Home - limithit/ModSecurity GitHub Wiki

Welcome to the ModSecurity wiki!

Install ModSecurity

https://github.com/SpiderLabs/ModSecurity/wiki

https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x

https://github.com/SpiderLabs/ModSecurity

https://github.com/coreruleset/coreruleset

https://github.com/maxmind/libmaxminddb/releases/tag/1.6.0

mkdir -p  /etc/nginx/modsecurity
cp coreruleset/crs-setup.conf.example /etc/nginx/modsecurity/crs-setup.conf
cp -r coreruleset /etc/nginx/modsecurity
cp ModSecurity/unicode.mapping  /etc/nginx/modsecurity/
cp ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity/modsecurity.conf
cd /etc/nginx/modsecurity/coreruleset/rules/ \
  && mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example \
  && mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example  RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf 

Don't forget to update the rules regularly

cd /etc/nginx/modsecurity/coreruleset/rules/ && git pull

Configuration

Add Whitelist

less /etc/nginx/modsecurity/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

Do not remove rules 949110 and 959100 (the CRS blocking-evaluation rules for requests and responses): removing them would let most attacks through. Instead, handle the remaining warnings case by case, according to the context of each alert, with targeted exclusions such as:

 SecRuleRemoveById 200002 200007
 SecRule REQUEST_URI "@beginsWith /oapi/record/start/edit" "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=931100,ctl:ruleRemoveById=920170"
 SecRule REQUEST_HEADERS:Host "api.xx.com" "id:'1004',phase:2,t:none,t:lowercase,pass,nolog,ctl:ruleRemoveById=931100"
 SecRule REQUEST_URI "@endsWith /delete" "id:1005,phase:2,pass,nolog,ctl:ruleRemoveById=949110"

Note that rule 1005 switches 949110 off only for requests whose URI ends in /delete; blocking stays in force for every other request.

Most triggered rules

Define shortcut commands to filter logs

alias meldata='grep -o "\[data [^]]*" | cut -d\" -f2'
alias melfile='grep -o "\[file [^]]*" | cut -d\" -f2'
alias melhostname='grep -o "\[hostname [^]]*" | cut -d\" -f2'
alias melid='grep -o "\[id [^]]*" | cut -d\" -f2'
alias melidmsg='grep -o "\[id [^]]*\].*\[msg [^]]*\]" | sed -e "s/\].*\[/] [/" -e "s/\[msg //" | cut -d\  -f2- | tr -d "\]\"" | sed -e "s/(Total .*/(Total ...) .../" -e "s/Incoming and Outgoing Score: [0-9]* [0-9]*/Incoming and Outgoing Score: .../"'
alias melip='grep -o "\[client [^]]*" | cut -b9-'
alias melline='grep -o "\[line [^]]*" | cut -d\" -f2'
alias melmatch='grep -o " at [^\ ]*\. \[file" | sed -e "s/\. \[file//" | cut -b5-'
alias melmsg='grep -o "\[msg [^]]*" | cut -d\" -f2 | sed -e "s/(Total .*/(Total ...) .../"'
alias melsummary='grep -o -E " (at|against) .*\[file.*\[id \"[0-9]+.*\[msg \"[^\"]+" | tr -d \" | sed -e "s/ at the end of input at/ at/" -e "s/ required. /. /" -e "s/\[rev .*\[msg/[msg/" -e "s/\. / /" -e "s/(Total .*/(Total ...) .../" | tr -d \] | cut -d\  -f3,9,11- | sed -e "s/^\([^ ]*\) \([^ ]*\)/\2 \1/" | awk "{ printf \"%+6s %-35s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s\n\", \$1, \$2, \$3, \$4, \$5, \$6, \$7, \$8, \$9, \$10, \$11, \$12, \$13, \$14, \$15, \$16, \$17, \$18, \$19, \$20 }" | sed -e "s/\ *$//"'
alias meltags='tr "]" "\n" | tr "[" "\n" | grep "tag \"" | cut -b6- | tr -d "\""'
alias meltimestamp='cut -b2-25'
alias melunique_id='grep -o "\[unique_id [^]]*" | cut -d\" -f2'
alias meluri='grep -o "\[uri [^]]*" | cut -d\" -f2'

cat /var/log/modsec_audit.log | melidmsg | sort | uniq -c | sort -rn
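The mel* aliases parse the native alert format that ModSecurity v3 writes to nginx's error.log; once SecAuditLogFormat JSON is set in modsecurity.conf, the audit log itself holds JSON records that those greps will not match. The following Python is an added example (not part of this wiki) that produces the same "count per rule id and message" summary as `melidmsg | sort | uniq -c | sort -rn` for both formats; the sample lines are constructed, and the JSON layout assumed is the v3 audit log's transaction.messages[].details.ruleId.

```python
import json
import re
from collections import Counter

# Native alert format, as ModSecurity v3 writes it to nginx's error.log; the mel*
# aliases above grep these bracketed fields. The JSON audit log is handled separately.
NATIVE_ID_MSG = re.compile(r'\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\]')

def normalize(msg):
    """Collapse the variable anomaly score the way melidmsg does, so that
    repeated 949110 alerts aggregate into one line."""
    return re.sub(r"\(Total .*", "(Total ...) ...", msg)

def count_native(lines):
    """(rule id, msg) pairs from native-format alert lines, most frequent first."""
    counts = Counter()
    for line in lines:
        m = NATIVE_ID_MSG.search(line)
        if m:
            counts[(m.group("id"), normalize(m.group("msg")))] += 1
    return counts.most_common()

def count_json(text):
    """Same summary for a SecAuditLogFormat JSON audit log, whose records look like
    {"transaction": {"messages": [{"message": ..., "details": {"ruleId": ...}}]}}
    and follow one another in the file, so they are decoded in sequence."""
    counts, dec, pos = Counter(), json.JSONDecoder(), 0
    while text[pos:].strip():
        pos = len(text) - len(text[pos:].lstrip())  # skip whitespace between records
        record, pos = dec.raw_decode(text, pos)
        for m in record.get("transaction", {}).get("messages", []):
            counts[(m["details"]["ruleId"], normalize(m.get("message", "")))] += 1
    return counts.most_common()

# Constructed sample input (not real log data); only the relevant fields are filled in.
NATIVE_SAMPLE = [
    '2022/09/05 13:49:25 [error] 1#1: *7 [client 192.168.181.1] ModSecurity: Warning. '
    '[file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920170"] [rev ""] '
    '[msg "GET or HEAD Request with Body Content"] [severity "2"] [uri "/"]',
    '2022/09/05 13:49:26 [error] 1#1: *8 [client 192.168.181.1] ModSecurity: Access denied '
    'with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/"]',
    '2022/09/05 13:49:27 [error] 1#1: *9 [client 192.168.181.1] ModSecurity: Access denied '
    'with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "2"] [uri "/"]',
]
JSON_SAMPLE = "".join(json.dumps({"transaction": {"messages": [
    {"message": "Host header is a numeric IP address", "details": {"ruleId": "920350"}},
    {"message": "Inbound Anomaly Score Exceeded (Total Score: %d)" % s, "details": {"ruleId": "949110"}},
]}}) + "\n" for s in (5, 10))
```

Point count_native at nginx's error.log lines and count_json at the whole text of modsec_audit.log; the two 949110 alerts with different scores collapse into one row, exactly as melidmsg does.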
In the nginx http {} block:

.............
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
...........

less /etc/nginx/modsecurity/modsecurity.conf

........
#SecRuleEngine DetectionOnly
SecRuleEngine On
Include /etc/nginx/modsecurity/crs-setup.conf
Include /etc/nginx/modsecurity/coreruleset/rules/*.conf
SecAuditLogParts ABCIJDEFHZ
SecAuditLogFormat JSON

SecAuditLogRelevantStatus "^(?:5|4(?!04|02|00))" 
........

Fail2ban integration

Very simple, create /etc/fail2ban/filter.d/nginx-modsecurity.conf with:

# modsecurity v3.0.7
# Fail2Ban nginx-modsec filter

[INCLUDES]

before = common.conf

[Definition]

#match 4xx or 5xx
failregex = (?: \[client <HOST>\]) ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d

#only match 403
#failregex = (?: \[client <HOST>\]) ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code 403

ignoreregex = 

And add a section within /etc/fail2ban/jail.conf with:

[nginx-modsecurity]
enabled = true
port = http,https
filter = nginx-modsecurity
logpath = /var/log/nginx/*error.log
maxretry = 3
logencoding = utf-8
bantime = 72h
findtime = 1h

So in /var/log/fail2ban.log, any time the same IP triggers ModSecurity 6 times in 1 hour (fail2ban findtime=72h) you should see:

2022-09-05 13:49:41,956 fail2ban.filter         [10360]: INFO    Added logfile: '/var/log/nginx/logs/error.log' (pos = 75639, hash = f1e0404f6d1a5af57d9a39ba9c8dc93188
2022-09-05 13:49:41,957 fail2ban.filter         [10360]: INFO      encoding: UTF-8
2022-09-05 13:49:41,958 fail2ban.filter         [10360]: INFO      maxRetry: 2
2022-09-05 13:49:41,958 fail2ban.filter         [10360]: INFO      findtime: 3600
2022-09-05 13:49:41,958 fail2ban.actions        [10360]: INFO      banTime: 259200
2022-09-05 13:49:41,961 fail2ban.jail           [10360]: INFO    Jail 'nginx-modsecurity' started
2022-09-05 13:50:03,238 fail2ban.filter         [10360]: INFO    [nginx-modsecurity] Found 192.168.181.1 - 2022-09-05 13:49:25
2022-09-05 13:50:03,238 fail2ban.filter         [10360]: INFO    [nginx-modsecurity] Found 192.168.181.1 - 2022-09-05 13:49:25
2022-09-05 13:50:03,239 fail2ban.filter         [10360]: INFO    [nginx-modsecurity] Found 192.168.181.1 - 2022-09-05 13:49:26
2022-09-05 13:50:04,009 fail2ban.actions        [10360]: NOTICE  [nginx-modsecurity] Ban 192.168.181.1
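To check that the filter's failregex and the jail's counting behave the way the log above shows, here is an added Python example (not part of this wiki or of fail2ban) that runs the regex over constructed nginx error.log lines and replays the maxretry/findtime window. The `<HOST>` placeholder is expanded to an IPv4 capture as an assumption for this stand-alone check; fail2ban's own `<HOST>` also accepts IPv6 addresses and hostnames.

```python
import re
from datetime import datetime, timedelta

# The failregex from filter.d/nginx-modsecurity.conf above, with fail2ban's <HOST>
# placeholder expanded to an IPv4 capture (assumption for this stand-alone check).
FAILREGEX = re.compile(
    r'(?: \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})\]) ModSecurity:\s+'
    r'(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*Access denied with code [45]\d\d'
)
NGINX_TS = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")  # nginx error.log timestamp

def failure(line):
    """(timestamp, client ip) if the line counts as a failure for this filter, else None.
    Warning-only alerts contain no "Access denied" and are ignored, as in fail2ban."""
    m, t = FAILREGEX.search(line), NGINX_TS.match(line)
    if not (m and t):
        return None
    return datetime.strptime(t.group(1), "%Y/%m/%d %H:%M:%S"), m.group("host")

def bans(lines, maxretry=3, findtime=timedelta(hours=1)):
    """Replay the counting rule of the [nginx-modsecurity] jail: an IP is banned once it
    reaches maxretry failures inside a sliding findtime window. Returns [(ip, ban time)];
    counting for an IP restarts from zero after it has been banned."""
    recent, banned = {}, []
    for line in lines:
        hit = failure(line)
        if hit is None:
            continue
        ts, ip = hit
        window = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            banned.append((ip, ts))
            recent[ip] = []
    return banned

# Constructed nginx error.log lines (not real traffic), in the shape ModSecurity v3 writes.
def denied_line(ts, ip):
    return ('%s [error] 10360#10360: *5 [client %s] ModSecurity: Access denied with code 403 '
            '(phase 2). Matched "Operator Ge" [file "REQUEST-949-BLOCKING-EVALUATION.conf"] '
            '[id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"], '
            'client: %s, server: _, request: "GET / HTTP/1.1", host: "api.xx.com"' % (ts, ip, ip))

SAMPLE = [
    denied_line("2022/09/05 13:49:25", "192.168.181.1"),
    '2022/09/05 13:49:25 [error] 10360#10360: *6 [client 192.168.181.1] ModSecurity: Warning. '
    'Matched "Operator Rx" [id "920170"] [msg "GET or HEAD Request with Body Content"]',
    denied_line("2022/09/05 13:49:26", "192.168.181.1"),
    denied_line("2022/09/05 13:49:27", "192.168.181.1"),
    denied_line("2022/09/05 13:49:30", "10.0.0.5"),
    denied_line("2022/09/05 15:10:00", "192.168.181.1"),  # outside findtime: counts from 1 again
]
```

With maxretry=3 (the jail above) the sample bans 192.168.181.1 at 13:49:27; with maxretry=2 (the captured log) the ban fires at 13:49:26. On a real host, `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-modsecurity.conf` runs the actual filter against the actual log.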