Modsecurity and bad bot blocker for Nginx

Install modsecurity and badbot blocker for nginx community edition

July 17, 2020
sysadmin nginx modsecurity self hosting

So you want to self-host, part 3?

Now that you have started self-hosting, you have probably realized that a lot of unsolicited traffic reaches your server:

either bots crawling your site, or those annoying automated scripts trying to exploit vulnerabilities in software you do not even have…

Well, let’s install the bad bot blocker for nginx to get rid of the bots, and then ModSecurity as a cherry on top.

Prerequisites:

  • 1 server with nginx installed

Badbots blocker

This one is extremely simple, you do not even need a tutorial: just follow the README on GitHub here.

Modsecurity

Script to run on Debian buster with nginx 1.14.2:

This will install ModSecurity (libmodsecurity), the ModSecurity-nginx connector, and the OWASP ModSecurity Core Rule Set (CRS).

# Build dependencies for libmodsecurity and for rebuilding the nginx modules.
sudo apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev libgd-dev libxslt1-dev
# Remove the distribution packages that would conflict with the build from source.
sudo apt-get remove -y libmodsecurity3 libmodsecurity-dev apache2-bin libmaxminddb-dev

mkdir ~/src -p
cd ~/src

# libmodsecurity (the engine itself)
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
sudo make install

# ModSecurity-nginx (the connector that loads the engine into nginx)
cd ~/src
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

# Fetch the source of the exact nginx version that is installed, so the
# dynamic module is built against matching headers.
ver=`sudo nginx -v 2>&1 | cut -d : -f 2 | cut -d / -f 2`
wget http://nginx.org/download/nginx-$ver.tar.gz
tar xzvf nginx-$ver.tar.gz

cd nginx-$ver

# The configure arguments below are those of Debian's nginx 1.14.2 package.
# If your "nginx -V" shows different arguments, use those instead: copy them,
# drop any --add-dynamic-module options they contain, and append only
# --add-dynamic-module=../ModSecurity-nginx
./configure --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tBUzFN/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=../ModSecurity-nginx
make modules

# The destination depends on where nginx looks for modules (see --modules-path in nginx -V)
sudo cp objs/ngx_http_modsecurity_module.so /usr/lib/nginx/modules/

echo 'load_module modules/ngx_http_modsecurity_module.so;' | sudo tee -a /etc/nginx/modules-enabled/50-mod-security.conf

# Base ModSecurity configuration, switched from DetectionOnly to blocking mode
sudo mkdir /etc/nginx/modsec -p
sudo wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
sudo mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
sudo cp ~/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

cd /etc/nginx/modsec

# OWASP Core Rule Set (cloned into /etc/nginx/modsec/coreruleset)
sudo git clone https://github.com/coreruleset/coreruleset
sudo mv /etc/nginx/modsec/coreruleset/crs-setup.conf.example /etc/nginx/modsec/coreruleset/crs-setup.conf

# Create the configuration file that nginx will load. It includes the base
# ModSecurity configuration, the CRS setup file and the CRS rules, in that
# order. The paths must match the clone directory above (coreruleset).
echo "Include /etc/nginx/modsec/modsecurity.conf" | sudo tee -a /etc/nginx/modsec/main.conf
echo "Include /etc/nginx/modsec/coreruleset/crs-setup.conf" | sudo tee -a /etc/nginx/modsec/main.conf
echo "Include /etc/nginx/modsec/coreruleset/rules/*.conf" | sudo tee -a /etc/nginx/modsec/main.conf

echo "Now you can add:"
echo "modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;"
echo "to your virtualhosts config and restart nginx"
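Before restarting nginx, it is worth checking that every Include line in main.conf actually resolves to files and that the rule engine is really in blocking mode: a mistyped CRS directory name (the clone is called coreruleset, not owasp-modsecurity-crs) is easy to miss and leaves you with a WAF that loads no rules. The following check script is an added example, not part of the original post; it assumes absolute Include paths as written in main.conf above and that nginx -t is available on the host.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the ModSecurity
# include chain before restarting nginx. Assumes absolute Include paths,
# as written in /etc/nginx/modsec/main.conf above.

# check_modsec_includes <main.conf>
# Returns 0 when every Include resolves to one or more files, 1 otherwise,
# and prints one line per Include so you can see what was resolved.
check_modsec_includes() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 1; }
    # Feed the Include targets through a here-document rather than a pipe,
    # so that rc=1 set inside the loop survives (no subshell in POSIX sh).
    while read -r pattern; do
        [ -n "$pattern" ] || continue
        n=0
        # Unquoted on purpose: expand the glob; a non-matching glob stays literal.
        for f in $pattern; do
            [ -f "$f" ] && n=$((n + 1))
        done
        if [ "$n" -eq 0 ]; then
            echo "UNRESOLVED: $pattern"
            rc=1
        else
            echo "ok ($n file(s)): $pattern"
        fi
    done <<EOF
$(awk '/^[ \t]*Include[ \t]/ {print $2}' "$conf")
EOF
    return $rc
}

# modsec_engine_mode <modsecurity.conf>
# Prints the last SecRuleEngine value (On, DetectionOnly or Off), so you can
# confirm the sed above really switched the engine from DetectionOnly to On.
modsec_engine_mode() {
    awk '/^[ \t]*SecRuleEngine[ \t]/ {mode=$2} END {print mode}' "$1"
}

# Usage: sh modsec_check.sh /etc/nginx/modsec/main.conf /etc/nginx/modsec/modsecurity.conf
if [ "$#" -ge 2 ]; then
    check_modsec_includes "$1" || exit 1
    echo "SecRuleEngine: $(modsec_engine_mode "$2")"
    sudo nginx -t
fi
```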

Conclusion:

There you go. ModSecurity will probably need some tweaking to adapt to what you are hosting, and you should also tune the bad bot blocker as you see fit.