ModSecurity: Instalasi untuk nginx

From OnnoWiki
Revision as of 05:54, 9 February 2016 by Onnowpurbo

Source: https://www.howtoforge.com/tutorial/install-nginx-with-mod_security-on-ubuntu-15-04/



ModSecurity is an open-source Web Application Firewall (WAF) for the Apache, Nginx and IIS web servers. This application-layer firewall is developed by Trustwave's SpiderLabs and released under the Apache License 2.0. ModSecurity protects websites by matching HTTP traffic against a set of regular-expression rules that recognise commonly known exploits; it provides HTTP traffic monitoring, logging, real-time analysis and attack detection. More than 16,000 rules are available to detect attacks such as SQL Injection, Cross-site Scripting (XSS), Local File Inclusion and Remote File Inclusion, plus application-specific rules for web applications such as WordPress, Joomla and Drupal. Keep in mind that a WAF filters requests in front of the application; it does not remove the underlying vulnerabilities, so it is a layer in addition to patching, not a replacement for it.

In this tutorial, I will show you how to install ModSecurity for the fast Nginx web server. ModSecurity is first built as a standalone module, and Nginx is then built from source with that module compiled in.

Prerequisites

   An Ubuntu 15.04 server; the IP 192.168.1.106 is used in the examples.
   Root privileges

What we will do in this tutorial:

   Update the Ubuntu 15.04 System and Repository.
   Install required Dependencies to build Nginx and ModSecurity.
   Download ModSecurity and Nginx.
   Install ModSecurity and Nginx.
   Configure Nginx.
   Configure ModSecurity.
   Configure the OWASP Core Rule Set (CRS).
   Testing.

All commands below have to be executed as root. Run:

sudo -i

to become root user on your server.

1. Update System and Repository

Before you start to install all dependencies, please update your system:

apt-get update
apt-get upgrade

2. Install the build dependencies

Install all packages required to compile Nginx and ModSecurity with the apt command below. The Apache development package is needed even though Apache itself will not run: the ModSecurity 2.x standalone module is built on the Apache Portable Runtime (APR), and its configure script looks for the APR headers and apxs.

apt-get install git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-prefork-dev libxml2-dev libcurl4-openssl-dev

3. Download ModSecurity and Nginx

Go to the directory "/usr/src/" and clone the ModSecurity repository from GitHub. Cloning gives you whatever the development branch contains on that day; for a reproducible build, check out a tagged release (git tag lists them) before compiling:

cd /usr/src/
git clone https://github.com/SpiderLabs/ModSecurity.git modsecurity

Download Nginx with the wget command; I will use the Nginx stable version 1.8 here. If you want another version, the Nginx download page lists all available releases. Nginx publishes a PGP signature (.asc file) next to each tarball; verify it before building anything from the archive.

wget http://nginx.org/download/nginx-1.8.0.tar.gz

Unpack the archive so that the directory /usr/src/nginx-1.8.0 used in the next step exists:

tar -xzf nginx-1.8.0.tar.gz

4. Install ModSecurity and Nginx

Now it's time to install ModSecurity, please go to the /usr/src/modsecurity directory:

cd /usr/src/modsecurity/

And compile ModSecurity as a standalone module on your server, so that it can be linked into Nginx:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

Now go to the nginx directory, compile Nginx and include ModSecurity module:

cd ../nginx-1.8.0
./configure \
 --user=www-data \
 --group=www-data \
 --with-debug \
 --with-ipv6 \
 --with-http_ssl_module \
 --add-module=/usr/src/modsecurity/nginx/modsecurity

The configure command explained:

Nginx will run under the user and group "www-data". --with-debug compiles in debug logging (it is not a module; it is useful while tuning rules but not needed on a production build), --with-ipv6 and --with-http_ssl_module enable IPv6 and TLS, and finally --add-module links the ModSecurity module into Nginx.

Now install Nginx:

make
make install

When the make install command is finished, you can see that Nginx is installed in the "/usr/local/nginx" directory:

cd /usr/local/nginx/
ll

drwxr-xr-x 2 root root 4096 Oct 3 07:21 conf/
drwxr-xr-x 2 root root 4096 Oct 3 07:21 html/
drwxr-xr-x 2 root root 4096 Oct 3 07:21 logs/
drwxr-xr-x 2 root root 4096 Oct 3 07:21 sbin/

5. Configure Nginx

Edit the nginx configuration file with vi/vim and configure nginx to run under the user "www-data".

cd /usr/local/nginx/
vi conf/nginx.conf

Near the top of the file, uncomment the "user" line and change the user to www-data:

user www-data;

Save and Exit.

Create a symlink for the nginx binary so that we can use the command "nginx" directly:

ln -s /usr/local/nginx/sbin/nginx /bin/nginx

Next we will create a systemd unit for Nginx that is used to start and stop the Nginx daemon. Go to the directory "/lib/systemd/system/" and create a new file "nginx.service" with vi (/etc/systemd/system is the usual place for locally written units, /lib/systemd/system for packaged ones; systemd reads both):

cd /lib/systemd/system/
vi nginx.service

Paste the script below:

[Unit]
Description=nginx with ModSecurity
After=network.target

[Service]
Type=forking
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
KillMode=process
Restart=on-failure
RestartSec=42s
PrivateTmp=true
LimitNOFILE=200000

[Install]
WantedBy=multi-user.target

Save and Exit.

Now reload the systemd-daemon so that systemd loads our new Nginx service file.

systemctl daemon-reload

Test the nginx configuration and start nginx with the systemctl command:

nginx -t
systemctl start nginx

6. Configure ModSecurity

Copy the ModSecurity configuration file to the nginx directory and name it "modsecurity.conf":

cp /usr/src/modsecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /usr/src/modsecurity/unicode.mapping /usr/local/nginx/conf/

Open the modsecurity.conf file with the vi editor:

cd /usr/local/nginx/conf/
vi modsecurity.conf

In line 7, change SecRuleEngine from "DetectionOnly" to "On". DetectionOnly logs matches without blocking, so on a site that already has traffic the safer rollout is to stay in DetectionOnly until the audit log shows no false positives on legitimate requests, and only then switch to:

SecRuleEngine On

In line 38, increase the value of "SecRequestBodyLimit" to "100000000" (about 100 MB). This is the largest request body ModSecurity will accept and buffer for inspection; anything bigger is rejected, so set it to the largest upload your application legitimately needs and no higher.

SecRequestBodyLimit 100000000

In line 192, change the value of "SecAuditLogType" to "Concurrent", comment out the SecAuditLog line and uncomment the SecAuditLogStorageDir line (line 196). Concurrent logging writes one file per transaction under the storage directory instead of appending everything to a single serial log:

SecAuditLogType Concurrent
#SecAuditLog /var/log/modsec_audit.log
# Specify the path for concurrent audit logging.
SecAuditLogStorageDir /opt/modsecurity/var/audit/

Save and Exit.

Now create the directory for the ModSecurity audit log and change its owner to www-data, the user the Nginx worker processes run as:

mkdir -p /opt/modsecurity/var/audit/
chown -R www-data:www-data /opt/modsecurity/var/audit/

7. Configure OWASP Core Rule Set (CRS)

Download the OWASP Core Rule Set from GitHub:

cd /usr/src/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

Go to the directory "owasp-modsecurity-crs" and copy the directory "base_rules" to the nginx configuration directory:

cd owasp-modsecurity-crs
cp -R base_rules/ /usr/local/nginx/conf/

Edit modsecurity.conf to load the OWASP CRS:

cd /usr/local/nginx/conf/
vi modsecurity.conf

Go to the end of the file and add the following configuration:

# DefaultAction
SecDefaultAction "log,deny,phase:1"

# If you want to load a single rule file from /usr/local/nginx/conf:
#Include base_rules/modsecurity_crs_41_sql_injection_attacks.conf

# Load all rules
Include base_rules/*.conf

# Disable rules by ID, taken from the error messages (for my WordPress site)
SecRuleRemoveById 981172 981173 960032 960034 960017 960010 950117 981004 960015

Save and Exit.

The SecRuleRemoveById list above is specific to the author's WordPress site. Every ID on it is a detection switched off for all requests, so take the IDs from the rule matches in your own audit log rather than copying the list.
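The script below is an added example, not part of the original tutorial or of ModSecurity. It reads the audit log produced by the step 6 configuration (the serial file, or the per-transaction files under SecAuditLogStorageDir when the type is Concurrent), tallies which rule IDs fired and how often, counts denied transactions, and prints the request line of every transaction that a given rule matched. That is the evidence a SecRuleRemoveById list should be based on. The paths and the audit-log sample used to exercise it are assumptions; the format it parses (one "Message:" line per matched rule in section H, carrying [id "..."] and [msg "..."], sections delimited by --boundary-X-- lines) is the ModSecurity 2.x audit log format.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of ModSecurity: summarise the
# ModSecurity 2.x audit log so that rules are removed with SecRuleRemoveById
# on evidence rather than on the first error message seen.
# PATH may be the serial log (/var/log/modsec_audit.log) or, with
# SecAuditLogType Concurrent, the directory given to SecAuditLogStorageDir.

# audit_log_text PATH -> every audit entry under PATH, concatenated on stdout
audit_log_text() {
    if [ -d "$1" ]; then
        find "$1" -type f -exec cat '{}' +
    else
        cat "$1"
    fi
}

# rule_hits PATH -> "count id msg" lines, most frequent rule first.
# Section H of each entry has one "Message:" line per rule that fired,
# carrying [id "NNN"] and [msg "..."].
rule_hits() {
    audit_log_text "$1" \
        | grep '^Message: ' \
        | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn
}

# blocked_count PATH -> number of transactions that were actually denied
# (a denying rule logs "Message: Access denied with code 403 ...").
blocked_count() {
    audit_log_text "$1" | grep -c '^Message: Access denied' || true
}

# rule_context PATH ID -> the request line of every transaction in which
# rule ID fired, so you can judge whether the match is a false positive.
rule_context() {
    audit_log_text "$1" | awk -v id="$2" '
        /^--[^-]*-B--$/ { getline req; next }   # section B opens with the request line
        /^--[^-]*-Z--$/ { req = ""; next }      # end of this transaction
        /^Message: / && index($0, "[id \"" id "\"]") { print req }
    '
}

# Usage: ./modsec_audit_summary.sh /opt/modsecurity/var/audit/
[ $# -eq 0 ] || { rule_hits "$1"; echo "denied transactions: $(blocked_count "$1")"; }
```

Run rule_hits against the audit directory after a day in DetectionOnly mode: a rule that tops the list on legitimate traffic is a candidate for removal, and rule_context shows which requests triggered it, so each ID is judged on its own rather than copied from someone else's list.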

As the last step, enable ModSecurity in the Nginx configuration by editing the "nginx.conf" file. The two directives go inside the location / block of the server section (the block that already holds root and index), so that every request to that location passes through the rule set:

vi conf/nginx.conf

Add the ModSecurity directives:

[.....]
        location / {
            # Enable ModSecurity
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;

            root   html;
            index  index.php index.html index.htm;
        }
[.....]

Save and exit.

Restart Nginx to apply the configuration changes:

systemctl restart nginx

8. Testing

I have a WordPress site running on Nginx and ModSecurity, and it is working fine. For testing I will install a new plugin that is vulnerable to XSS and SQL Injection and send the published exploit requests against it.

Here are the results:

XSS request (payload from https://www.exploit-db.com/exploits/37107/): Forbidden
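As an added smoke test (not from the tutorial or the ModSecurity project), the script below sends a benign request and three constructed probes, an XSS, an SQL injection and a path-traversal pattern, at the finished server and checks that the benign one is served while the others get the 403 that SecDefaultAction "log,deny" produces. The base URL (192.168.1.106, as in the prerequisites) and the probe payloads are assumptions. A 403 on a probe means a CRS rule matched and the engine blocked it; a 200 on a probe means either SecRuleEngine is still DetectionOnly or the matching rule has been removed.

```shell
#!/bin/sh
# Added example (not part of the tutorial): smoke test for the nginx +
# ModSecurity build. Sends one benign request and three textbook attack
# probes and checks the HTTP status each one gets back. Assumes curl is
# installed and the server from the tutorial is reachable (default base URL
# http://192.168.1.106; pass another one as the first argument).

# Probe table (constructed): expected status | label | query string.
# The payloads are the generic patterns the CRS XSS, SQLi and LFI rules match.
MODSEC_PROBES='200|benign|s=hello+world
403|xss|s=<script>alert(1)</script>
403|sqli|id=1%27%20OR%20%271%27%3D%271
403|lfi|file=../../../../etc/passwd'

# http_status URL -> HTTP status code as text ("000" when unreachable)
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" || true
}

# modsec_probe [BASE_URL] -> prints one line per probe; exit status 0 only
# when every probe came back with the expected code.
modsec_probe() {
    base="${1:-http://192.168.1.106}"
    fails=0
    printf '%-6s %-6s %-4s %s\n' EXPECT ACTUAL RES LABEL
    while IFS='|' read -r want label query; do
        [ -n "$want" ] || continue
        got=$(http_status "$base/?$query")
        if [ "$got" = "$want" ]; then
            res=ok
        else
            res=FAIL
            fails=$((fails + 1))
        fi
        printf '%-6s %-6s %-4s %s\n' "$want" "$got" "$res" "$label"
    done <<EOF
$MODSEC_PROBES
EOF
    if [ "$fails" -ne 0 ]; then
        echo "$fails probe(s) did not behave as expected; check SecRuleEngine and the audit log" >&2
        return 1
    fi
    return 0
}

# Usage: ./modsec_probe.sh http://192.168.1.106
[ $# -eq 0 ] || modsec_probe "$1"
```

A benign request that comes back 403 is just as important a finding as a probe that comes back 200: it means the rule set is blocking legitimate traffic, and the audit log will name the rule.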




References