Protecting Legacy Applications with Nginx and ModSecurity

Introduction

In this article, we’ll walk you through how to protect your legacy applications using Nginx as a reverse proxy with ModSecurity as a Web Application Firewall (WAF). ModSecurity provides a powerful layer of defense against common web attacks, such as SQL injection, XSS, and more. Since legacy applications often lack modern security features, this setup acts as a necessary protective measure without requiring code changes to the legacy system.

Why Use Nginx with ModSecurity for Legacy Apps?

• Security: ModSecurity filters out malicious traffic before it reaches the legacy application.
• Flexibility: Nginx can be used to load balance traffic and handle large-scale operations while ModSecurity provides the protection.
• Non-invasive: The legacy application remains untouched, as ModSecurity and Nginx act as a proxy layer.

Installation and Configuration

1. Installing Nginx with ModSecurity on Ubuntu

1. Update the package list:

   sudo apt update

2. Install Nginx:

   sudo apt install nginx

3. Install ModSecurity (ModSecurity 3.x):

   sudo apt install libmodsecurity3

4. Install Nginx ModSecurity Module:

   sudo apt install nginx-module-security

5. Enable ModSecurity in the Nginx configuration. Edit the Nginx configuration file:

sudo nano /etc/nginx/nginx.conf

6. Add the following lines to enable ModSecurity:

modsecurity on;
            modsecurity_rules_file /etc/nginx/modsec/modsec_rules.conf;

7. Restart Nginx:

   sudo systemctl restart nginx

2. Installing Nginx with ModSecurity on CentOS

1. Install Nginx:

   sudo yum install nginx

2. Install ModSecurity:

   sudo yum install mod_security

3. Enable ModSecurity by modifying the Nginx configuration as done in the Ubuntu guide:

sudo nano /etc/nginx/nginx.conf

4. Restart Nginx:

   sudo systemctl restart nginx

Configuring ModSecurity with Nginx

Once ModSecurity is installed, you need to configure it to protect the legacy application. One of the first steps is to use a rule set, such as the OWASP ModSecurity Core Rule Set (CRS), but there are alternatives available.

Alternatives to CRS

• Comodo WAF Rules: A popular alternative to the CRS that provides a range of rules for SQL injection, XSS, and other threats.
• Atomicorp WAF: A commercial WAF solution with additional rules designed for high-traffic applications.
• Custom Rules: You can develop your own rules based on the specific vulnerabilities in your legacy app.

Configuring ModSecurity Rules

1. Download the CRS rule set (or use an alternative):

   git clone https://github.com/coreruleset/coreruleset.git

2. Copy the rules to your ModSecurity directory:

   sudo cp -r coreruleset /etc/nginx/modsec/

3. Configure the rule set file:

   sudo nano /etc/nginx/modsec/modsec_rules.conf

4. Include the following in your Nginx configuration to enable ModSecurity:

   modsecurity on;
                   modsecurity_rules_file /etc/nginx/modsec/modsec_rules.conf;

Automating Email Notifications for Security Incidents

To monitor and respond to incidents effectively, configure ModSecurity to send email notifications when security rules are triggered:

1. Edit ModSecurity to send an email:

   SecRuleEngine On
                   SecAuditLog /var/log/modsec_audit.log
                   SecAuditLogParts ABIJDEFHZ
                   SecRule REQUEST_URI "@rx /wp-admin" \
                       "phase:2,deny,status:403,msg:'Possible WordPress Admin Access Attempt',\
                       log,auditlog,exec:/path/to/your/email/script"

2. Write a script to send an email when an audit log event is triggered. The script could look like this:

   #!/bin/bash
                   tail -n 50 /var/log/modsec_audit.log | mail -s "ModSecurity Alert" your-email@example.com

3. Make the script executable:

   chmod +x /path/to/your/email/script

ModSecurity SecRule Cheat Sheet

Here’s a list of common SecRule directives and their functions: