Initial Setup:
###########
Nginx latest version installed : 1.14.0
Steps:
#####
apt update
apt install libpcre3-dev libssl-dev unzip build-essential daemon libxml2-dev libxslt1-dev libgd-dev libgeoip-dev
Download and unzip NAXSI, then download and untar the Nginx 1.14.0 source:
wget https://github.com/nbs-system/naxsi/archive/master.zip
unzip master.zip
wget http://nginx.org/download/nginx-1.14.0.tar.gz
tar -xzvf nginx-1.14.0.tar.gz
Now cd into the extracted Nginx source directory and configure the build with the NAXSI module added:
cd nginx-1.14.0
./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --user=www-data --group=www-data --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --prefix=/usr
make
make install
Configuring Nginx NAXSI
cp ~/naxsi-master/naxsi_config/naxsi_core.rules /etc/nginx/
Now that the core rules are in place, you need to enable them on a per-location basis. You can also define the attack categories (and score thresholds) that NAXSI should block.
vim /etc/nginx/naxsi.rules
SecRulesEnabled;
DeniedUrl "/RequestDenied";
## Check Naxsi rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
Now include the naxsi_core.rules in the /etc/nginx/nginx.conf file.
http {
include mime.types;
include /etc/nginx/naxsi_core.rules;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Now include the naxsi.rules file in the /etc/nginx/sites-enabled/xxx.conf file. Make sure you include it inside the location block.
location / {
include /etc/nginx/naxsi.rules;
root html;
index index.html index.htm;
}
Save the file and verify that there are no syntax errors.
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Generating Whitelist rules for Naxsi firewall.
#####################################
cd /opt
sudo git clone https://github.com/prajal/nxutil.git
cd nxutil
sudo python setup.py install
sudo vi /etc/nginx/naxsi.rules
Add the line below at the top of the file (in learning mode NAXSI logs what it would have blocked without actually blocking it):
LearningMode;
Also add the line below at the end (the trailing semicolon is required, or nginx -t will fail):
error_log /var/log/nginx/error_log;
:wq!
service nginx restart
Now go ahead and perform some tasks on your website. Focus on important tasks such as password reset, user registration and shopping cart related tasks. Also if you have additional plugins, focus on them too and test their functionality thoroughly. Doing so will surely result in a few entries in the NAXSI error log file. Let's open it.
nano /var/log/nginx/error_log
The file will include lines similar to these:
2019/05/12 02:16:35 [error] 8400#8400: *31014 NAXSI_FMT: ip=158.69.201.47&server=example.com&uri=/community/&vers=0.56&total_processed=4153&total_blocked=526&config=block&cscore0=$XSS&score0=8&zone0=BODY|NAME&id0=1310&var_name0=wpfreg%5Buser_login%5D&zone1=BODY|NAME&id1=1311&var_name1=wpfreg%5Buser_login%5D, client: 158.69.201.47, server: example.com, request: "POST /community/?wpforo=signup HTTP/1.0", host: "example.com", referrer: "https://example.com/community/?wpforo=signup"
2019/05/12 02:24:51 [error] 8400#8400: *31082 NAXSI_FMT: ip=112.135.11.234&server=example.com&uri=/community/&vers=0.56&total_processed=4167&total_blocked=527&config=block&cscore0=$XSS&score0=8&zone0=BODY|NAME&id0=1310&var_name0=wpfreg%5Buser_login%5D&zone1=BODY|NAME&id1=1311&var_name1=wpfreg%5Buser_login%5D, client: 112.135.11.234, server: example.com, request: "POST /community/?wpforo=signup HTTP/2.0", host: "example.com", referrer: "https://example.com/community/?wpforo=signup"
2019/05/12 02:34:08 [error] 17279#17279: *1 NAXSI_FMT: ip=112.135.11.234&server=example.com&uri=/community/&vers=0.56&total_processed=4&total_blocked=1&config=learning&cscore0=$XSS&score0=40&zone0=BODY|NAME&id0=1310&var_name0=wpfreg%5Buser_email%5D&zone1=BODY|NAME&id1=1311&var_name1=wpfreg%5Buser_email%5D&zone2=BODY|NAME&id2=1310&var_name2=legal%5Bgdpr%5D&zone3=BODY|NAME&id3=1311&var_name3=legal%5Bgdpr%5D&zone4=BODY|NAME&id4=1310&var_name4=legal%5Brules%5D&zone5=BODY|NAME&id5=1311&var_name5=legal%5Brules%5D&zone6=BODY|NAME&id6=1310&var_name6=legal%5Bterms_privacy%5D&zone7=BODY|NAME&id7=1311&var_name7=legal%5Bterms_privacy%5D&zone8=BODY|NAME&id8=1310&var_name8=legal%5Bemail%5D&zone9=BODY|NAME&id9=1311&var_name9=legal%5Bemail%5D, client: 112.135.11.234, server: example.com, request: "POST /community/?wpforo=signup HTTP/2.0", host: "example.com", referrer: "https://example.com/community/?wpforo=signup"
From these, keep only the lines generated by your own IP address, i.e. the traffic you produced yourself while exercising the site. Lines from other clients may be genuine attacks and must not be whitelisted.
Now save those lines to a file such as naxsi-errors.log.
Now create the whitelist rules using the command below.
cd /opt/nxutil
sudo python nx_util.py -l naxsi-errors.log -o -p 1
This prints a set of whitelist rules. Save them to a file such as:
nano /etc/nginx/wl-example.com.rules
Now include that file in the location block of your site configuration, /etc/nginx/sites-enabled/domain.config:
location / {
autoindex off;
proxy_pass http://fgs/;
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header REMOTE_ADDR $remote_addr;
add_header X-Frame-Options SAMEORIGIN;
include /etc/nginx/naxsi.rules;
include /etc/nginx/wl-example.com.rules;
}
Restarting nginx at this point will load the new rules.
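To make the whitelist step concrete, here is a small Python script, added as an example (it is not part of this page, nor the nx_util.py code from the nxutil repository), that does in miniature what nx_util.py does: it parses NAXSI_FMT lines, keeps only the events produced by your own IP, and groups the fired rule ids per (URL, variable) into BasicRule whitelists. The sample log is constructed (modelled on the entries above, trimmed to fewer variables); the whitelist syntax (BasicRule wl:ID "mz:$URL:...|$BODY_VAR:name|NAME";) and the zone-to-selector mapping follow NAXSI's documented whitelist format as I know it, and you should still review every generated rule before loading it.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample log, modelled on the NAXSI_FMT lines above (trimmed to fewer
# matched variables). 112.135.11.234 plays "your own IP"; 158.69.201.47 is a third party.
SAMPLE_LOG = """\
2019/05/12 02:16:35 [error] 8400#8400: *31014 NAXSI_FMT: ip=158.69.201.47&server=example.com&uri=/community/&vers=0.56&total_processed=4153&total_blocked=526&config=block&cscore0=$XSS&score0=8&zone0=BODY|NAME&id0=1310&var_name0=wpfreg%5Buser_login%5D&zone1=BODY|NAME&id1=1311&var_name1=wpfreg%5Buser_login%5D, client: 158.69.201.47, server: example.com, request: "POST /community/?wpforo=signup HTTP/1.0", host: "example.com"
2019/05/12 02:34:08 [error] 17279#17279: *1 NAXSI_FMT: ip=112.135.11.234&server=example.com&uri=/community/&vers=0.56&total_processed=4&total_blocked=1&config=learning&cscore0=$XSS&score0=16&zone0=BODY|NAME&id0=1310&var_name0=wpfreg%5Buser_email%5D&zone1=BODY|NAME&id1=1311&var_name1=wpfreg%5Buser_email%5D&zone2=BODY|NAME&id2=1310&var_name2=legal%5Bgdpr%5D&zone3=BODY|NAME&id3=1311&var_name3=legal%5Bgdpr%5D, client: 112.135.11.234, server: example.com, request: "POST /community/?wpforo=signup HTTP/2.0", host: "example.com"
2019/05/12 02:35:10 [error] 17279#17279: *2 NAXSI_FMT: ip=112.135.11.234&server=example.com&uri=/search&vers=0.56&total_processed=5&total_blocked=2&config=learning&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q, client: 112.135.11.234, server: example.com, request: "GET /search?q=x HTTP/2.0", host: "example.com"
"""

# The NAXSI_FMT payload is a query string that ends at ", client: <ip>,".
FMT_RE = re.compile(r"NAXSI_FMT: (?P<fmt>.+?), client: (?P<client>\S+),")

# NAXSI zone names as logged -> the match-zone selector used in a whitelist.
ZONE_TO_MZ = {"BODY": "$BODY_VAR", "ARGS": "$ARGS_VAR", "HEADERS": "$HEADERS_VAR"}


def parse_event(line):
    """Parse one NAXSI_FMT log line into ip, uri, config and (id, zone, var_name) matches."""
    m = FMT_RE.search(line)
    if not m:
        return None
    fields = dict(parse_qsl(m.group("fmt"), keep_blank_values=True))  # also %-decodes var names
    event = {"ip": fields.get("ip"), "uri": fields.get("uri"),
             "config": fields.get("config"), "matches": []}
    i = 0
    while f"id{i}" in fields:  # matches are numbered id0/zone0/var_name0, id1/zone1/...
        event["matches"].append((int(fields[f"id{i}"]),
                                 fields.get(f"zone{i}", ""),
                                 fields.get(f"var_name{i}", "")))
        i += 1
    return event


def foreign_ips(log_text, own_ip):
    """IPs other than your own that appear in the log; their lines must never be whitelisted."""
    ips = set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["ip"] != own_ip:
            ips.add(ev["ip"])
    return ips


def build_whitelist(log_text, own_ip):
    """Turn the events from own_ip into BasicRule whitelists, one per (uri, variable) pair."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["ip"] != own_ip:
            continue  # skip other clients' traffic: it may be a real attack
        for rule_id, zone, var_name in ev["matches"]:
            base, _, suffix = zone.partition("|")  # e.g. "BODY|NAME" -> ("BODY", "NAME")
            if base == "URL":
                target = ""  # the URL itself matched; $URL below already scopes the whitelist
            elif base in ZONE_TO_MZ:
                target = f"|{ZONE_TO_MZ[base]}:{var_name}" + (f"|{suffix}" if suffix else "")
            else:
                continue  # unknown zone: leave it for manual review rather than guess
            groups[(ev["uri"], target)].add(rule_id)
    rules = []
    for (uri, target), ids in sorted(groups.items()):
        wl = ",".join(str(i) for i in sorted(ids))
        rules.append(f'BasicRule wl:{wl} "mz:$URL:{uri}{target}";')
    return rules


if __name__ == "__main__":
    own = "112.135.11.234"
    print("# ignored clients:", ", ".join(sorted(foreign_ips(SAMPLE_LOG, own))))
    print("\n".join(build_whitelist(SAMPLE_LOG, own)))
```

Run with your own address in place of 112.135.11.234 and a real naxsi-errors.log in place of SAMPLE_LOG. Note that the generated whitelists are scoped to the exact URL and variable that fired, so a rule such as wl:1310,1311 for wpfreg[user_email] on /community/ does not relax the XSS checks anywhere else; the third-party line for wpfreg[user_login] is deliberately left out, which is the point of filtering by your own IP.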
#######################################
Errors & Fixes:
###############
Error : 1
---------
The ./configure command might give an error like below:
./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl= option.
Fix:
aptitude install libssl-dev
and downgrade the OpenSSL version. This lets ./configure complete successfully.
Error : 2
---------
nginx: [emerg] "SecRulesEnabled" directive is not allowed here in /etc/nginx/naxsi.rules
Fix:
This means the naxsi.rules file was included outside a location block; SecRulesEnabled and the other directives in naxsi.rules are only valid inside "location / {".
Error : 3
---------
In some cases NAXSI will block genuine traffic on the site. You can either ask the developer to fix the code, or, as a quick fix, exclude the corresponding NAXSI rule in the naxsi_core.rules file. First find the id (id0=...) of the rule that fires on the legitimate request:
tail -f /var/log/nginx/error.log | grep -i id0
Fix:
vi /etc/nginx/naxsi_core.rules
Comment out or remove the MainRule with that id, then run nginx -t and restart nginx.
Reference:
https://kifarunix.com/install-and-configure-naxsi-nginx-waf-on-ubuntu-18-04-lts/
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-naxsi-on-ubuntu-16-04