Install LibModsecurity web application firewall with Nginx on CentOS 8

LibModSecurity (ModSecurity v3) is a free, open source web application firewall engine that can protect an Nginx server from common web attacks. It is normally used together with the OWASP ModSecurity Core Rule Set (CRS), which ships rules for SQL injection, cross-site scripting, remote command execution, scanner detection and more; with those rules loaded it inspects HTTP traffic in real time and can block matching requests. ModSecurity is available for Apache, Nginx and IIS and builds on Debian, Ubuntu and CentOS; on Nginx it is used through the libmodsecurity library and the ModSecurity-nginx connector.

In this tutorial, we will show you how to download and compile LibModSecurity with Nginx support on CentOS 8, enable the Core Rule Set and test that it blocks attacks.

Requirements

  • A server running CentOS 8.
  • A root password configured on the server.

Getting Started

Before you start, update the installed packages to their latest versions:

dnf update

After the server is updated, restart to apply the changes.

Install required repositories and dependencies

First, install the EPEL and REMI repositories on your system. You can install them using:

dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm

Next, install all required dependencies using the following command:

dnf install gcc-c++ flex bison yajl curl-devel zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config wget openssl openssl-devel nano

Once all packages are installed, install the remaining dependencies from the PowerTools repository (named powertools, in lower case, from CentOS 8.3 on):

dnf --enablerepo=PowerTools install doxygen yajl-devel

Next, install GeoIP using the REMI repository by running the following command:

dnf --enablerepo=remi install GeoIP-devel

Once all packages are installed, you can proceed to the next step.

Download and compile LibModsecurity

First, download the LibModsecurity source and compile it. Change to the /opt directory and clone the v3/master branch of the LibModsecurity Git repository:

cd /opt/
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

Next, change into the ModSecurity directory and fetch the libinjection submodule it depends on:

cd ModSecurity
git submodule init
git submodule update

Next, configure LibModsecurity using the following command:

./build.sh
./configure

Finally, compile and install LibModSecurity using the following commands:

make
make install

At this point, LibModsecurity is installed; with the default ./configure prefix it lands under /usr/local/modsecurity. You can now proceed to build Nginx with LibModsecurity support.

Download and compile Nginx with LibModsecurity support

First, you need to create a system user and group for Nginx. You can create it using:

useradd -r -M -s /sbin/nologin -d /usr/local/nginx nginx

Next, you will need to download Nginx and compile it with LibModsecurity support.

To do this, first download the ModSecurity-nginx connector from the Git repository using the following command:

cd /opt
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

Next, download Nginx. This tutorial uses the 1.17.6 mainline release, current at the time of writing; check https://nginx.org/en/download.html for the current version and adjust the file names below accordingly:

wget http://nginx.org/download/nginx-1.17.6.tar.gz

After downloading, extract the tarball:

tar -xvzf nginx-1.17.6.tar.gz

Next, change into the Nginx directory and configure the build. --add-module points at the connector checkout; --with-debug enables the debug log and can be dropped for a production build:

cd nginx-1.17.6
./configure --user=nginx --group=nginx --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx

Next, compile and install Nginx:

make
make install

Nginx is now built with LibModsecurity support and installed under /usr/local/nginx. You can now continue to configure Nginx.
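The whole build as one script, added here as an example (it is not part of the original tutorial or of the ModSecurity project): it wraps the steps above in functions, verifies the nginx tarball's PGP signature before unpacking it, registers libmodsecurity with the dynamic loader, and checks the finished binary. It assumes the default libmodsecurity install prefix /usr/local/modsecurity and that the nginx release signing key has already been imported into gpg (see https://nginx.org/en/pgp_keys.html); --with-debug is left out. The build only runs when RUN_BUILD=1; configure_args_present can be used on its own against the output of nginx -V.

```shell
#!/bin/sh
# Added example script: build libmodsecurity, the ModSecurity-nginx connector and nginx.
# Not part of the original tutorial. Run as root with RUN_BUILD=1 to execute the build.
set -e

NGINX_VERSION="${NGINX_VERSION:-1.17.6}"
SRC_DIR="${SRC_DIR:-/opt}"
# Assumption: libmodsecurity's ./configure was left at its default prefix.
MODSEC_PREFIX="${MODSEC_PREFIX:-/usr/local/modsecurity}"

fetch_sources() {
    cd "$SRC_DIR"
    [ -d ModSecurity ] || git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
    [ -d ModSecurity-nginx ] || git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
    # nginx.org publishes a detached PGP signature next to each tarball; abort on a bad
    # signature (needs the nginx signing key in the gpg keyring, see nginx.org/en/pgp_keys.html).
    curl -fsSLO "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
    curl -fsSLO "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc"
    gpg --verify "nginx-${NGINX_VERSION}.tar.gz.asc" "nginx-${NGINX_VERSION}.tar.gz"
    tar -xzf "nginx-${NGINX_VERSION}.tar.gz"
}

build_libmodsecurity() {
    cd "$SRC_DIR/ModSecurity"
    git submodule init
    git submodule update            # pulls in libinjection
    ./build.sh
    ./configure
    make -j"$(nproc)"
    make install
    # Register the library directory with the dynamic loader; otherwise nginx can fail
    # to start with "libmodsecurity.so.3: cannot open shared object file".
    echo "$MODSEC_PREFIX/lib" > /etc/ld.so.conf.d/modsecurity.conf
    ldconfig
}

build_nginx() {
    cd "$SRC_DIR/nginx-${NGINX_VERSION}"
    ./configure --user=nginx --group=nginx --with-pcre-jit \
        --with-http_ssl_module --with-http_realip_module \
        --add-module="$SRC_DIR/ModSecurity-nginx"
    make -j"$(nproc)"
    make install
}

# Read `nginx -V` output on stdin and return 0 only if every flag given as an argument
# appears as a whole token among the configure arguments. Use it after `make install`
# to prove the binary really carries the connector and the TLS module.
configure_args_present() {
    args=$(cat)
    for flag in "$@"; do
        case " $args " in
            *" $flag "*) ;;
            *) echo "configure flag missing: $flag" >&2; return 1 ;;
        esac
    done
    return 0
}

if [ "${RUN_BUILD:-0}" = "1" ]; then
    fetch_sources
    build_libmodsecurity
    build_nginx
    /usr/local/nginx/sbin/nginx -V 2>&1 | configure_args_present \
        "--add-module=$SRC_DIR/ModSecurity-nginx" --with-http_ssl_module
    ldconfig -p | grep -q libmodsecurity || { echo "libmodsecurity not in loader path" >&2; exit 1; }
fi
```

The signature check is the supply-chain step the tutorial skips: an unsigned or tampered tarball fails gpg --verify and, because of set -e, nothing after it runs. The final two checks catch the two most common ways this build goes wrong silently, a binary built without the connector and a library the loader cannot find.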

Configure Nginx with ModSecurity

First, copy the recommended ModSecurity configuration file and the Unicode mapping file from the ModSecurity source directory to the Nginx configuration directory:

cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /opt/ModSecurity/unicode.mapping /usr/local/nginx/conf/

Next, create a symbolic link to the Nginx binary in /usr/sbin so that it is on the PATH (the systemd unit below relies on it):

ln -s /usr/local/nginx/sbin/nginx /usr/sbin/

Next, create the Nginx log directory using the following command:

mkdir /var/log/nginx

Next, open the Nginx configuration file using the following command:

nano /usr/local/nginx/conf/nginx.conf

Make the following changes:

user  nginx;
worker_processes  1;
pid  /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       80;
        server_name  your-server-ip;
        modsecurity  on;
        modsecurity_rules_file  /usr/local/nginx/conf/modsecurity.conf;
        access_log  /var/log/nginx/access.log;
        error_log  /var/log/nginx/error.log;

        location / {
            root   html;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

Save and close the file when you are finished. Then, check for Nginx syntax errors using:

nginx -t

You should see the following output:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Nginx is now configured. Next, create a systemd unit file so that the service can be managed with systemctl.

Create a systemd service file for Nginx

Create the unit file that systemd will use to manage the Nginx service:

nano /etc/systemd/system/nginx.service

Add the following lines:

[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Save and close the file when you are finished. Then, reload the systemd daemon using the following command:

systemctl daemon-reload

Next, start the Nginx service and enable it so that it starts at boot:

systemctl enable --now nginx

You should see the following output:

Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /etc/systemd/system/nginx.service.

Next, verify the Nginx service using the following command:

systemctl status nginx

You should see the following output:

● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-12-30 10:20:01 EST; 41s ago
  Process: 17730 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 17728 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 17727 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 17732 (nginx)
    Tasks: 2 (limit: 6102)
   Memory: 5.0M
   CGroup: /system.slice/nginx.service
           ├─17732 nginx: master process /usr/sbin/nginx
           └─17733 nginx: worker process

Dec 30 10:20:00 nginx systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 30 10:20:00 nginx nginx[17728]: nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
Dec 30 10:20:00 nginx nginx[17728]: nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Dec 30 10:20:01 nginx systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Dec 30 10:20:01 nginx systemd[1]: Started The nginx HTTP and reverse proxy server.

Nginx is now up and running. The "Failed to parse PID from file /run/nginx.pid" line is a harmless race between nginx daemonizing and writing its PID file; systemd re-reads the file and tracks the master process (Main PID: 17732 above). You can now continue to configure ModSecurity.

Configure ModSecurity

The recommended configuration ships with the rule engine in detection-only mode: matching requests are written to the audit log but never blocked. To actually block attacks, switch the engine on by editing modsecurity.conf:

nano /usr/local/nginx/conf/modsecurity.conf

Find the following line:

SecRuleEngine DetectionOnly

And, replace it with the following line:

SecRuleEngine On

Also find the line that sets the audit log location:

SecAuditLog /var/log/modsec_audit.log

And change it so the audit log lives next to the other Nginx logs:

SecAuditLog /var/log/nginx/modsec_audit.log

Save and close the file when you are finished.

Next, download the OWASP ModSecurity Core Rule Set (CRS) from its Git repository (the project has since moved to https://github.com/coreruleset/coreruleset; the old URL redirects there). Note that a plain clone checks out the development branch; for a production server, check out a tagged release (git tag lists them) instead:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/local/nginx/conf/owasp-crs

After the download is complete, use the following command to rename the CRS sample configuration file:

mv /usr/local/nginx/conf/owasp-crs/crs-setup.conf.example /usr/local/nginx/conf/owasp-crs/crs-setup.conf

Next, configure ModSecurity to use these rules by editing /usr/local/nginx/conf/modsecurity.conf again:

nano /usr/local/nginx/conf/modsecurity.conf

Add the following line at the end of the file:

Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf

Save and close the file when you are finished. Then check the configuration and restart Nginx to apply the changes. The rule files are parsed when Nginx loads its configuration, so a syntax error in a rule shows up in nginx -t rather than at runtime:

nginx -t
systemctl restart nginx
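The edits in this section as one idempotent shell function, added here as an example (not from the original tutorial or the CRS project). It assumes the file layout used above: modsecurity.conf in the Nginx conf directory and the CRS checkout in owasp-crs next to it; both are parameters, and an absolute CRS path is accepted if you prefer one. check_modsec_conf verifies the result before you restart Nginx, and the apply step only runs when APPLY=1.

```shell
#!/bin/sh
# Added example: switch ModSecurity to blocking mode, move the audit log and wire in the CRS.
# Not part of the original tutorial. Safe to run more than once.
set -e

# harden_modsec_conf CONF [CRS_DIR]
#   CONF     path to modsecurity.conf (e.g. /usr/local/nginx/conf/modsecurity.conf)
#   CRS_DIR  CRS directory as it should appear in the Include lines
#            (default: owasp-crs, relative as in the tutorial)
harden_modsec_conf() {
    conf="$1"
    crs_dir="${2:-owasp-crs}"
    # Rewrite the two directives; writing to a temp file keeps this portable across sed flavours.
    sed -e 's|^SecRuleEngine DetectionOnly$|SecRuleEngine On|' \
        -e 's|^SecAuditLog /var/log/modsec_audit.log$|SecAuditLog /var/log/nginx/modsec_audit.log|' \
        "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
    # Append the CRS includes only if they are not already there. Order matters:
    # crs-setup.conf defines the paranoia level and anomaly thresholds the rules read.
    grep -qxF "Include $crs_dir/crs-setup.conf" "$conf" \
        || printf 'Include %s/crs-setup.conf\n' "$crs_dir" >> "$conf"
    grep -qxF "Include $crs_dir/rules/*.conf" "$conf" \
        || printf 'Include %s/rules/*.conf\n' "$crs_dir" >> "$conf"
}

# check_modsec_conf CONF [CRS_DIR]: return 0 if the file is in blocking mode, logs to the
# Nginx log directory and includes the CRS setup before the rules; report what is wrong otherwise.
check_modsec_conf() {
    conf="$1"
    crs_dir="${2:-owasp-crs}"
    rc=0
    grep -qx 'SecRuleEngine On' "$conf" || { echo "rule engine is not On" >&2; rc=1; }
    grep -qx 'SecAuditLog /var/log/nginx/modsec_audit.log' "$conf" \
        || { echo "audit log path not set" >&2; rc=1; }
    setup_line=$(grep -nxF "Include $crs_dir/crs-setup.conf" "$conf" | cut -d: -f1)
    rules_line=$(grep -nxF "Include $crs_dir/rules/*.conf" "$conf" | cut -d: -f1)
    if [ -z "$setup_line" ] || [ -z "$rules_line" ] || [ "$setup_line" -gt "$rules_line" ]; then
        echo "CRS includes missing or in the wrong order" >&2; rc=1
    fi
    return $rc
}

if [ "${APPLY:-0}" = "1" ]; then
    conf_file="${MODSEC_CONF:-/usr/local/nginx/conf/modsecurity.conf}"
    harden_modsec_conf "$conf_file" owasp-crs
    check_modsec_conf "$conf_file" owasp-crs
    nginx -t && systemctl restart nginx
fi
```

Running the function twice leaves exactly one copy of each Include line, which matters because duplicate rule includes load every rule twice and double the anomaly score of each request.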

Testing ModSecurity

ModSecurity is now installed and configured. It’s time to test if it works.

To test ModSecurity against command injection, open a web browser and request http://your-server-ip/index.html?exec=/bin/bash. You should get a 403 Forbidden page.

To test ModSecurity against XSS (cross-site scripting), open your terminal and run the following command:

curl 'http://localhost/?q="><script>alert(1)</script>'

You should get the following output:

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>
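Beyond the two manual probes, what you need in practice is a view of which rules fired, because a freshly enabled CRS blocks some legitimate traffic until it is tuned. The following shell functions are an added example (not from the tutorial or the CRS project). They read Nginx's error.log, where the connector writes one line per matched rule and one per denied request; the sample lines in the block are constructed to follow that format with fields trimmed and are not captured from a real server. probe_waf needs the running server and uses the two URLs from the tests above; the probe step only runs when PROBE=1.

```shell
#!/bin/sh
# Added example: probe the WAF and triage ModSecurity entries in Nginx's error.log.
# Not part of the original tutorial.
set -e

ERROR_LOG="${ERROR_LOG:-/var/log/nginx/error.log}"

# probe_waf URL: print the HTTP status Nginx returns for URL (403 = blocked by ModSecurity).
probe_waf() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# modsec_rule_summary: read error.log lines on stdin, print "count id message" per rule,
# most frequent first. The first thing to look at when tuning false positives.
modsec_rule_summary() {
    grep 'ModSecurity:' \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
      | sort | uniq -c | sort -rn
}

# modsec_denied_requests: one line per blocked request, "client request-line".
modsec_denied_requests() {
    grep 'ModSecurity: Access denied' \
      | sed -n 's|.*\[client \([^]]*\)\].*request: "\(.* HTTP/[0-9.]*\)".*|\1 \2|p'
}

# Constructed sample shaped like the connector's error.log entries (fields trimmed);
# not real log output. Two requests: the XSS probe and the command-injection probe.
sample_log() {
    cat <<'EOF'
2019/12/30 10:31:12 [error] 17733#17733: *3 [client 127.0.0.1] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/"], client: 127.0.0.1, server: your-server-ip, request: "GET /?q="><script>alert(1)</script> HTTP/1.1", host: "localhost"
2019/12/30 10:31:12 [error] 17733#17733: *3 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/"], client: 127.0.0.1, server: your-server-ip, request: "GET /?q="><script>alert(1)</script> HTTP/1.1", host: "localhost"
2019/12/30 10:32:40 [error] 17733#17733: *4 [client 192.0.2.10] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "498"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "2"] [uri "/index.html"], client: 192.0.2.10, server: your-server-ip, request: "GET /index.html?exec=/bin/bash HTTP/1.1", host: "your-server-ip"
2019/12/30 10:32:40 [error] 17733#17733: *4 [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/index.html"], client: 192.0.2.10, server: your-server-ip, request: "GET /index.html?exec=/bin/bash HTTP/1.1", host: "your-server-ip"
EOF
}

if [ "${PROBE:-0}" = "1" ]; then
    base="${BASE_URL:-http://localhost}"
    echo "command injection probe: $(probe_waf "$base/index.html?exec=/bin/bash")"
    echo "xss probe: $(probe_waf "$base/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E")"
    echo "--- rules matched in $ERROR_LOG ---"
    modsec_rule_summary < "$ERROR_LOG"
    echo "--- denied requests ---"
    modsec_denied_requests < "$ERROR_LOG"
fi
```

A 200 from probe_waf means the engine is still in DetectionOnly mode or the CRS includes did not load. In the summary, 949110 is the CRS blocking-evaluation rule and appears once per denied request; the rules listed next to it (941100, 932160 in the sample) are the ones that actually scored the request, and those are the IDs to look at when a legitimate request is being blocked.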

Conclusion

Congratulations! You have compiled LibModSecurity, built Nginx against it and enabled the OWASP Core Rule Set in blocking mode. Before putting a production site behind it, run the rule set in DetectionOnly mode against real traffic for a while and tune away the false positives, since a freshly enabled CRS blocks some legitimate requests too. For more information, see the ModSecurity documentation.
