
Beta Branch update inc/mod_security.inc fix for GeoIP2 conflict in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, May 1, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    45,208
    10,281
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,935
    Local Time:
    12:09 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    update inc/mod_security.inc fix for GeoIP2 conflict in 123.09beta01

    - Follow up to bugs discussed on April 30/May 1, 2019 in thread at https://community.centminmod.com/threads/update-prep-for-modsecurity-v3-0.12453/
    - GeoIP2 Nginx module compilation conflicts with modsecurity v3 nginx connector module builds, as modsecurity picks up GeoIP2's routine installed libmaxminddb library to build against but fails to properly find the libmaxminddb libraries, so it fails to install the modsecurity v3 nginx connector module. Prior to this commit update, the workaround was to add a new variable NGINX_MODSECURITY_MAXMIND='n' to disable modsecurity v3 nginx connector from building with libmaxminddb and use the GeoIP legacy library instead, which works https://community.centminmod.com/th...n-modsecurity-variable-in-123-09beta01.17369/.
    - This update has a fix for using modsecurity v3 nginx connector with libmaxminddb now, so you can try it via setting NGINX_MODSECURITY_MAXMIND='y' along with NGINX_MODSECURITY='y' in persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 nginx recompiles.

    Fix configuration for modsecurity v3 nginx connector module compile into Nginx using libmaxminddb instead of GeoIP legacy library
    Code (Text):
    ModSecurity -  for Linux
    
     Mandatory dependencies
       + libInjection                                  ....v3.9.2-30-gbf234eb
       + SecLang tests                                 ....5d85f36
    
     Optional dependencies
       + GeoIP/MaxMind                                 ....found
         * (MaxMind) v1.3.2
            -lmaxminddb  , -DWITH_MAXMIND -I/usr/local/include
         * (GeoIP) v1.6.12
            -lGeoIP  , -I/usr/include/
       + LibCURL                                       ....found v7.64.1
         -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
       + YAJL                                          ....found v2.0.4
         -lyajl  , -DWITH_YAJL
       + LMDB                                          ....disabled
       + LibXML2                                       ....found v2.9.9
         -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
       + SSDEEP                                        ....found
         -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
       + LUA                                           ....found v501
         -lluajit-5.1 -L/usr/local/lib/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
    
     Other Options
       + Test Utilities                                ....enabled
       + SecDebugLog                                   ....enabled
       + afl fuzzer                                    ....disabled
       + library examples                              ....enabled
       + Building parser                               ....disabled
       + Treating pm operations as critical section    ....disabled
    

    Example install for modsecurity v3 nginx connector.

    Enable nginx modsecurity module via NGINX_MODSECURITY='y' set in persistent config file /etc/centminmod/custom_config.inc BEFORE running centmin.sh menu option 4 to recompile Nginx 1.15.12

    dynamic modules load include file /usr/local/nginx/conf/dynamic-modules.conf contents
    Code (Text):
    # place custom load_module lines in this dynamic-modules-includes.conf
    # file so that they persistent i.e. for manually dropped in dynamic modules
    include /usr/local/nginx/conf/dynamic-modules-includes.conf;
    load_module "modules/ngx_http_image_filter_module.so";
    load_module "modules/ngx_http_headers_more_filter_module.so";
    load_module "modules/ndk_http_module.so";
    load_module "modules/ngx_http_set_misc_module.so";
    load_module "modules/ngx_http_echo_module.so";
    load_module "modules/ngx_http_fancyindex_module.so";
    load_module "modules/ngx_http_vhost_traffic_status_module.so";
    load_module "modules/ngx_pagespeed.so";
    load_module "modules/ngx_http_brotli_filter_module.so";
    load_module "modules/ngx_http_brotli_static_module.so";
    load_module "modules/ngx_http_geoip2_module.so";
    load_module "modules/ngx_http_modsecurity_module.so";
    

    nginx dynamic modules themselves installed at /usr/local/nginx/modules where modsecurity dynamic nginx module = ngx_http_modsecurity_module.so
    Code (Text):
    ls -lah /usr/local/nginx/modules | grep -v .old
    total 41M
    drwxr-xr-x.  2 root root 4.0K Apr 30 16:24 .
    drwxr-xr-x. 14 root root 4.0K Apr 30 12:27 ..
    -rwxr-xr-x   1 root root 104K Apr 30 16:24 ndk_http_module.so
    -rwxr-xr-x   1 root root  97K Apr 30 16:24 ngx_http_brotli_filter_module.so
    -rwxr-xr-x   1 root root  90K Apr 30 16:24 ngx_http_brotli_static_module.so
    -rwxr-xr-x   1 root root 532K Apr 30 16:24 ngx_http_echo_module.so
    -rwxr-xr-x   1 root root 114K Apr 30 16:24 ngx_http_fancyindex_module.so
    -rwxr-xr-x   1 root root 103K Apr 30 16:24 ngx_http_geoip2_module.so
    -rwxr-xr-x   1 root root 222K Apr 30 16:24 ngx_http_headers_more_filter_module.so
    -rwxr-xr-x   1 root root 107K Apr 30 16:24 ngx_http_image_filter_module.so
    -rwxr-xr-x   1 root root 291K Apr 30 16:24 ngx_http_modsecurity_module.so
    -rwxr-xr-x   1 root root 643K Apr 30 16:24 ngx_http_set_misc_module.so
    -rwxr-xr-x   1 root root 781K Apr 30 16:24 ngx_http_vhost_traffic_status_module.so
    -rwxr-xr-x   1 root root  18M Apr 30 16:24 ngx_pagespeed.so
    -rwxr-xr-x   1 root root  76K Apr 30 16:24 ngx_stream_geoip2_module.so
    

    in virtual.conf main hostname
    Code (Text):
        modsecurity on;
        modsecurity_rules_file /usr/local/nginx/modsec/main.conf;
    

    contents of /usr/local/nginx/modsec/main.conf
    Code (Text):
    # Edit to set SecRuleEngine On
    Include "/usr/local/nginx/modsec/modsecurity.conf"
    
    # OWASP CRS v3 rules
    Include "/usr/local/nginx/owasp-modsecurity-crs-3.1.0/crs-setup.conf"
    Include "/usr/local/nginx/owasp-modsecurity-crs-3.1.0/rules/*.conf"
    
    # Basic test rule
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
    

    directory contents for /usr/local/nginx/modsec
    Code (Text):
    ls -lah /usr/local/nginx/modsec
    total 88K
    drwxr-xr-x   2 root root 4.0K Apr 30 12:21 .
    drwxr-xr-x. 14 root root 4.0K Apr 30 12:27 ..
    -rw-r--r--   1 root root  327 Apr 30 10:39 main.conf
    -rw-r--r--   1 root root  10K Apr 30 10:39 modsecurity.conf
    -rw-r--r--   1 root root  10K Apr 30 12:21 modsecurity.conf-recommended
    -rw-r--r--   1 root root  52K Apr 30 10:39 unicode.mapping
    

    directory contents for /usr/local/nginx/owasp-modsecurity-crs-3.1.0
    Code (Text):
    ls -lah /usr/local/nginx/owasp-modsecurity-crs-3.1.0/
    total 212K
    drwxrwxr-x   6 root root 4.0K Apr 30 12:27 .
    drwxr-xr-x. 14 root root 4.0K Apr 30 12:27 ..
    -rw-rw-r--   1 root root  51K Nov 12 03:26 CHANGES
    -rw-rw-r--   1 root root 7.5K Nov 12 03:26 CONTRIBUTING.md
    -rw-rw-r--   1 root root 2.2K Nov 12 03:26 CONTRIBUTORS.md
    -rw-r--r--   1 root root  33K Apr 30 12:27 crs-setup.conf
    -rw-rw-r--   1 root root  33K Nov 12 03:26 crs-setup.conf.example
    drwxrwxr-x   3 root root 4.0K Nov 12 03:26 documentation
    drwxrwxr-x   2 root root 4.0K Nov 12 03:26 .github
    -rw-rw-r--   1 root root  374 Nov 12 03:26 .gitignore
    -rw-rw-r--   1 root root  176 Nov 12 03:26 .gitmodules
    -rw-rw-r--   1 root root  17K Nov 12 03:26 INSTALL
    -rw-rw-r--   1 root root 2.8K Nov 12 03:26 KNOWN_BUGS
    -rw-rw-r--   1 root root  12K Nov 12 03:26 LICENSE
    -rw-rw-r--   1 root root 2.4K Nov 12 03:26 README.md
    drwxrwxr-x   2 root root 4.0K Nov 12 03:26 rules
    -rw-rw-r--   1 root root 1.1K Nov 12 03:26 .travis.yml
    drwxrwxr-x  13 root root 4.0K Nov 12 03:26 util
    




    123.09beta01 branch
     
  2. eva2000

    FYI, now that above bug has been fixed, can re-enable libmaxminddb library support via NGINX_MODSECURITY_MAXMIND='y' default setting for modsecurity v3 nginx connector module compilations (latest Centmin Mod 123.09beta01 update has this) when NGINX_MODSECURITY='y' is set in persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 nginx recompiles.
     
  3. eva2000

  4. Lav

    Lav Member

    49
    1
    8
    Feb 23, 2020
    Ratings:
    +1
    Local Time:
    7:39 PM
    1.17.8
    10.3
    Do I need to add these codes manually in my domain vhost also, which we create after selecting option 22 in centmin.sh, because in virtual.conf these codes get added automatically?
    If we need to add these commands manually in the domain vhost created by option 22 too, then do I need to recompile nginx using option 4 again?
     
  5. eva2000

    Which codes? These?
    Code (Text):
       modsecurity on;
       modsecurity_rules_file /usr/local/nginx/modsec/main.conf;
    

    You'll need to add it manually to your created site nginx vhosts you want modsecurity to work with but do not need to recompile nginx via centmin.sh menu option 4. Modsecurity is provided as is without further support. So Centmin Mod only provides Modsecurity install. Configuration for your site/web app is left to end users to figure out and/or for folks who know how to configure Modsecurity for Nginx for their specific site.
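
The reply above says each site vhost needs the two `modsecurity` directives added by hand, and main.conf carries the reminder to set `SecRuleEngine On`. The script below checks both; it is an added example, not part of the original thread or Centmin Mod's own code. The vhost directory is a caller-supplied assumption and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit which nginx vhost files enable ModSecurity and which
# engine mode modsecurity.conf sets. Function names are hypothetical.

# Print the effective SecRuleEngine value (last uncommented directive wins).
modsec_engine_mode() {
  awk 'tolower($1) == "secruleengine" { mode = $2 }
       END { if (mode == "") mode = "unset"; print mode }' "$1"
}

# Print "enabled", "no-rules-file" or "disabled" for one vhost file.
# Commented-out directives do not count.
vhost_modsec_state() {
  if ! grep -Eq '^[[:space:]]*modsecurity[[:space:]]+on[[:space:]]*;' "$1"; then
    echo disabled
  elif ! grep -Eq '^[[:space:]]*modsecurity_rules_file[[:space:]]+[^;]+;' "$1"; then
    echo no-rules-file
  else
    echo enabled
  fi
}

# Report every *.conf file in the vhost directory passed as $1.
audit_vhosts() {
  for f in "$1"/*.conf; do
    [ -e "$f" ] || continue
    printf '%s %s\n' "$(basename "$f")" "$(vhost_modsec_state "$f")"
  done
}

# Constructed sample files so the example runs offline.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/vhosts"
  printf '%s\n' 'server {' '    modsecurity on;' \
    '    modsecurity_rules_file /usr/local/nginx/modsec/main.conf;' '}' \
    > "$d/vhosts/virtual.conf"
  printf '%s\n' 'server {' '    # modsecurity on;' \
    '    server_name example.com;' '}' > "$d/vhosts/example.com.conf"
  printf '%s\n' '# SecRuleEngine On' 'SecRuleEngine DetectionOnly' \
    > "$d/modsecurity.conf"
  echo "$d"
}

SAMPLE=$(make_sample)
trap 'rm -rf "$SAMPLE"' EXIT
audit_vhosts "$SAMPLE/vhosts"
echo "SecRuleEngine: $(modsec_engine_mode "$SAMPLE/modsecurity.conf")"
```

A `DetectionOnly` result means rule matches are logged but not blocked, so the `deny,status:403` test rule in main.conf only returns 403 once the engine is set to `On`.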
     
  6. Lav

    Until and unless I need some specific function from modsecurity to perform for my website, do you think activating modsecurity via customconfig would be sufficient and will secure the site to a great extent?
     
  7. eva2000

    Just installing and enabling Modsecurity may or may not help. There are also false positives as well. And if you use Cloudflare Pro or higher plans, they already have CF WAF, which has Modsecurity rules too managed by Cloudflare, so Modsecurity on the Nginx side is not needed.