Apache and NGINX to provide protection from various HTTP attacks (such as SQL injection and cross-site scripting) against web-based applications such as WordPress and Nextcloud. In other words, this module should be considered a must-have.

ModSecurity cannot be enabled with an instance of NGINX installed with apt-get, so you have to do it manually. I want to walk you through the process of adding this security feature to your NGINX web servers.


    What you need

    • A running instance of Ubuntu Server
    • User with sudo privileges

    How to install the required dependencies

    The first thing to do is to install the necessary dependencies. This can be done with a single command:

    sudo apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf zlib1g-dev -y

    If you already have NGINX installed (from normal sources) remove it with the command:

    sudo apt-get purge nginx -y

    Remove any remaining dependencies with the command:

    sudo apt-get autoremove -y

    When that is done, we can move on to ModSecurity.

    How to add ModSecurity

    We need to manually compile ModSecurity. First, switch into the src directory with the command:

    cd /usr/src

    Next, clone the latest version of ModSecurity with the command:

    git clone -b nginx_refactoring https://github.com/SpiderLabs/ModSecurity.git

    Switch into the newly created directory with the command:

    cd ModSecurity

    Configure ModSecurity using the autogen script thus:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc

    Make and install ModSecurity with the commands:

    make
    sudo make install

    How to compile NGINX

    Unfortunately, the NGINX package from the default repositories cannot be used, because NGINX has to be compiled with ModSecurity support. Switch back to the src directory with the command:

    cd /usr/src

    Download the latest release of NGINX; currently it's 1.18.0, but be sure to check for the latest version and change the command accordingly. The command to download the source is:

    wget http://nginx.org/download/nginx-1.18.0.tar.gz

    Extract the compressed file with the command:

    tar xvzf nginx-1.18.0.tar.gz

    Switch into the newly created directory with the command:

    cd nginx-1.18.0

    Configure NGINX with ModSecurity support with the command:

    ./configure --user=www-data --group=www-data --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module

    Finally, make and install NGINX with the commands:

    make
    sudo make install

    How to set up NGINX

    We now need to modify the default NGINX configuration file so that it knows which user to run as. Do that with the command:

    sudo sed -i "s/#user nobody;/user www-data www-data;/" /usr/local/nginx/conf/nginx.conf

    Next, we need to configure NGINX so that it knows how to use ModSecurity. Open the NGINX configuration file with the command:

    sudo nano /usr/local/nginx/conf/nginx.conf

    In that file, replace the following section:

    location / {
        root   html;
        index  index.html index.htm;
    }

    With:

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsec_includes.conf;
        root   html;
        index  index.html index.htm;
    }

    Enable the OWASP core rules by creating a rules file with the command:

    sudo nano /usr/local/nginx/conf/modsec_includes.conf

    In that file, enter the following:

    include modsecurity.conf
    include owasp-modsecurity-crs/crs-setup.conf
    include owasp-modsecurity-crs/rules/*.conf

    Save and close the file.


    Copy the required ModSecurity configuration files into place with the following two commands:

    sudo cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
    sudo cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/

    Enable the SecRuleEngine option in the modsecurity.conf file by issuing the following command:

    sudo sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf

    Now we can add the OWASP ModSecurity Core Rule Set by executing the following seven commands:

    cd /usr/local/nginx/conf
    sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
    cd owasp-modsecurity-crs
    sudo mv crs-setup.conf.example crs-setup.conf
    cd rules
    sudo mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    sudo mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
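
    Several of the steps above fail quietly (a rules file left as *.example, or the engine left in DetectionOnly), so the following check audits the result before NGINX is started. It is an added example, not part of the original article; the function name audit_modsec_conf and its messages are assumptions, while the paths and file names are the ones used above.

```bash
#!/usr/bin/env bash
# Added example, not from the article: audit_modsec_conf and its messages are
# illustrative names. Paths and file names are the ones used in the steps above.

audit_modsec_conf() {
    local conf_dir="${1:-/usr/local/nginx/conf}" problems=0 path keyword pattern

    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Files copied or created by hand earlier in this section.
    for path in modsecurity.conf unicode.mapping modsec_includes.conf; do
        [ -f "$conf_dir/$path" ] || fail "missing $path"
    done

    # The engine must be blocking, not left at the DetectionOnly default.
    if [ -f "$conf_dir/modsecurity.conf" ]; then
        grep -Eq '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' \
            "$conf_dir/modsecurity.conf" || fail "SecRuleEngine is not On"
    fi

    # Each include must resolve to a real file: rules/*.conf does not match
    # files still named *.conf.example.
    if [ -f "$conf_dir/modsec_includes.conf" ]; then
        while read -r keyword pattern || [ -n "$keyword" ]; do
            [ "$keyword" = "include" ] || continue
            set -- "$conf_dir"/$pattern   # unquoted so the glob expands
            [ -e "$1" ] || fail "include matches nothing: $pattern"
        done < "$conf_dir/modsec_includes.conf"
    fi

    # The three CRS files that the mv commands rename from *.example.
    for path in crs-setup.conf \
        rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
        rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf; do
        [ -f "$conf_dir/owasp-modsecurity-crs/$path" ] || fail "not renamed: $path"
    done

    [ "$problems" -eq 0 ] && echo "OK: $conf_dir"
    return "$problems"
}
```

    Source the file and call audit_modsec_conf with no argument to check /usr/local/nginx/conf; the exit status is the number of problems found.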

    How to create a systemd startup file for NGINX

    In order to control NGINX, we need to create a systemd startup file. Create the file with the command:

    sudo nano /lib/systemd/system/nginx.service

    In the file, include the following:

    [Service]
    Type=forking
    ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
    ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
    ExecReload=/usr/local/nginx/sbin/nginx -s reload
    ExecStop=/usr/local/nginx/sbin/nginx -s stop
    KillMode=process
    Restart=on-failure
    RestartSec=42s
    PrivateTmp=true
    LimitNOFILE=200000

    [Install]
    WantedBy=multi-user.target

    Save and close the file.

    Start NGINX with the command:

    sudo systemctl start nginx

    Enable the web server to start at boot with the command:

    sudo systemctl enable nginx

    How to Test ModSecurity

    We can finally test our ModSecurity setup. To do this, we are going to use tail to follow the NGINX error log with the command:

    sudo tail -f /usr/local/nginx/logs/error.log

    With that running, open a web browser and point it to: http://SERVER/?param=">

    Where SERVER is the IP address or domain of your NGINX server. Back in the tail command you should see a number of access denied errors (Figure A).

    Figure A.


    The NGINX log file shows us that ModSecurity works.
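
    Once the server has run for a while, the same error log can be summarised instead of watched live. The following is an added example, not part of the original article: it counts denied requests per client and rule id. The function names, the sample log lines (constructed and abridged) and the assumed ModSecurity 2.x message layout are all assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the article. The log lines are constructed and
# abridged, and their layout (ModSecurity 2.x messages in the NGINX error log)
# is an assumption; adjust the patterns to what your own log shows.

sample_log() {
    cat <<'EOF'
2021/12/23 19:36:40 [notice] 1201#0: signal process started
2021/12/23 19:36:44 [error] 1201#0: [client 192.0.2.10] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [uri "/"]
2021/12/23 19:36:44 [error] 1201#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/"]
2021/12/23 19:37:02 [error] 1201#0: [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/"]
2021/12/23 19:37:15 [error] 1201#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/"]
EOF
}

# Reads log files given as arguments (or stdin) and prints
# "count client rule_id" for every denied request, busiest first.
summarise_denials() {
    awk '
        /ModSecurity: Access denied/ {
            client = "-"; id = "-"
            if (match($0, /\[client [0-9a-fA-F.:]+\]/))
                client = substr($0, RSTART + 8, RLENGTH - 9)
            if (match($0, /\[id "[0-9]+"\]/))
                id = substr($0, RSTART + 5, RLENGTH - 7)
            hits[client " " id]++
        }
        END { for (key in hits) print hits[key], key }
    ' "$@" | sort -k1,1nr -k2
}

# Demonstration on the constructed sample.
sample_log | summarise_denials
```

    On the server built above, pass /usr/local/nginx/logs/error.log as the argument to summarise_denials. Warning lines are skipped on purpose, so only requests that were actually blocked are counted.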

    Congratulations, your ModSecurity is now running with the latest version of NGINX on Ubuntu Server 20.04.
