Skip to content

Instantly share code, notes, and snippets.

@techbitsio
Last active Jul 12, 2021
Embed
What would you like to do?
Nginx, ModSecurity & OWASP Core Rule Set demo build script for Ubuntu 21.04
#!/bin/bash
################
#
# Nginx, ModSecurity & OWASP Core Rule Set demo build script for Ubuntu 21.04
#
# Created to accompany https://techbits.io/nginx-modsecurity-ubuntu-21-04/
#
################
#
## Download ##
# wget https://gist.githubusercontent.com/techbitsio/a564f7b7951de7c5963d78f0ffd08f69/raw/nginx_modsec_crs.sh
## Make executable ##
# chmod +x nginx_modsec_crs.sh
## Run ##
# ./nginx_modsec_crs.sh
#
## All in one ##
# wget https://gist.githubusercontent.com/techbitsio/a564f7b7951de7c5963d78f0ffd08f69/raw/nginx_modsec_crs.sh && chmod +x nginx_modsec_crs.sh && ./nginx_modsec_crs.sh
#
################
# MIT License
#
# Copyright (c) 2021 techbits.io (https://github.com/techbitsio, https://techbits.io/nginx-modsecurity-ubuntu-21-04/)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
################
# Set log file
scriptdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
logname=`basename "$0"`
logname+=".log"
logfile=$scriptdir/$logname
touch "$logfile"
# Functions
logger(){
echo "$(date): $@" >> $logfile
echo "## $@"
}
logger "Starting script"
# Setup
## NeedRestart config change (automatically restart required services instead of prompting/blocking script. Revert at end).
sed -i 's/#$nrconf{restart} = '\''i'\'';/$nrconf{restart} = '\''a'\'';/' /etc/needrestart/needrestart.conf
# Step 1 - Compile libmodsecurity
apt-get update
apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev make -y
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity/
git checkout -b v3/master origin/v3/master
./build.sh
git submodule init
git submodule update
./configure
make
make install
# Step 2 - Compile the ModSecurity Nginx module
cd /opt/
apt-get install libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev -y
if [ -x "$(command -v nginx)" ]; then
logger "Nginx already installed"
else
logger "Nginx not installed. Installing..."
apt-get install nginx -y
fi
## Get installed Nginx version number
nginx_ver=$(nginx -v |& sed 's/nginx version: nginx\///' | sed 's/\s.*$//')
logger "Nginx version: $nginx_ver"
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-$nginx_ver.tar.gz
tar zxvf nginx-$nginx_ver.tar.gz
rm nginx-$nginx_ver.tar.gz
cd nginx-$nginx_ver
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules
cd ..
# Step 3 - Add modsecurity to the Nginx config
sed -i 's/events {/load_module modules\/ngx_http_modsecurity_module.so;\n\nevents {/' /etc/nginx/nginx.conf
# Step 4 - Create a ModSec config
mkdir /etc/nginx/modsec
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
cp ModSecurity/unicode.mapping /etc/nginx/modsec
# Test 1 - Before enabling ModSec blocking, check that Nginx is accepting all requests
logger "Test 1 should return a 200 status code:"
echo "### Test 1 should return a 200 status code:"
test=$(curl -s -H "User-Agent: nessustest" http://localhost/)
if echo "$test" | grep -q "Welcome"; then
logger "200 found - Web server configuration is correct. PASS"
else
logger "No 200 found - Web server configuration incorrect. FAIL"
fi
# Step 5 - Turn SecRuleEngine On
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
# Step 6 - Add ModSec rules
## Work out latest version
crs_ver=$(curl https://github.com/coreruleset/coreruleset/releases/latest | grep -o -P '(?<=tag/v).*(?=">redirected)')
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v$crs_ver.tar.gz
logger "Downloaded Core Rule Set version: $crs_ver"
tar -xzvf v$crs_ver.tar.gz
rm v$crs_ver.tar.gz
mv coreruleset-$crs_ver /usr/local
cp /usr/local/coreruleset-$crs_ver/crs-setup.conf.example /usr/local/coreruleset-$crs_ver/crs-setup.conf
# Step 7 - Enable modsecurity and add rules file to default site
sed -i 's/server_name _;/server_name _;\n\tmodsecurity on;\n\tmodsecurity_rules_file \/etc\/nginx\/modsec\/main.conf;/' /etc/nginx/sites-enabled/default
touch /etc/nginx/modsec/main.conf
echo "Include /etc/nginx/modsec/modsecurity.conf" >> /etc/nginx/modsec/main.conf
echo "Include /usr/local/coreruleset-$crs_ver/crs-setup.conf" >> /etc/nginx/modsec/main.conf
echo "Include /usr/local/coreruleset-$crs_ver/rules/*.conf" >> /etc/nginx/modsec/main.conf
# Step 8 - Restart Nginx
nginx -s reload
sleep 5 # Allow config to be reloaded before testing
# Test 2 - After enabling ModSec blocking & adding rules
logger "Test 2 should return a 403 status code:"
test2=$(curl -s -H "User-Agent: nessustest" http://localhost/)
if echo "$test2" | grep -q "403"; then
logger "403 found - Blocking successful. PASS"
else
logger "No 403 found - Blocking unsuccessful. FAIL"
fi
# Clean up
## Revert NeedRestart config
sed -i 's/$nrconf{restart} = '\''a'\'';/#$nrconf{restart} = '\''i'\'';/' /etc/needrestart/needrestart.conf
logger "End script"
echo "## See $logname for details/test results."
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment