Install ModSecurity on Nginx for CentOS 6 and 7
Introduction
ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. Think of it as an enabler: there are no hard rules telling you what to do; instead, it is up to you to choose your own path through the available features. The freedom to choose what to do is an essential part of ModSecurity's identity and goes very well with its open source nature. With full access to the source code, that freedom extends to customizing and extending the tool itself to make it fit your needs.
We assume you are root; otherwise, prefix the commands below with “sudo”.
Attention
Building ModSecurity into an Nginx server takes more work than a package install: no packaged build exists, so you have to download and compile both ModSecurity and Nginx yourself, and the ModSecurity 2.9 Nginx module only builds against older Nginx releases, which is why this guide uses Nginx 1.8.0. Be aware of what that means in practice: the Nginx 1.8.x branch is no longer maintained, and the ModSecurity 2.x module for Nginx has since been deprecated in favour of libmodsecurity (v3) with the ModSecurity-nginx connector. The steps below work as written, but treat the result as a build you will have to keep patched yourself.
Download Nginx and ModSecurity
Download the compatible versions of Nginx and ModSecurity with “wget”. Nginx publishes a detached PGP signature for every tarball (the same URL with “.asc” appended); verify it with gpg before building so you know the source you are about to compile has not been tampered with:
wget http://nginx.org/download/nginx-1.8.0.tar.gz
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
Extract both archives:
tar xvzf nginx-1.8.0.tar.gz
tar xvzf modsecurity-2.9.1.tar.gz
Install the build dependencies. gcc and the autotools build ModSecurity; pcre, libxml2 and curl are the libraries it links against; httpd-devel provides apxs and the APR headers that the standalone module build requires; zlib-devel is needed by Nginx's gzip module, which is enabled by default:
yum install -y gcc make automake autoconf libtool pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel zlib-devel
Compiling ModSecurity with Nginx
Enter the ModSecurity directory and build the standalone module (this only produces the sources the Nginx build links in; nothing is installed yet):
cd modsecurity-2.9.1
./configure --enable-standalone-module
make
Then build Nginx with the ModSecurity module. Go back up one level into the Nginx source tree; the --add-module path below is relative to that directory:
cd ../nginx-1.8.0
./configure \
    --user=nginx \
    --group=nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --add-module=../modsecurity-2.9.1/nginx/modsecurity
Note that this configure line builds Nginx without the TLS module. If this server is to terminate HTTPS, add --with-http_ssl_module to the list (it also needs the openssl-devel package) before running it.
Now we can compile and install Nginx:
make
make install
Configure Nginx and ModSecurity
Copy the ModSecurity config files into Nginx's main configuration directory. You are still inside the nginx-1.8.0 directory, so the ModSecurity source tree is one level up:
cp ../modsecurity-2.9.1/modsecurity.conf-recommended /etc/nginx/
cp ../modsecurity-2.9.1/unicode.mapping /etc/nginx/
Now rename the ModSecurity config file:
cd /etc/nginx/
mv modsecurity.conf-recommended modsecurity.conf
Keep in mind what this file does and does not do: it ships with SecRuleEngine DetectionOnly, which logs matches but never blocks a request, and it contains only a handful of sanity rules rather than an attack rule set. Until you switch the engine to On and load rules (for example the OWASP Core Rule Set), ModSecurity observes traffic but protects nothing.
Open “nginx.conf” and add the following two lines inside the “location /” block of the default server (around line 47 of the file that make install created):
nano nginx.conf
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Save and exit. The relative path in ModSecurityConfig is resolved against the configuration prefix, which is /etc/nginx here.
Create the nginx user the build was configured with. Make it a system account with no login shell, since nothing should ever log in as it:
useradd -r -s /sbin/nologin nginx
Test the Nginx configuration to check that everything is in order:
cd /usr/sbin/
./nginx -t
You should get output like this:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
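The recommended config leaves ModSecurity in DetectionOnly mode, so a useful first change is to flip it to blocking and prove that a request is actually denied. The script below is an added example, not part of the original tutorial or of the ModSecurity project: it rewrites SecRuleEngine in the config file, installs one local test rule in a separate file that modsecurity.conf then includes (the file name modsecurity_local.conf, rule id 10001 and the probe token are this example's own choices), and, when run as `sh modsec-enable.sh apply` on the server, reloads Nginx and probes it with curl. An HTTP 403 means the engine blocks; a 200 means it is still only detecting. The paths match the tutorial's layout.

```shell
#!/bin/sh
# Added example (not from the original tutorial): switch the recommended
# ModSecurity config from DetectionOnly to blocking, install one local test
# rule, and probe the running server. Rule id 10001 sits in the range
# ModSecurity reserves for local rules (1-99999); the probe token is arbitrary.
set -eu

MODSEC_CONF="${MODSEC_CONF:-/etc/nginx/modsecurity.conf}"
LOCAL_RULES="${LOCAL_RULES:-/etc/nginx/modsecurity_local.conf}"
PROBE="modsec-selftest-$(date +%s)"

# Print the current SecRuleEngine value in a config file (empty if absent).
rule_engine_mode() {           # $1 = config file
    sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SecRuleEngine to the requested mode, or append it if missing.
set_rule_engine() {            # $1 = config file, $2 = On | DetectionOnly | Off
    case "$2" in
        On|DetectionOnly|Off) ;;
        *) echo "set_rule_engine: invalid mode '$2'" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*SecRuleEngine' "$1"; then
        _new="$1.new.$$"
        sed "s/^\([[:space:]]*SecRuleEngine\)[[:space:]].*/\1 $2/" "$1" > "$_new" && mv "$_new" "$1"
    else
        printf 'SecRuleEngine %s\n' "$2" >> "$1"
    fi
}

# Emit a local rule that denies any request whose arguments contain the
# probe token. phase:2 runs after the request body has been read.
test_rule() {                  # $1 = probe token
    cat <<EOF
# Self-test rule: deny any request whose arguments contain the probe token.
SecRule ARGS "@contains $1" "id:10001,phase:2,deny,status:403,log,msg:'ModSecurity self-test'"
EOF
}

# Write the local rule file and include it from modsecurity.conf (once).
install_local_rules() {        # $1 = modsecurity.conf, $2 = local rules file, $3 = probe token
    test_rule "$3" > "$2"
    grep -q "^Include $2" "$1" || printf 'Include %s\n' "$2" >> "$1"
}

# Send the probe token in the query string and return the HTTP status code.
probe_server() {               # $1 = base URL, $2 = probe token
    curl -s -o /dev/null -w '%{http_code}' "$1/?q=$2"
}

# Translate the status code into what it says about the engine.
verdict() {                    # $1 = HTTP status from probe_server
    case "$1" in
        403) echo "blocking" ;;
        200) echo "not-blocking" ;;
        *)   echo "unexpected:$1" ;;
    esac
}

# Only act on the live system when explicitly asked to.
case "${1:-}" in
    apply)
        set_rule_engine "$MODSEC_CONF" On
        install_local_rules "$MODSEC_CONF" "$LOCAL_RULES" "$PROBE"
        /usr/sbin/nginx -t && /usr/sbin/nginx -s reload
        printf 'SecRuleEngine is now %s; probe -> %s\n' \
            "$(rule_engine_mode "$MODSEC_CONF")" "$(verdict "$(probe_server http://127.0.0.1 "$PROBE")")"
        ;;
esac
```

Run it once, confirm the probe reports blocking, then remove the Include line or the test rule; the probe token changes on every run, so a stale rule cannot be matched by accident.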
Creating the Nginx Service
It's time to create a service so you can start, stop and check the status of Nginx. CentOS 6 uses SysV init scripts and CentOS 7 uses systemd; use the variant that matches your system.
CentOS 6: create the init script with your text editor at the following path:
nano /etc/init.d/nginx
Paste the following script (the standard Red Hat-style init script for Nginx) into the file, then save and exit:
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: NGINX is an HTTP(S) server, HTTP(S) reverse \
#              proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/etc/nginx/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

make_dirs() {
    # make required directories
    user=`$nginx -V 2>&1 | grep "configure arguments:.*--user=" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
    if [ -n "$user" ]; then
        if [ -z "`grep $user /etc/passwd`" ]; then
            # CentOS keeps the no-login shell at /sbin/nologin (there is no /bin/nologin)
            useradd -M -s /sbin/nologin $user
        fi
        options=`$nginx -V 2>&1 | grep 'configure arguments:'`
        for opt in $options; do
            if [ `echo $opt | grep '.*-temp-path'` ]; then
                value=`echo $opt | cut -d "=" -f 2`
                if [ ! -d "$value" ]; then
                    # echo "creating" $value
                    mkdir -p $value && chown -R $user $value
                fi
            fi
        done
    fi
}

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    make_dirs
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
On CentOS 6, make the script executable (chmod +x) and register it with chkconfig so it starts at boot; Nginx is then controlled with the service command. On CentOS 7, create the systemd unit file instead, at the following path:
nano /lib/systemd/system/nginx.service
Paste the following script then save and exit:
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Tell systemd to re-read its unit files (systemctl daemon-reload), then control Nginx with the following commands:
systemctl enable nginx
systemctl start nginx
systemctl restart nginx
systemctl status nginx
Verify that ModSecurity is working with Nginx
cd /usr/sbin/
./nginx -V
If the configure arguments include the --add-module entry pointing at the ModSecurity source, as below, Nginx was compiled with ModSecurity:
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
configure arguments: --user=nginx --group=nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --add-module=../modsecurity-2.9.1/nginx/modsecurity
That only proves the module is linked in. To confirm that ModSecurity was actually loaded and initialised at startup, check the last lines of Nginx's error log:
cd /var/log/nginx/
tail error.log
Look for a notice like this one, which ModSecurity writes when it initialises (the version numbers will differ on your system):
[notice] 13285#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
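Both checks above can be scripted, and there is one more thing worth reading off that notice line: the PCRE version ModSecurity was compiled against versus the one it loaded at run time. If they differ, the regular expressions in your rules run on a library the module was not built for, and ModSecurity logs a warning that the loaded PCRE does not match the compiled version. The script below is an added example, not from the original tutorial or the ModSecurity project: its functions take saved `nginx -V` output and error-log text so they can be run offline against copied files, and `sh modsec-verify.sh live` runs them against the paths this tutorial uses.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check the build-time and
# run-time evidence that ModSecurity is in this nginx. Every check reads
# text, so it works on saved output as well as on the live system.
set -eu

# 1. Build check: does the configure line carry the ModSecurity add-module?
built_with_modsecurity() {     # stdin = output of `nginx -V`
    grep 'configure arguments:' | grep -q -- '--add-module=[^ ]*modsecurity'
}

# 2. Runtime check: pull the PCRE notice ModSecurity writes at startup.
#    Prints "<compiled> <loaded>" version numbers, or nothing if absent.
pcre_versions() {              # stdin = error.log text
    sed -n 's/.*ModSecurity: PCRE compiled version="\([0-9.]*\) *"; loaded version="\([0-9.]*\).*/\1 \2/p' | tail -n 1
}

# 3. Consistency check: compiled and loaded PCRE versions must agree.
pcre_matches() {               # $1 = "<compiled> <loaded>"
    set -- $1
    if [ "$#" -eq 2 ] && [ "$1" = "$2" ]; then
        return 0
    else
        return 1
    fi
}

# Overall verdict for a saved `nginx -V` output file and an error log.
verify_modsec() {              # $1 = file with nginx -V output, $2 = error.log
    built_with_modsecurity < "$1" || { echo "FAIL: ModSecurity module not compiled in"; return 1; }
    _v=$(pcre_versions < "$2")
    [ -n "$_v" ] || { echo "FAIL: no ModSecurity startup notice in $2"; return 1; }
    pcre_matches "$_v" || { echo "FAIL: PCRE version mismatch (compiled loaded): $_v"; return 1; }
    echo "OK: ModSecurity built in and initialised, PCRE $_v"
}

# Only touch the live system when explicitly asked to.
case "${1:-}" in
    live)
        _nv=$(mktemp)
        /usr/sbin/nginx -V > "$_nv" 2>&1      # nginx -V prints to stderr
        verify_modsec "$_nv" /var/log/nginx/error.log
        rm -f "$_nv"
        ;;
esac
```

The notice only appears when a worker starts, so if the log has rotated since the last restart, reload Nginx before running the live check.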