ModSecurity and OWASP rule set?

I will check my backup installs as I am no longer using Hestia in production, as I need extra features that are not available. I did not install modsecurity, but perhaps you can replace the lines with what you require.

You need to create a file like this in /etc/apt/apt.conf.d/

Mine is simply called 06nginxmodules, with the below line that hooks to your file /usr/local/sbin/nginx-mod-preinstall when an update occurs.

// Hook to build and install dynamic modules before NGINX upgrades
// Script calls individual build scripts and passes back error codes
// Place this file in /etc/apt/apt.conf.d/

DPkg::Pre-Install-Pkgs {"/usr/local/sbin/nginx-mod-preinstall";};

In nginx-mod-preinstall you need the below, but I only use brotli.

nginx-mod-preinstall contents:

#!/bin/bash
# Call NGINX module build scripts and pass error codes to apt hook

# Get NGINX version to upgrade to
# (apt writes the .deb paths one per line on stdin, e.g. .../nginx_1.18.0-1~focal_amd64.deb)

read ngfile < <(grep '/nginx_') || exit 0
ngver=$(echo "$ngfile" | sed 's/-.*//' | sed 's/.*_//')

# List of build scripts to run:

/usr/local/sbin/makebrotli "$ngver" || exit $?

/usr/local/sbin/makemodsec "$ngver" || exit $?   # <- or whatever your build script is called

/usr/local/sbin/makepagespeed "$ngver" || exit $?

Thanks for the hints @salnz. I have managed to make it work like this:

So, I have created a hook file like this:

/etc/apt/apt.conf.d/handleModSec

Code:
DPkg::Pre-Install-Pkgs {"/root/modsec/handleModSec"; }

Now in /root/modsec/handleModSec

#!/bin/bash

# apt passes the .deb paths on stdin; do nothing unless nginx is among them
read debfile < <(grep '/nginx_') || exit 0
nginxVersion=$(echo "$debfile" | grep -o -e 'nginx_.*-' | sed 's/[^.0-9]*//g')
echo version is https://nginx.org/download/nginx-$nginxVersion.tar.gz

cd /root/modsec || exit 1
wget https://nginx.org/download/nginx-$nginxVersion.tar.gz
if [ $? -ne 0 ]; then
	exit 0
fi
tar -xvf nginx-$nginxVersion.tar.gz

cd nginx-$nginxVersion || exit 1
# Abort the upgrade if the module does not build, rather than removing the old .so below
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx && make modules || exit 1

rm -rf /etc/nginx/modules/ngx_http_modsecurity_module.so
cp -rf objs/ngx_http_modsecurity_module.so /etc/nginx/modules

cd ../
rm -rf nginx-$nginxVersion.tar.gz nginx-$nginxVersion

Looks to be working fine for me. So, before installing nginx it's checking & building the module. I ain't an expert on this. Just tried it myself :yum:

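As an added example (not code from either post above), here is a stricter version of the version-extraction step that both hook scripts do with grep/sed: it handles Debian's URL-encoded epoch in the filename and refuses anything that is not a plain X.Y.Z version before that value is spliced into a download URL or a path. The `makemodsec` build script is only referenced in a comment, as in salnz's post; the sample apt input is constructed.

```sh
#!/bin/sh
# Added example, not code from either post: a stricter version of the
# version-extraction step that both hook scripts above do with grep/sed.
# apt writes one .deb path per line to the hook's stdin, for example
#   /var/cache/apt/archives/nginx_1.18.0-1~focal_amd64.deb
# Because the version is later spliced into a download URL and a path,
# anything that is not a plain X.Y.Z version is rejected.

# Upstream version from a Debian package filename. Handles the
# URL-encoded epoch (nginx_1%3a1.18.0-...) and fails (no output, exit 1)
# unless the result is digits and dots only.
nginx_version_from_deb() {
    base=$(basename "$1")            # nginx_1.18.0-1~focal_amd64.deb
    ver=${base#nginx_}               # 1.18.0-1~focal_amd64.deb
    ver=${ver%%-*}                   # 1.18.0 (drop the Debian revision)
    ver=$(printf '%s' "$ver" | sed 's/%3[aA]/:/g; s/^[0-9]*://')  # strip epoch
    printf '%s' "$ver" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
    printf '%s\n' "$ver"
}

# Read apt's package list on stdin and print the version of the nginx
# binary package about to be installed; nginx-common/nginx-extras do not
# match, and the function fails if nginx is not in the list.
pending_nginx_version() {
    while IFS= read -r line; do
        case $(basename "$line") in
            nginx_*.deb) nginx_version_from_deb "$line" && return 0 ;;
        esac
    done
    return 1
}

# Constructed sample of what apt pipes into the hook during an upgrade.
SAMPLE_HOOK_INPUT='/var/cache/apt/archives/libc6_2.31-0ubuntu9_amd64.deb
/var/cache/apt/archives/nginx-common_1.18.0-1~focal_all.deb
/var/cache/apt/archives/nginx_1.18.0-1~focal_amd64.deb'

# Hook entry point: exit 0 (let apt continue) when nginx is not being
# upgraded; otherwise hand the version to the build script.
main() {
    ver=$(pending_nginx_version) || exit 0
    echo "nginx $ver pending, rebuilding dynamic modules"
    # /usr/local/sbin/makemodsec "$ver" || exit $?   # build script from the thread
}
if [ "${1-}" = "--hook" ]; then main; fi
```

Run it as `printf '%s\n' "$SAMPLE_HOOK_INPUT" | sh hook.sh --hook` to see the selection on the sample list.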

Regarding aggressive bots, couldn't you also disallow them in robots.txt (as long as they don't violate standards)? For some websites I only allow Googlebot and Bingbot:

# robots.txt

User-agent: Googlebot
Disallow: /cgi-bin/
Disallow: /tmp/

User-agent: bingbot
Disallow: /cgi-bin/
Disallow: /tmp/

User-agent: *
Disallow: /

and if any bots ignore robots.txt and still hit the website, then I usually block their IP ranges and/or their agent string in Apache.

I went with that approach approx. 15 years ago - it was a total PITA. Google/Bing also like to ignore robots.txt, BTW; for example ignoring /? directives to prevent crawling parameters. Consider this: in adding a Disallow, you are advertising a location that you don't want crawlers to go - counter-productive? I actually use this technique for a honeypot on one of my servers.
Why re-invent the wheel when mod_sec can do an excellent job? Here's one from yesterday:

[Thu Jul 16 22:04:30.300767 2020] [:error] [pid 16368] [client 154.113.16.226:62796] [client 154.113.16.226] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "xxx.xxx.xxx.xxx"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "xxx.xxx.xxx.xxx"] [uri "/thinkphp/html/public/index.php"] [unique_id "XxCyzp3GaVmVrWnpbrcUNAAAAAU"]
[Thu Jul 16 22:04:30.531760 2020] [:error] [pid 8218] [client 154.113.16.226:63176] [client 154.113.16.226] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "xxx.xxx.xxx.xxx"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "xxx.xxx.xxx.xxx"] [uri "/html/public/index.php"] [unique_id "XxCyzrgCK5nTxWyAK6gzeQAAAAA"]

Note the scans for nonexistent files, as well as the protocol violation. 5 attempts and they're blocked. A Nigerian hack attempt by the looks of things.

Another one:

[Tue Jul 14 00:30:27.732034 2020] [:error] [pid 5299] [client 93.158.66.41:38414] [client 93.158.66.41] ModSecurity: Access denied with code 406 (phase 2). Matched phrase "/.git/" at REQUEST_FILENAME. [file "/etc/modsecurity.d/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "124"] [id "930130"] [msg "Restricted File Access Attempt"] [data "Matched Data: /.git/ found within REQUEST_FILENAME: /.git/head"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "idle-spare.server.com"] [uri "/.git/HEAD"] [unique_id "Xwzgg1VF4Q3efdj6-fzgmAAAAAE"]

Mod Security is much more powerful/effective than just blocking the many rogue web crawlers.


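As an added example (not code from the post above), here is a small pipeline that summarises ModSecurity v2 "Access denied" lines in the format quoted in this thread and lists the clients that tripped rules at least N times, the kind of count that a "5 attempts and they're blocked" policy would act on. The log lines are constructed (RFC 5737 addresses, fields trimmed to the ones the parser uses).

```sh
#!/bin/sh
# Added example, not from the thread: summarise ModSecurity v2 error-log
# denials like the ones quoted above and find repeat offenders.
# Constructed sample lines (RFC 5737 addresses, fields trimmed); the last
# one is a Warning that was not blocked and must not be counted.
SAMPLE_MODSEC_LOG='[Thu Jul 16 22:04:30.300767 2020] [:error] [pid 16368] [client 203.0.113.10:62796] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [uri "/thinkphp/html/public/index.php"]
[Thu Jul 16 22:04:30.531760 2020] [:error] [pid 8218] [client 203.0.113.10:63176] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [uri "/html/public/index.php"]
[Thu Jul 16 22:05:01.000000 2020] [:error] [pid 8218] [client 198.51.100.7:38414] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Matched phrase "/.git/" at REQUEST_FILENAME. [id "930130"] [msg "Restricted File Access Attempt"] [severity "CRITICAL"] [uri "/.git/HEAD"]
[Thu Jul 16 22:05:02.000000 2020] [:error] [pid 8218] [client 198.51.100.7:38415] ModSecurity: Warning. Matched phrase "/.git/" at REQUEST_FILENAME. [id "930130"] [severity "CRITICAL"] [uri "/.git/config"]'

# One "ip rule_id uri" record per denied request, read from stdin.
# Lines that only log a Warning (rule matched, request not blocked) are skipped.
modsec_denials() {
    sed -n 's/^.*\[client \([0-9.]*\):[0-9]*\].*Access denied.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*$/\1 \2 \3/p'
}

# Clients with at least $1 denials (default 5), printed as "count ip",
# busiest first. This is the list a ban script would act on.
modsec_repeat_offenders() {
    modsec_denials | awk -v min="${1:-5}" '
        { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' | sort -rn
}

# Per-rule breakdown ("count rule_id") for one client, to tell a scanner
# walking well-known paths apart from a single false positive.
modsec_rules_for_client() {
    modsec_denials | awk -v ip="$1" '
        $1 == ip { r[$2]++ }
        END { for (id in r) print r[id], id }' | sort -rn
}

if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MODSEC_LOG" | modsec_repeat_offenders 2
fi
```

On a real server the input would be `tail -n 5000 /var/log/apache2/error.log | modsec_repeat_offenders`; the threshold is the only thing to tune.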