0

I'm using NginX and want to incorporate ModSec as a module. After doing some research, there was only one link that talked about how "ModSecurity must be compiled with the source code of the main server." I'm assuming that means it needs to be compiled with Apache? (not really sure since I'm new to this)

Is ModSec compatible with NginX?

Is there an alternative to ModSec if not?

Please provide insights/links if possible!

Thanks!


Update Answer from ModSec lead developer:

This implementation contains 3 parts, ModSec, NginX, and a ModSec-NginX connector.

A tutorial can be found here for Ubuntu 16.04: https://www.howtoforge.com/tutorial/nginx-with-libmodsecurity-and-owasp-modsecurity-core-rule-set-on-ubuntu-1604/

PS. Make sure when you're downloading the latest stable code for NginX

Dyl
  • 15
  • 7

4 Answers

1

ModSecurity was originally created for Apache; however, it has been made (somewhat) available for other webservers.

So it is possible to install it on Nginx and there are multiple blog posts on that on Google. For example: https://geekflare.com/install-modsecurity-on-nginx/

However the current version of ModSecurity (2.9.1) still has a lot of legacy Apache code and dependencies and some features only work on Apache. The next version (3.0) will be a cleaner separation and will have the common core (called libmodsecurity) and an Nginx specific connector: https://github.com/SpiderLabs/ModSecurity-nginx. No ETA on that yet though and not tried it myself so can't talk to how good it is.

Nginx also offer a paid version of Nginx with ModSecurity as detailed here: https://www.nginx.com/blog/modsecurity-waf-released/ and it uses the newer version. I'm not sure if it's the exact code as is on GitHub (where version 3 is still marked as "not... stable") or if Nginx have modified it further.

The other option is to run ModSecurity on Apache as a proxy in front of Nginx. But probably better to just move everything to Apache if considering that.

Barry Pollard
  • 40,655
  • 7
  • 76
  • 92
  • is there documentation on what "features only work on Apache" for ModSecurity 2.9.x? I'm trying to output a variable set from setenv to an nginx access log but it doesn't look like it's working. – user2910265 Aug 21 '17 at 18:56
  • The Reference Manual does state that's an Apache only option (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Logging_in_Apache_via_mod_log_config). In general it's pretty good about stating whether something is Apache only but I'm sure it could be improved by raising an issue on GitHub if you find errors. Also any option which states "Supported on libModSecurity: TBI" is still To Be Implemented in that. – Barry Pollard Aug 21 '17 at 19:11
0

ModSec is not compatible with NginX

but there are some rules you can set at fastcgi_params that will help

location ~* union.*select.*\( {    deny all; }
location ~* union.*all.*select.* {   deny all; }
location ~* concat.*\( {   deny all; }
## Block common exploits
location ~* (<|%3C).*script.*(>|%3E) {   deny all; }
location ~* base64_(en|de)code\(.*\) {   deny all; }
location ~* (%24&x) {   deny all; }
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) {   deny all; }
location ~* \.\.\/  {   deny all; }
location ~* ~$ {   deny all; }
location ~* proc/self/environ {   deny all; }
location ~* /\.(htaccess|htpasswd|svn) {   deny all; }
## Block file injections
location ~* [a-zA-Z0-9_]=(\.\.//?)+ {   deny all; }
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ {   deny all; }
## wordpress security
location ~* wp-config.php {   deny all; }
location ~* wp-admin/includes {   deny all; }
location ~* wp-app\.log {   deny all; }
location ~* (licence|readme|license)\.(html|txt) {   deny all; }

    set $block_common_status 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_status 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_status 1;
    }
    if ($block_common_status = 1) {
        return 403;
    }

    if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )
    {
        # return 404;
        return 403;
    }

    ## Block SQL injections 
    set $block_sql_injections 0; 
    if ($query_string ~ "union.*select.*\(") { 
        set $block_sql_injections 1; 
    } 
    if ($query_string ~ "union.*all.*select.*") { 
        set $block_sql_injections 1; 
    } 
    if ($query_string ~ "concat.*\(") { 
        set $block_sql_injections 1; 
    } 
    if ($block_sql_injections = 1) { 
        return 403; 
    } 

    ## Block file injections 
    set $block_file_injections 0; 
    if ($query_string ~ "[a-zA-Z0-9_]=http://") { 
        set $block_file_injections 1; 
    } 
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { 
        set $block_file_injections 1; 
    } 
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { 
        set $block_file_injections 1; 
    } 
    if ($block_file_injections = 1) { 
        return 403; 
    } 

    ## Block common exploits 
    set $block_common_exploits 0; 
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { 
        set $block_common_exploits 1; 
    } 
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { 
        set $block_common_exploits 1; 
    } 
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { 
        set $block_common_exploits 1; 
    } 
    if ($query_string ~ "proc/self/environ") { 
        set $block_common_exploits 1; 
    } 
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { 
        set $block_common_exploits 1; 
    } 
    if ($query_string ~ "base64_(en|de)code\(.*\)") { 
        set $block_common_exploits 1; 
    } 
    if ($block_common_exploits = 1) { 
        return 403; 
    } 

    ## Block spam 
    set $block_spam 0; 
    if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { 
        set $block_spam 1; 
    } 
    if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { 
        set $block_spam 1; 
    } 
    if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { 
        set $block_spam 1; 
    } 
    if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { 
        set $block_spam 1; 
    } 
    if ($block_spam = 1) { 
        return 403; 
    } 

    ## Block user agents 
    set $block_user_agents 0; 


    # Disable Akeeba Remote Control 2.5 and earlier 
    if ($http_user_agent ~ "Indy Library") { 
        set $block_user_agents 1; 
    } 

    # Common bandwidth hoggers and hacking tools. 
    if ($http_user_agent ~ "libwww-perl") { 
        set $block_user_agents 1; 
    } 
    if ($http_user_agent ~ "GetRight") { 
        set $block_user_agents 1; 
    } 
    if ($http_user_agent ~ "GetWeb!") { 
        set $block_user_agents 1; 
    } 
    if ($http_user_agent ~ "Go!Zilla") { 
        set $block_user_agents 1; 
    } 
    if ($http_user_agent ~ "Download Demon") { 
        set $block_user_agents 1; 
    } 
    if ($http_user_agent ~ "Go-Ahead-Got-It") { 
        set $block_user_agents 1; 
    } 
    if ($http_user_agent ~ "TurnitinBot") { 
        set $block_user_agents 1; 
    } 
    if ($http_user_agent ~ "GrabNet") { 
        set $block_user_agents 1; 
    } 

    if ($block_user_agents = 1) { 
        return 403; 
    } 
Mikel Tawfik
  • 658
  • 3
  • 9
  • 23
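
A quick way to check the query-string rules in the answer above for false positives before deploying them, as an added example that is not part of the original answer. The patterns are copied from the answer (a subset); the benign sample queries and the function names are constructed for illustration.

```python
import re

# Patterns copied from the answer's `if ($query_string ~ "...")` blocks (a subset).
# nginx's `~` operator is a case-sensitive match on the raw $query_string,
# so re.search without flags evaluates these patterns the same way.
RULES = {
    "block_sql_injections": [r"union.*select.*\(", r"union.*all.*select.*",
                             r"concat.*\("],
    "block_file_injections": [r"[a-zA-Z0-9_]=http://", r"[a-zA-Z0-9_]=(\.\.//?)+",
                              r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+"],
    "block_common_exploits": [r"(<|%3C).*script.*(>|%3E)", r"proc/self/environ",
                              r"base64_(en|de)code\(.*\)"],
    "block_spam": [r"\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b"],
}
COMPILED = {g: [re.compile(p) for p in pats] for g, pats in RULES.items()}

# Constructed benign query strings (not from the page): ordinary user traffic.
BENIGN = [
    "page=2&sort=price",
    "q=javascript+tutorial",
    "q=trade-union+select+committee+(UK)",   # search on a news site
    "q=how+to+concat+strings+(python)",      # search on a developer forum
    "next=/u/alice/profile",                 # same-site post-login redirect
    "q=cocaine+addiction+helpline",          # search on a health site
]

def matching_groups(query):
    """Return the rule groups that would answer 403 for this query string."""
    return [g for g, pats in COMPILED.items() if any(p.search(query) for p in pats)]

def false_positives(queries):
    """Map each benign query that would be blocked to the groups blocking it."""
    hits = {}
    for q in queries:
        groups = matching_groups(q)
        if groups:
            hits[q] = groups
    return hits

if __name__ == "__main__":
    fps = false_positives(BENIGN)
    for q in BENIGN:
        print(f"{'403' if q in fps else '200'}  ?{q}  {fps.get(q, '')}")
    print(f"{len(fps)}/{len(BENIGN)} benign requests blocked")
```

Replacing `BENIGN` with query strings replayed from your own access log shows which legitimate requests a given rule set would start rejecting.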
0



Ubuntu server + Nginx

To skip this lengthy manual installation process, I have created a script that takes care of downloading the required files, downloading and compiling the respective nginx version source code, and all. Just follow the simple steps below to get ModSecurity installed and configured:

# DOWNLOAD INSTALLATION SCRIPT
wget https://gist.githubusercontent.com/Chetan07j/edc16d6a55a25475cafeb6995f9c0857/raw/011f5f07b1b22366fee2b5fb8f4f2adc69b3e3ed/libModSecurity.sh

# MAKE THIS FILE EXECUTABLE
sudo chmod +x libModSecurity.sh

# RUN THIS FILE
./libModSecurity.sh

# DONE

Installation is done; now you need to add a few lines in nginx.conf and in your server config in the sites-available folder.

In the /etc/nginx/nginx.conf file, add this line immediately after the pid line:

...
pid /run/nginx.pid;
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; # ADD THIS LINE

and then in your server config file under /etc/nginx/sites-available/

server {
    # ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}

Thank you.

-1

If you are using Ubuntu 20.04, just follow these steps:

Install nginx: http://nginx.org/en/linux_packages.html#Ubuntu (all steps)

Install libmodsecurity3: https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ (Only step 2) Run: #sudo apt-get install libmodsecurity3 libmodsecurity-dev

Install modsecurity-nginx-connector: https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ (Starting from step 4)

There is no need to compile libmodsecurity3 on Ubuntu 20.04, just install it by running: #sudo apt-get install libmodsecurity3 libmodsecurity-dev

I was trying to compile for several days without success, until I figured out there is no need to compile.

R.E.L.
  • 1
  • 1
  • 1