techbitsio/nginx_modsec_crs.sh Secret

## nginx_modsec_crs.sh
#!/bin/bash

################
#
# Nginx, ModSecurity & OWASP Core Rule Set demo build script for Ubuntu Server
#
# Created to accompany https://techbits.io/compile-modsecurity-nginx-ubuntu/
#
# V1.1 - Updated 09/09/2022: Tested on Ubuntu 22.04. Added check for available memory
# & creation/removal of swapfile if necessary. Work out CRS version using api.github.com
#
# V1.0 - Original release
#
################
#
## Download ##
# wget https://gist.githubusercontent.com/techbitsio/a564f7b7951de7c5963d78f0ffd08f69/raw/nginx_modsec_crs.sh
## Make executable ##
# chmod +x nginx_modsec_crs.sh
## Run ##
# ./nginx_modsec_crs.sh
#
## All in one ##
# wget https://gist.githubusercontent.com/techbitsio/a564f7b7951de7c5963d78f0ffd08f69/raw/nginx_modsec_crs.sh && chmod +x nginx_modsec_crs.sh && ./nginx_modsec_crs.sh
#
################
# MIT License
#
# Copyright (c) 2021-2022 techbits.io (https://github.com/techbitsio, https://techbits.io/compile-modsecurity-nginx-ubuntu/)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
################

# Set log file
scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
logname=`basename "$0"`
logname+=".log"
logfile=$scriptdir/$logname
touch "$logfile"

# Functions
logger(){
    echo "$(date): $@" >> $logfile
    echo "## $@"
}
logger "Starting script"

# Setup
## NeedRestart config change (automatically restart required services instead of prompting/blocking script. Revert at end).
sed -i 's/#$nrconf{restart} = '\''i'\'';/$nrconf{restart} = '\''a'\'';/' /etc/needrestart/needrestart.conf

# V1.1 - check available memory and add swap if required.
swapen=0
if [ $(awk '/^MemAvailable:/ { print $2; }' /proc/meminfo) -lt 500000 ]; then
    dd if=/dev/zero of=/swapfile bs=1024 count=512000
	chmod 600 /swapfile
	mkswap /swapfile
	swapon /swapfile
	swapen=1
fi

# Step 1 - Compile libmodsecurity
apt-get update
apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev make -y
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity/
git checkout -b v3/master origin/v3/master
./build.sh
git submodule init
git submodule update
./configure
make
make install

# Step 2 - Compile the ModSecurity Nginx module
cd /opt/
apt-get install libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev -y
if [ -x "$(command -v nginx)" ]; then
        logger "Nginx already installed"
else
        logger "Nginx not installed. Installing..."
        apt-get install nginx -y
fi

## Get installed Nginx version number
nginx_ver=$(nginx -v |& sed 's/nginx version: nginx\///' | sed 's/\s.*$//')
logger "Nginx version: $nginx_ver"

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-$nginx_ver.tar.gz
tar zxvf nginx-$nginx_ver.tar.gz
rm nginx-$nginx_ver.tar.gz
cd nginx-$nginx_ver
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules
cd ..

# Step 3 - Add modsecurity to the Nginx config
sed -i 's/events {/load_module modules\/ngx_http_modsecurity_module.so;\n\nevents {/' /etc/nginx/nginx.conf

# Step 4 - Create a ModSec config
mkdir /etc/nginx/modsec
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
cp ModSecurity/unicode.mapping /etc/nginx/modsec

# Test 1 - Before enabling ModSec blocking, check that Nginx is accepting all requests
logger "Test 1 should return a 200 status code:"
echo "### Test 1 should return a 200 status code:"
test=$(curl -s -H "User-Agent: nessustest" http://localhost/)
if echo "$test" | grep -q "Welcome"; then
        logger "200 found - Web server configuration is correct. PASS"
else
        logger "No 200 found - Web server configuration incorrect. FAIL"
fi

# Step 5 - Turn SecRuleEngine On
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf

# Step 6 - Add ModSec rules
## Work out latest version

# V1.1
#crs_ver=$(curl https://github.com/coreruleset/coreruleset/releases/latest | grep -o -P '(?<=tag/v).*(?=">redirected)')
crs_ver=$(curl --silent "https://api.github.com/repos/coreruleset/coreruleset/releases/latest" | grep -oP '(?<=tag/v)[^"]*')

wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v$crs_ver.tar.gz
logger "Downloaded Core Rule Set version: $crs_ver"
tar -xzvf v$crs_ver.tar.gz
rm v$crs_ver.tar.gz
mv coreruleset-$crs_ver /usr/local
cp /usr/local/coreruleset-$crs_ver/crs-setup.conf.example /usr/local/coreruleset-$crs_ver/crs-setup.conf

# Step 7 - Enable modsecurity and add rules file to default site
sed -i 's/server_name _;/server_name _;\n\tmodsecurity on;\n\tmodsecurity_rules_file \/etc\/nginx\/modsec\/main.conf;/' /etc/nginx/sites-enabled/default
touch /etc/nginx/modsec/main.conf
echo "Include /etc/nginx/modsec/modsecurity.conf" >> /etc/nginx/modsec/main.conf
echo "Include /usr/local/coreruleset-$crs_ver/crs-setup.conf" >> /etc/nginx/modsec/main.conf
echo "Include /usr/local/coreruleset-$crs_ver/rules/*.conf" >> /etc/nginx/modsec/main.conf

# Step 8 - Restart Nginx
nginx -s reload
sleep 5 # Allow config to be reloaded before testing

# Test 2 - After enabling ModSec blocking & adding rules
logger "Test 2 should return a 403 status code:"
test2=$(curl -s -H "User-Agent: nessustest" http://localhost/)
if echo "$test2" | grep -q "403"; then
        logger "403 found - Blocking successful. PASS"
else
        logger "No 403 found - Blocking unsuccessful. FAIL"
fi

# Clean up

# V1.1 - remove swapfile if previously created
if [ "$swapen" -eq "1" ]; then
    swapoff -v /swapfile
	rm /swapfile
fi

## Revert NeedRestart config
sed -i 's/$nrconf{restart} = '\''a'\'';/#$nrconf{restart} = '\''i'\'';/' /etc/needrestart/needrestart.conf

logger "End script"

echo "## See $logname for details/test results."
	#!/bin/bash

	################
	#
	# Nginx, ModSecurity & OWASP Core Rule Set demo build script for Ubuntu Server
	#
	# Created to accompany https://techbits.io/compile-modsecurity-nginx-ubuntu/
	#
	# V1.1 - Updated 09/09/2022: Tested on Ubuntu 22.04. Added check for available memory
	# & creation/removal of swapfile if necessary. Work out CRS version using api.github.com
	#
	# V1.0 - Original release
	#
	################
	#
	## Download ##
	# wget https://gist.githubusercontent.com/techbitsio/a564f7b7951de7c5963d78f0ffd08f69/raw/nginx_modsec_crs.sh
	## Make executable ##
	# chmod +x nginx_modsec_crs.sh
	## Run ##
	# ./nginx_modsec_crs.sh
	#
	## All in one ##
	# wget https://gist.githubusercontent.com/techbitsio/a564f7b7951de7c5963d78f0ffd08f69/raw/nginx_modsec_crs.sh && chmod +x nginx_modsec_crs.sh && ./nginx_modsec_crs.sh
	#
	################
	# MIT License
	#
	# Copyright (c) 2021-2022 techbits.io (https://github.com/techbitsio, https://techbits.io/compile-modsecurity-nginx-ubuntu/)
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy
	# of this software and associated documentation files (the "Software"), to deal
	# in the Software without restriction, including without limitation the rights
	# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	# copies of the Software, and to permit persons to whom the Software is
	# furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in all
	# copies or substantial portions of the Software.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	# SOFTWARE.
	################

	# Set log file
	scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
	logname=`basename "$0"`
	logname+=".log"
	logfile=$scriptdir/$logname
	touch "$logfile"

	# Functions
	logger(){
	echo "$(date): $@" >> $logfile
	echo "## $@"
	}
	logger "Starting script"

	# Setup
	## NeedRestart config change (automatically restart required services instead of prompting/blocking script. Revert at end).
	sed -i 's/#$nrconf{restart} = '\''i'\'';/$nrconf{restart} = '\''a'\'';/' /etc/needrestart/needrestart.conf

	# V1.1 - check available memory and add swap if required.
	swapen=0
	if [ $(awk '/^MemAvailable:/ { print $2; }' /proc/meminfo) -lt 500000 ]; then
	dd if=/dev/zero of=/swapfile bs=1024 count=512000
	chmod 600 /swapfile
	mkswap /swapfile
	swapon /swapfile
	swapen=1
	fi

	# Step 1 - Compile libmodsecurity
	apt-get update
	apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev make -y
	cd /opt/
	git clone https://github.com/SpiderLabs/ModSecurity
	cd ModSecurity/
	git checkout -b v3/master origin/v3/master
	./build.sh
	git submodule init
	git submodule update
	./configure
	make
	make install

	# Step 2 - Compile the ModSecurity Nginx module
	cd /opt/
	apt-get install libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev -y
	if [ -x "$(command -v nginx)" ]; then
	logger "Nginx already installed"
	else
	logger "Nginx not installed. Installing..."
	apt-get install nginx -y
	fi

	## Get installed Nginx version number
	nginx_ver=$(nginx -v \|& sed 's/nginx version: nginx\///' \| sed 's/\s.*$//')
	logger "Nginx version: $nginx_ver"

	git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
	wget http://nginx.org/download/nginx-$nginx_ver.tar.gz
	tar zxvf nginx-$nginx_ver.tar.gz
	rm nginx-$nginx_ver.tar.gz
	cd nginx-$nginx_ver
	./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
	make modules
	cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules
	cd ..

	# Step 3 - Add modsecurity to the Nginx config
	sed -i 's/events {/load_module modules\/ngx_http_modsecurity_module.so;\n\nevents {/' /etc/nginx/nginx.conf

	# Step 4 - Create a ModSec config
	mkdir /etc/nginx/modsec
	wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
	mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
	cp ModSecurity/unicode.mapping /etc/nginx/modsec

	# Test 1 - Before enabling ModSec blocking, check that Nginx is accepting all requests
	logger "Test 1 should return a 200 status code:"
	echo "### Test 1 should return a 200 status code:"
	test=$(curl -s -H "User-Agent: nessustest" http://localhost/)
	if echo "$test" \| grep -q "Welcome"; then
	logger "200 found - Web server configuration is correct. PASS"
	else
	logger "No 200 found - Web server configuration incorrect. FAIL"
	fi

	# Step 5 - Turn SecRuleEngine On
	sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf

	# Step 6 - Add ModSec rules
	## Work out latest version

	# V1.1
	#crs_ver=$(curl https://github.com/coreruleset/coreruleset/releases/latest \| grep -o -P '(?<=tag/v).*(?=">redirected)')
	crs_ver=$(curl --silent "https://api.github.com/repos/coreruleset/coreruleset/releases/latest" \| grep -oP '(?<=tag/v)[^"]*')

	wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v$crs_ver.tar.gz
	logger "Downloaded Core Rule Set version: $crs_ver"
	tar -xzvf v$crs_ver.tar.gz
	rm v$crs_ver.tar.gz
	mv coreruleset-$crs_ver /usr/local
	cp /usr/local/coreruleset-$crs_ver/crs-setup.conf.example /usr/local/coreruleset-$crs_ver/crs-setup.conf

	# Step 7 - Enable modsecurity and add rules file to default site
	sed -i 's/server_name _;/server_name _;\n\tmodsecurity on;\n\tmodsecurity_rules_file \/etc\/nginx\/modsec\/main.conf;/' /etc/nginx/sites-enabled/default
	touch /etc/nginx/modsec/main.conf
	echo "Include /etc/nginx/modsec/modsecurity.conf" >> /etc/nginx/modsec/main.conf
	echo "Include /usr/local/coreruleset-$crs_ver/crs-setup.conf" >> /etc/nginx/modsec/main.conf
	echo "Include /usr/local/coreruleset-$crs_ver/rules/*.conf" >> /etc/nginx/modsec/main.conf

	# Step 8 - Restart Nginx
	nginx -s reload
	sleep 5 # Allow config to be reloaded before testing

	# Test 2 - After enabling ModSec blocking & adding rules
	logger "Test 2 should return a 403 status code:"
	test2=$(curl -s -H "User-Agent: nessustest" http://localhost/)
	if echo "$test2" \| grep -q "403"; then
	logger "403 found - Blocking successful. PASS"
	else
	logger "No 403 found - Blocking unsuccessful. FAIL"
	fi

	# Clean up

	# V1.1 - remove swapfile if previously created
	if [ "$swapen" -eq "1" ]; then
	swapoff -v /swapfile
	rm /swapfile
	fi

	## Revert NeedRestart config
	sed -i 's/$nrconf{restart} = '\''a'\'';/#$nrconf{restart} = '\''i'\'';/' /etc/needrestart/needrestart.conf

	logger "End script"

	echo "## See $logname for details/test results."