How to Install & Configure ModSecurity in NGINX



ModSecurity is an open-source web application firewall (WAF) module that helps protect your website from malicious requests and attacks on application vulnerabilities. Let us take a look at how to install & configure ModSecurity in NGINX.

 


Here are the steps to install & configure ModSecurity in NGINX on Ubuntu. You can easily customize it for your Linux distribution.

 

1. Install Dependencies

Before we install dependencies, we need to stop Apache server, if it is running.


$ sudo systemctl stop apache2
$ sudo systemctl disable apache2

This will only stop Apache server and disable it from starting at boot.

Next, we install ModSecurity dependencies


$ sudo apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf

 

2. Compile ModSecurity

Next, we compile ModSecurity. We will download its source directly:


$ cd /usr/src
$ sudo git clone -b nginx_refactoring https://github.com/SpiderLabs/ModSecurity.git

 

Once the download is complete, you can compile ModSecurity with the following commands:


$ cd ModSecurity
$ sudo ./autogen.sh
$ sudo ./configure --enable-standalone-module --disable-mlogc
$ sudo make

 

3. Compile NGINX

Similarly, we will download and compile NGINX.


$ cd /usr/src
$ sudo wget http://nginx.org/download/nginx-1.13.4.tar.gz

 

Extract the downloaded tarball


$ sudo tar xvzf nginx-1.13.4.tar.gz

 

Before we compile NGINX, we will change to the root user:


$ sudo -s

Then we compile NGINX:


$ cd nginx-1.13.4/
$ ./configure --user=www-data --group=www-data --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
$ make
$ make install

 

Modify default NGINX user with the command


$ sed -i "s/#user nobody;/user www-data www-data;/" /usr/local/nginx/conf/nginx.conf

 

Test the installation with the following command


$ /usr/local/nginx/sbin/nginx -t

 

You will see a message “…test is successful”

 

 

4. Create systemd unit file

To ensure that NGINX starts at boot, create the following systemd file with the command


$ sudo nano /lib/systemd/system/nginx.service

and add the following lines in it


[Service]
Type=forking
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop

KillMode=process
Restart=on-failure
RestartSec=42s

PrivateTmp=true
LimitNOFILE=200000

[Install]
WantedBy=multi-user.target

 

Save and close the file. The unit only starts at boot once it has been enabled with systemctl enable. You can start, stop & restart NGINX with the following commands:


$ sudo systemctl start nginx.service
$ sudo systemctl stop nginx.service
$ sudo systemctl restart nginx.service

 

5. Configure ModSecurity and NGINX

Open NGINX config file


$ sudo nano /usr/local/nginx/conf/nginx.conf

 

Look for the following block of code


location / {
 root html;
 index index.html index.htm;
}

 

Change it to


location / {
 ModSecurityEnabled on;
 ModSecurityConfig modsec_includes.conf;
 root html;
 index index.html index.htm;
}

 

Save and close the file.

 

Next, we enable the OWASP core rules. Open the ModSecurity config file:


$ sudo nano /usr/local/nginx/conf/modsec_includes.conf

and add the commands


include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/*.conf

 

Save and close the file.

 

 

6. Import Necessary modules

Next we import all the required ModSecurity config files


$ sudo cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
$ sudo cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/

 

Switch the SecRuleEngine option in modsecurity.conf from DetectionOnly to On, so that matching requests are blocked instead of only being logged:


$ sudo sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf

 

Add the OWASP ModSecurity Core Rule Set


$ cd /usr/local/nginx/conf
$ sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
$ cd owasp-modsecurity-crs
$ sudo mv crs-setup.conf.example crs-setup.conf
$ cd rules
$ sudo mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
$ sudo mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
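
Before restarting NGINX, it is worth confirming that steps 5 and 6 left the configuration in the state this guide intends. The script below is an added example, not part of the original tutorial; the function name audit_modsec is hypothetical, and it assumes the file names and the /usr/local/nginx/conf layout used above.

```shell
#!/bin/sh
# Added example: audit the files written in steps 5 and 6.
# Usage: audit_modsec /usr/local/nginx/conf
# Prints one FINDING line per problem; exit status is the number of findings.
audit_modsec() (
    conf_dir=$1        # assumed layout: the conf directory used in this guide
    findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    cd "$conf_dir" 2>/dev/null || { echo "FINDING: cannot enter $conf_dir"; exit 1; }

    # sed exits 0 even when its pattern matches nothing, so read back the
    # last uncommented SecRuleEngine value instead of trusting the command.
    mode=$(awk '$1 == "SecRuleEngine" { m = tolower($2) } END { print m }' \
        modsecurity.conf 2>/dev/null) || mode=""
    [ "$mode" = "on" ] || report "SecRuleEngine is '${mode:-unset}', nothing is blocked"

    # Each include must resolve to at least one readable file, e.g.
    # crs-setup.conf is absent if the .example rename in step 6 was skipped.
    if [ -r modsec_includes.conf ]; then
        while read -r keyword pattern; do
            [ "$keyword" = "include" ] || continue
            matched=0
            for f in $pattern; do      # unquoted on purpose so the glob expands
                if [ -r "$f" ]; then matched=1; fi
            done
            [ "$matched" -eq 1 ] || report "include '$pattern' matches no file"
        done < modsec_includes.conf
    else
        report "modsec_includes.conf is missing"
    fi

    # Step 5: the location block must actually switch the module on.
    grep -Eq '^[[:space:]]*ModSecurityEnabled[[:space:]]+on;' nginx.conf 2>/dev/null ||
        report "no 'ModSecurityEnabled on;' in nginx.conf"

    exit "$findings"
)
```

An exit status of 0 means the engine is in blocking mode, every include resolves and the module is enabled in nginx.conf.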

 

7. Open the Firewall

Add appropriate firewall rules


$ sudo ufw allow OpenSSH
$ sudo ufw allow 80
$ sudo ufw default deny
$ sudo ufw enable

 

8. Test the Setup

Test the setup with the command


$ sudo tail -f /usr/local/nginx/logs/error.log

 

Open a web browser and go to (replace SERVER_IP below with IP address of your server)


http://SERVER_IP/?param="><script>alert(1);</script>

 

Watch the output of your tail command above. You should see an error message from ModSecurity showing that it blocked this malicious request to your site.
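
Reading the raw log gets tedious once there is real traffic, so the script below groups ModSecurity log lines by request and lists every rule that fired, which is the view you need when deciding whether a block was a false positive. It is an added example, not part of the original tutorial: the function names modsec_hits and sample_log are hypothetical, the sample lines are constructed, and it assumes each ModSecurity line carries bracketed [id "..."], [uri "..."] and [unique_id "..."] fields.

```shell
#!/bin/sh
# Added example: list every rule that fired per request in the NGINX error log.
# Usage: modsec_hits /usr/local/nginx/logs/error.log

# Constructed sample lines (not real traffic), trimmed to the bracketed fields
# this script reads; the field layout is an assumption about ModSecurity 2.x.
sample_log() {
    cat <<'EOF'
2017/08/10 10:00:01 [error] 1234#0: [client 192.0.2.10] ModSecurity: Warning. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/"] [unique_id "REQ-A"]
2017/08/10 10:00:01 [error] 1234#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/"] [unique_id "REQ-A"]
2017/08/10 10:00:09 [error] 1234#0: [client 192.0.2.11] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [uri "/index.html"] [unique_id "REQ-B"]
EOF
}

# Output: unique_id <TAB> DENIED|logged <TAB> uri <TAB> comma-separated rule ids
modsec_hits() {
    awk '
    function field(line, key,    re, s) {      # value of [key "value"], or ""
        re = "\\[" key " \"[^\"]*\"\\]"
        if (!match(line, re)) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"\]$/, "", s)
        return s
    }
    /ModSecurity: / {
        id = field($0, "id"); uid = field($0, "unique_id")
        if (id == "" || uid == "") next
        if (!(uid in rules)) order[++n] = uid  # keep first-seen order
        rules[uid] = rules[uid] (rules[uid] == "" ? "" : ",") id
        uri[uid] = field($0, "uri")
        if ($0 ~ /ModSecurity: Access denied/) denied[uid] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            u = order[i]
            printf "%s\t%s\t%s\t%s\n", u, ((u in denied) ? "DENIED" : "logged"), uri[u], rules[u]
        }
    }' "$1"
}
```

Requests marked "logged" matched a rule without being blocked; requests marked DENIED show the rule that triggered the block alongside the rules that contributed to it.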


About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.