ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. This open source Web Application Firewall (WAF) module does an outstanding job of protecting web servers (, NGINX, and IIS) from attacks that target potential vulnerabilities in various web applications. ModSecurity handles tasks like:

  • Real-time application monitoring and access control
  • Full HTTP traffic logging
  • Continuous passive security assessment
  • Web application hardening

1: Update

  1. Create the EPEL YUM repo:
    sudo yum install epel-release -y
  2. Perform the update, and then restart the system:
    sudo yum update -y && sudo shutdown -r now

2: Install dependencies

Install the following packages:

yum groupinstall -y "Development Tools"
yum install -y  httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel
shutdown -r now

3: Compile ModSec

The master branch of ModSecurity for Nginx has been reported as currently unstable; therefore, use the nginx_refactoring branch as directed below:

  1. Clone the nginx_refactoring branch of ModSecurity for Nginx:
    cd /usr/src
    git clone -b nginx_refactoring
  2. Compile ModSec. Attention: The two sed commands below prevent warning messages when using newer automake versions.
    cd ModSecurity
    sed -i '/AC_PROG_CC/a\AM_PROG_CC_C_O'
    sed -i '1 i\AUTOMAKE_OPTIONS = subdir-objects'
    ./configure --enable-standalone-module ---mlogc

4: Compile Nginx

  1. Download and unarchive the latest stable release of Nginx. Currently, this is Nginx 1.14.0:
    cd /usr/src
    tar -zxvf nginx-1.14.0.tar.gz && rm -f nginx-1.14.0.tar.gz
  2. Create a dedicated nginx user and group for Nginx:
    groupadd -r nginx
    useradd -r -g nginx -s /sbin/nologin -M nginx
  3. Compile Nginx and enable ModSecurity and SSL modules:
    cd nginx-1.14.0/
    ./configure --user=nginx --group=nginx --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
    make install
  4. Modify the default Nginx user:
    sed -i "s/#user  nobody;/user nginx nginx;/" /usr/local/nginx/conf/nginx.conf

5: Configure ModSec and Nginx

  1. Configure Nginx:

    a. Open the Nginx configuration file:

       vi /usr/local/nginx/conf/nginx.conf

    b. Find the following segment within the http {} segment:

           location / {
               index  index.html index.htm;

       Add the two ModSecurity lines so that the segment reads:

           location / {
               ModSecurityEnabled on;
               ModSecurityConfig modsec_includes.conf;
               root   html;
               index  index.html index.htm;

    c. You also need to change the location of the default PID file to match the systemd script you will create in a later step. Find the line #pid logs/ and change it to the following by removing the # and changing the path:

       pid  /var/run/

    d. Save and quit.
  2. Create the file /usr/local/nginx/conf/modsec_includes.conf. Attention: The config below applies all of the OWASP ModSecurity Core Rules in the owasp-modsecurity-crs/rules/ directory. If you want to apply selected rules only, remove the include owasp-modsecurity-crs/rules/*.conf line and specify the exact rule files you need after step 5 of this section.
    cat <<EOF>> /usr/local/nginx/conf/modsec_includes.conf
    include modsecurity.conf
    include owasp-modsecurity-crs/crs-setup.conf
    include owasp-modsecurity-crs/rules/*.conf
    EOF
  3. Import the ModSec config files:
    cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
    cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/
  4. Modify the file /usr/local/nginx/conf/modsecurity.conf:
    sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf
    sed -i "s/SecAuditLogType Serial/SecAuditLogType Concurrent/" /usr/local/nginx/conf/modsecurity.conf
    sed -i "s|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /usr/local/nginx/logs/modsec_audit.log|" /usr/local/nginx/conf/modsecurity.conf
  5. Allow Nginx to create Modsec logs in the Nginx log directory:
    chown nginx.root /usr/local/nginx/logs
  6. Add OWASP ModSecurity Core Rule Set (CRS) files:
    cd /usr/local/nginx/conf
    git clone
    cd owasp-modsecurity-crs
    mv crs-setup.conf.example crs-setup.conf
    cd rules
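As an added example (not part of the original guide), the three sed edits from step 4 wrapped in a shell function, followed by a check that each directive is actually present afterwards. sed -i exits 0 even when its pattern matches nothing, so a mistyped or already-edited line would otherwise leave the engine silently in DetectionOnly. The sample file is a constructed stand-in for modsecurity.conf-recommended; the paths are the ones this guide uses.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the step-4 edits to
# modsecurity.conf and verify they took effect. "sed -i" exits 0 even when its
# pattern matches nothing, so without the check a mistyped or already-changed
# line would silently leave the engine in DetectionOnly.

CONF_DEFAULT=/usr/local/nginx/conf/modsecurity.conf   # path used by this guide

# Same three substitutions as step 4, applied to the file given as $1.
apply_modsec_settings() {
  conf="$1"
  sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' "$conf"
  sed -i 's/SecAuditLogType Serial/SecAuditLogType Concurrent/' "$conf"
  sed -i 's|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /usr/local/nginx/logs/modsec_audit.log|' "$conf"
}

# Return 0 only if each expected directive appears exactly once, uncommented,
# at the start of a line. Every mismatch is reported on stderr.
check_modsec_settings() {
  conf="$1"
  status=0
  for expect in 'SecRuleEngine On' \
                'SecAuditLogType Concurrent' \
                'SecAuditLog /usr/local/nginx/logs/modsec_audit.log'; do
    # "|| true" keeps a zero count from aborting a script run under "set -e"
    n=$(grep -c "^${expect}\$" "$conf" || true)
    if [ "$n" -ne 1 ]; then
      echo "check failed: expected exactly one line '$expect', found $n" >&2
      status=1
    fi
  done
  return "$status"
}

# Constructed stand-in for modsecurity.conf-recommended, reduced to the lines
# the substitutions touch plus two untouched neighbours.
make_sample_conf() {
  cat > "$1" <<'EOF'
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
EOF
}

# Usage on a real host:
#   apply_modsec_settings "$CONF_DEFAULT" && check_modsec_settings "$CONF_DEFAULT"
```

Run check_modsec_settings again after any later hand edit of modsecurity.conf, and before restarting Nginx: it is the cheapest way to confirm that the engine is in blocking mode rather than DetectionOnly.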

6: Create Systemd Script

  1. Create the file /lib/systemd/system/nginx.service and add the script (the quoted 'EOF' keeps the shell from expanding $MAINPID while writing the file):
    cat <<'EOF' >> /lib/systemd/system/nginx.service
    Description=The NGINX HTTP and reverse
    ExecStartPre=/usr/local/nginx/sbin/nginx -t
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s QUIT $MAINPID
    EOF
  2. Reload systemd services:
    systemctl daemon-reload

7: Test ModSec

  1. Start Nginx:
    systemctl start nginx.service
  2. Point your web browser to http://<YourServersIP>/?param="><script>alert(1);</script> (be sure to replace <YourServersIP> with the IP address of your server).
  3. Use grep to fetch error messages:
    grep error /usr/local/nginx/logs/error.log

    The output should include error messages resembling the following:

    2017/02/15 14:07:54 [error] 10776#0: [client] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/index.html"] [unique_id "ATAcAcAkucAchGAcPLAcAcAY"]
  4. The procedure is complete. To customize your settings, review and edit the following files:
       /usr/local/nginx/conf/modsecurity.conf
       /usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf
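As an added example (not part of the original guide), a few shell functions that turn the grep of step 3 into a first triage of the error log: events per rule id, the count for one rule, and the distinct client addresses involved. The sample log is constructed from the line format shown above; the client IPs are documentation addresses, and the log path is the one this guide uses.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise ModSecurity events in
# the Nginx error.log by rule id, as a first triage of the step-7 test output.
# The sample log below is constructed from the format shown in the guide.

LOG_DEFAULT=/usr/local/nginx/logs/error.log   # path used by this guide

# Print "count id msg" for every ModSecurity rule that fired, most frequent first.
modsec_rule_hits() {
  grep 'ModSecurity:' "$1" \
    | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
    | sort | uniq -c | sort -rn
}

# Print how many ModSecurity events carry rule id $2 (prints 0 when none).
modsec_hit_count() {
  grep 'ModSecurity:' "$1" | grep -c "\[id \"$2\"\]" || true
}

# Print the distinct client addresses behind ModSecurity events.
modsec_clients() {
  grep 'ModSecurity:' "$1" \
    | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' | sort -u
}

# Constructed sample: three CRS events in the guide's format plus one ordinary
# Nginx error that must not be counted.
make_sample_log() {
  cat > "$1" <<'EOF'
2017/02/15 14:07:54 [error] 10776#0: [client 192.0.2.10] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [uri "/index.html"] [unique_id "ATAcAcAkucAchGAcPLAcAcAY"]
2017/02/15 14:07:54 [error] 10776#0: [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\s\S]*?" at ARGS:param. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [uri "/index.html"]
2017/02/15 14:08:01 [error] 10776#0: *3 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: localhost
2017/02/15 14:09:12 [error] 10776#0: [client 192.0.2.11] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/search"]
EOF
}

# Usage on a real host:
#   modsec_rule_hits "$LOG_DEFAULT"; modsec_hit_count "$LOG_DEFAULT" 941100; modsec_clients "$LOG_DEFAULT"
```

A rule id that fires on every ordinary request is the usual sign of a false positive worth tuning in crs-setup.conf or an exclusion rule, which is why the per-rule count is the first thing to look at after enabling the full CRS.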