How to Install Nginx with ModSecurity v2.9 from source

Introduction

ModSecurity is an open-source Web Application Firewall (WAF) for the Apache, Nginx and IIS web servers. This application-layer firewall is developed by Trustwave's SpiderLabs and released under the Apache License 2.0. ModSecurity protects websites from attackers by applying a set of regular-expression rules that filter out commonly known exploits; it also provides HTTP traffic monitoring, logging, real-time analysis and attack detection.

If you are hosting your web applications on Nginx and are concerned about security, then one of the first things you will want to implement is a Web Application Firewall (WAF).

In this tutorial, I will show you how to install ModSecurity for the fast Nginx web server. I will build ModSecurity as a standalone module and then build Nginx from source so that it includes the ModSecurity module.

Update System and Repository

Redhat based servers:

# yum update
# yum upgrade

Debian/ubuntu based servers:

# apt-get update
# apt-get upgrade

Install the build dependencies

Redhat based servers:

# yum install gcc make automake autoconf libtool pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel

Debian/ubuntu based servers:

# apt-get install git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-prefork-dev libxml2-dev libcurl4-openssl-dev

Download Nginx and ModSecurity

Download the latest version of Nginx; check the download page first to see which version is current: http://nginx.org/en/download.html

At the time of writing, http://nginx.org/download/nginx-1.10.1.tar.gz is the latest version for Linux.

# cd /usr/src/
# wget http://nginx.org/download/nginx-1.10.1.tar.gz
# tar xvf nginx-1.10.1.tar.gz

Download the latest version of ModSecurity; check the download page first to see which version is current: https://www.modsecurity.org/download.html

At the time of writing, https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz is the latest version.

# wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
# tar xvf modsecurity-2.9.1.tar.gz

Install Nginx and ModSecurity

Now it's time to build ModSecurity. The tarball extracts into /usr/src/modsecurity-2.9.1, so go to that directory (the same path is used for the configuration files later on):

# cd /usr/src/modsecurity-2.9.1/
# ./autogen.sh
# ./configure --enable-standalone-module --disable-mlogc
# make

Next, build and install Nginx with the ModSecurity module:

Debian/ubuntu based servers:

# cd /usr/src/nginx-1.10.1
# ./configure \
  --user=www-data \
  --group=www-data \
  --with-http_ssl_module \
  --add-module=/usr/src/modsecurity-2.9.1/nginx/modsecurity
# make
# make install

Redhat based servers:

# cd /usr/src/nginx-1.10.1
# ./configure --add-module=/usr/src/modsecurity-2.9.1/nginx/modsecurity
# make
# make install

Configure Nginx

Debian/ubuntu based servers:

Edit the Nginx configuration file with an editor and configure Nginx to run under the user "www-data".

# nano -w /usr/local/nginx/conf/nginx.conf

On the first line, uncomment the "user" line and change the user to www-data:

user www-data;

Next we will create a systemd unit file for Nginx that is used to start and stop the Nginx daemon. Go to the directory "/lib/systemd/system/" and create a new file "nginx.service" with nano:

# cd /lib/systemd/system/
# nano -w nginx.service

[Unit]
Description=nginx with ModSecurity
After=network.target

[Service]
Type=forking
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop

KillMode=process
Restart=on-failure
RestartSec=42s

PrivateTmp=true
LimitNOFILE=200000

[Install]
WantedBy=multi-user.target

Save and exit!

Now reload the systemd daemon so that systemd picks up our new Nginx service file.

# systemctl daemon-reload

Both Redhat / Debian:

Create a symlink for the nginx binary so we can use the command "nginx" directly:

# ln -s /usr/local/nginx/sbin/nginx /bin/nginx

Test the Nginx configuration and start Nginx with the systemctl command:

# nginx -t
# systemctl start nginx

Configure ModSecurity with Nginx

# cp /usr/src/modsecurity-2.9.1/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
# cp /usr/src/modsecurity-2.9.1/unicode.mapping /usr/local/nginx/conf/

Open the /usr/local/nginx/conf/nginx.conf file and add the following two directives inside the "location /" block (the ModSecurityConfig path is relative to the Nginx conf directory):

location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
}

Open the /usr/local/nginx/conf/modsecurity.conf file with an editor and make sure it contains the following directives:

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine On


# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Store up to 128 KB of request body data in memory. When the multipart
# parser reaches this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072

# What to do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction ProcessPartial

SecDefaultAction "phase:1,deny,log,status:406"
SecDefaultAction "phase:2,deny,log,status:406"
SecRemoteRulesFailAction Warn

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
SecResponseBodyLimitAction ProcessPartial


SecTmpDir /tmp
SecDataDir /tmp
SecUploadDir /tmp
SecTmpSaveUploadedFiles on
SecUploadKeepFiles on
SecUploadFileMode 0644

#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3


# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#

# Specify the path for concurrent audit logging.
SecAuditLogType Concurrent
SecAuditLogStorageDir /opt/modsecurity/var/audit/

Now create the directory for the ModSecurity audit log and change its owner to www-data:

# mkdir -p /opt/modsecurity/var/audit/
# chown -R www-data:www-data /opt/modsecurity/var/audit/
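With SecAuditLogType Concurrent, every logged transaction becomes its own file under SecAuditLogStorageDir, written in ModSecurity's native format with the parts selected by SecAuditLogParts above. The following Python is an added example, not part of this tutorial or of ModSecurity itself, that splits such an entry into its parts and pulls out the client, request line, response status (the 406 from SecDefaultAction above) and the rule ids recorded in part H; the sample entry, its boundary, unique id, addresses and rule are constructed for this example.

```python
import re
from datetime import datetime
# Constructed sample of one transaction file as ModSecurity 2.x writes it under
# SecAuditLogStorageDir (boundary, unique id, addresses and rule are made up).
SAMPLE_ENTRY = """\
--7f1c2a3b-A--
[13/Jun/2016:10:15:42 +0000] V16uHn8AAAEAABcdEFGAAAAA 192.0.2.10 49152 198.51.100.5 80
--7f1c2a3b-B--
GET /login?user=test HTTP/1.1
Host: www.example.com
--7f1c2a3b-F--
HTTP/1.1 406 Not Acceptable
--7f1c2a3b-H--
Message: Access denied with code 406 (phase 2). Pattern match "(?i)test" at ARGS:user. [file "/usr/local/nginx/conf/rules.conf"] [line "3"] [id "100001"] [msg "Constructed test rule"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--7f1c2a3b-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)   # --boundary-X-- separators
A_RE = re.compile(r"^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")  # A: time id src port dst port
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # [id "100001"], [msg "..."] ...

def split_parts(entry):
    """Return {part_letter: text}; refuse entries without a closing Z part."""
    marks = list(PART_RE.finditer(entry))
    if not marks or marks[-1].group(2) != "Z":
        raise ValueError("truncated entry: missing Z part")
    parts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts

def summarize(entry):
    """Who, what, the response status and the rules recorded in part H."""
    parts = split_parts(entry)
    a = A_RE.match(parts["A"].splitlines()[0])
    if a is None:
        raise ValueError("malformed A part")
    b_lines = parts.get("B", "").splitlines()
    h_lines = parts.get("H", "").splitlines()
    return {
        "time": datetime.strptime(a.group(1), "%d/%b/%Y:%H:%M:%S %z"),
        "unique_id": a.group(2), "client": a.group(3),
        "request": b_lines[0] if b_lines else "",
        "status": int(parts["F"].split(None, 2)[1]) if parts.get("F") else None,
        "denied": any(ln.startswith("Action: Intercepted") for ln in h_lines),
        "rules": [dict(TAG_RE.findall(ln)) for ln in h_lines if ln.startswith("Message: ")],
    }
```

To review a day's denials, run summarize() over each file below /opt/modsecurity/var/audit/ and filter on the "denied" flag and the rule ids.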

ModSecurity Rules

Buy Modsecurity Rules from Malware Expert and use them!