Debian nginx ModSecurity HOWTO
2018 - Ervin Hegedus <airween@digitalwave.hu>


This module provides the WAF (Web Application Firewall) feature for nginx.

Copy these files from /usr/share/nginx/modsecurity to their destinations:

cp /usr/share/nginx/modsecurity/default /etc/nginx/sites-available/
cp /usr/share/nginx/modsecurity/modsecurity.conf /etc/nginx/
cp /usr/share/nginx/modsecurity/modsecurity_includes.conf /etc/nginx/
cp /usr/share/nginx/modsecurity/unicode.mapping /etc/nginx/

Normally, the configuration step of the nginx-extras package does this for you.

To activate the module, find the line containing the word "modsecurity" in
/etc/nginx/sites-available/default and remove the comment character:

    # Enable ModSecurity WAF, if need
    modsecurity on;

To load the SpiderLabs Core Rule Set (from the modsecurity-crs package), find
the line containing "modsecurity_rules_file" and remove the comment character:

        # Load ModSecurity CRS, if need
        modsecurity_rules_file /etc/nginx/modsecurity_includes.conf;

Restart nginx; your nginx instance is now ready.

Log in to your system and follow the log file with the tail command
as root:

sudo tail -f /var/log/nginx/modsec_audit.log

Note that this log file is configured in /etc/nginx/modsecurity.conf:

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log

Note that the upstream default location is /var/log/modsec_audit.log.

You can change it if needed, but check the file permissions (and the
configuration of your security modules, e.g. AppArmor or SELinux).

Try to load this page:

lynx "http://127.0.0.1/index.nginx-debian.html?a=%3Cscript%3Ealert(%27Foo%27);%3C/srcipt%3E"

The default nginx index page is shown.

In modsec_audit.log you can see that ModSecurity catches the XSS attack,
but only detects it; it does not deny the request. The relevant lines are these:

---fXnEy53n---F--
HTTP/1.0 200
Server: nginx/1.14.2
...

---fXnEy53n---H--
ModSecurity: Warning....
ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]

The first block (part F, the final response headers) shows that nginx replied
with HTTP 200; the second (part H, the audit trail) shows that the attack was
detected.

Now, if everything is right, you can turn on the engine. Find "SecRuleEngine"
in /etc/nginx/modsecurity.conf. There are two lines:

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly
#SecRuleEngine On

Uncomment the second line, comment out the first, and restart nginx. Then
load the index page again:
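
The two-line swap above, and the earlier check that the site file really has
"modsecurity on;" uncommented, can be scripted. The block below is an added
example written for this HOWTO, not code from the Debian package or from
ModSecurity; it works on any file that contains the directive lines quoted
above. The function names (current_engine_mode, enable_blocking,
site_waf_enabled, demo_switch, demo_site) and the sample configuration it
builds are choices made here.

```sh
#!/bin/sh
# Added example, not part of the Debian HOWTO: inspect and switch the
# SecRuleEngine mode in a modsecurity.conf, and check that an nginx site
# file actually has "modsecurity on;" uncommented.

# current_engine_mode FILE: print the value of the first active (uncommented)
# SecRuleEngine directive, e.g. "DetectionOnly" or "On". Commented copies
# start with "#SecRuleEngine", so their first field never equals the keyword.
current_engine_mode() {
    awk '$1 == "SecRuleEngine" { print $2; exit }' "$1"
}

# enable_blocking FILE: comment out "SecRuleEngine DetectionOnly" and
# uncomment "#SecRuleEngine On", the same two-line swap the HOWTO describes.
# A copy of the original is kept as FILE.bak. Run "nginx -t" and restart
# nginx afterwards, as the HOWTO says.
enable_blocking() {
    sed -i.bak \
        -e 's/^SecRuleEngine DetectionOnly$/#SecRuleEngine DetectionOnly/' \
        -e 's/^#SecRuleEngine On$/SecRuleEngine On/' "$1"
}

# site_waf_enabled FILE: "yes" if an uncommented "modsecurity on;" line exists
# in the site file, else "no". A line such as "# modsecurity on;" does not
# count because the comment character precedes the directive.
site_waf_enabled() {
    if grep -Eq '^[[:space:]]*modsecurity[[:space:]]+on[[:space:]]*;' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample of the relevant lines of /etc/nginx/modsecurity.conf.
sample_modsec_conf() {
    cat <<'EOF'
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine DetectionOnly
#SecRuleEngine On
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
EOF
}

# demo_switch: apply the swap to the sample and report "before -> after".
demo_switch() {
    tmp=$(mktemp) || return 1
    sample_modsec_conf > "$tmp"
    before=$(current_engine_mode "$tmp")
    enable_blocking "$tmp"
    after=$(current_engine_mode "$tmp")
    rm -f "$tmp" "$tmp.bak"
    echo "$before -> $after"
}

# demo_site: check a constructed site snippet before and after uncommenting
# the directive (the snippet is made up here, not the Debian default file).
demo_site() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'server {' '    # Enable ModSecurity WAF, if need' \
        '    # modsecurity on;' '}' > "$tmp"
    before=$(site_waf_enabled "$tmp")
    sed -i.bak 's/^\([[:space:]]*\)# modsecurity on;/\1modsecurity on;/' "$tmp"
    after=$(site_waf_enabled "$tmp")
    rm -f "$tmp" "$tmp.bak"
    echo "$before -> $after"
}

# Usage: ./modsec_mode.sh --demo           (run on the constructed samples)
#        ./modsec_mode.sh /etc/nginx/modsecurity.conf   (report current mode)
case "${1:-}" in
    --demo) demo_switch; demo_site ;;
    "")     ;;   # no arguments: only define the functions
    *)      echo "engine: $(current_engine_mode "$1")" ;;
esac
```

To apply the swap on a real system, call enable_blocking on
/etc/nginx/modsecurity.conf, verify with nginx -t, and then restart nginx as
described above; the .bak copy lets you revert to DetectionOnly if the rules
block legitimate traffic.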

lynx "http://127.0.0.1/index.nginx-debian.html?a=%3Cscript%3Ealert(%27Foo%27);%3C/srcipt%3E"

Now you get an HTTP 403 error, and in modsec_audit.log:

---HsR8PRsN---F--
HTTP/1.0 403
Server: nginx/1.14.2
...

---HsR8PRsN---H--
ModSecurity: Warning....
ModSecurity: Warning. detected XSS using libinjection....
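
The two audit-log excerpts above (the detection-only run with HTTP 200 and the
blocking run with HTTP 403) show the pattern to look for: part F carries the
final response status and part H the ModSecurity messages. The following
script is an added example, not part of this HOWTO or of the Debian package,
that summarises a serial audit log per transaction so you can tell "detected
only" (messages in part H, status 200, no denial) from "blocked" (an "Access
denied" message, status 403). The log sample inside it is constructed to
mirror the excerpts above, not captured from a real server, and the names
summarize_audit, sample_audit_log and demo are chosen here.

```sh
#!/bin/sh
# Added example, not from the Debian HOWTO: summarise a ModSecurity v3
# serial audit log (SecAuditLogType Serial) by transaction.
# Every transaction is a series of parts delimited by "---<id>---<letter>--":
# part F holds the final response headers, part H the ModSecurity messages,
# part Z closes the transaction.

# summarize_audit FILE
# Prints one line per transaction: id, HTTP status from part F, number of
# "ModSecurity:" messages in part H, and how many of them are "Access denied".
# msgs>0 with denied=0 and status 200 is what SecRuleEngine DetectionOnly
# produces; denied>0 with status 403 means the engine is On and blocked.
summarize_audit() {
    awk '
    /^---[A-Za-z0-9]+---[A-Z]--$/ {
        id = $0
        sub(/^---/, "", id)
        sub(/---.*/, "", id)                 # "---fXnEy53n---F--" -> "fXnEy53n"
        part = substr($0, length($0) - 2, 1) # part letter before the trailing "--"
        if (part == "Z")                     # end of transaction: emit its summary
            printf "%s status=%s msgs=%d denied=%d\n", id, status[id], msgs[id], denied[id]
        next
    }
    part == "F" && /^HTTP\/[0-9.]+ [0-9]+/        { status[id] = $2 }
    part == "H" && /^ModSecurity: /               { msgs[id]++ }
    part == "H" && /^ModSecurity: Access denied/  { denied[id]++ }
    ' "$1"
}

# Constructed sample (not captured from a real server): one transaction that
# was only logged (200) and one that was blocked (403), as in the HOWTO.
sample_audit_log() {
    cat <<'EOF'
---fXnEy53n---A--
[01/Jan/2018:00:00:00 +0000] 151480000000.000000 127.0.0.1 52000 127.0.0.1 80
---fXnEy53n---B--
GET /index.nginx-debian.html?a=%3Cscript%3Ealert(%27Foo%27);%3C/srcipt%3E HTTP/1.0
Host: 127.0.0.1
---fXnEy53n---F--
HTTP/1.0 200
Server: nginx/1.14.2
---fXnEy53n---H--
ModSecurity: Warning. Matched (constructed sample message) [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]
ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]
---fXnEy53n---Z--

---HsR8PRsN---A--
[01/Jan/2018:00:00:01 +0000] 151480000001.000000 127.0.0.1 52001 127.0.0.1 80
---HsR8PRsN---B--
GET /index.nginx-debian.html?a=%3Cscript%3Ealert(%27Foo%27);%3C/srcipt%3E HTTP/1.0
Host: 127.0.0.1
---HsR8PRsN---F--
HTTP/1.0 403
Server: nginx/1.14.2
---HsR8PRsN---H--
ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]
ModSecurity: Access denied with code 403 (phase 2). (constructed sample message) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
---HsR8PRsN---Z--
EOF
}

# demo: run the summary over the constructed sample (via a temp file).
demo() {
    tmp=$(mktemp) || return 1
    sample_audit_log > "$tmp"
    summarize_audit "$tmp"
    rm -f "$tmp"
}

# Usage: ./audit_summary.sh /var/log/nginx/modsec_audit.log   (or --demo)
case "${1:-}" in
    --demo) demo ;;
    "")     ;;   # no arguments: only define the functions
    *)      summarize_audit "$1" ;;
esac
```

Run it against /var/log/nginx/modsec_audit.log after each test request: while
the engine is in DetectionOnly every line shows denied=0 with status 200, and
after switching to On the blocked requests show denied=1 with status 403.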


Now your setup is complete.

For more information, check the ModSecurity sites:

https://github.com/SpiderLabs/ModSecurity-nginx
https://github.com/SpiderLabs/ModSecurity
https://github.com/SpiderLabs/ModSecurity/wiki
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#OWASP_ModSecurity_Core_Rule_Set_CRS_Project


Regards,
Ervin

