ajikamaludin · March 31, 2021 06:59
diff --git a/SECURE INSTALLED NGINX WITH MODSECURITY3 CENTOS 7.txt b/SECURE INSTALLED NGINX WITH MODSECURITY3 CENTOS 7.txt
 #remainder to disable selinux 

 install mod_security 3:
 yum groupinstall 'Development Tools' -y
 yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel
 yum install lmdb lmdb-devel libxml2 libxml2-devel ssdeep ssdeep-devel lua lua-devel 
 yum install gd gd-devel libxslt-devel perl-ExtUtils-Embed gperftools wget zip unzip
 git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
 cd ModSecurity
 git submodule init
 git submodule update
 ./build.sh
 ./configure
 make
 make install

 install mod_security3 nginx :
 git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git


 check nginx version #nginx -V
 [root@ip-172-26-11-94 ~]# nginx -V
 nginx version: nginx/1.16.1
 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
 built with OpenSSL 1.1.1c FIPS  28 May 2019 (running with OpenSSL 1.1.1g FIPS  21 Apr 2020)
 TLS SNI support enabled
 configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

 wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz && tar xzvf openssl-1.1.1c.tar.gz

 wget http://nginx.org/download/nginx-1.16.1.tar.gz && tar zxvf nginx-1.16.1.tar.gz
 cd nginx-1.16.1

 ./configure \
 --with-openssl=../openssl-1.1.1c \
 --add-dynamic-module=../ModSecurity-nginx \
 --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

 make modules
 mkdir /etc/nginx/{modules,modsec}
 cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

 #add line to /etc/nginx/nginx.conf
 load_module "/etc/nginx/modules/ngx_http_modsecurity_module.so";

 #install owasp rules :
 wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
 mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
 cp ../ModSecurity/unicode.mapping /etc/nginx/modsec/
 sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf

 cd && wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz && tar -xzvf v3.2.0.tar.gz
 mv owasp-modsecurity-crs-3.2.0 owasp-modsecurity-crs
 mv owasp-modsecurity-crs /usr/local
 cd /usr/local/owasp-modsecurity-crs
 cp crs-setup.conf.example crs-setup.conf


 vi /etc/nginx/modsec/main.conf
 # From https://github.com/SpiderLabs/ModSecurity/blob/master/
 # modsecurity.conf-recommended
 #
 # Edit to set SecRuleEngine On
 Include "/etc/nginx/modsec/modsecurity.conf"
 Include "/usr/local/owasp-modsecurity-crs/crs-setup.conf"
 #Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"
 Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"
 #Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"

 #on server config add line :
 server {
    # ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
 }

 #test
 nginx -t

 #restart 
 systemctl restart nginx

 references :
 https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
 https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/
 https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x#centos-7-minimal
 https://github.com/SpiderLabs/ModSecurity-nginx/issues/117#issuecomment-495350465
 https://www.vultr.com/docs/how-to-compile-nginx-from-source-on-centos-7


 advanced with enable selinux for more secure : https://www.nginx.com/blog/using-nginx-plus-with-selinux/
	#remainder to disable selinux

	install mod_security 3:
	yum groupinstall 'Development Tools' -y
	yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel
	yum install lmdb lmdb-devel libxml2 libxml2-devel ssdeep ssdeep-devel lua lua-devel
	yum install gd gd-devel libxslt-devel perl-ExtUtils-Embed gperftools wget zip unzip
	git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
	cd ModSecurity
	git submodule init
	git submodule update
	./build.sh
	./configure
	make
	make install

	install mod_security3 nginx :
	git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git


	check nginx version #nginx -V
	[root@ip-172-26-11-94 ~]# nginx -V
	nginx version: nginx/1.16.1
	built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
	built with OpenSSL 1.1.1c FIPS 28 May 2019 (running with OpenSSL 1.1.1g FIPS 21 Apr 2020)
	TLS SNI support enabled
	configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

	wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz && tar xzvf openssl-1.1.1c.tar.gz

	wget http://nginx.org/download/nginx-1.16.1.tar.gz && tar zxvf nginx-1.16.1.tar.gz
	cd nginx-1.16.1

	./configure \
	--with-openssl=../openssl-1.1.1c \
	--add-dynamic-module=../ModSecurity-nginx \
	--prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

	make modules
	mkdir /etc/nginx/{modules,modsec}
	cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

	#add line to /etc/nginx/nginx.conf
	load_module "/etc/nginx/modules/ngx_http_modsecurity_module.so";

	#install owasp rules :
	wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
	mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
	cp ../ModSecurity/unicode.mapping /etc/nginx/modsec/
	sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf

	cd && wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz && tar -xzvf v3.2.0.tar.gz
	mv owasp-modsecurity-crs-3.2.0 owasp-modsecurity-crs
	mv owasp-modsecurity-crs /usr/local
	cd /usr/local/owasp-modsecurity-crs
	cp crs-setup.conf.example crs-setup.conf


	vi /etc/nginx/modsec/main.conf
	# From https://github.com/SpiderLabs/ModSecurity/blob/master/
	# modsecurity.conf-recommended
	#
	# Edit to set SecRuleEngine On
	Include "/etc/nginx/modsec/modsecurity.conf"
	Include "/usr/local/owasp-modsecurity-crs/crs-setup.conf"
	#Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"
	Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"
	#Include "/usr/local/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"

	#on server config add line :
	server {
	# ...
	modsecurity on;
	modsecurity_rules_file /etc/nginx/modsec/main.conf;
	}

	#test
	nginx -t

	#restart
	systemctl restart nginx

	references :
	https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
	https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/
	https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x#centos-7-minimal
	https://github.com/SpiderLabs/ModSecurity-nginx/issues/117#issuecomment-495350465
	https://www.vultr.com/docs/how-to-compile-nginx-from-source-on-centos-7


	advanced with enable selinux for more secure : https://www.nginx.com/blog/using-nginx-plus-with-selinux/