WAF nginx:

1. Install Dependencies

sudo apt update && sudo apt upgrade -y
sudo apt autoremove
sudo apt install -y git g++ build-essential autoconf automake libtool libpcre3 libpcre3-dev libpcre2-dev libxml2 libxml2-dev libyajl-dev pkg-config zlib1g zlib1g-dev libcurl4-openssl-dev liblua5.3-dev libgeoip-dev doxygen

2. Compile and Install ModSecurity v3
First you build ModSecurity. Then, in a separate step, you build the module for NGINX integration.

cd /usr/local/src
sudo git clone --depth 1 -b v3/master --single-branch https://github.com/owasp-modsecurity/ModSecurity
cd ModSecurity
sudo git submodule init
sudo git submodule update
sudo ./build.sh
sudo ./configure
sudo make -j"$(nproc)"
sudo make install

3. Build the NGINX Module
You need to determine which version of NGINX is in use on your system:

nginx -v

Depending on the result, you will need the matching NGINX source to build the ModSecurity module. For example, if your nginx version is 1.24.0, clone ModSecurity-nginx.git and then download the NGINX 1.24.0 source.
Then you build only the NGINX modules with sudo make modules.

cd /usr/local/src
sudo git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git
sudo wget http://nginx.org/download/nginx-1.24.0.tar.gz
sudo tar -xzf nginx-1.24.0.tar.gz
cd nginx-1.24.0
sudo ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
sudo make modules

4. Place and Enable the Module

sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules-enabled/
sudo chmod 0644 /etc/nginx/modules-enabled/ngx_http_modsecurity_module.so
echo "load_module modules/ngx_http_modsecurity_module.so;" | sudo tee /etc/nginx/modules-available/mod-modsecurity.conf
sudo ln -s /etc/nginx/modules-available/mod-modsecurity.conf /etc/nginx/modules-enabled/50-modsecurity.conf

5. Create ModSecurity Configuration

sudo mkdir -p /etc/nginx/modsec
cd /etc/nginx/modsec
sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended ./modsecurity.conf
sudo cp /usr/local/src/ModSecurity/unicode.mapping .
# alternatively, fetch unicode.mapping directly from the upstream repository
sudo wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping -O /etc/nginx/modsec/unicode.mapping

6. Enable Basic Rules

sudo nano /etc/nginx/modsec/modsecurity.conf

Set the following directives (the recommended file ships with SecRuleEngine DetectionOnly, which only logs and never blocks):

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log

Edit 50-modsecurity.conf so that the load_module directive on line one uses the correct (full) path:

sudo nano /etc/nginx/modules-enabled/50-modsecurity.conf
load_module /etc/nginx/modules-enabled/ngx_http_modsecurity_module.so;

7. Integrate the Module into Your Site and Test

sudo nano /etc/nginx/sites-available/registry.nic.tld
* replace "registry.nic.tld" with the name of your actual site configuration file

In the server block, right after the server_name directive, insert the following:

# activate ModSecurity
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;

8. Installing the OWASP Core Rule Set (CRS)

cd /etc/nginx/modsec
sudo git clone https://github.com/coreruleset/coreruleset.git
cd coreruleset
sudo cp crs-setup.conf.example crs-setup.conf

Next, include the following at the end of the modsecurity.conf file to activate the OWASP CRS:

sudo nano /etc/nginx/modsec/modsecurity.conf

Include /etc/nginx/modsec/coreruleset/crs-setup.conf
Include /etc/nginx/modsec/coreruleset/rules/*.conf

Check the configuration and reload NGINX; the rule set will then be active:

sudo nginx -t && sudo systemctl reload nginx

Test with curl to see if it is working (the example request mimics a command injection attempt).

The expected result is HTTP 403 Forbidden:

curl -I "https://registry.nic.tld/?cmd=ls%20-la"
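As an added example (not part of the original guide), a small Python parser for the native-format audit log that step 6 writes to /var/log/modsec_audit.log: it groups the parts of each transaction by boundary id, extracts the CRS rule ids and messages from the H section, and reports whether the request was denied with a 403. The log entry below is constructed; the boundary id, addresses, timestamp and unique_id are invented, while 932160 and 949110 are real OWASP CRS rule ids.

```python
import re
from typing import Dict, List

# Constructed sample (not taken from a real server) of one libmodsecurity native-format
# audit log entry, as the SecAuditLog from step 6 would record the curl test above.
# Boundary id, addresses, timestamp and unique_id are made up; the rule ids are real CRS ids.
SAMPLE_LOG = """---Qn4mA1Bz---A--
[13/Oct/2023:12:00:00 +0000] 169717920012.345678 203.0.113.5 54321 10.0.0.1 443
---Qn4mA1Bz---B--
GET /?cmd=ls%20-la HTTP/1.1
Host: registry.nic.tld

---Qn4mA1Bz---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:cmd' (Value: `ls -la' ) [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "520"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "2"] [uri "/"] [unique_id "constructed-0001"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/"] [unique_id "constructed-0001"]
---Qn4mA1Bz---Z--
"""

BOUNDARY = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$", re.M)  # ---<id>---<part>--
KV = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')              # [key "value"] fields in part H
DENIED = re.compile(r"Access denied with code (\d{3})")

def split_transactions(text: str) -> List[Dict[str, str]]:
    """Group audit-log parts by boundary id; one {part_letter: body} dict per transaction."""
    txns: Dict[str, Dict[str, str]] = {}
    marks = list(BOUNDARY.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        txns.setdefault(m.group(1), {})[m.group(2)] = text[m.end():end].strip("\n")
    return list(txns.values())

def summarize(txn: Dict[str, str]) -> Dict[str, object]:
    """Fields a responder checks first: client IP, request line, rules hit, blocking status."""
    client_ip = txn["A"].split()[3] if txn.get("A") else ""   # A: [date] uid client port server port
    request_line = txn["B"].splitlines()[0] if txn.get("B") else ""
    rules, status = [], None                                   # status stays None if never denied
    for line in txn.get("H", "").splitlines():
        fields = dict(KV.findall(line))
        if "id" in fields:
            rules.append({"id": fields["id"], "msg": fields.get("msg", ""), "severity": fields.get("severity", "")})
        denied = DENIED.search(line)
        status = int(denied.group(1)) if denied else status
    return {"client_ip": client_ip, "request": request_line, "rules": rules, "blocked_with": status}

def parse_audit_log(text: str) -> List[Dict[str, object]]:
    return [summarize(t) for t in split_transactions(text)]

if __name__ == "__main__":
    for entry in parse_audit_log(SAMPLE_LOG):
        print(entry)
```

A transaction that only produced Warning lines and no "Access denied" line is reported with blocked_with set to None, which is how a rule match that did not reach the anomaly threshold shows up.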

EPP API:

  • The CoCCA SRS requires that clients connect to the EPP server endpoint from a trusted IP configured in the CoCCA web portal for a given client. These IPs can be managed by the registry operator and if the functionality is enabled, the registrar.
  • CoCCA strongly recommends that either an OS firewall or a firewall appliance (or both) be used to restrict access on port 700. The CSV export of the client details has a column that shows the IPs allowed for each client, to ease firewall configuration.
  • IPs that have not accessed the EPP API in 60 days are automatically removed by a daily CoCCA automation task.
  • The EPP server TLS and security settings are configured using the Java JDK security file; by default only TLS1.2 and TLS1.3 are allowed. In the JDK security file section "jdk.tls.disabledAlgorithms", change "DH Key Size < 1024" to "DH Key Size < 2048".
  • To disable TCP timestamps, add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf, then run 'sysctl -p' to apply the setting at runtime.
  • A registry operator may also enforce the use of CoCCA generated API keys. If this is enabled, registrars will not be able to connect unless they configure their systems to use the keys CoCCA generates for them.

Web Portal

  • The CoCCA web portal supports 2FA, Captcha, IP allow lists and browser fingerprints.
  • The CoCCA SRS does not have any password reset option that relies on email; passwords can only be reset by the user if they have access, or by another user with equal or higher privileges.
  • CoCCA will lock users out after X failed attempts (the X is configurable).
  • CoCCA will send users (and admins) an email when an account is locked out, a password changed, or a 2FA token removed.
  • All user passwords and domain authcodes are stored as one-way hashes; it is not possible to decrypt or view the passwords, they can only be reset to a known value.
  • Domain authcodes have a limited validity period for transfers. The validity period is the configured transfer timeout for a given zone plus one day, and it starts when the authcode is updated.

  • The CoCCA application server should listen on a private IP and sit behind an nginx reverse proxy that runs as a non-root user and is configured to act as a basic WAF. The nginx configuration should enforce TLS1.3 only.
  • For SSH access, best practices should be followed: only allow SSH from trusted IPs, disable root login, use SSH keys, install fail2ban and enable detailed logging.