{"id":18234,"date":"2023-08-07T22:10:06","date_gmt":"2023-08-07T19:10:06","guid":{"rendered":"https:\/\/kifarunix.com\/?p=18234"},"modified":"2024-03-10T10:43:33","modified_gmt":"2024-03-10T07:43:33","slug":"install-modsecurity-3-with-nginx-on-debian-12","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-modsecurity-3-with-nginx-on-debian-12\/","title":{"rendered":"Install ModSecurity 3 with Nginx on Debian 12"},"content":{"rendered":"\n<p>Welcome to our guide on how to install ModSecurity 3 with Nginx on Debian 12. <a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">Modsecurity<\/a> is an open source, cross platform web application firewall (WAF) which provides a robust event-based programming language which protects web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include e.tc. It also allows for HTTP traffic monitoring, logging and real-time analysis.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-mod-security-3-with-nginx-on-debian-12\">Installing ModSecurity 3 with Nginx on Debian 12<\/a><ul><li><a href=\"#install-required-build-tools-and-dependencies\">Install Required Build Tools and Dependencies<\/a><\/li><li><a href=\"#compile-and-install-mod-security-on-debian-12\">Compile and Install ModSecurity on Debian 12<\/a><ul><li><a href=\"#download-mod-security-source-code\">Download ModSecurity Source Code<\/a><\/li><li><a href=\"#extract-the-mod-security-source-code\">Extract the ModSecurity source code.<\/a><\/li><li><a href=\"#configure-mod-security-3-source-code-on-debian-12\">Configure ModSecurity 3 Source Code on Debian 12<\/a><\/li><li><a href=\"#compile-and-install-mod-security-3-on-debian-12\">Compile and Install ModSecurity 3 on Debian 12<\/a><\/li><\/ul><\/li><li><a href=\"#install-nginx-with-mod-security-3-support-on-debian-12\">Install Nginx with ModSecurity 3 Support on Debian 12<\/a><\/li><li><a href=\"#confgure-nginx-with-mod-security-3-on-debian-12\">Confgure Nginx with ModSecurity 3 on Debian 12<\/a><\/li><li><a href=\"#install-owasp-mod-security-core-rule-set-crs\">Install OWASP ModSecurity Core Rule Set (CRS)<\/a><\/li><li><a href=\"#testing-modsecurity\">Testing Modsecurity<\/a><\/li><li><a href=\"#reference\">Reference:<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-mod-security-3-with-nginx-on-debian-12\">Installing ModSecurity 3 with Nginx on Debian 12<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-required-build-tools-and-dependencies\">Install Required Build Tools and Dependencies<\/h3>\n\n\n\n<p>To install ModSecurity 3 with Nginx, you need to build it from source.<\/p>\n\n\n\n<p>You will also need to build Nginx from the source code in order to enable suppport for ModSecurity.<\/p>\n\n\n\n<p>Hence, you need to install some required build tools and dependencies for a successful build.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\napt install g++ \\\n\tflex \\\n\tbison \\\n\tcurl \\\n\tapache2-dev \\\n\tdoxygen \\\n\tlibyajl-dev \\\n\tssdeep \\\n\tliblua5.2-dev \\\n\tlibgeoip-dev \\\n\tlibtool \\\n\tdh-autoreconf \\\n\tlibcurl4-gnutls-dev \\\n\tlibxml2 \\\n\tlibpcre3-dev \\\n\tlibxml2-dev \\\n\tzlib1g \\\n\tzlib1g-dev \\\n\tlibssl-dev \\\n\tgit -y\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"compile-and-install-mod-security-on-debian-12\">Compile and Install ModSecurity on Debian 12<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"download-mod-security-source-code\">Download ModSecurity Source Code<\/h4>\n\n\n\n<p>Navigate to&nbsp;<a class=\"rank-math-link\" href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/\" target=\"_blank\" rel=\"noreferrer noopener\">ModSecurity releases page<\/a>&nbsp;and download the source code for ModSecurity 3. You can simply use wget to pull it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=3.0.10<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/download\/v${VER}\/modsecurity-v${VER}.tar.gz<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"extract-the-mod-security-source-code\">Extract the ModSecurity source code.<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>tar xzf modsecurity-v${VER}.tar.gz<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-mod-security-3-source-code-on-debian-12\">Configure ModSecurity 3 Source Code on Debian 12<\/h4>\n\n\n\n<p>Navigate to ModSecurity 3.x source directory and configure it;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd modsecurity-v${VER}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/build.sh<\/code><\/pre>\n\n\n\n<p>You can safely ignore the&nbsp;<code><strong>fatal: not a git repository (or any of the parent directories): .git<\/strong><\/code> error and the obsolete warning messages.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/configure<\/code><\/pre>\n\n\n\n<p>Be sure to fix any dependency issue, if any, before you can proceed to compile and install ModSecurity 3 with Nginx.<\/p>\n\n\n\n<p>If the configure script above completes with no error, proceed to compile and install ModSecurity 3 with Nginx.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"compile-and-install-mod-security-3-on-debian-12\">Compile and Install ModSecurity 3 on Debian 12<\/h4>\n\n\n\n<p>From within each ModSecurity version source directory, execute the commands below to install them;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>make install<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-nginx-with-mod-security-3-support-on-debian-12\">Install Nginx with ModSecurity 3 Support on Debian 12<\/h3>\n\n\n\n<p>Next, you need to compile Nginx with support for Modsecurity.<\/p>\n\n\n\n<p>Therefore, download the ModSecurity-nginx connector which provides a communication channel between Nginx and LibModsecurity by cloning its git repository.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ~<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/SpiderLabs\/ModSecurity-nginx.git<\/code><\/pre>\n\n\n\n<p>Next, download the latest staple version of Nginx from&nbsp;<a href=\"http:\/\/nginx.org\/en\/download.html\" target=\"_blank\" rel=\"noopener\">Nginx downloads<\/a>. The latest version as of this writing is version&nbsp;<a href=\"http:\/\/nginx.org\/download\/nginx-1.24.0.tar.gz\" target=\"_blank\" rel=\"noopener\">nginx-1.24.0.tar.gz<\/a>.<\/p>\n\n\n\n<p>Replace the value of E_VER below with the version of Nginx release;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>E_VER=1.24.0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/nginx.org\/download\/nginx-${E_VER}.tar.gz<\/code><\/pre>\n\n\n\n<p>Extract the archive.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tar xzf nginx-${E_VER}.tar.gz<\/code><\/pre>\n\n\n\n<p>Remove any installed versions of Nginx;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt remove --purge --auto-remove nginx -y<\/code><\/pre>\n\n\n\n<p>Create a non-privileged Nginx system user and group.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">useradd -r -M -s \/sbin\/nologin -d \/usr\/local\/nginx nginx<\/pre>\n\n\n\n<p>Navigate to Nginx source directory and configure it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd nginx-${E_VER}<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n.\/configure --user=nginx \\\n\t--group=nginx \\\n\t--with-pcre-jit \\\n\t--with-debug \\\n\t--with-compat \\\n\t--with-http_ssl_module \\\n\t--with-http_realip_module \\\n\t--add-dynamic-module=\/root\/ModSecurity-nginx \\\n\t--http-log-path=\/var\/log\/nginx\/access.log \\\n\t--error-log-path=\/var\/log\/nginx\/error.log\n<\/code><\/pre>\n\n\n\n<p>Configuration summary;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\ncreating objs\/Makefile\n\nConfiguration summary\n  + using system PCRE2 library\n  + using system OpenSSL library\n  + using system zlib library\n\n  nginx path prefix: \"\/usr\/local\/nginx\"\n  nginx binary file: \"\/usr\/local\/nginx\/sbin\/nginx\"\n  nginx modules path: \"\/usr\/local\/nginx\/modules\"\n  nginx configuration prefix: \"\/usr\/local\/nginx\/conf\"\n  nginx configuration file: \"\/usr\/local\/nginx\/conf\/nginx.conf\"\n  nginx pid file: \"\/usr\/local\/nginx\/logs\/nginx.pid\"\n  nginx error log file: \"\/var\/log\/nginx\/error.log\"\n  nginx http access log file: \"\/var\/log\/nginx\/access.log\"\n  nginx http client request body temporary files: \"client_body_temp\"\n  nginx http proxy temporary files: \"proxy_temp\"\n  nginx http fastcgi temporary files: \"fastcgi_temp\"\n  nginx http uwsgi temporary files: \"uwsgi_temp\"\n  nginx http scgi temporary files: \"scgi_temp\"\n<\/code><\/pre>\n\n\n\n<p>Compile and install Nginx on Ubuntu 22.05.<\/p>\n\n\n\n<pre id=\"block-0f9ebcac-cbb0-49af-8c54-8931cd4b83fa\" class=\"wp-block-code\"><code>make<\/code><\/pre>\n\n\n\n<p>Create dynamic modules;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make modules<\/code><\/pre>\n\n\n\n<p>Install Nginx;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make install<\/code><\/pre>\n\n\n\n<p>You can check nginx version, compiler version, and configure script parameters with the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ln -s \/usr\/local\/nginx\/sbin\/nginx \/usr\/local\/sbin\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>nginx -V<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nnginx version: nginx\/1.24.0\nbuilt by gcc 12.2.0 (Debian 12.2.0-14) \nbuilt with OpenSSL 3.0.9 30 May 2023\nTLS SNI support enabled\nconfigure arguments: --user=nginx --group=nginx --with-pcre-jit --with-debug --with-compat --with-http_ssl_module --with-http_realip_module --add-dynamic-module=\/root\/ModSecurity-nginx --http-log-path=\/var\/log\/nginx\/access.log --error-log-path=\/var\/log\/nginx\/error.log\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"confgure-nginx-with-mod-security-3-on-debian-12\">Confgure Nginx with ModSecurity 3 on Debian 12<\/h3>\n\n\n\n<p>Copy the sample ModSecurity configuration file on the source directory to Nginx configuration directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp ~\/modsecurity-v${VER}\/modsecurity.conf-recommended \/usr\/local\/nginx\/conf\/modsecurity.conf<\/code><\/pre>\n\n\n\n<p>Copy the <strong><code>unicode.mapping<\/code><\/strong> file from ModSecurity source directory to Nginx configuration directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp ~\/modsecurity-v${VER}\/unicode.mapping \/usr\/local\/nginx\/conf\/<\/code><\/pre>\n\n\n\n<p>Next, edit Nginx configuration file and make the changes as shown below.<\/p>\n\n\n\n<p>Create a backup of the Nginx configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/usr\/local\/nginx\/conf\/nginx.conf{,.bak}<\/code><\/pre>\n\n\n\n<p>Configure Nginx such that your configuration may look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/usr\/local\/nginx\/conf\/nginx.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n<strong>load_module modules\/ngx_http_modsecurity_module.so;<\/strong>\nuser  nginx;\nworker_processes  1;\npid        \/run\/nginx.pid;\nevents {\n    worker_connections  1024;\n}\nhttp {\n    include       mime.types;\n    default_type  application\/octet-stream;\n    sendfile        on;\n    keepalive_timeout  65;\n    server {\n        listen       80;\n        server_name  nginx.kifarunix-demo.com;\n        <strong>modsecurity  on;\n        modsecurity_rules_file  \/usr\/local\/nginx\/conf\/modsecurity.conf;<\/strong>\n        access_log  \/var\/log\/nginx\/access_kifarunix-demo.log;\n        error_log  \/var\/log\/nginx\/error_kifarunix-demo.log;\n        location \/ {\n            root   html;\n            index  index.html index.htm;\n        }\n        error_page   500 502 503 504  \/50x.html;\n        location = \/50x.html {\n            root   html;\n        }\n    }\n}\n<\/code><\/pre>\n\n\n\n<p>The lines below turns on Modsecurity on the root web document and specific the location of the Modsecurity rules.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>modsecurity on;<br>modsecurity_rules_file \/usr\/local\/nginx\/conf\/modsecurity.conf;<\/code><\/pre>\n\n\n\n<p>Note that ModSecurity 3 can be turned on per directory basis.<\/p>\n\n\n\n<p>The line below loads the Modsecurity Nginx modules;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>load_module modules\/ngx_http_modsecurity_module.so;<\/code><\/pre>\n\n\n\n<p>Create Nginx log directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91; -d \/var\/log\/nginx ] || mkdir \/var\/log\/nginx <\/code><\/pre>\n\n\n\n<p>Turn on ModSecurity by changing the value of <code>SecRuleEngine<\/code> to <code>On<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/usr\/local\/nginx\/conf\/modsecurity.conf<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-owasp-mod-security-core-rule-set-crs\">Install OWASP ModSecurity Core Rule Set (CRS)<\/h3>\n\n\n\n<p>The&nbsp;<strong>OWASP ModSecurity Core Rule Set (CRS)<\/strong>&nbsp;is a set of generic attack detection rules for use with ModSecurity. It aims at protecting the web applications from a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.<\/p>\n\n\n\n<p>Download the CRS from&nbsp;<a href=\"https:\/\/github.com\/coreruleset\/coreruleset\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub repository<\/a>&nbsp;to&nbsp;<code>\/usr\/local\/nginx\/conf\/<\/code>&nbsp;as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ~<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/github.com\/coreruleset\/coreruleset\/archive\/refs\/tags\/v3.3.5.tar.gz<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/usr\/local\/nginx\/conf\/owasp-crs<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>tar xzf v3.3.5.tar.gz --strip-components=1 -C \/usr\/local\/nginx\/conf\/owasp-crs\/<\/code><\/pre>\n\n\n\n<p>Next, rename&nbsp;<code>crs-setup.conf.example<\/code>&nbsp;to&nbsp;<code>crs-setup.conf<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo cp \/usr\/local\/nginx\/conf\/owasp-crs\/crs-setup.conf{.example,}<\/code><\/pre>\n\n\n\n<p>Once the OWASP rules are in place, configure ModSecurity to use these rules. You therefore need to enter the following lines on the ModSecurity configuration file to tell it where to find the rules.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo -e \"Include owasp-crs\/crs-setup.conf\nInclude owasp-crs\/rules\/*.conf\" &gt;&gt; \/usr\/local\/nginx\/conf\/modsecurity.conf<\/code><\/pre>\n\n\n\n<p>This command will append the lines below on&nbsp;<code>\/usr\/local\/nginx\/conf\/modsecurity.conf<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Include owasp-crs\/crs-setup.conf\nInclude owasp-crs\/rules\/*.conf<\/code><\/pre>\n\n\n\n<p>Enable Modsecurity Self-contained mode. In this configuration the default disruptive action becomes &#8216;deny&#8217;. After a rule triggers, it will stop processing the request and return an error 403.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/usr\/local\/nginx\/conf\/owasp-crs\/crs-setup.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n<strong>#SecDefaultAction \"phase:1,log,auditlog,pass\"\n#SecDefaultAction \"phase:2,log,auditlog,pass\"<\/strong>\n\n...\n#\n<strong>SecDefaultAction \"phase:1,log,auditlog,deny,status:403\"\nSecDefaultAction \"phase:2,log,auditlog,deny,status:403<\/strong>\"\n...\n<\/code><\/pre>\n\n\n\n<p>Save the changes and exit the file.<\/p>\n\n\n\n<p>Verify Nginx configuration file again.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nginx -t<\/pre>\n\n\n\n<p>Output should be;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nginx: the configuration file \/usr\/local\/nginx\/conf\/nginx.conf syntax is ok\nnginx: configuration file \/usr\/local\/nginx\/conf\/nginx.conf test is successful<\/code><\/pre>\n\n\n\n<p>Next, create Nginx Systemd service unit.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/systemd\/system\/nginx.service << 'EOL'\n[Unit]\nDescription=A high performance web server and a reverse proxy server\nDocumentation=man:nginx(8)\nAfter=network.target nss-lookup.target\n\n[Service]\nType=forking\nPIDFile=\/run\/nginx.pid\nExecStartPre=\/usr\/local\/nginx\/sbin\/nginx -t -q -g 'daemon on; master_process on;'\nExecStart=\/usr\/local\/nginx\/sbin\/nginx -g 'daemon on; master_process on;'\nExecReload=\/usr\/local\/nginx\/sbin\/nginx -g 'daemon on; master_process on;' -s reload\nExecStop=-\/sbin\/start-stop-daemon --quiet --stop --retry QUIT\/5 --pidfile \/run\/nginx.pid\nTimeoutStopSec=5\nKillMode=mixed\n\n[Install]\nWantedBy=multi-user.target\nEOL\n<\/code><\/pre>\n\n\n\n<p>Reload system;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl daemon-reload<\/code><\/pre>\n\n\n\n<p>Then Start Nginx;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl enable --now nginx<\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status nginx<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf nginx.service - A high performance web server and a reverse proxy server\n     Loaded: loaded (\/etc\/systemd\/system\/nginx.service; enabled; preset: enabled)\n     Active: active (running) since Mon 2023-08-07 15:00:56 EDT; 1min 14s ago\n       Docs: man:nginx(8)\n    Process: 33618 ExecStartPre=\/usr\/local\/nginx\/sbin\/nginx -t -q -g daemon on; master_process on; (code=exited, status=0\/SUCCESS)\n    Process: 33619 ExecStart=\/usr\/local\/nginx\/sbin\/nginx -g daemon on; master_process on; (code=exited, status=0\/SUCCESS)\n   Main PID: 33620 (nginx)\n      Tasks: 2 (limit: 2307)\n     Memory: 19.7M\n        CPU: 213ms\n     CGroup: \/system.slice\/nginx.service\n             \u251c\u250033620 \"nginx: master process \/usr\/local\/nginx\/sbin\/nginx -g daemon on; master_process on;\"\n             \u2514\u250033621 \"nginx: worker process\"\n\nAug 07 15:00:56 debian systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server...\nAug 07 15:00:56 debian systemd[1]: nginx.service: Failed to parse PID from file \/run\/nginx.pid: Invalid argument\nAug 07 15:00:56 debian systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server.\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-modsecurity\">Testing Modsecurity<\/h3>\n\n\n\n<p>Next, test the effectiveness of Modsecurity, for example, command injection. Run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl localhost?doc=\/bin\/ls<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n&lt;html>\n&lt;head>&lt;title>403 Forbidden&lt;\/title>&lt;\/head>\n&lt;body>\n&lt;center>&lt;h1>403 Forbidden&lt;\/h1>&lt;\/center>\n&lt;hr>&lt;center>nginx\/1.24.0&lt;\/center>\n&lt;\/body>\n&lt;\/html>\n<\/code><\/pre>\n\n\n\n<p>Check Modsecurity logs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail \/var\/log\/modsec_audit.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\n---kpenmi6q---H--\nModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `\/bin\/ls' ) &#91;file \"\/usr\/local\/nginx\/conf\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] &#91;line \"496\"] &#91;id \"932160\"] &#91;rev \"\"] &#91;msg \"Remote Command Execution: Unix Shell Code Found\"] &#91;data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] &#91;severity \"2\"] &#91;ver \"OWASP_CRS\/3.2.0\"] &#91;maturity \"0\"] &#91;accuracy \"0\"] &#91;tag \"application-multi\"] &#91;tag \"language-shell\"] &#91;tag \"platform-unix\"] &#91;tag \"attack-rce\"] &#91;tag \"paranoia-level\/1\"] &#91;tag \"OWASP_CRS\"] &#91;tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] &#91;tag \"WASCTC\/WASC-31\"] &#91;tag \"OWASP_TOP_10\/A1\"] &#91;tag \"PCI\/6.5.2\"] &#91;hostname \"127.0.0.1\"] &#91;uri \"\/\"] &#91;unique_id \"16914349490.619224\"] &#91;ref \"o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\n\n---kpenmi6q---I--\n\n---kpenmi6q---J--\n\n---kpenmi6q---Z--<\/code><\/pre>\n\n\n\n<p>Access the site from browser and test command injection attack, <code><strong>http:\/\/domain.name\/?exec=\/bin\/bash<\/strong><\/code>.<\/p>\n\n\n\n<html>\n<head><title>403 Forbidden<\/title><\/head>\n<body>\n<center><h1>403 Forbidden<\/h1><\/center>\n<hr><center>nginx\/1.20.2<\/center>\n<\/body>\n<\/html>\n\n\n\n<p>Check Nginx Error log;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail \/var\/log\/nginx\/error_kifarunix-demo.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>2023\/08\/07 15:02:29 &#91;error] 33621#0: *1 &#91;client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `\/bin\/ls' ) &#91;file \"\/usr\/local\/nginx\/conf\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] &#91;line \"496\"] &#91;id \"932160\"] &#91;rev \"\"] &#91;msg \"Remote Command Execution: Unix Shell Code Found\"] &#91;data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] &#91;severity \"2\"] &#91;ver \"OWASP_CRS\/3.2.0\"] &#91;maturity \"0\"] &#91;accuracy \"0\"] &#91;tag \"application-multi\"] &#91;tag \"language-shell\"] &#91;tag \"platform-unix\"] &#91;tag \"attack-rce\"] &#91;tag \"paranoia-level\/1\"] &#91;tag \"OWASP_CRS\"] &#91;tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] &#91;tag \"WASCTC\/WASC-31\"] &#91;tag \"OWASP_TOP_10\/A1\"] &#91;tag \"PCI\/6.5.2\"] &#91;hostname \"127.0.0.1\"] &#91;uri \"\/\"] &#91;unique_id \"16914349490.619224\"] &#91;ref \"o1,<\/code><\/pre>\n\n\n\n<p>Similarly, install Nikto on Ubuntu and use it to scan the server to test the modsecurity rules;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-use-nikto-web-scanner-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Use Nikto Web Scanner on Ubuntu<\/a><\/p>\n\n\n\n<p>As a result, this confirms that the Modsecurity is functioning as expected.<\/p>\n\n\n\n<p>That is just about it on our guide on how to install ModSecurity with Nginx on Debian 12.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reference\">Reference:<\/h3>\n\n\n\n<p><a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity-nginx\" target=\"_blank\" rel=\"noreferrer noopener\">ModSecurity-nginx<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\" target=\"_blank\" rel=\"noopener\">ModSecurity<\/a><\/p>\n\n\n\n<p>Other Tutorials<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/process-modsecurity-logs-using-wazuh\/\" target=\"_blank\" rel=\"noreferrer noopener\">Process ModSecurity Logs using Wazuh<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-modsecurity-with-apache-on-debian-12\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ModSecurity with Apache on Debian 12<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our guide on how to install ModSecurity 3 with Nginx on Debian 12. Modsecurity is an open source, cross platform web application firewall<\/p>\n","protected":false},"author":10,"featured_media":10111,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,1207,304,253],"tags":[7157,7154,7156,7158,7155],"class_list":["post-18234","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-modsecurity","category-nginx","category-web-servers","tag-debian-12-libmodsecurity","tag-install-modsecurity-3-debian-12","tag-libmodsecurity3-nginx","tag-modsecurity-3-debian-12","tag-secure-nginx-with-modsecurity-3","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18234"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=18234"}],"version-history":[{"count":4,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18234\/revisions"}],"predecessor-version":[{"id":20838,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18234\/revisions\/20838"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10111"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=18234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=18234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=18234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}