Securing NGINX Server Using ModSecurity OSWAF

Devashish Gupta
Published in codelogicx
9 min read · Aug 3, 2022
ModSecurity: An Open Source Web Application Firewall To Secure NGINX Server

In this post we will show you how to use ModSecurity, an open source web application firewall, to secure an NGINX server against the OWASP Top Ten most critical web application security risks.

ModSecurity: Free & Open-source Web Application Firewall

In my last post I talked about what ModSecurity is and how to use it with Apache to secure a server against the OWASP Top Ten attacks. Now I'm gonna show you how to use it with NGINX.

PS: I suggest you go through the Apache tutorial first, where I explained ModSecurity in detail, so this NGINX part will be easier to understand.

In this tutorial, we're gonna take a look at how to secure NGINX with ModSecurity, that is, how to configure ModSecurity to work with NGINX. In the previous blog I introduced ModSecurity and its relationship with Apache: it is in fact a native module that was designed for the Apache web server.

NGINX is not officially supported by ModSecurity as a native module, so the installation is not as straightforward. However, the ModSecurity project has created a connector:

ModSecurity-NGINX GitHub Repo

The ModSecurity-nginx connector is the connection point between nginx and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between nginx and libmodsecurity. This connector is required to use LibModSecurity with nginx.

The ModSecurity-nginx connector takes the form of an nginx module. The module simply serves as a layer of communication between nginx and ModSecurity.

Now you can get started by setting up an Ubuntu server.

The first thing we're gonna do is run apt update && apt upgrade to make sure we have the latest repositories and the latest packages, because it's always important to ensure that all your packages are updated whenever you get started with a new server.

apt update && apt upgrade

Now, we have to install NGINX. The installation process of NGINX on Ubuntu is really simple.

We can install NGINX by running the command apt install nginx:

apt install nginx

The key thing to take into consideration here is the version of NGINX that is being installed.

Right now, I'm using Ubuntu 20.04 on AWS and the latest version of NGINX we get on this version is NGINX 1.18.0-6ubuntu14.1.

nginx -v

Now we need to install all the tools and utilities that we're going to require.

To begin the installation process, follow the steps below:

1. We need to install all the dependencies required for the build and compilation process with the following command:

sudo apt-get install bison build-essential ca-certificates curl dh-autoreconf doxygen flex gawk git iputils-ping libcurl4-gnutls-dev libexpat1-dev libgeoip-dev liblmdb-dev libpcre3-dev libpcre++-dev libssl-dev libtool libxml2 libxml2-dev libyajl-dev locales liblua5.3-dev pkg-config wget zlib1g-dev zlibc libxslt-dev libgd-dev


2. Now we need to download and compile ModSecurity manually:

cd /opt && sudo git clone https://github.com/SpiderLabs/ModSecurity

3. Now, before we start the build process, we need to make sure that the sub-modules are initialized and updated. We can do this with the following commands, run from inside the cloned /opt/ModSecurity directory:

sudo git submodule init

sudo git submodule update


4. Now we need to get started with the build process:

sudo ./build.sh


5. Then we need to configure the environment:

sudo ./configure

6. Now run the make command to build ModSecurity. This will probably take 5–10 mins:

sudo make


7. After the build process is complete, install ModSecurity by running the following command:

sudo make install

This is how we compile ModSecurity manually.

Now the next thing we need to do is download the ModSecurity-NGINX-Connector

1. We can do this by running the following command:

cd /opt && sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

2. Now we have to compile the ModSecurity module for NGINX. To do this, we download the source of the NGINX version that is already installed on Ubuntu. We can check the installed version by running the following command:

nginx -v

Then download the exact version of NGINX running on your system into the /opt directory; in my case it is version 1.18.0:

wget https://nginx.org/download/nginx-1.18.0.tar.gz

3. Now extract the NGINX tar file:

tar -xzvf nginx-1.18.0.tar.gz


4. Now we need to configure the build environment for NGINX. Once that's done, it will give us the modules that are required, in this case the NGINX ModSecurity module.

To do this, we run the configure command from inside the extracted NGINX source directory, with particular arguments: in this case, one that points at the ModSecurity connector.

However, we also need the actual arguments and dependencies that were used to compile the installed version of NGINX (1.18.0 in my case). We can display them with the following command:

nginx -V

5. Now we need to copy the configure arguments. Remember that these differ depending on the distribution and the version of NGINX you're running on your system, so it is very important that you copy your own configure arguments.

In my case, the configure arguments are:

copying nginx configure arguments

6. To compile the ModSecurity module, copy all of the arguments that follow "configure arguments:" in the output of the above command and paste them in place of <Configure Arguments> in the following command:

sudo ./configure --add-dynamic-module=../ModSecurity-nginx <Configure Arguments>

Here we have also included the dynamic module from the ModSecurity-nginx connector directory, which is in the /opt directory.

7. Now we can run make modules, which will start building the modules.

sudo make modules


8. Now we need to copy the module that was built for NGINX; this particular module is going to facilitate the connection between ModSecurity and NGINX.

All the modules are stored within the objs folder of the NGINX source directory.

The module we're looking for is

ngx_http_modsecurity_module.so

Now we need to copy this to the local NGINX modules directory. Since we don't have a specific folder for this, we need to create one inside /etc/nginx or wherever you like.

And then copy the module to that directory.

copied the custom module to the /etc/nginx/modules

9. Now we need to load that particular module in the NGINX default configuration file.

sudo nano /etc/nginx/nginx.conf

enabling module into nginx default configuration file

And then save.

10. Before we start using the ModSecurity module, we need to get the OWASP Core Rule Set. We can get it from this link: https://coreruleset.org/installation/ and clone it into a directory.

11. Now we need to rename the default configuration file from modsecurity-crs, which is crs-setup.conf.

renaming the default CRS configuration file

After we've done this, we need to modify some of the rules to get it working, e.g. the REQUEST EXCLUSION RULES.

renaming rules file

We're also going to move modsecurity-crs to the local user directory.

moving the modsecurity coreruleset files to local directory

12. Now we can move on to configuring ModSecurity. We can start by creating a folder named modsec inside /etc/nginx.

created a folder modsec inside /etc/nginx/

Now we have to copy a few configuration files from the default ModSecurity GitHub repo to /etc/nginx/modsec.

copying configuration files from default modsecurity github repo to /etc/nginx/modsec directory

Remember: we also need to rename the default configuration file modsecurity.conf before copying.

13. Now we need to turn on the SecRuleEngine. We can do this by editing the /etc/nginx/modsec/modsecurity.conf file.

editing modsecurity.conf file
Turning On SecRuleEngine

14. Now we need to make the main.conf configuration file for ModSecurity.

In this file, we need to define all the various configuration files and the core rule set.

editing main.conf file
adding configurations files and core rule set in main.conf file

Now we have all the configuration files for modsecurity and modules.

15. Now let me explain what we’ve done here,

final /etc/nginx/ directory list

We compiled and installed ModSecurity itself, at first without any relation to NGINX. To connect the two, we used the ModSecurity-nginx connector to build our module, and we copied the resulting ModSecurity module into /etc/nginx/modules/. Then we created our configuration files, all under the /etc/nginx/modsec/ directory. So we have a ModSecurity configuration file and a main configuration file, which is used to load the other configuration files and the core rule set.
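The version and argument matching from steps 2 to 6 of the connector build, as an added example that is not part of the original post: NGINX refuses to load a dynamic module that is not binary compatible with the running binary, so this script derives the source version and the configure line from nginx -V output. The sample banner is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed, shortened sample of `nginx -V` output (a real banner is longer).
sample_banner() {
cat <<'EOF'
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIC' --prefix=/usr/share/nginx --with-http_ssl_module
EOF
}

# Read a banner on stdin, print the bare version number (e.g. 1.18.0).
nginx_version() {
  sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p'
}

# Read a banner on stdin, print everything after "configure arguments:" with quoting intact.
nginx_configure_args() {
  sed -n 's/^configure arguments: //p'
}

# module_build_commands BANNER [CONNECTOR_DIR]
# Print (not run) the download, extract and configure commands for the installed NGINX.
module_build_commands() {
  banner=$1
  connector=${2:-../ModSecurity-nginx}
  ver=$(printf '%s\n' "$banner" | nginx_version)
  args=$(printf '%s\n' "$banner" | nginx_configure_args)
  if [ -z "$ver" ] || [ -z "$args" ]; then
    echo "could not parse nginx -V output" >&2
    return 1
  fi
  printf 'wget https://nginx.org/download/nginx-%s.tar.gz\n' "$ver"
  printf 'tar -xzvf nginx-%s.tar.gz && cd nginx-%s\n' "$ver" "$ver"
  printf './configure --add-dynamic-module=%s %s\n' "$connector" "$args"
}

# nginx -V writes to stderr, so a live host needs: module_build_commands "$(nginx -V 2>&1)"
module_build_commands "$(sample_banner)"
```

Review the printed commands before running them from /opt; the configure line is only valid for the host whose banner was parsed.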

So, to activate all of this we need to enable it and specify the rules file within our site's configuration file.

This can be done by editing /etc/nginx/sites-available/default and adding the following lines:

modsecurity on;

modsecurity_rules_file /etc/nginx/modsec/main.conf;

configuring modsecurity on and adding modsecurity rules in your website configuration file

Now we need to restart NGINX to apply the new configuration and ModSecurity.

checking nginx configuration file & restarting nginx
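A static check of the settings made in steps 9 to 14 and in the site file, as an added example that is not part of the original post. The function names are hypothetical, the sample files are constructed, and the CRS path /usr/local/modsecurity-crs is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): static check of the switches set above.
# Paths follow the tutorial; the CRS location /usr/local/modsecurity-crs is an assumption.

need() {  # need FILE REGEX LABEL: grep FILE under $root, count a failure if absent
  if grep -Eq "$2" "$root$1" 2>/dev/null; then
    echo "ok    $3"
  else
    echo "FAIL  $3 ($1)"
    fails=$((fails + 1))
  fi
}

# check_modsec_setup ROOT: ROOT is "" on a live host or a directory holding a copy.
# Returns the number of failed checks (0 means everything is in place).
check_modsec_setup() {
  root=$1; fails=0; s='[[:space:]]'
  need /etc/nginx/nginx.conf "^$s*load_module$s.*ngx_http_modsecurity_module\.so;" \
    "connector module loaded"
  need /etc/nginx/sites-available/default "^$s*modsecurity$s+on;" "modsecurity on"
  need /etc/nginx/sites-available/default \
    "^$s*modsecurity_rules_file$s+/etc/nginx/modsec/main\.conf;" "rules file referenced"
  # modsecurity.conf-recommended ships with DetectionOnly, which logs but never blocks.
  need /etc/nginx/modsec/modsecurity.conf "^$s*SecRuleEngine$s+On$s*\$" "SecRuleEngine On"
  need /etc/nginx/modsec/main.conf "^$s*Include$s.*modsecurity\.conf" "base config included"
  need /etc/nginx/modsec/main.conf "^$s*Include$s.*rules/\*\.conf" "CRS rules included"
  return "$fails"
}

# make_sample_tree DIR MODE: constructed files mirroring the tutorial's end state.
make_sample_tree() {
  e="$1/etc/nginx"
  mkdir -p "$e/modsec" "$e/sites-available"
  echo 'load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;' > "$e/nginx.conf"
  printf 'server {\n  modsecurity on;\n  modsecurity_rules_file %s;\n}\n' \
    /etc/nginx/modsec/main.conf > "$e/sites-available/default"
  echo "SecRuleEngine $2" > "$e/modsec/modsecurity.conf"
  printf 'Include %s\n' /etc/nginx/modsec/modsecurity.conf \
    /usr/local/modsecurity-crs/crs-setup.conf \
    '/usr/local/modsecurity-crs/rules/*.conf' > "$e/modsec/main.conf"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp/on" On
make_sample_tree "$tmp/default" DetectionOnly
check_modsec_setup "$tmp/on"
check_modsec_setup "$tmp/default" || echo "$? check(s) failed"
rm -rf "$tmp"
```

On a live host, call check_modsec_setup "" to inspect the real files under /etc/nginx.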

Now we can test whether this is working by doing a small pen test:

Before ModSecurity:

executing command on website gives no error

After ModSecurity:

executing command on website restricted by ModSecurity

That's pretty much it regarding ModSecurity with NGINX. If you wanna know how to configure it with Apache, click this link,

remember #SharingIsCaring ;)
