Modsecurity and bad bot blocker for Nginx
Install modsecurity and badbot blocker for nginx community edition
July 17, 2020
sysadmin
nginx
modsecurity
self hosting
So you want to self host part 3 ?
Now that you started self-hosting, you probably realized that a bunch of non sollicited traffic reach your server
Either one of those bots crawling your site, or those annoying automated scripts to exploit vulns on software you do not have…
Well, let’s install badbot blocker for nginx for getting rid of bots, and then modsecurity as a cherry on top.
Prerequisites:
- 1 server with nginx installed
Badbots blocker
This one is extremely simple, you do not even need a tutorial, just follow the readme on github here
Modsecurity
script to run on a debian buster with nginx 1.14.2:
This will install modsecurity, modsecurity nginx wrapper, and the modsecurity core ruleset.
sudo apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev libgd-dev libxslt1-dev
sudo apt-get remove -y libmodsecurity3 libmodsecurity-dev apache2-bin libmaxminddb-dev
mkdir ~/src -p
cd ~/src
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
sudo make install
cd ~/src
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
ver=`sudo nginx -v 2>&1 | cut -d : -f 2 | cut -d / -f 2`
wget http://nginx.org/download/nginx-$ver.tar.gz
tar xzvf nginx-$ver.tar.gz
cd nginx-$ver
# may need to be tweaked according to your installed nginx -V
# in case it differ from this one. You just have to removed the --add-dynamic-module to leave only the one about Modsecurity-nginx
./configure --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tBUzFN/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=../ModSecurity-nginx
make modules
# depends on the path nginx looks for module ( look for option --modules-path on nginx -V )
sudo cp objs/ngx_http_modsecurity_module.so /usr/lib/nginx/modules/
echo 'load_module modules/ngx_http_modsecurity_module.so;' | sudo tee -a /etc/nginx/modules-enabled/50-mod-security.conf
sudo mkdir /etc/nginx/modsec -p
sudo wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
sudo mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
sudo cp ~/src/ModSecurity/unicode.mapping /etc/nginx/modsec/
cd /etc/nginx/modsec
# crs rules
sudo git clone https://github.com/coreruleset/coreruleset
sudo mv /etc/nginx/modsec/coreruleset/crs-setup.conf.example /etc/nginx/modsec/coreruleset/crs-setup.conf
# Create a configuration file that will be loaded by Nginx. This file will load the ModSec rules configuration file and the ModSec configuration file
echo "Include /etc/nginx/modsec/modsecurity.conf" | sudo tee -a /etc/nginx/modsec/main.conf
echo "Include /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf" | sudo tee -a /etc/nginx/modsec/main.conf
echo "Include /etc/nginx/modsec/owasp-modsecurity-crs/rules/*.conf" | sudo tee -a /etc/nginx/modsec/main.conf
echo "Now you can add:"
echo "modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;"
echo "to your virtualhosts config and restart nginx"
Conclusion:
There you go, modsecurity though probably needs some tweaking to adapt to what you are hosting, and you also should tweak badbots blocker as you see fit.