×


Deploy Modsecurity with Nginx on Ubuntu 20.04 LTS

ModSecurity is a free, open-source Web Application Firewall supported by different web servers like Apache, IIS, and Nginx. It is deployed as an external security layer to protect web servers.

Here at Ibmi Media, we shall look into how to install ModSecurity firewall with pre-installed Nginx on Ubuntu 20.04 server.


Steps to Deploy Modsecurity with Nginx on Ubuntu 20

1. Install Nginx on the system

If you don't have Nginx installed on your server, follow this guide to fulfill the Modsecurity installation requirement: https://linuxapt.com/blog/1276-install-nginx-on-ubuntu-20-04-lts-using-source-code


2. Install libmodsecurity3

Now, install git on your machine so that you can clone the ModSecurity git repository. We can do it by running this command:

$ sudo apt install git -y

Now that git is installed, clone the repository by running this command:

$ git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/


3. Go to the Modsecurity directory

Now that you have cloned the modsecurity git repository, go the modsecurity directory following the path below:

$ cd /usr/local/src/ModSecurity/


4. Install libmodsecurity3 dependencies

Now that we are inside the Modsecurity directory, we will install libmodsecurity3 dependencies in this step. Run this command:

$ sudo apt install gcc make build-essential autoconf automake libtool libcurl4-openssl-dev liblua5.3-dev libfuzzy-dev ssdeep gettext pkg-config libpcre3 libpcre3-dev libxml2 libxml2-dev libcurl4 libgeoip-dev libyajl-dev doxygen -y


5. Install Git modules

Now, install git submodules with the help of this command:

$ git submodule init

Next, we will update the submodules:

$ git submodule update


6. Build the modsecurity environment

It is time to build the modsecurity environment. To do that, run the following command:

$ ./build.sh

Now configure using this command:

$ ./configure

After this, you will get this error:

fatal: No names found, cannot describe anything.


7. Compile the modsecurity source code

Now we will compile the environment for libmodsecurity3 with this command:

$ make

If you want to increase the speed of compiling, you can specify -j <number of cpu>. I have 4 CPUs and I am going to use all 4 to compile as shown below:

$ make -j 4

Next, we will run the install command:

$ sudo make install

The installation is done in the /usr/local/modsecurity/.


8. Install modsecurity-nginx connector

Here, we will install Modsecurity-nginx connector. It is the connection and communication point between Nginx and ModSecurity.

First of all, we need to clone the connector repository. Do that by running this command:

$ sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/


9. Install modsecurity-nginx dependencies

First, go to Nginx source directory like this:

$ cd /usr/local/src/nginx/nginx-1.21.1

Make sure to replace the Nginx version in the command with your current Nginx version otherwise you will get an error.

To install the necessary dependencies, run this command:

$ sudo apt build-dep nginx && sudo apt install uuid-dev -y

Next, we will compile the Modsecurity-nginx connector module with the –with-compat flag by running this command:

$ sudo ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx

Now run this command to create the dynamic modules:

$ sudo make modules

Now, copy the dynamic module you just created in the objs/ngx_http_modsecurity_module.so to /usr/share/nginx/modules with the help of this command:

$ sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/


10. Enable Modsecurity in Nginx configuration file

To enable Modsecurity in Nginx, you need to first specify the load-module and path to your modsecurity module in the configuration.

Open Nginx configuration file with the nano editor like this:

$ sudo nano /etc/nginx/nginx.conf

In the file, add this line on the top:

load_module modules/ngx_http_modsecurity_module.so;

Under the HTTP {} section, add the following code lines:

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;


11. Configure directory and files for modsecurity

Create a directory with the name modsec. The path of the directory is mentioned in the command:

$ sudo mkdir /etc/nginx/modsec/

You will need this directory in the future to store configuration files and rules.

Now, copy the sample Modsecurity configuration file from cloned git directory with this command:

$ sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Now open the modsecurity configuration file:

$ sudo nano /etc/nginx/modsec/modsecurity.conf

Locate the SecRuleEngine directive in the file on line 7 and change it to DetectionOnly like this:

secruleEngine DetectionOnly

To enable Modsecurity, find change the following directive to On like this:

secRuleEngine on

Now locate the following directive on line 224:

secAuditLogParts ABIJDEFHZ

Change it to:

secAuditLogParts ABCDEFHJKZ

Now create modsec-config.conf file. Here you will add modsecurity.conf and other rules for modsecurity:

$ sudo nano /etc/nginx/modsec/modsec-config.conf

Inside the file you just created, add this line:

Include /etc/nginx/modsec/modsecurity.conf

Save the file and exit.


12. Copy unicode.mapping file

Finally, copy the Modsecurity's unicode.mapping file like this:

$ sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/


13. Check Nginx configuration

Before restarting Nginx, check if the configuration is fine by running this command:

$ sudo nginx -t


14. Reload Nginx

Now restart Nginx with this command:

$ sudo systemctl restart nginx


[Need help in fixing Nginx Configuration issues ? We can help you. ]


Conclusion

This article covers how we can install Modsecurity on an ubuntu server that already has pre-installed Nginx on it. In fact, the ModSecurity engine is deployed in front of the web application, allowing the engine to scan the incoming and outgoing HTTP connections. ModSecurity is most commonly used in conjunction with the OWASP Core Rule Set (CRS), an open-source set of rules written in ModSecurity's SecRules language and is highly regarded among the security industry.


OWASP Rule Set with ModSecurity can almost instantly help protect your server against:

  • Bad user agents
  • DDOS
  • Cross website scripting
  • SQL injection
  • Session hijacking
  • Other Threats