How to Install ModSecurity 3 with Nginx on Ubuntu 22.04

Website and Web application security can be a challenging task for any system administrator. There aremany open-source tools available to secure your website from DDoS attacks. ModSecurity is a free and open-source Web Application Firewall (WAF) that protects your website from several types of attacks, including cross-site scripting (XSS), SQL injection, session hijacking, and many more.

In this tutorial, I will show you how to install ModSecurity with Nginx on Ubuntu 22.04.

Prerequisites

  • A server running Ubuntu 22.04.
  • A root password is configured on the server.

Getting Started

First, it is recommended to update and upgrade all your software packages to the latest version. You can update all of them by running the following command:

apt update -y
apt upgrade -y

Once all the packages are updated, install other required packages with the following command:

apt install g++ flex bison curl apache2-dev doxygen libyajl-dev ssdeep liblua5.2-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev git liblmdb-dev libpkgconf3 lmdb-doc pkgconf zlib1g-dev libssl-dev -y

Once you are done, you can proceed to the next step.

Install ModSecurity on Ubuntu 22.04

By default, the ModSecurity package is not included in the Ubuntu default repository. So you will need to compile it from the source.

First, download the latest version of ModSecurity with the following command:

wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.8/modsecurity-v3.0.8.tar.gz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf modsecurity-v3.0.8.tar.gz

Next, navigate to the extracted directory and configure it with the following command:

cd modsecurity-v3.0.8
./build.sh
./configure

Next, install it with the following command:

make
make install

Install Nginx with ModSecurity 3 Support

Next, you will need to install the Nginx with ModSecurity support. First, download the ModSecurity-nginx connector with the following command:

cd ~
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

Next, download the Nginx source using the following command:

wget https://nginx.org/download/nginx-1.20.2.tar.gz

Next, extract the Nginx source with the following command:

tar xzf nginx-1.20.2.tar.gz

Next, create a user for Nginx with the following command:

useradd -r -M -s /sbin/nologin -d /usr/local/nginx nginx

Next, change the directory to the Nginx source and configure it with the following command:

cd nginx-1.20.2
./configure --user=nginx --group=nginx --with-pcre-jit --with-debug --with-compat --with-http_ssl_module --with-http_realip_module --add-dynamic-module=/root/ModSecurity-nginx --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log

Next, install it with the following command:

make
make modules
make install

Next, create a symbolic link of Nginx with the following command:

ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/

Next, verify the Nginx version using the following command:

nginx -V

You will get the Nginx version in the following output:

nginx version: nginx/1.20.2
built by gcc 11.2.0 (Ubuntu 11.2.0-19ubuntu1) 
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --with-pcre-jit --with-debug --with-compat --with-http_ssl_module --with-http_realip_module --add-dynamic-module=/root/ModSecurity-nginx --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log

Once you are done, you can proceed to configure Nginx with ModSecurity.

Configure Nginx with ModSecurity

Next, copy the sample configuration files with the following command:

cp ~/modsecurity-v3.0.8/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp ~/modsecurity-v3.0.8/unicode.mapping /usr/local/nginx/conf/

Next, backup the Nginx configuration file:

cp /usr/local/nginx/conf/nginx.conf{,.bak}

Next, edit the Nginx configuration file:

nano /usr/local/nginx/conf/nginx.conf

Remove default lines and add the following lines:

load_module modules/ngx_http_modsecurity_module.so;
user  nginx;
worker_processes  1;
pid        /run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  nginx.example.com;
        modsecurity  on;
        modsecurity_rules_file  /usr/local/nginx/conf/modsecurity.conf;
        access_log  /var/log/nginx/access_example.log;
        error_log  /var/log/nginx/error_example.log;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

Save and close the file, then enable the ModSecurity with the following command:

sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /usr/local/nginx/conf/modsecurity.conf

Once you are done, you can proceed to the next step.

Install ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set provides a set of rules to detect and protect a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.

First, download the OWASP rule set with the following command:

cd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/local/nginx/conf/owasp-crs

Next, rename crs-setup.conf.example to crs-setup.conf file:

cp /usr/local/nginx/conf/owasp-crs/crs-setup.conf{.example,}

Next, define the rules with the following command:

echo -e "Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf" >> /usr/local/nginx/conf/modsecurity.conf

Next, verify the Nginx for any configuration error with the following command:

nginx -t

If everything is fine, you will get the following output:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Once you are done, you can proceed to the next step.

Create a Systemd Service File for Nginx

Next, you will need to create a systemd service file to manage the Nginx service. So that you can start and stop the Nginx service via systems. You can create it with the following command:

nano /etc/systemd/system/nginx.service

Add the following lines:

[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/local/nginx/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/local/nginx/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

Save and close the file, then reload the systemd daemon to apply the changes:

systemctl daemon-reload

Next, start and enable the Nginx with the following command:

systemctl start nginx
systemctl enable nginx

You can check the Nginx status using the following command:

systemctl status nginx

You should see the following output:

? nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/etc/systemd/system/nginx.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-10-11 15:40:39 UTC; 6s ago
       Docs: man:nginx(8)
    Process: 68438 ExecStartPre=/usr/local/nginx/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 68439 ExecStart=/usr/local/nginx/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 68440 (nginx)
      Tasks: 2 (limit: 4579)
     Memory: 20.0M
        CPU: 293ms
     CGroup: /system.slice/nginx.service
             ??68440 "nginx: master process /usr/local/nginx/sbin/nginx -g daemon on; master_process on;"
             ??68441 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" >

Oct 11 15:40:38 ubuntu2204 systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 11 15:40:39 ubuntu2204 systemd[1]: Started A high performance web server and a reverse proxy server.

Once you are finished, you can proceed to the next step.

Verify ModSecurity

After installing and configuring Modsecurity with Nginx. It's time to test it. Run the following command to test the Modsecurity against command injection:

curl localhost?doc=/bin/ls

If everything is fine, you will get the "403 Forbidden" massage.

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.2</center>
</body>
</html>

You can also check the Modesecurity log using the following command:

tail /var/log/modsec_audit.log

You should see the ModSecurity log in the following output:

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/ls found within ARGS:doc: /bin/ls"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "127.0.0.1"] [uri "/"] [unique_id "166550286018.572845"] [ref "o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/"] [unique_id "166550286018.572845"] [ref ""]

---IcTYGSZl---I--

---IcTYGSZl---J--

---IcTYGSZl---Z--

Conclusion

Congratulations! you have successfully installed ModSecurity with Nginx on Ubuntu 22.04. You can now implement ModSecurity in your production environment to defend against DDoS attacks. Feel free to ask me if you have any questions.

Share this page:

1 Comment(s)