Nginx with libmodsecurity (ModSecurity 3.x) and OWASP ModSecurity Core Rule Set (CRS) on Ubuntu 16.04

Post by dedwards » Fri Apr 21, 2017 9:52 am

This guide assumes you already have a brand new, fully updated instance of Ubuntu 16.04 64-bit. We are going to install and compile the latest version of Nginx with libmodsecurity, a.k.a. ModSecurity 3.x, which is NOT to be confused with ModSecurity 2.x. Additionally, we are going to integrate the OWASP ModSecurity Core Rule Set (CRS).

Install pre-requisites:

apt-get install \
  apache2-dev \
  autoconf \
  automake \
  build-essential \
  bzip2 \
  checkinstall \
  devscripts \
  flex \
  g++ \
  gcc \
  git \
  graphicsmagick-imagemagick-compat \
  graphicsmagick-libmagick-dev-compat \
  libaio-dev \
  libaio1 \
  libass-dev \
  libatomic-ops-dev \
  libavcodec-dev \
  libavdevice-dev \
  libavfilter-dev \
  libavformat-dev \
  libavutil-dev \
  libbz2-dev \
  libcdio-cdda1 \
  libcdio-paranoia1 \
  libcdio13 \
  libcurl4-openssl-dev \
  libfaac-dev \
  libfreetype6-dev \
  libgd-dev \
  libgeoip-dev \
  libgeoip1 \
  libgif-dev \
  libgpac-dev \
  libgsm1-dev \
  libjack-jackd2-dev \
  libjpeg-dev \
  libjpeg-progs \
  libjpeg8-dev \
  liblmdb-dev \
  libmp3lame-dev \
  libncurses5-dev \
  libopencore-amrnb-dev \
  libopencore-amrwb-dev \
  libpam0g-dev \
  libpcre3 \
  libpcre3-dev \
  libperl-dev \
  libpng12-dev \
  libpng12-0 \
  libreadline-dev \
  librtmp-dev \
  libsdl1.2-dev \
  libssl-dev \
  libssl1.0.0 \
  libswscale-dev \
  libtheora-dev \
  libtiff5-dev \
  libtool \
  libva-dev \
  libvdpau-dev \
  libvorbis-dev \
  libxml2-dev \
  libxslt-dev \
  libxslt1-dev \
  libxslt1.1 \
  libxvidcore-dev \
  libxvidcore4 \
  libyajl-dev \
  make \
  openssl \
  perl \
  pkg-config \
  tar \
  texi2html \
  unzip \
  zip \
  zlib1g-dev
Git clone ModSecurity, check out the v3/master branch and build libmodsecurity

cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make
make install
Git clone the Modsecurity-nginx connector

cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
You should now have the following directory which contains the Modsecurity-nginx connector

/opt/ModSecurity-nginx
Download latest Nginx stable source

Go to http://nginx.org/en/download.html and get the link to the latest stable version of Nginx. As of this writing, the latest stable version was nginx-1.12.0.tar.gz. Adjust the instructions below for your specific version. Download and extract it:

cd /opt
wget http://nginx.org/download/nginx-1.12.0.tar.gz
tar -zxf nginx-1.12.0.tar.gz
cd nginx-1.12.0
Configure Nginx with the Modsecurity-nginx connector and install

./configure --user=www-data --group=www-data --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx
make
make install
The ModSecurity source code that we downloaded earlier includes a sample modsecurity.conf file with some recommended settings. Copy this file to the folder with the Nginx configuration files:

cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
Create a symlink from /usr/local/nginx/sbin/nginx to /bin/nginx

ln -s /usr/local/nginx/sbin/nginx /bin/nginx
Create the following directories:

mkdir /usr/local/nginx/conf/sites-available
mkdir /usr/local/nginx/conf/sites-enabled
mkdir /usr/local/nginx/conf/ssl
mkdir /etc/nginx
Create a symlink from /usr/local/nginx/conf/ssl to /etc/nginx/ssl

ln -s /usr/local/nginx/conf/ssl /etc/nginx/ssl
Make a backup copy of the conf/nginx.conf file

cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.bak
Configure the /usr/local/nginx/conf/nginx.conf file

vi /usr/local/nginx/conf/nginx.conf
Locate and remove all the entries starting with "server {" and ending with the second to the last closing curly brace "}". In other words, leave the last curly brace intact.

Right above the last curly brace, insert the following. This will instruct Nginx to look for our site configs in the "/usr/local/nginx/conf/sites-enabled" directory

include /usr/local/nginx/conf/sites-enabled/*;
So the end of the file should look like below:

include /usr/local/nginx/conf/sites-enabled/*;
}
Enable the "user" directive by removing the "#" prefix if disabled and ensure it's set to user "www-data" instead of the default "nobody" so it looks like below:

user  www-data;
Save the file

Download Jason Giedymin's Nginx init script for managing the nginx service and register it as a service:

wget https://raw.github.com/JasonGiedymin/nginx-init-ubuntu/master/nginx -O /etc/init.d/nginx
chmod +x /etc/init.d/nginx
update-rc.d nginx defaults
This script provides the following options for managing the Nginx service:

# service nginx start|stop|restart|force-reload|reload|
  status|configtest|quietupgrade|terminate|destroy
Git clone and copy the current version of the OWASP ruleset and config to Nginx

cd /opt/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp -R rules/ /usr/local/nginx/conf/
cp /opt/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf
Configure Nginx with the OWASP ModSecurity Core Rule Set

Edit /usr/local/nginx/conf/modsecurity.conf

vi /usr/local/nginx/conf/modsecurity.conf
At the end of the file, paste the following:

#Load OWASP Config
Include crs-setup.conf

#Load all other Rules
Include rules/*.conf

#Disable rule by ID from error message
#SecRuleRemoveById 920350
In your Nginx configuration (nginx.conf or your individual server conf files), enter the following in either the server or location blocks. The example below shows a combination of adding the entries in both the server and the location blocks:

server {
        .....
        modsecurity on;

        location / {
                modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
                .....
        }
}
Test your Nginx config

service nginx configtest
If there are no errors, reload or restart Nginx:

service nginx reload
You can now watch /var/log/modsec_audit.log for ModSecurity events:

tail -f /var/log/modsec_audit.log
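While the engine is still in DetectionOnly, it helps to summarise which CRS rules are firing, per transaction and per rule id, so you can decide which ids are genuine false positives worth a SecRuleRemoveById exclusion before switching SecRuleEngine to On. This is an added example, not part of the original post: it assumes the libmodsecurity serial audit-log layout (`---<id>---A--` through `---<id>---Z--` sections, with ModSecurity's `[key "value"]` pairs in section H) and runs on a constructed excerpt embedded in the script.

```python
import re
from collections import Counter

# Constructed excerpt of a libmodsecurity serial audit log, in the shape of the
# /var/log/modsec_audit.log this guide tails (section layout is assumed; the
# transaction ids, addresses and timestamps are made up).
SAMPLE_AUDIT_LOG = """\
---Abcdef12---A--
[21/Apr/2017:10:01:02 +0000] Abcdef12 203.0.113.5 51234 192.0.2.10 80
---Abcdef12---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/nginx/conf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter ..." [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
---Abcdef12---Z--
---Ghijkl34---A--
[21/Apr/2017:10:03:17 +0000] Ghijkl34 203.0.113.7 51300 192.0.2.10 80
---Ghijkl34---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter ..." [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
---Ghijkl34---Z--
"""

_SECTION = re.compile(r"^---(?P<tid>[A-Za-z0-9]+)---(?P<part>[A-Z])--$")
_KV = re.compile(r'\[([a-z]+) "([^"]*)"\]')  # ModSecurity's [key "value"] pairs


def parse_audit_log(text):
    """One dict per transaction: id, client address (section A), rule hits (section H)."""
    transactions, current, part = [], None, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            part = m.group("part")
            if part == "A":  # a new transaction starts with its A section
                current = {"tid": m.group("tid"), "client": None, "hits": []}
                transactions.append(current)
            continue
        if current is None:
            continue
        if part == "A" and "] " in line:  # "[timestamp] tid src_ip src_port dst_ip dst_port"
            fields = line.split("] ", 1)[1].split()
            if len(fields) >= 2:
                current["client"] = fields[1]
        elif part == "H" and line.startswith("ModSecurity:"):
            kv = dict(_KV.findall(line))
            if "id" in kv:
                current["hits"].append({"id": kv["id"], "msg": kv.get("msg", ""),
                                        "severity": kv.get("severity", "")})
    return transactions


def rule_hit_counts(transactions):
    """Hits per rule id, most frequent first: the ids to review before SecRuleEngine On."""
    return Counter(h["id"] for t in transactions for h in t["hits"]).most_common()
```

Run `rule_hit_counts(parse_audit_log(open("/var/log/modsec_audit.log").read()))` against the real log; a rule that fires on most ordinary traffic is a tuning candidate, while a low-volume hit from a single client like the 942100 entry above is the kind of event the WAF is there to catch.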
If you are satisfied, edit the /usr/local/nginx/conf/modsecurity.conf file and change "SecRuleEngine" from "DetectionOnly" to "On", like below:

SecRuleEngine On