ModSecurity is the most widely-used and respected web application firewall for open source web servers. It can be used with both Apache and NGINX to provide protection from a number of HTTP attacks (such as SQL injections and cross-site scripting) against web-based applications like WordPress and Nextcloud. In other words, this module should be considered a must-use.

ModSecurity cannot be enabled with an instance of NGINX installed with apt-get, so you must do it manually. I want to walk you through the process of getting this security feature added to your NGINX web servers.

SEE: Identity theft protection policy (TechRepublic Premium)

What you’ll need

• A running instance of Ubuntu Server 
• A user with sudo privileges

How to install the necessary dependencies

The first thing to be done is in the installation of the necessary dependencies. This can be done with the single command:

sudo apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf zlib1g-dev -y

If you already have NGINX installed (from the standard repositories) remove it with the command:

sudo apt-get purge nginx -y

Remove any leftover dependencies with the command:

sudo apt-get autoremove -y

Once that’s complete, we can move on to ModSecurity.

How to compile ModSecurity

We have to compile ModSecurity manually. First, change in to the src directory with the command:

cd /usr/src

Next, clone the latest version of ModSecurity with the command:

git clone -b nginx_refactoring https://github.com/SpiderLabs/ModSecurity.git

Change into the newly-created directory with the command:

cd ModSecurity

Configure ModSecurity using the autogen script like so:

./autogen.sh./configure --enable-standalone-module --disable-mlogc

Make and install ModSecurity with the commands:

make
sudo make install

How to compile NGINX

Unfortunately, we cannot use the NGINX installation found in the standard repositories because it must be compiled with NGINX support. Change back into the src directory with the command:

cd /usr/src

Download the latest release of NGINX; currently it’s 1.18.0, but make sure you check on the latest version and change the command accordingly. The command to download the source is:

wget http://nginx.org/download/nginx-1.18.0.tar.gz

Extract the compressed file with the command:

tar xvzf nginx-1.18.0.tar.gz

Change into the newly-created directory with the command:

cd nginx-1.18.0

Configure NGINX with ModSecurity support with the command:

​./configure --user=www-data --group=www-data --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module

Finally, make and install NGINX with the commands:

make
​sudo make install

How to configure NGINX

We now have to modify the default NGINX configuration file, so it knows which user to run under with the command:

sed -i "s/#user nobody;/user www-data www-data;/" /usr/local/nginx/conf/nginx.conf

Next, we need to configure NGINX so it knows to use ModSecurity. Open the NGINX configuration file with the command:

sudo nano /usr/local/nginx/conf/nginx.conf

In that file, replace the following section:

location / { root html; index index.html index.htm; }

With:

location / { ModSecurityEnabled on; ModSecurityConfig modsec_includes.conf; root html; index index.html index.htm; }

Enable the OWASP core rules by creating a rules file with the command:

sudo nano /usr/local/nginx/conf/modsec_includes.conf

In that file, paste the following:

include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/*.conf

Save and close the file.

Import the necessary ModSecurity configuration files with the following two commands:

sudo cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
sudo cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/

Enable the SecRuleEngine option in the modsecurity.conf file by issuing the following command:

sudo sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf

Now we can add the OWASP ModSecurity core rule set by issuing the following seven commands:

cd /usr/local/nginx/conf
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
sudo cd owasp-modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
sudo cd rules
sudo mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

How to create a systemd startup file for NGINX

In order for us to be able to control NGINX, we must create a systemd startup file. Create the file with the command:

sudo nano /lib/systemd/system/nginx.service

In the file, paste the following:

[Service] Type=forking ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf ExecReload=/usr/local/nginx/sbin/nginx -s reload KillStop=/usr/local/nginx/sbin/nginx -s stop KillMode=process Restart=on-failure RestartSec=42s PrivateTmp=true LimitNOFILE=200000 [Install] WantedBy=multi-user.target

Save and close the file.

Start NGINX with the command:

sudo systemctl start nginx

Enable the web server to start at boot with the command:

sudo systemctl enable nginx

How to test ModSecurity

We can finally test our ModSecurity setup. To do this we’re going to use tail to following the NGINX error log with the command:

sudo tail -f /usr/local/nginx/logs/error.log

With that running, open a web browser and point it to: http://SERVER/?param=”>

Where SERVER is the IP address or domain of your NGINX server. Back in the tail command you should see a number of Permission Denied Errors (Figure A).

Figure A

Congratulations, you now have ModSecurity running with the latest version of NGINX on Ubuntu Server 20.04.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Sign up today

Also see