ModSecurity Nginx 500 Error With Default Configuration

[craftogrammer]

Hi

Whenever any rule is triggered , modsec shows 500 internal server error, instead of 403 access denied.

Check below details:

Nginx 1.16(Stable) also in mainline, With Debian 9
Server: UpCloud

nginx version: nginx/1.16.0 (OptimEngine)
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0j  20 Nov 2018
TLS SNI support enabled
configure arguments: --build=OptimEngine --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --user=www-data --group=www-data --with-cc-opt=-Wno-deprecated-declarations --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_mp4_module --with-http_auth_request_module --with-http_slice_module --with-http_stub_status_module --with-pcre-jit --with-debug --with-http_realip_module --add-module=/usr/local/src/nginx/modules/ngx_brotli --add-module=/usr/local/src/nginx/modules/headers-more-nginx-module-0.33 --add-module=/usr/local/src/nginx/modules/nginx-modsec-connect

/etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 2048;
    use epoll;
    multi_accept on;
}

http {


    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    aio threads;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;

    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_types *;

    include /etc/nginx/sites-enabled/*.vhost;
}

and /etc/nginx/conf.d/main.conf

Include /etc/nginx/conf.d/modsecurity.conf
Include /etc/nginx/conf.d/crs-setup.conf
Include /etc/nginx/conf.d/rules/*.conf

# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"

tested using:

curl -I domain.com/?testparam=test
curl -I domain.com/?param="><script>alert(1);</script>

Compiled ModSec

			cd /usr/local/src/nginx/modules || exit 1
			git clone https://github.com/SpiderLabs/ModSecurity
			git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
			cd ModSecurity || exit 1
			git checkout -b v3/master origin/v3/master
            		sh build.sh
            		git submodule init
			git submodule init
            		git submodule update
			./build.sh
            		./configure
            		make
            		make install

nginx connecter

git clone --quiet --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/nginx/modules/nginx-modsec-connect

Built nginx using these flags

		NGINX_OPTIONS="
		--prefix=/etc/nginx \
		--sbin-path=/usr/sbin/nginx \
		--conf-path=/etc/nginx/nginx.conf \
		--error-log-path=/var/log/nginx/error.log \
		--http-log-path=/var/log/nginx/access.log \
		--pid-path=/var/run/nginx.pid \
		--lock-path=/var/run/nginx.lock \
		--http-client-body-temp-path=/var/cache/nginx/client_temp \
		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
		--user=www-data \
		--group=www-data \
		--with-cc-opt=-Wno-deprecated-declarations"

		NGINX_MODULES="--with-threads \
		--with-file-aio \
		--with-http_ssl_module \
		--with-http_v2_module \
		--with-http_mp4_module \
		--with-http_auth_request_module \
		--with-http_slice_module \
		--with-http_stub_status_module \
		--with-pcre-jit \
		--with-debug \
		--with-http_realip_module"

ModSec Audit Log

tail -f /var/log/modsec_audit.log

ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `97' ) [file "/etc/nginx/conf.d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "158"] [id "920170"] [rev ""] [msg "GET or HEAD Request with Body Content."] [data "GET"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "CAPEC-272"] [hostname "87.98.233.162"] [uri "/wp-login.php"] [unique_id "156172125993.715761"] [ref "o0,3v0,3v152,2"]
ModSecurity: Access denied with code 500 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/conf.d/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "87.98.233.162"] [uri "/wp-login.php"] [unique_id "156172125993.715761"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/conf.d/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "87.98.233.162"] [uri "/wp-login.php"] [unique_id "156172125993.715761"] [ref ""]

I have tried to compile nginx several times, but it shows same 500 code on all rule triggers.

Thanks

[craftogrammer]

I'm using my script to build nginx with different modules, here is the script: https://github.com/OptimBro/NGINX-Install-Script-Extentded-NISE/blob/master/ngx.sh

[craftogrammer]

More information

using below confi on site vhost conf files

modsecurity on; modsecurity_rules_file /etc/nginx/conf.d/main.conf; modsecurity_rules ' SecRuleEngine On SecDebugLog /tmp/modsec_debug.log SecDebugLogLevel 9 ';

root@web-1:/tmp# tail -f /tmp/modsec_debug.log [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [4] Executing chained rule. [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [4] (Rule: 0) Executing operator "Gt" with param "1" against TX:MONITOR_ANOMALY_SCORE. [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [4] Rule returned 0. [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [9] Matched vars cleaned. [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [8] Checking if this request is suitable to be saved as an audit log. [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [4] There was an audit log modifier for this transaction. [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [7] AuditLog parts before modification(s): 6006. [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [8] Checking if this request is relevant to be part of the audit logs. [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [5] Saving this request as part of the audit logs. [156172266121.425647] [/?param=%22%3E%3Cscript%3Ealert(1);%3C/script%3E] [8] Request was relevant to be saved. Parts: 6006

[zimmerle]

Hi @OptimBro,

It is very likely that the rule that is actually triggering the 500 is not the exact rule that you are aiming to test. I would strongly recommend you to complete disable the owasp crs in order to continue with this test.

[zimmerle]

Marking this as closed. If disabling CRS does not help you to understand what is going on, please re-open.