DEV Community

Henri Sekeladi

Install ModSecurity + OWASP CRS for Nginx Webserver on CentOS 7

Update Package & Install Libraries

First, update the installed packages and install the libraries that we need.

sudo yum update

sudo yum groupinstall 'Development Tools' -y
sudo yum install epel-release -y
sudo yum install yajl yajl-devel curl-devel GeoIP-devel zlib-devel lmdb lmdb-devel libxml2-devel ssdeep ssdeep-devel lua-devel pcre-devel wget nano -y

With only these libraries installed, the build fails with g++: error: unrecognized command line option '-std=c++17'. To prevent this error, we need to install a newer GCC environment:

# 1. Install a package with repository for your system:
# On CentOS, install package centos-release-scl available in CentOS repository:
$ sudo yum install centos-release-scl -y

# On RHEL, enable RHSCL repository for your system:
$ sudo yum-config-manager --enable rhel-server-rhscl-7-rpms

# 2. Install the collection:
$ sudo yum install devtoolset-8 -y

# 3. Start using software collections:
$ scl enable devtoolset-8 bash

Install ModSecurity

cd /opt && sudo git clone https://github.com/owasp-modsecurity/ModSecurity.git
cd ModSecurity
sudo git submodule init
sudo git submodule update
sudo ./build.sh
sudo ./configure
sudo make
sudo make install

ModSecurity-nginx

Download the ModSecurity-nginx connector:

cd /opt && sudo git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git

We will need this later, when we configure nginx with the ModSecurity module.

Install the latest version of Nginx

First, we need to create a repository file for nginx:

sudo nano /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Choose which one to use (stable or mainline):

sudo yum-config-manager --enable nginx-mainline
or
sudo yum-config-manager --enable nginx-stable

sudo yum install nginx -y

Enable nginx to start when the server boots, start the nginx service, and check its status.

sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx

Download nginx source code

Download the source code for the same nginx version that is currently installed on CentOS 7.

cd /opt && sudo wget https://nginx.org/download/nginx-1.24.0.tar.gz
sudo tar -xzvf nginx-1.24.0.tar.gz
cd nginx-1.24.0

Then we configure nginx to build ModSecurity as a dynamic module. Passing --add-dynamic-module=/opt/ModSecurity-nginx makes this happen.

sudo ./configure --with-compat --add-dynamic-module=/opt/ModSecurity-nginx
sudo make
sudo make modules

After nginx has been built successfully from source with ModSecurity, copy the module file to the nginx modules folder.

sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/
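
A preflight check for the download and build steps above, as an added example that is not part of the original post: it compares the version reported by nginx -V with NGINX_VERSION in the source tree's src/core/nginx.h and confirms the installed binary was built with --with-compat, because nginx refuses to load a dynamic module built for a different version. The function names and the SRC_DIR variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): preflight check before
# building ngx_http_modsecurity_module.so against an nginx source tree.

# Installed version from `nginx -V` text ("nginx version: nginx/1.24.0").
installed_version() {
    printf '%s\n' "$1" |
        sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p' | head -n 1
}

# Source tree version from the contents of src/core/nginx.h.
source_version() {
    printf '%s\n' "$1" |
        sed -n 's|^#define NGINX_VERSION[[:space:]]*"\([0-9.]*\)".*|\1|p' |
        head -n 1
}

# Tarball URL for the version that is actually installed.
source_url() {
    printf 'https://nginx.org/download/nginx-%s.tar.gz\n' "$1"
}

# preflight <nginx -V text> <nginx.h text>: prints a verdict, returns 0 if OK.
preflight() {
    _inst=$(installed_version "$1")
    _src=$(source_version "$2")
    if [ -z "$_inst" ] || [ -z "$_src" ]; then
        echo "unknown: could not parse a version"
        return 2
    fi
    if [ "$_inst" != "$_src" ]; then
        echo "mismatch: installed $_inst, source $_src; fetch $(source_url "$_inst")"
        return 1
    fi
    case "$1" in
        *--with-compat*) echo "ok: $_inst"; return 0 ;;
        *) echo "no-compat: installed nginx lacks --with-compat"; return 1 ;;
    esac
}

# Run against the real system only when nginx and a source tree are present.
SRC_DIR=${SRC_DIR:-/opt/nginx-1.24.0}   # source path used in this post
if command -v nginx >/dev/null 2>&1 && [ -r "$SRC_DIR/src/core/nginx.h" ]; then
    preflight "$(nginx -V 2>&1)" "$(cat "$SRC_DIR/src/core/nginx.h")"
fi
```

Run it before ./configure; on a mismatch, download the tarball it names instead of the hard-coded 1.24.0.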

Enable ModSecurity in nginx.conf

Copy the configuration files from the ModSecurity source tree to the nginx directory:

sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.conf

sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/unicode.mapping

Edit the main nginx configuration to load the ModSecurity module:

sudo nano /etc/nginx/nginx.conf

Add this line at the top level (main context) of the nginx configuration file:

load_module modules/ngx_http_modsecurity_module.so;

Then add these lines inside http {} or inside your custom server block for a specific site/domain:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;

Edit ModSecurity config

Edit the ModSecurity configuration to activate the rule engine:

sudo nano /etc/nginx/modsecurity.conf

Search for SecRuleEngine and set it to On.

SecRuleEngine On

Save the configuration.

Update Rule with CORE RULE SET (CRS)

sudo git clone https://github.com/coreruleset/coreruleset.git /etc/nginx/owasp-crs

Copy the example file to crs-setup.conf:

sudo cp /etc/nginx/owasp-crs/crs-setup.conf{.example,}

Add the CRS rules to modsecurity.conf:

sudo nano /etc/nginx/modsecurity.conf

Add these 2 lines at the bottom of modsecurity.conf:

Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf

Then check the nginx configuration:

sudo nginx -t

If the configuration test succeeds, restart the nginx service.

sudo service nginx restart

Test ModSecurity + Nginx with browser

Access your server with a browser or curl and add a shell path to the query string:

https://ip_address/as.php?s=/bin/bash

If everything is working as expected, access is forbidden and the server responds with code 403. This means we have successfully deployed our nginx server with the ModSecurity module.

To view details about the blocked request, check the ModSecurity audit log and the nginx error log.

sudo tail -f /var/log/modsec_audit.log
sudo tail -f /var/log/nginx/error.log
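
To go from tailing the logs to seeing which rules fired, here is an added example (not part of the original post) that extracts the rule id, URI and message from ModSecurity denial lines in the nginx error log and counts denials per rule. The sample lines are constructed and abbreviated, and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): summarise ModSecurity
# denials found in the nginx error log.

# Constructed, abbreviated sample lines (addresses are documentation ranges).
sample_log() {
cat <<'EOF'
2024/05/01 10:00:01 [error] 911#911: *7 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/nginx/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/as.php"] [unique_id "a1"], client: 203.0.113.5, request: "GET /as.php?s=/bin/bash HTTP/1.1"
2024/05/01 10:00:04 [error] 911#911: *8 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5
2024/05/01 10:00:09 [error] 911#911: *9 [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/nginx/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/shop/as.php"] [unique_id "a2"], client: 203.0.113.9, request: "GET /shop/as.php?s=/bin/bash HTTP/1.1"
EOF
}

# Print "rule id <TAB> uri <TAB> message" for every denial read from stdin.
modsec_hits() {
    awk '
    function field(line, name,    re, s) {
        re = "\\[" name " \"[^\"]*\"\\]"
        if (match(line, re) == 0) return "-"
        s = substr(line, RSTART, RLENGTH)
        sub("^\\[" name " \"", "", s)
        sub("\"\\]$", "", s)
        return s
    }
    /ModSecurity: Access denied/ {
        print field($0, "id") "\t" field($0, "uri") "\t" field($0, "msg")
    }'
}

# Count denials per rule id, busiest rule first ("949110=2").
rule_counts() {
    modsec_hits | cut -f1 | sort | uniq -c | sort -rn |
        awk '{ print $2 "=" $1 }'
}

# Use the log given as $1, else the constructed sample above.
if [ -r "${1:-}" ]; then
    rule_counts < "$1"
else
    sample_log | rule_counts
fi
```

Pass /var/log/nginx/error.log as the first argument (with sudo) to summarise the real log; rule ids that fire on legitimate traffic are the ones to review before leaving SecRuleEngine set to On.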

Hope this post helps you secure your site even more.

Top comments (1)

Ramon Roibas

Thank you @henri_sekeladi, it works perfectly.

I'm implementing on prepro environment, and for now, it works perfectly.

OS: AlmaLinux 9.