ModSecurity is a free, open-source Web Application Firewall supported by different web servers like Apache, IIS, and Nginx. It is deployed as an external security layer to protect web servers.
In this tutorial, you will learn how to install the ModSecurity firewall on a server that already has Nginx installed. We used an Ubuntu 20.04 server to demonstrate the process.
Pre-requisites
Nginx installed on Ubuntu server
Installation Guide
If you don’t have Nginx installed on your server, follow this guide to fulfill the ModSecurity installation requirement:
https://linuxways.net/ubuntu/how-to-install-nginx-on-ubuntu-20-04-lts-using-source-code/
Now that you have installed Nginx, let’s get started with installing ModSecurity.
Step 1: Install libmodsecurity3
First of all, install git on your machine so that you can clone the ModSecurity git repository. We can do it by running this command:
sudo apt install git -y

Now that git is installed, clone the repository by running this command:
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/

Step 2: Go to the Modsecurity directory
Now that you have cloned the ModSecurity git repository, change into the ModSecurity directory:
cd /usr/local/src/ModSecurity/

Step 3: Install libmodsecurity3 dependencies
Now that we are inside the Modsecurity directory, we will install libmodsecurity3 dependencies in this step. Run this command:
sudo apt install gcc make build-essential autoconf automake libtool libcurl4-openssl-dev liblua5.3-dev libfuzzy-dev ssdeep gettext pkg-config libpcre3 libpcre3-dev libxml2 libxml2-dev libcurl4 libgeoip-dev libyajl-dev doxygen -y

Step 4: Install Git modules
Now, initialize the git submodules with the help of this command:
git submodule init

Next, we will update the submodules:
git submodule update

Step 5: Build the modsecurity environment
It is time to build the modsecurity environment. To do that, run the following command:
./build.sh

Now configure using this command:
./configure

After this, you will get this error:

It is okay to ignore this and move on.
Step 6: Compile the modsecurity source code
Now we will compile the environment for libmodsecurity3 with this command:
make

If you want to increase the speed of compiling, you can specify -j <number of cpu>. I have 4 CPUs and I am going to use all 4 to compile as shown below:
make -j 4

Next, we will run the install command:
sudo make install

The library is installed under /usr/local/modsecurity/.
Step 7: Install modsecurity-nginx connector
In this step, we will install Modsecurity-nginx connector. It is the connection and communication point between Nginx and ModSecurity.
First of all, we need to clone the connector repository. Do that by running this command:
sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/

Step 8: Install modsecurity-nginx dependencies
First, go to Nginx source directory like this:
cd /usr/local/src/nginx/nginx-1.21.1

Make sure to replace the Nginx version in the command with your current Nginx version; otherwise, you will get an error.
To install the necessary dependencies, run this command:
sudo apt build-dep nginx && sudo apt install uuid-dev -y

Next, we will configure the Nginx source to build the ModSecurity-nginx connector as a dynamic module, using the --with-compat flag:
sudo ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx

Now run this command to create the dynamic modules:
sudo make modules

Now, copy the dynamic module you just built, objs/ngx_http_modsecurity_module.so, to /usr/share/nginx/modules with the help of this command:
sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

Step 9: Enable Modsecurity in Nginx configuration file
To enable ModSecurity in Nginx, you first need to add a load_module directive with the path to your ModSecurity module to the configuration.
Open Nginx configuration file with the nano editor like this:
sudo nano /etc/nginx/nginx.conf

In the file, add this line at the top:
load_module modules/ngx_http_modsecurity_module.so;

Inside the http {} section, add the following lines:
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;

Step 10: Configure directory and files for modsecurity
Create a directory named modsec under /etc/nginx with this command:
sudo mkdir /etc/nginx/modsec/

You will need this directory in the future to store configuration files and rules.
Now, copy the sample ModSecurity configuration file from the cloned git directory with this command:
sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Now open the modsecurity configuration file:
sudo nano /etc/nginx/modsec/modsecurity.conf

Locate the SecRuleEngine directive on line 7 of the file. In the recommended configuration it is set to DetectionOnly, which logs rule matches without blocking requests:
SecRuleEngine DetectionOnly

To enable ModSecurity, change the directive to On like this:
SecRuleEngine On

Now locate the following directive on line 224:
SecAuditLogParts ABIJDEFHZ

Change it to:
SecAuditLogParts ABCDEFHJKZ

Now create the modsec-config.conf file. This is the file that modsecurity_rules_file points to in Step 9; it will include modsecurity.conf and any other ModSecurity rule files:
sudo nano /etc/nginx/modsec/modsec-config.conf

Inside the file you just created, add this line:
Include /etc/nginx/modsec/modsecurity.conf

Save the file and exit.
Step 11: Copy unicode.mapping file
Finally, copy ModSecurity’s unicode.mapping file, which modsecurity.conf references through SecUnicodeMapFile, like this:
sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

Step 12: Check Nginx configuration
Before restarting Nginx, check if the configuration is fine by running this command:
sudo nginx -t

If you get the following output, you are good to go:

Step 13: Reload Nginx
Now restart Nginx with this command:
sudo systemctl restart nginx
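
nginx -t confirms that the configuration parses, but it does not tell you that the rule engine was left in DetectionOnly. The script below is an added example, not part of the original tutorial: it checks the files edited in Steps 9 and 10 for the load_module line, modsecurity on;, SecRuleEngine On and the audit log parts. The function names modsec_directive and audit_modsec are hypothetical, and when run without arguments it audits a constructed sample.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit the files from Steps 9-10.

# Print the last uncommented value of a ModSecurity directive (name is case-insensitive).
modsec_directive() {  # usage: modsec_directive <file> <Directive>
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        tolower($1) == want { val = $2 }
        END { if (val == "") exit 1; print val }' "$1"
}

# Return 0 only if the module is loaded, enabled, and the engine is in blocking mode.
audit_modsec() {  # usage: audit_modsec <nginx.conf> <modsecurity.conf>
    local nginx_conf="$1" modsec_conf="$2" rc=0 engine parts
    grep -Eq '^[[:space:]]*load_module[[:space:]]+[^;]*ngx_http_modsecurity_module\.so;' "$nginx_conf" \
        || { echo "FAIL: load_module line missing in $nginx_conf"; rc=1; }
    grep -Eq '^[[:space:]]*modsecurity[[:space:]]+on;' "$nginx_conf" \
        || { echo "FAIL: 'modsecurity on;' missing in $nginx_conf"; rc=1; }
    engine=$(modsec_directive "$modsec_conf" SecRuleEngine) || engine="unset"
    case "$(printf '%s' "$engine" | tr '[:upper:]' '[:lower:]')" in
        on)            echo "OK: SecRuleEngine On (rules can block)" ;;
        detectiononly) echo "FAIL: SecRuleEngine DetectionOnly (logs only, never blocks)"; rc=1 ;;
        *)             echo "FAIL: SecRuleEngine is $engine"; rc=1 ;;
    esac
    parts=$(modsec_directive "$modsec_conf" SecAuditLogParts) || parts="unset"
    if [ "$parts" = "ABCDEFHJKZ" ]; then echo "OK: SecAuditLogParts $parts"
    else echo "WARN: SecAuditLogParts is $parts, the tutorial sets ABCDEFHJKZ"; fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    audit_modsec "$1" "$2"   # e.g. /etc/nginx/nginx.conf /etc/nginx/modsec/modsecurity.conf
else
    # Constructed sample: Step 9 is done, but modsecurity.conf is still as shipped.
    demo=$(mktemp -d)
    printf '%s\n' 'load_module modules/ngx_http_modsecurity_module.so;' \
        'http {' '    modsecurity on;' \
        '    modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;' '}' > "$demo/nginx.conf"
    printf '%s\n' '# SecRuleEngine On' 'SecRuleEngine DetectionOnly' \
        'SecAuditLogParts ABIJDEFHZ' > "$demo/modsecurity.conf"
    audit_modsec "$demo/nginx.conf" "$demo/modsecurity.conf" || echo "audit failed as expected"
fi
```

On a real server, pass the two paths from the tutorial as arguments; a non-zero exit status means the WAF is not loaded or is not blocking.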

In this guide, we saw how to install ModSecurity on an Ubuntu server that already has Nginx installed. We also saw how to configure ModSecurity and Nginx to work together with the help of a few easy-to-follow commands.