Integrated Naxsi
Contents |
Synopsis
is a excellent proactive protection module based on whitelist mechanism. It supports to protect many vulnerabilities including SQL Inject, XSS etc.
SEnginx integrates naxsi module by default, the usage of naxsi stays unchanged. For configuring naxsi, you can refer to the official naxsi docs or just follow what we do in this section.
Directive
Besides the directives provided with naxsi, SEnginx offers the following new directive(s):
naxsi_whitelist
Syntax | naxsi_whitelist ua_var_name=UA whitlist ip_var_name=IP whitelist ip_var_value=value; |
Default | - |
Context | Location |
Version Since | 1.5.11 |
This directives specifies the IP whitelist and User-Agent whitelist which are globally defined. The IP whitelist is provided by nginx's geo module.
Example:
#Define an IP whitelist geo $ip_wl { ranges; default 0; 127.0.0.1-127.0.0.1 1; 3.0.0.1-3.2.1.254 1; } #Define an UA whitelist whitelist_ua $ua_wl { "autotest" ".*\.test\.com"; } server { location / { naxsi_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1; } }
Use naxsi module in SEnginx
The naxsi module in SEnginx is located in the "naxsi" directory in senginx's installation directory, including some tools for generating whitelist etc.
Before using naxsi in SEnginx, you need to do the following steps:
Create the whitelist file
Create an empty whitelist file, for instance wl.conf, at any place in your file system.
Configure the core rule set of naxsi
In senginx's nginx.conf file, include naxsi's core rule set:
/usr/local/senginx/naxsi/naxsi_config/naxsi_core.rules;
Configure the directives in Location
In nginx.conf, place the directives related to naxsi in the location that you want to protect:
location /cn { error_log logs/error.cn.log; ... ... LearningMode; SecRulesEnabled; #SecRulesDisabled; DeniedUrl "/RequestDenied"; include wl.conf; ## check rules CheckRule "$XSS >= 4" BLOCK; CheckRule "$TRAVERSAL >= 4" BLOCK; CheckRule "$EVADE >= 8" BLOCK; CheckRule "$UPLOAD >= 8" BLOCK; CheckRule "$RFI >= 8" BLOCK; CheckRule "$SQL >= 8" BLOCK; }
Configure the Denied Location
This section is invalid for version 1.5.3-1 and newer. Use naxsi_neteye_action instead. Define a new locatition /RequestDenied, the name can be arbitrary, but must be same as the parameter as the DeniedUrl directive:
location /RequestDenied { return 403; }
All of the denied requests will be redirect into this location, thus you can do anything you want here. In the example, we just return 403.
start or reload senginx
At this time, naxsi goes into Learning mode.
Feed naxsi with enough traffic
Go through the whole content on your website to let naxsi generate exceptions.
Note: at this stage, all of the requests that hit the rules will not be blocked, but will be recorded into error.log. In this example, we defined a error.log for the specific location, called error.cn.log. Thus all the records generated by naxsi will bu put here. Another point, at this stage, you should make sure the traffic of your website is clean and not harmful, otherwise real attacks will be recorded into whitelist later, which can make naxsi blind on some attacks in protect mode.
Generate the whitelist
Run the following commands:
Note: If you don't want to type the following commands, you can use a Perl to finish those steps, you can download it here: gen-wl.pl. (This script will be included into senginx package, but not for now). Put this script in /path/to/senginx/naxsi/contrib/naxsi_ui and run it as: ./gen-wl.pl /path/to/error.log /path/to/whitelist/file You can also use a Learning Daemon to auto-learn and generate whitelist according to the official document, please read this: |
The following is manual steps:
cd /path/to/senginx/naxsi/contrib/naxsi-ui/ sudo python ./nx_intercept.py -c ./naxsi-ui.conf -l /path/to/location's/error.log -n sudo python nx_extract.py -c ./naxsi-ui.conf -o
The -l parameter of nx_intercept.py needs to be specified the location of error.log.
At last, copy the following part of output of nx_extract.py into the whitelist file which is created previously.
########### Optimized Rules Suggestion ################## # total_count:1 (50.0%), peer_count:1 (100.0%) | , in stuff BasicRule wl:1015 "mz:$URL:/en/load.php|$ARGS_VAR:modules"; # total_count:1 (50.0%), peer_count:1 (100.0%) | mysql keyword (|) BasicRule wl:1005 "mz:$URL:/en/load.php|$ARGS_VAR:modules";
In the whitelist file, it should contains something like this:
BasicRule wl:1000 "mz:$URL:/cn/select * from|URL";
Enter Protect Mode
Edit nginx.conf, un-comment the LearningMode line, then reload senginx. At this this time, naxsi enters into protect mode, any attack behavior will be recorded into the error.log log file of senginx, at the level of "error".