It has been a long while since I last published on the site, sorry G... A short article to explain to budding security enthusiasts (lost on the Millevaches plateau) how to install the NGINX modsecurity module, which ships by default in the paid NGINX+ edition and is found in WAFs (web application firewalls) as well as in the Kubernetes Ingress Nginx. After a few setbacks finding the right libraries, I was able to test this installation on a Fedora 34 virtual server on OVH's OpenStack cloud. It works perfectly.
Installing the build tools:
sudo dnf group install "Development Tools"
sudo dnf install vim git libtool gcc-c++ pcre-devel GeoIP-devel libxml2-devel
mkdir download && cd download
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
sudo make install
The installation goes to: /usr/local/modsecurity/
Download and compile the NGINX connector for ModSecurity
Check your nginx version before anything else:
$ sudo nginx -v
nginx version: nginx/1.20.1
cd /home/$USER/download
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
sudo mkdir /etc/nginx/modules
curl http://nginx.org/download/nginx-1.20.1.tar.gz -o nginx-1.20.1.tar.gz
tar zxvf nginx-1.20.1.tar.gz
cd nginx-1.20.1
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
cd ..
Load the connector module in the NGINX configuration
In your main configuration file /etc/nginx/nginx.conf, insert this as the first line:
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
Configure and enable ModSecurity
mkdir /etc/nginx/modsec
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
cp /home/$USER/download/ModSecurity/unicode.mapping /etc/nginx/modsec
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
Add to /etc/nginx/modsec/main.conf:
# From https://github.com/SpiderLabs/ModSecurity/blob/master/
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"
# A basic test:
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
In the server block of your web server, enable the module and load its configuration:
server {
# ...
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
# ...
}
Configure the OWASP rules
I am using the latest ones here (v3.2.0)
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz
tar -xzvf v3.2.0.tar.gz
sudo mv owasp-modsecurity-crs-3.2.0 /usr/local
cd /usr/local/owasp-modsecurity-crs-3.2.0
sudo cp crs-setup.conf.example crs-setup.conf
Then add to /etc/nginx/modsec/main.conf:
# Include the recommended configuration
Include /etc/nginx/modsec/modsecurity.conf
# OWASP CRS v3.2.0 rules
Include /usr/local/owasp-modsecurity-crs-3.2.0/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-901-INITIALIZATION.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-910-IP-REPUTATION.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-912-DOS-PROTECTION.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-913-SCANNER-DETECTION.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-950-DATA-LEAKAGES.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-980-CORRELATION.conf
Include /usr/local/owasp-modsecurity-crs-3.2.0/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
sudo nginx -t
sudo nginx -s reload
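Before `nginx -t` and the reload, it is worth sanity-checking the whole main.conf include chain: a missing CRS file or a SecRuleEngine still at DetectionOnly (the default of modsecurity.conf-recommended, which the sed above switches to On) means the WAF only logs and never blocks. The following script is an added example, not code from this post or from the ModSecurity/CRS projects; it assumes the layout used above (main.conf including modsecurity.conf and the CRS rule files) and that paths contain no spaces.

```shell
#!/usr/bin/env bash
# Pre-flight check for the /etc/nginx/modsec/main.conf chain, to run before
# "nginx -t": follows every Include, flags missing files, reports the effective
# SecRuleEngine mode and counts rules. Hypothetical helper, not part of
# ModSecurity, the CRS or the post above; paths are assumed to have no spaces.
# resolve_includes FILE -> prints FILE and every file it Includes, depth-first in
# load order; returns 1 if any file in the chain is unreadable.
resolve_includes() {
    local file=$1 rc=0 inc
    printf '%s\n' "$file"
    [ -r "$file" ] || return 1
    # Accept both  Include "/path"  and  Include /path ; comment lines never match.
    for inc in $(sed -n 's/^[[:space:]]*Include[[:space:]][[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$file"); do
        resolve_includes "$inc" || rc=1
    done
    return "$rc"
}
# rule_engine_mode FILE -> last SecRuleEngine value seen in the chain (a later
# directive overrides an earlier one), or "unset".
rule_engine_mode() {
    local mode=unset f v
    for f in $(resolve_includes "$1"); do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then mode=$v; fi
    done
    printf '%s\n' "$mode"
}
# count_rules FILE -> number of SecRule/SecAction directives in the chain.
count_rules() {
    local n=0 f c
    for f in $(resolve_includes "$1"); do
        [ -r "$f" ] || continue
        c=$(grep -cE '^[[:space:]]*Sec(Rule|Action)[[:space:]]' "$f" || true)
        n=$((n + c))
    done
    printf '%s\n' "$n"
}
# preflight FILE -> prints a report; succeeds only when every file exists and the
# engine is "On" (DetectionOnly logs matches but never blocks).
preflight() {
    local entry=$1 missing=0 f mode
    for f in $(resolve_includes "$entry"); do
        if [ -r "$f" ]; then echo "ok       $f"; else echo "MISSING  $f"; missing=1; fi
    done
    mode=$(rule_engine_mode "$entry")
    echo "SecRuleEngine: $mode  rules: $(count_rules "$entry")"
    if [ "$missing" -ne 0 ] || [ "$mode" != On ]; then return 1; fi
}
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Saved as, say, modsec-preflight.sh and run with /etc/nginx/modsec/main.conf as its argument, it exits non-zero when a file in the chain is missing or the engine is not On.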
And there you go: with well-configured response headers on top of this, your website is now a little safer.