
Configuring NAXSI Web Application Firewall with NGINX on Ubuntu 18.04

Initial Setup:
##############

Nginx version installed (latest at the time of writing): 1.14.0

Steps:
#####

apt update
apt install libpcre3-dev libssl-dev unzip build-essential daemon libxml2-dev libxslt1-dev libgd-dev libgeoip-dev

Download and unzip NAXSI, then download and untar the Nginx source:

wget https://github.com/nbs-system/naxsi/archive/master.zip
unzip master.zip
wget http://nginx.org/download/nginx-1.14.0.tar.gz
tar -xzvf nginx-1.14.0.tar.gz

Now cd into the untarred Nginx source directory:

cd nginx-1.14.0

./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --user=www-data --group=www-data --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --prefix=/usr

make

make install


Configuring Nginx NAXSI
#######################

cp ~/naxsi-master/naxsi_config/naxsi_core.rules /etc/nginx/


Now that the rules are in place, you need to enable them on a per-location basis. You can also define which types of attacks NAXSI should block, and at what score.

vim /etc/nginx/naxsi.rules

SecRulesEnabled;
DeniedUrl "/RequestDenied";

## Check Naxsi rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;


Now include naxsi_core.rules in /etc/nginx/nginx.conf, inside the http block:

http {
    include       mime.types;
    include /etc/nginx/naxsi_core.rules;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Now include the naxsi.rules file in the /etc/nginx/sites-enabled/xxx.conf file. Make sure you include it inside the location block:

    location / {
        include /etc/nginx/naxsi.rules;
        root   html;
        index  index.html index.htm;
    }

Save the file and verify that there are no syntax errors.

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


Generating Whitelist rules for Naxsi firewall.
#####################################

cd /opt
sudo git clone https://github.com/prajal/nxutil.git
cd nxutil
sudo python setup.py install


sudo vi /etc/nginx/naxsi.rules

Add the line below at the top of the file:

LearningMode;

Also add the line below at the end of the file (note the trailing semicolon; nginx requires it):

error_log /var/log/nginx/error_log;

Save and quit (:wq!).


service nginx restart

Now go ahead and perform some tasks on your website. Focus on important tasks such as password reset, user registration and shopping cart related tasks. If you have additional plugins, exercise them too and test their functionality thoroughly. Doing so will surely result in a few entries in the NAXSI error log file. Let's open it.

nano /var/log/nginx/error_log

The file will include lines similar to the following:

2019/05/12 02:16:35 [error] 8400#8400: *31014 NAXSI_FMT: ip=158.69.201.47&server=example.com&uri=/community/&vers=0.56&total_processed=4153&total_blocked=526&config=block&cscore0=$XSS&score0=8&zone0=BODY|NAME&id0=1310&var_name0=wpfreg%5Buser_login%5D&zone1=BODY|NAME&id1=1311&var_name1=wpfreg%5Buser_login%5D, client: 158.69.201.47, server: example.com, request: "POST /community/?wpforo=signup HTTP/1.0", host: "example.com", referrer: "https://example.com/community/?wpforo=signup"
2019/05/12 02:24:51 [error] 8400#8400: *31082 NAXSI_FMT: ip=112.135.11.234&server=example.com&uri=/community/&vers=0.56&total_processed=4167&total_blocked=527&config=block&cscore0=$XSS&score0=8&zone0=BODY|NAME&id0=1310&var_name0=wpfreg%5Buser_login%5D&zone1=BODY|NAME&id1=1311&var_name1=wpfreg%5Buser_login%5D, client: 112.135.11.234, server: example.com, request: "POST /community/?wpforo=signup HTTP/2.0", host: "example.com", referrer: "https://example.com/community/?wpforo=signup"
2019/05/12 02:34:08 [error] 17279#17279: *1 NAXSI_FMT: ip=112.135.11.234&server=example.com&uri=/community/&vers=0.56&total_processed=4&total_blocked=1&config=learning&cscore0=$XSS&score0=40&zone0=BODY|NAME&id0=1310&var_name0=wpfreg%5Buser_email%5D&zone1=BODY|NAME&id1=1311&var_name1=wpfreg%5Buser_email%5D&zone2=BODY|NAME&id2=1310&var_name2=legal%5Bgdpr%5D&zone3=BODY|NAME&id3=1311&var_name3=legal%5Bgdpr%5D&zone4=BODY|NAME&id4=1310&var_name4=legal%5Brules%5D&zone5=BODY|NAME&id5=1311&var_name5=legal%5Brules%5D&zone6=BODY|NAME&id6=1310&var_name6=legal%5Bterms_privacy%5D&zone7=BODY|NAME&id7=1311&var_name7=legal%5Bterms_privacy%5D&zone8=BODY|NAME&id8=1310&var_name8=legal%5Bemail%5D&zone9=BODY|NAME&id9=1311&var_name9=legal%5Bemail%5D, client: 112.135.11.234, server: example.com, request: "POST /community/?wpforo=signup HTTP/2.0", host: "example.com", referrer: "https://example.com/community/?wpforo=signup"


From these, take only the lines that contain your own IP address, i.e. the requests you generated while testing.

Save those lines to a file, for example naxsi-errors.log.


Now create the whitelist rules using the command below.


cd /opt/nxutil
sudo python nx_util.py -l naxsi-errors.log -o -p 1

This prints whitelist rules as output. Save that output to a file, for example:

nano /etc/nginx/wl-example.com.rules
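The script below is an added example (not from the original post and not nx_util's own code) that does what the nx_util step does in miniature: it parses NAXSI_FMT lines like those above, keeps only the events from your own IP, reports which CheckRule counters from naxsi.rules they trip, and merges the matched rule ids into BasicRule whitelists. The sample log lines and IPs are constructed, and the zone-to-selector mapping is the NAXSI whitelist syntax as I understand it, not anything nx_util guarantees.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Thresholds from the naxsi.rules file above (CheckRule "$XSS >= 8" BLOCK; and so on).
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}
# NAXSI zone name -> selector used for that zone in a whitelist match zone (mz). Assumed mapping.
ZONE_VAR = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR", "HEADERS": "$HEADERS_VAR"}

# Constructed sample log in the NAXSI_FMT shape shown above; the IPs are documentation addresses.
SAMPLE_LOG = """\
2019/05/12 02:34:08 [error] 17279#17279: *1 NAXSI_FMT: ip=203.0.113.10&server=example.com&uri=/community/&vers=0.56&total_processed=4&total_blocked=1&config=learning&cscore0=$XSS&score0=8&zone0=BODY|NAME&id0=1310&var_name0=wpfreg%5Buser_login%5D&zone1=BODY|NAME&id1=1311&var_name1=wpfreg%5Buser_login%5D, client: 203.0.113.10, server: example.com, request: "POST /community/?wpforo=signup HTTP/2.0", host: "example.com"
2019/05/12 02:35:00 [error] 17279#17279: *2 NAXSI_FMT: ip=198.51.100.7&server=example.com&uri=/login&vers=0.56&total_processed=5&total_blocked=2&config=learning&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q, client: 198.51.100.7, server: example.com, request: "GET /login?q=%27 HTTP/1.1", host: "example.com"
"""
FMT_RE = re.compile(r"NAXSI_FMT: (?P<qs>.*?), client: ")

def parse_naxsi_line(line):
    """Parse one NAXSI_FMT error-log line; returns None for lines that are not NAXSI events."""
    m = FMT_RE.search(line)
    if not m:
        return None
    qs = {k: v[0] for k, v in parse_qs(m.group("qs")).items()}  # decodes wpfreg%5B..%5D -> wpfreg[..]
    n = len(qs)  # upper bound on the number of indexed cscoreN / idN entries
    scores = {qs[f"cscore{i}"]: int(qs[f"score{i}"]) for i in range(n) if f"cscore{i}" in qs}
    matches = [(qs[f"zone{i}"], int(qs[f"id{i}"]), qs.get(f"var_name{i}", "")) for i in range(n) if f"id{i}" in qs]
    return {"ip": qs["ip"], "uri": qs["uri"], "config": qs.get("config", ""), "scores": scores, "matches": matches}

def tripped_checkrules(ev):
    """Counters at or over their CheckRule threshold: these would BLOCK once LearningMode is removed."""
    return sorted(c for c, s in ev["scores"].items() if c in CHECK_RULES and s >= CHECK_RULES[c])

def generate_whitelist(log_text, my_ip):
    """Turn the events generated by my_ip into BasicRule whitelists (ids merged per URL/zone/variable)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_naxsi_line(line)
        if ev is None or ev["ip"] != my_ip:      # keep only the traffic you produced yourself
            continue
        for zone, rule_id, var in ev["matches"]:
            base, _, flag = zone.partition("|")  # "BODY|NAME" -> zone BODY, match was on the variable name
            mz = f"$URL:{ev['uri']}|" + (f"{ZONE_VAR[base]}:{var}" if base in ZONE_VAR and var else base)
            mz += f"|{flag}" if flag else ""
            groups[mz].add(rule_id)
    return [f'BasicRule wl:{",".join(map(str, sorted(ids)))} "mz:{mz}";' for mz, ids in sorted(groups.items())]

if __name__ == "__main__":
    for rule in generate_whitelist(SAMPLE_LOG, "203.0.113.10"):
        print(rule)
```

Review every generated rule before enabling it: a whitelist scoped to the wrong URL or variable silently disables that rule for real attack traffic.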

Now include the whitelist file in your nginx site configuration (/etc/nginx/sites-enabled/domain.config), inside the location block:

    location / {
        autoindex off;
        proxy_pass http://fgs/;
        proxy_set_header Host $host;
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header REMOTE_ADDR $remote_addr;
        add_header X-Frame-Options SAMEORIGIN;
        include /etc/nginx/naxsi.rules;
        include /etc/nginx/wl-example.com.rules;
    }

Restarting nginx at this point will load the new rules.

#######################################



Errors & Fixes:
###############

Error : 1
---------

The ./configure command might give an error like below:

./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl= option.


Fix:

aptitude install libssl-dev

and downgrade the OpenSSL version. This will allow the NAXSI configure step to complete successfully.




Error : 2
---------

nginx: [emerg] "SecRulesEnabled" directive is not allowed here in /etc/nginx/naxsi.rules

Fix:

This happens because the naxsi.rules file was not included inside the "location / {" block.


Error : 3
---------

In some cases NAXSI will block genuine traffic on our site. We can either ask the developer to fix the code, or, as a quick fix, exclude the corresponding NAXSI rule from the core rules file. Find the id of the rule that matched (the id0 field) in the error log:

tail -f /var/log/nginx/error.log | grep -i id0

Fix: edit the core rules file and remove the rule with that id.

vi /etc/nginx/naxsi_core.rules



