“How to Install ModSecurity with Nginx on Rocky Linux 8”
Introduction
ModSecurity is a popular, free, open-source web application firewall used to protect web applications from several types of attacks, including SQL injection, cross-site scripting, and local file inclusion. It is often used to protect websites, cPanel, and other hosting control panels. While ModSecurity was primarily designed for the Apache web server, it can also work with the Nginx web server.
Requirements
How to Install ModSecurity with Nginx on Rocky Linux 8
- Update OS
dnf update -y
- Install dependencies
dnf install gcc-c++ flex bison yajl curl-devel curl zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config git wget openssl openssl-devel vim
dnf --enablerepo=powertools install doxygen yajl-devel -y
dnf install epel-release https://rpms.remirepo.net/enterprise/remi-release-8.rpm -y
dnf --enablerepo=remi install GeoIP-devel -y
- Install ModSecurity
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
- Change directory
cd ModSecurity
git submodule init
git submodule update
- Compile
# build.sh generates the configure script in a fresh git checkout
./build.sh
./configure
make
make install
- Install nginx
cd ../
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-1.19.10.tar.gz
tar xzf nginx-1.19.10.tar.gz
useradd -r -M -s /sbin/nologin -d /usr/local/nginx nginx
- Change directory
cd nginx-1.19.10
./configure --user=nginx --group=nginx --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/root/ModSecurity-nginx
- Install
make
make install
- Copy the config
cp /root/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
cp /root/ModSecurity/unicode.mapping /usr/local/nginx/conf/
- Back up the nginx config
cp /usr/local/nginx/conf/nginx.conf{,.bak}
- Edit the nginx config
nano /usr/local/nginx/conf/nginx.conf
user nginx;
worker_processes 1;
pid /run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name nginx.example.com;
        modsecurity on;
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
- Create the log directory
mkdir /var/log/nginx
- Create the systemd service
nano /etc/systemd/system/nginx.service
[Unit]
Description=The nginx HTTP and reverse proxy server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=true

[Install]
WantedBy=multi-user.target
- Create the symlink
ln -s /usr/local/nginx/sbin/nginx /usr/sbin/
- Start the service
systemctl daemon-reload
systemctl enable --now nginx
systemctl status nginx
- Enable the ModSecurity rule engine
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /usr/local/nginx/conf/modsecurity.conf
sed -i 's#/var/log/modsec_audit.log#/var/log/nginx/modsec_audit.log#' /usr/local/nginx/conf/modsecurity.conf
- Install the OWASP ModSecurity CRS
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/local/nginx/conf/owasp-crs
cp /usr/local/nginx/conf/owasp-crs/crs-setup.conf{.example,}
echo -e "Include owasp-crs/crs-setup.conf\nInclude owasp-crs/rules/*.conf" >> /usr/local/nginx/conf/modsecurity.conf
systemctl restart nginx
- Test ModSecurity
curl 'localhost/index.html?exec=/bin/bash'
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.19.10</center>
</body>
</html>
- Check the log
tail -100 /var/log/nginx/modsec_audit.log
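The sed and echo >> steps above edit modsecurity.conf without reporting whether they changed anything: sed -i exits 0 even when no line matched, and rerunning the echo step appends the Include lines a second time. The script below is an added example, not part of the original post, that checks the resulting file; the function names and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit modsecurity.conf after the
# sed and echo >> steps instead of trusting their exit codes.

# Value of the last uncommented occurrence of a directive (later lines win).
last_directive() {   # usage: last_directive FILE NAME
    awk -v name="$2" '$1 == name { val = $2 } END { print val }' "$1"
}

# Line numbers of uncommented "Include PATH" lines.
include_lines() {    # usage: include_lines FILE PATH
    awk -v p="$2" '$1 == "Include" && $2 == p { print NR }' "$1"
}

# Print each problem found; return 0 only if the file matches the tutorial.
check_modsec_conf() {
    local conf=$1 rc=0 engine audit setup rules
    engine=$(last_directive "$conf" SecRuleEngine)
    [ "$engine" = "On" ] || { echo "FAIL: SecRuleEngine is '${engine:-unset}'"; rc=1; }
    audit=$(last_directive "$conf" SecAuditLog)
    [ "$audit" = "/var/log/nginx/modsec_audit.log" ] ||
        { echo "FAIL: SecAuditLog is '${audit:-unset}'"; rc=1; }
    # crs-setup.conf must come before the rule files, each included exactly once.
    setup=$(include_lines "$conf" 'owasp-crs/crs-setup.conf')
    rules=$(include_lines "$conf" 'owasp-crs/rules/*.conf')
    if [ -z "$setup" ] || [ -z "$rules" ]; then
        echo "FAIL: CRS Include lines are missing"; rc=1
    elif [ "$(printf '%s\n' "$setup" "$rules" | grep -c .)" -ne 2 ]; then
        echo "FAIL: CRS is included more than once"; rc=1
    elif [ "$setup" -gt "$rules" ]; then
        echo "FAIL: crs-setup.conf is included after the rule files"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the relevant lines of a config after all steps succeeded.
sample_conf() {
    cat <<'EOF'
# SecRuleEngine DetectionOnly
SecRuleEngine On
SecAuditLog /var/log/nginx/modsec_audit.log
Include owasp-crs/crs-setup.conf
Include owasp-crs/rules/*.conf
EOF
}

# Check the path used in the tutorial, or a file given as the first argument.
conf=${1:-/usr/local/nginx/conf/modsecurity.conf}
if [ -r "$conf" ]; then check_modsec_conf "$conf"; fi
```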
Closing
Friends of the Learning & Doing blog, that concludes the explanation of installing PhpMyAdmin on Arch Linux. Hope it is useful. See you again in the next post.