
Setting up LibModsecurity and Nginx on CentOS 8 requires careful configuration to enhance your web server’s security. This guide walks you through the process.
First, ensure your system is up-to-date by running the command:
sudo dnf update -y
Next, install the necessary development tools and packages. These are essential for compiling and building software from source, which may be required for ModSecurity. Use the commands:
sudo dnf groupinstall "Development Tools" -y
sudo dnf install -y git autoconf automake libtool libcurl-devel redhat-rpm-config pcre2-devel gd-devel libxml2-devel openssl-devel geoip-devel
You will need to install the ModSecurity library itself, either from a repository that packages it or by compiling it from source. Depending on which you choose, you may need to add specific repositories or follow the compilation steps in the source documentation. A common approach is to fetch the source code and build it.
After the LibModsecurity library is installed on your system, the next critical step is setting up the Nginx connector. This module allows Nginx to communicate with the ModSecurity library. The connector usually needs to be compiled with your Nginx installation or configured as a dynamic module.
To compile the connector, you’ll typically download the Nginx source code that matches your installed Nginx version and the ModSecurity Nginx connector source code. When configuring Nginx before compilation, you will use the --add-dynamic-module flag pointing to the connector’s source directory.
For example, the configuration command might look something like:
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx … --add-dynamic-module=/path/to/modsecurity-nginx
Remember to include all your original Nginx configuration flags to maintain your existing setup. After configuring, compile and install:
make
sudo make install
Alternatively, if installing Nginx from packages, you might look for a modsecurity or modsecurity-nginx package specifically built for your CentOS 8 distribution’s Nginx.
Once the connector is in place, you need to configure Nginx to load the ModSecurity module and enable its core rules.
Edit your main Nginx configuration file, typically /etc/nginx/nginx.conf. Inside the http block, add the line to load the dynamic module if compiled as one:
load_module modules/ngx_http_modsecurity_module.so;
Then, within the http block or inside specific server or location blocks where you want to enable ModSecurity, add the directives:
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;
This points Nginx to the main ModSecurity configuration file. You will need to create the directory /etc/nginx/modsec/ and place the configuration file modsecurity.conf there. A minimal modsecurity.conf might contain:
Include /etc/nginx/modsec/owasp-crs/crs-setup.conf
Include /etc/nginx/modsec/owasp-crs/rules/*.conf
This assumes you are using the widely recommended OWASP ModSecurity Core Rule Set (CRS). You will need to download and place the CRS files into the /etc/nginx/modsec/owasp-crs/ directory. Ensure the paths in your modsecurity.conf match where you place the CRS files.
Before restarting Nginx, test the configuration for syntax errors:
sudo nginx -t
If the test is successful, restart Nginx to apply the changes:
sudo systemctl restart nginx
To verify ModSecurity is working, you can try triggering a rule. For example, sending a request with a string known to trigger a basic CRS rule (like a common SQL injection pattern) should result in a ModSecurity log entry or a blocked request, depending on your CRS configuration’s paranoia level and action. Check the Nginx error logs and the ModSecurity debug logs (if configured) for confirmation.
Setting up logging is crucial for monitoring ModSecurity activity. In your modsecurity.conf, configure the logging directives, such as SecAuditLog and SecDebugLog, specifying where logs should be written.
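As an added example (not part of the original guide), the script below summarizes a ModSecurity audit log by rule ID and by client, which is the kind of review the logging step makes possible. It assumes SecAuditLogFormat JSON is set so that each transaction is written as one JSON line; the sample records, the helper names and the 403 deny status are assumptions constructed for illustration.

```python
import json
from collections import Counter, defaultdict

def _entry(ip, uri, code, hits):
    """Build one constructed audit record in the assumed JSON layout."""
    msgs = [{"message": m, "details": {"ruleId": r}} for r, m in hits]
    return json.dumps({"transaction": {"client_ip": ip, "request": {"uri": uri},
                                       "response": {"http_code": code},
                                       "messages": msgs}})

# Constructed sample log (not real traffic); the second line is truncated on purpose.
SAMPLE_LOG = "\n".join([
    _entry("203.0.113.7", "/search", 403,
           [("942100", "SQL Injection Attack Detected via libinjection"),
            ("949110", "Inbound Anomaly Score Exceeded")]),
    '{"transaction": {"client_ip": "203.0.1',
    _entry("198.51.100.4", "/profile", 200,
           [("920350", "Host header is a numeric IP address")]),
    _entry("203.0.113.7", "/search", 403,
           [("942100", "SQL Injection Attack Detected via libinjection")]),
])

def summarize(log_text):
    """Return (hits per rule ID, rule IDs per client IP, blocked count, skipped lines)."""
    rule_hits, by_client = Counter(), defaultdict(set)
    blocked = skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            tx = json.loads(line)["transaction"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # partial write or non-JSON line: count it, keep going
            continue
        if tx.get("response", {}).get("http_code") == 403:  # assumed deny status
            blocked += 1
        for msg in tx.get("messages", []):
            rule_id = msg.get("details", {}).get("ruleId")
            if rule_id:
                rule_hits[rule_id] += 1
                by_client[tx.get("client_ip", "unknown")].add(rule_id)
    return rule_hits, dict(by_client), blocked, skipped

if __name__ == "__main__":
    hits, clients, blocked, skipped = summarize(SAMPLE_LOG)
    print("rule hits:", hits.most_common())
    print("rules per client:", clients)
    print(f"blocked={blocked} skipped={skipped}")
```

Rules that fire often on requests that were not blocked, such as the 920350 hit in the sample, are the ones to review first when tuning for false positives.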
This setup provides a robust layer of security for your Nginx web server on CentOS 8 using LibModsecurity and the OWASP CRS. Remember to regularly update the CRS rules and monitor logs for potential threats and false positives.
Source: https://kifarunix.com/configure-libmodsecurity-with-nginx-on-centos-8/