How to install and configure Nginx ModSecurity on Centos 7


ModSecurity is a popular open source web application firewall module used to secure sites around the world.

ModSecurity protects against Layer 7 attacks.

It will prevent attacks such as SQL injection (SQLi), local file inclusion (LFI) and cross-site scripting (XSS).

There are prebuilt packages in the getpagespeed.com repository, but they now require a subscription.

You can either pay for their subscription (10 USD per month per server) or compile it yourself.

This article was written using the official Nginx repository; the latest stable version at the time of writing is 1.16.1.


How to install ModSecurity

Below is how to compile and install ModSecurity for Nginx on CentOS 7.

If you see the error message "fatal: No names found, cannot describe anything.", you can ignore it.

ModSecurity will be installed to /usr/local/modsecurity.

Compile and Install Nginx ModSecurity

Now clone the ModSecurity-nginx connector and compile it as a dynamic module.

First, check your Nginx version with this command:

The output will look like this:

Now download the Nginx source that matches your installed Nginx version.

In this example it is Nginx 1.16.1.

Enable the rule engine: edit /etc/nginx/modsecurity.conf and change the SecRuleEngine directive as follows:

The compiled Nginx ModSecurity module is located in the objs directory.

Configure Nginx to use ModSecurity module

To load ModSecurity in Nginx, edit /etc/nginx/nginx.conf and add this code at the top of the configuration:

And in your server block, add this code:

Get the OWASP ModSecurity Core Rule Set (CRS) from https://coreruleset.org or https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Create /etc/nginx/modsec_includes.conf and add the code below:

Check your Nginx configuration with:

If there is no problem, restart Nginx:

Testing Nginx ModSecurity

Check your rules for a blacklisted user agent; for the Comodo rules this is bl_agents.

Example response:

Nginx ModSecurity testing

If the response is Forbidden, your Nginx ModSecurity setup is working.

Don't forget to check /var/log/modsec/audit.log, because many rules produce false positives.

For example, the OWASP ModSecurity Core Rule Set will block your WordPress admin post requests.
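As an added example (not part of the original article), here is a small shell helper for triaging those false positives: it summarises the audit log by rule ID and request URI so you can see which rule is hitting which path before deciding on an exclusion. The audit-log entries below are constructed sample data and the file path is an assumption, not the article's own output.

```shell
#!/bin/sh
# Constructed sample of ModSecurity v3 audit-log lines (not a real capture).
# Real audit entries are multi-part; only the "ModSecurity: ..." lines matter here.
SAMPLE_LOG="${TMPDIR:-/tmp}/modsec-sample-audit.log"
cat > "$SAMPLE_LOG" <<'EOF'
--a1b2c3d4-H--
ModSecurity: Warning. Matched "Operator Rx" [file "/etc/nginx/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "123"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [uri "/wp-admin/post.php"]
ModSecurity: Warning. Matched "Operator Rx" [file "/etc/nginx/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "123"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [uri "/wp-admin/post.php"]
ModSecurity: Warning. Matched "Operator Rx" [file "/etc/nginx/owasp-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "123"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [uri "/wp-admin/post.php"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge" [file "/etc/nginx/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded"] [uri "/wp-admin/post.php"]
ModSecurity: Warning. Matched "Operator PmFromFile" [file "/etc/nginx/owasp-crs/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "40"] [id "913100"] [rev ""] [msg "Found User-Agent associated with security scanner"] [uri "/"]
--a1b2c3d4-Z--
EOF

# top_rule_ids LOGFILE
# Prints one line per (rule id, uri) pair: "<count> <id> <uri> <msg>",
# highest count first, so the noisiest rule/path combination is on top.
top_rule_ids() {
    awk '
        /ModSecurity: (Warning|Access denied)/ {
            if (!match($0, /\[id "[0-9]+"\]/)) next
            id = substr($0, RSTART + 5, RLENGTH - 7)
            uri = "-"; msg = ""
            if (match($0, /\[uri "[^"]*"\]/)) uri = substr($0, RSTART + 6, RLENGTH - 8)
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            key = id " " uri
            count[key]++
            text[key] = msg
        }
        END {
            for (key in count) printf "%d %s %s\n", count[key], key, text[key]
        }
    ' "$1" | sort -rn
}

# Point this at the real file from the article (/var/log/modsec/audit.log) on a live host.
top_rule_ids "$SAMPLE_LOG"
```

A rule that fires repeatedly on a single legitimate path, like the XSS rule on the WordPress editor above, is a candidate for a narrow per-URI exclusion rather than disabling the rule globally.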
