
ModSecurity

The Nginx guide already covered compiling the ModSecurity Nginx connector and installing the ModSecurity library (libModSecurity). The final step is to download the OWASP ModSecurity Core Rule Set (CRS) and wire it into Nginx.

Setting up the Core Rule Set

Create a directory for everything ModSecurity-related and clone the OWASP CRS rules and configuration into it:

sudo mkdir /etc/nginx/modsec

cd /etc/nginx/modsec

sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

A bare clone leaves you on the development branch, so the rules change every time you pull. On a production host, list the tags with git tag inside the clone and check out a release tag, so the rule set only changes when you decide to upgrade. (The project has since moved to https://github.com/coreruleset/coreruleset; the old URL redirects there.)

Rename the example CRS setup file. This is where the CRS-wide settings live (paranoia level, anomaly score thresholds, application exclusion switches):

sudo mv /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf.example /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf

Copy the recommended ModSecurity engine configuration from the directory where libModSecurity was built into /etc/nginx/modsec/:

sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Also copy the unicode.mapping file, which modsecurity.conf references through SecUnicodeMapFile:

sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

Now create the main configuration file:

sudo nano /etc/nginx/modsec/main.conf

And add the following three lines. The order matters: engine settings first, then the CRS setup, then the rules; the wildcard loads the rule files in name order, which is why they are numbered:

Include /etc/nginx/modsec/modsecurity.conf
Include /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf
Include /etc/nginx/modsec/owasp-modsecurity-crs/rules/*.conf

Now create the two exclusion-rule files from the shipped examples (the paths are relative to /etc/nginx/modsec, the directory changed into above). REQUEST-900 is loaded before the CRS rules and is the place for allow-lists and ctl: exclusions; RESPONSE-999 is loaded after them and is where SecRuleRemoveById and SecRuleUpdateTargetById directives go:

sudo cp owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

sudo cp owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

To enable ModSecurity on a site, add the following lines to its server block (the directives are also accepted in http and location context, so a single location can be protected or left out):

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;

The audit log is located at /var/log/modsec_audit.log (set by SecAuditLog in modsecurity.conf). With the recommended settings only relevant transactions are written, i.e. those that matched a rule plus error responses, as selected by SecAuditEngine RelevantOnly and SecAuditLogRelevantStatus.

ModSecurity starts in DetectionOnly mode: the rules run and log, but nothing is blocked. Leave it there until the audit log is clean for your normal traffic, then switch from logging malicious HTTP requests to actually blocking them by editing the line in /etc/nginx/modsec/modsecurity.conf from:

SecRuleEngine DetectionOnly

to:

SecRuleEngine On

Handling False Positives in ModSecurity

Important Reading:

Excellent tutorials can be found on configuring the OWASP CRS here: https://www.netnea.com/cms/nginx-tutorial-7_including-owasp-modsecurity-core-rule-set/

And a great in-depth guide on whitelisting and exclusions can be found here:
https://www.netnea.com/cms/nginx-tutorial-8_handling-false-positives-modsecurity-core-rule-set/

and here:
https://www.oreilly.com/ideas/how-to-tune-your-waf-installation-to-reduce-false-positives
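Once the audit log fills up, the questions are which rules fire, on what, and whether a targeted exclusion will do instead of switching a rule off. The following script is an added example, not from this page or the CRS project: it summarises a ModSecurity audit log by rule id, lists the request targets a given rule matched on, and prints a scoped exclusion in the form used in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf. It assumes the serial (native) audit log format and libModSecurity v3 message syntax, runs on a constructed sample log embedded in the script, and the rule id 1002 in the generated exclusion is a hypothetical local id.

```shell
#!/bin/sh
# Added example, not from the original page or the CRS project: triage a
# ModSecurity audit log to see which CRS rules fire, on which targets, and
# print a scoped exclusion for REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.
#
# ASSUMPTIONS: the log is the native serial format written when
# modsecurity.conf-recommended points SecAuditLog at /var/log/modsec_audit.log,
# and the messages use libModSecurity v3 syntax ("against variable `ARGS:x'").

# Constructed sample log with three transactions (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
--a1b2c3d4-A--
[10/Jan/2020:10:00:01 +0000] a1b2c3d4 198.51.100.7 51234 10.0.0.5 443
--a1b2c3d4-B--
POST /wp-admin/post.php HTTP/1.1
Host: example.test
--a1b2c3d4-H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:content' (Value: `<b>hi</b>' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "62"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/wp-admin/post.php"] [unique_id "a1b2c3d4"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/wp-admin/post.php"] [unique_id "a1b2c3d4"]
--a1b2c3d4-Z--
--b2c3d4e5-A--
[10/Jan/2020:10:00:02 +0000] b2c3d4e5 203.0.113.9 40002 10.0.0.5 443
--b2c3d4e5-B--
GET /search?q=1%20or%201%3D1 HTTP/1.1
Host: example.test
--b2c3d4e5-H--
ModSecurity: Warning. Matched "Operator `DetectSQLi' with parameter `' against variable `ARGS:q' (Value: `1 or 1=1' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/search"] [unique_id "b2c3d4e5"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/search"] [unique_id "b2c3d4e5"]
--b2c3d4e5-Z--
--c3d4e5f6-A--
[10/Jan/2020:10:00:03 +0000] c3d4e5f6 198.51.100.8 51235 10.0.0.5 443
--c3d4e5f6-B--
POST /wp-admin/post.php HTTP/1.1
Host: example.test
--c3d4e5f6-H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `ARGS:content' (Value: `<i>more</i>' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "62"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/wp-admin/post.php"] [unique_id "c3d4e5f6"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/wp-admin/post.php"] [unique_id "c3d4e5f6"]
--c3d4e5f6-Z--
EOF

# modsec_rule_counts LOG: "<count> <id> <msg>" per rule, most frequent first.
# 949110 (blocking evaluation) and 980130 (correlated reporting) fire on every
# blocked transaction, so they are dropped to keep the list about root causes.
modsec_rule_counts() {
    sed -nE 's/.*\[id "([0-9]+)"\].*\[msg "([^"]*)"\].*/\1 \2/p' "$1" \
    | grep -Ev '^(949110|980130) ' \
    | sort | uniq -c | sort -rn \
    | awk '{ $1 = $1; print }'
}

# modsec_rule_targets LOG ID: distinct "<uri> <variable>" pairs rule ID matched,
# so the exclusion can be scoped to one target instead of disabling the rule.
modsec_rule_targets() {
    grep -F "[id \"$2\"]" "$1" \
    | sed -nE "s/.*against variable .([^']*)'.*\[uri \"([^\"]*)\"\].*/\2 \1/p" \
    | sort -u
}

# modsec_exclusion LOCAL_ID URI RULE_ID VARIABLE: print a rule for the
# BEFORE-CRS file that stops RULE_ID inspecting VARIABLE on requests under URI.
modsec_exclusion() {
    printf 'SecRule REQUEST_URI "@beginsWith %s" \\\n    "id:%s,phase:1,pass,nolog,ctl:ruleRemoveTargetById=%s;%s"\n' \
        "$2" "$1" "$3" "$4"
}

echo "== rule firings (root causes) =="
modsec_rule_counts "$SAMPLE_LOG"
echo "== targets matched by 941100 =="
modsec_rule_targets "$SAMPLE_LOG" 941100
echo "== suggested exclusion (id 1002 is a hypothetical local id) =="
modsec_exclusion 1002 /wp-admin/post.php 941100 ARGS:content
```

Point the functions at /var/log/modsec_audit.log instead of the sample to triage a real host. The generated rule removes only ARGS:content from rule 941100 under /wp-admin/post.php; the rule keeps inspecting every other parameter and every other URI, which is the difference between an exclusion and a hole.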

Exceptions

The CRS ships exclusion packages for common applications, WordPress among them, but they're disabled by default. To enable the WordPress package, edit the CRS setup file:

nano /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf

and add the following rule (crs-setup.conf already carries a commented-out rule with id 900130 as a template for this; leave that one commented out or edit it in place, since two active rules with the same id fail the config check):

SecRule REQUEST_HEADERS:Host "@rx ^(www\.)?(example|anotherexample).+$" \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1"

With several WordPress sites on different domains, this gates the WordPress exclusions on the Host header, so they apply to the domains example and anotherexample and not to the other sites served by the same Nginx. Note that the .+ after the name makes the match loose: it also accepts Host values such as example.evil.test or anotherexample-phish.net, and a client can send any Host it likes to whichever server block is the default. Because this rule switches checks off, anchor it to the exact hostnames instead (escape the dots, end the pattern right after the name, optionally allowing a port).
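The following script is an added example, not from this page or the CRS project, that checks what a Host-header gate actually lets through before it goes into crs-setup.conf. ModSecurity's @rx operator is PCRE, and the two patterns below are also valid POSIX extended regular expressions, so grep -E gives the same verdicts. It compares the loose pattern from the page with an exactly anchored one; example.com and anotherexample.org stand in for the real WordPress hostnames, and the look-alike hosts are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: test a Host-header pattern that
# gates the WordPress exclusions before putting it into crs-setup.conf.
# ModSecurity's @rx is PCRE; both patterns below are also valid POSIX ERE, so
# grep -E returns the same verdicts. ASSUMPTION: example.com and
# anotherexample.org stand in for the real WordPress hostnames.

LOOSE='^(www\.)?(example|anotherexample).+$'                    # pattern from the page
TIGHT='^(www\.)?(example\.com|anotherexample\.org)(:[0-9]+)?$'  # exact names, optional port

# host_matches PATTERN HOST: succeed when PATTERN matches the HOST value
host_matches() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# check_hosts PATTERN HOST...: print "<host> yes|no" for each host
check_hosts() {
    pattern=$1
    shift
    for h in "$@"; do
        if host_matches "$pattern" "$h"; then echo "$h yes"; else echo "$h no"; fi
    done
}

# loose_only HOST...: hosts the loose pattern accepts but the tight one rejects,
# i.e. Host values that would receive the WordPress exclusions by accident
loose_only() {
    for h in "$@"; do
        if host_matches "$LOOSE" "$h" && ! host_matches "$TIGHT" "$h"; then
            echo "$h"
        fi
    done
}

# Constructed Host values: the two real sites (one with a port), plus
# look-alikes an attacker could send in a Host header to the default server.
HOSTS="example.com www.anotherexample.org example.com:8443 example.evil.test anotherexample-phish.net exampleadmin.internal"

echo "== loose pattern =="; check_hosts "$LOOSE" $HOSTS
echo "== tight pattern =="; check_hosts "$TIGHT" $HOSTS
echo "== accepted only by the loose pattern =="; loose_only $HOSTS
```

Anything listed under the last heading is a hostname for which the loose rule would set tx.crs_exclusions_wordpress=1 even though it is not one of your WordPress sites; the tight pattern accepts only the two real names, with or without www. and a port.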

It's also possible to allow-list a client IP address, for example a static address you use at home, so the WAF never interferes with your own administration traffic. Be aware that ctl:ruleEngine=Off skips every rule, inbound and outbound, for that client, so only use it for addresses you control. To do this, edit the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file:

nano /etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

and add the following, replacing the dummy IP address with your own. Use a rule id from the local range 1-99,999 (1001 here is an arbitrary choice); CRS reserves the 900,000 range for its own configuration rules, so a local id cannot clash with a rule added or uncommented in crs-setup.conf later:

SecRule REMOTE_ADDR "@ipMatch 123.123.123.123" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleEngine=Off"

You can list multiple addresses, or CIDR networks, by separating them with a comma; @ipMatch accepts both.

Once finished, check the configuration before reloading. The standard Nginx config check also parses the rule files, because the connector loads them at configuration time, so syntax errors and duplicate rule ids are reported here rather than at the next reload:

sudo nginx -t

Then reload Nginx:

sudo service nginx reload