How to Secure Nginx with NAXSI Firewall on Ubuntu 16.04

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Naxsi (Nginx Anti XSS & SQL Injection) is a free, open source, high-performance web application firewall for Nginx. It is a third-party Nginx module that ships with a small set of generic rules which, according to the project, cover 99% of the known patterns involved in website attacks. The main difference between Naxsi and signature-based firewalls is that it does not try to recognise individual exploits: it scores each GET and POST request against those generic patterns and blocks the request once a score threshold is crossed. Because the patterns are deliberately generic, legitimate traffic can trip them too, so you will also need to build a whitelist for the target website before it works properly.

If you want to protect your web application from SQL injection, cross-site scripting (XSS), remote file inclusion and directory traversal, Naxsi is a good choice: those are exactly the categories its core rules score.

In this tutorial, we will be installing a NAXSI firewall with Nginx on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 instance.

Prerequisites

  1. A fresh Alibaba Cloud ECS instance with Ubuntu 16.04 server installed.
  2. A static IP address, 192.168.0.103 in this tutorial, configured on the instance.
  3. A root password set up on the server.

Launch an Alibaba Cloud ECS Instance

First, log in to your Alibaba Cloud ECS Console. Create a new ECS instance with Ubuntu 16.04 as the operating system and at least 2GB of RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

Getting Started

Before starting, you will need to install the dependencies required to compile Nginx with the Naxsi module. You can install all of them by running the following command:

Once all the required dependencies are installed, you can proceed to the next step.

Install Nginx with Naxsi Support

The Nginx package in Ubuntu's repositories is not built with the Naxsi module, so you will need to download the Nginx source and compile it with Naxsi added.

First, download the Nginx and Naxsi source with the following command:

Once both files are downloaded, extract both files using the following command:

Next, you will need an unprivileged user and group for Nginx's worker processes to run as; this tutorial uses www-data. On Ubuntu this account usually already exists, so the command may simply report that it does. Run the following command to create both:

Next, change to the Nginx source directory and configure and compile it with Naxsi support. Naxsi is added to the build with the --add-module flag of Nginx's configure script, pointed at the naxsi_src directory of the Naxsi source. Run the following command:

Next, create some directories to make Nginx work. You can do this with the following command:

Once Nginx is installed with Naxsi support, you can proceed to the next step.
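The build procedure above, collected into one script as an added example; this is not the tutorial's own command listing. The release versions, download URLs, the list of build packages, the configure flags and the install paths are all assumptions and should be adjusted to the releases you actually want. The nginx_has_naxsi function is the check a practitioner wants afterwards: it confirms from nginx -V that the installed binary really was compiled with the module.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build Nginx from source with
# the NAXSI module on Ubuntu 16.04.  Versions, download URLs, build packages
# and install paths are assumptions.
set -eu

NGINX_VERSION="${NGINX_VERSION:-1.14.0}"   # assumption
NAXSI_VERSION="${NAXSI_VERSION:-0.56}"     # assumption
BUILD_DIR="${BUILD_DIR:-/usr/local/src}"

# Toolchain plus the libraries Nginx links against (PCRE for regex locations,
# zlib for gzip, OpenSSL for TLS).
install_build_deps() {
    apt-get update
    apt-get install -y build-essential libpcre3-dev zlib1g-dev libssl-dev wget
}

# Download both source tarballs into BUILD_DIR and unpack them.
fetch_sources() {
    cd "$BUILD_DIR"
    wget -q "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
    wget -q -O "naxsi-${NAXSI_VERSION}.tar.gz" \
        "https://github.com/nbs-system/naxsi/archive/${NAXSI_VERSION}.tar.gz"
    tar xzf "nginx-${NGINX_VERSION}.tar.gz"
    tar xzf "naxsi-${NAXSI_VERSION}.tar.gz"
}

# The ./configure flags, printed on one line so they can be reviewed or reused.
# --add-module is what pulls NAXSI in; it must point at the naxsi_src directory
# inside the NAXSI source tree.
configure_args() {
    printf '%s' \
        "--prefix=/usr/share/nginx" \
        " --conf-path=/etc/nginx/nginx.conf" \
        " --sbin-path=/usr/sbin/nginx" \
        " --pid-path=/run/nginx.pid" \
        " --error-log-path=/var/log/nginx/error.log" \
        " --http-log-path=/var/log/nginx/access.log" \
        " --user=www-data --group=www-data" \
        " --with-http_ssl_module --with-http_stub_status_module" \
        " --add-module=${BUILD_DIR}/naxsi-${NAXSI_VERSION}/naxsi_src/"
}

build_and_install() {
    # Runtime account first; on Ubuntu www-data normally already exists.
    groupadd -f www-data
    id -u www-data >/dev/null 2>&1 || \
        useradd -r -g www-data -s /usr/sbin/nologin -d /var/www www-data
    cd "${BUILD_DIR}/nginx-${NGINX_VERSION}"
    ./configure $(configure_args)
    make -j "$(nproc)"
    make install
    # Directories Nginx needs at runtime, then the NAXSI core rules (MainRules)
    # shipped in the NAXSI source, copied to where nginx.conf will include them.
    mkdir -p /etc/nginx /var/log/nginx /var/www/html
    cp "${BUILD_DIR}/naxsi-${NAXSI_VERSION}/naxsi_config/naxsi_core.rules" /etc/nginx/
}

# Verify the installed binary was really built with NAXSI: "nginx -V" prints
# the configure arguments, which must contain the naxsi_src --add-module flag.
# The -V output can be passed in as an argument so the check also works offline.
nginx_has_naxsi() {
    out="${1:-$(nginx -V 2>&1 || true)}"
    case "$out" in
        *--add-module=*naxsi_src*) return 0 ;;
        *) return 1 ;;
    esac
}

# The full procedure only runs when asked for explicitly, so the functions can
# be sourced and used one at a time.
if [ "${1:-}" = "build" ]; then
    install_build_deps
    fetch_sources
    build_and_install
    nginx_has_naxsi && echo "nginx built with NAXSI support"
fi
```

Run it as root with the argument build; without an argument it only defines the functions, so you can source it and call nginx_has_naxsi on an existing host to see whether its Nginx carries the module before you try to enable NAXSI directives in its configuration.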

Configure Nginx

Nginx is now installed. Next, you will need to configure the Naxsi rules for Nginx. Naxsi uses two files: the core rules shipped with the Naxsi source, which define the patterns that raise scores, and a per-site rules file that switches Naxsi on and sets the score thresholds at which requests are blocked. Start by copying the core rules from the Naxsi source to the Nginx config directory.

First, change the directory to the Naxsi source:

Next, copy Naxsi rules file to the Nginx config directory using the following command:

Next, create a naxsi.rules file in the Nginx config directory:

Add the following lines:

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 4" BLOCK;

Save and close the file, when you are finished.

Note: the CheckRule lines above are only the threshold half of this file. Naxsi's per-site directives, which belong in the same file, are:

  1. LearningMode: when set, requests that would have been blocked are only written to the error log and are let through. Use it while building whitelists for the site and remove it for production.
  2. SecRulesEnabled: enables Naxsi for the server or location block that includes the file. You can disable Naxsi for a block by replacing it with SecRulesDisabled.
  3. DeniedUrl: the internal location (for example /RequestDenied) that Naxsi redirects blocked requests to. What the client sees is decided by that location, typically a 403 response.
  4. CheckRule: instructs Naxsi to take an action (LOG, BLOCK, DROP or ALLOW) once the named score, accumulated from the core rules the request matched, reaches the given value.

Next, you will need to load the core rules in the Nginx configuration. They must be included inside the http block, before any server block that uses Naxsi, so that the patterns are defined when the per-site rules are read. You can do this by editing the nginx.conf file:

Make the following changes:

events {

}

http {

include /etc/nginx/naxsi_core.rules;

}

Save the file when you are finished, then test Nginx for any syntax error with the following command:

You should see the following output:
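The configuration step above written out as an added example, not the tutorial's own files: a complete naxsi.rules with the per-site directives and the CheckRule thresholds, a minimal nginx.conf that includes the core rules in the http block and enables Naxsi in a location, and a check that catches the most common deployment mistake, shipping with LearningMode still on. The /etc/nginx paths, the /RequestDenied location and the server settings are assumptions.

```shell
#!/bin/sh
# Added example (not the original tutorial's files): write a complete
# naxsi.rules and a minimal nginx.conf for a NAXSI-enabled Nginx, then check
# them.  Paths, the /RequestDenied location and server settings are assumptions.
set -eu

# Per-site NAXSI settings.  LearningMode is left commented out: with it on,
# offending requests are logged but still served, which is right while building
# a whitelist and wrong in production.
write_naxsi_rules() {
    cat > "$1/naxsi.rules" <<'EOF'
## NAXSI per-site settings
#LearningMode;                 # uncomment to log instead of block
SecRulesEnabled;               # turn NAXSI on for the block that includes this file
DeniedUrl "/RequestDenied";    # internal location blocked requests are sent to

## check rules: the score at which a request is blocked
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 4" BLOCK;
EOF
}

# Minimal nginx.conf.  naxsi_core.rules goes in the http block; naxsi.rules is
# included in the location to protect, and /RequestDenied answers 403.
write_nginx_conf() {
    cat > "$1/nginx.conf" <<EOF
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include $1/naxsi_core.rules;

    server {
        listen 80;
        server_name 192.168.0.103;
        root /var/www/html;

        location / {
            include $1/naxsi.rules;
        }

        location /RequestDenied {
            return 403;
        }
    }
}
EOF
}

# Pre-deployment check: NAXSI is enabled, LearningMode is not active (a
# commented-out line counts as off) and a DeniedUrl is set.  Prints what is
# wrong and returns non-zero otherwise.
naxsi_rules_ready() {
    f="$1"
    ok=0
    grep -Eq '^[[:space:]]*SecRulesEnabled;' "$f" || { echo "SecRulesEnabled missing in $f" >&2; ok=1; }
    grep -Eq '^[[:space:]]*LearningMode;' "$f" && { echo "LearningMode still on in $f" >&2; ok=1; }
    grep -Eq '^[[:space:]]*DeniedUrl[[:space:]]+"' "$f" || { echo "DeniedUrl missing in $f" >&2; ok=1; }
    return $ok
}

# Syntax-check the result with the NAXSI-enabled binary.  A stock nginx would
# reject the NAXSI directives as unknown, so only run it when the module is in.
check_config() {
    dir="$1"
    if [ ! -f "$dir/naxsi_core.rules" ]; then
        echo "copy naxsi_core.rules into $dir before testing" >&2
        return 1
    fi
    if command -v nginx >/dev/null 2>&1 && nginx -V 2>&1 | grep -q naxsi_src; then
        nginx -t -c "$dir/nginx.conf"
    else
        echo "no NAXSI-enabled nginx on this host; skipping nginx -t" >&2
    fi
}

# "./script install [dir]" writes to /etc/nginx (or dir) and checks the result.
if [ "${1:-}" = "install" ]; then
    target="${2:-/etc/nginx}"
    mkdir -p "$target"
    write_naxsi_rules "$target"
    write_nginx_conf "$target"
    naxsi_rules_ready "$target/naxsi.rules"
    check_config "$target"
fi
```

Pass a scratch directory as the second argument to see the generated files before touching /etc/nginx; the naxsi_rules_ready check is worth keeping in whatever deployment step edits naxsi.rules, since a forgotten LearningMode leaves the site logging attacks instead of blocking them.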

Create Nginx SysVinit Script

Because Nginx was compiled from source, no service script was installed with it. Ubuntu 16.04 runs on systemd, which can manage a SysVinit-style script through its LSB compatibility layer, so you can install the Nginx SysVinit script. First, download the Nginx sysvinit script source from the Git repository using the following command:

Next, change the directory to the nginx-sysvinit-script and install Nginx Sysvinit script with the following command:

You should see the following output:

Once script is installed, start the Nginx service with the following command:

You can check the status of the Nginx with the following command:

You should see the following output:

Process: 17806 ExecStop=/etc/init.d/nginx stop (code=exited, status=0/SUCCESS)
Process: 17821 ExecStart=/etc/init.d/nginx start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/nginx.service

May 22 20:59:01 Node1 systemd[1]: Stopped LSB: nginx LSB init script.
May 22 20:59:01 Node1 systemd[1]: Starting LSB: nginx LSB init script...
May 22 20:59:02 Node1 systemd[1]: Started LSB: nginx LSB init script.

Test NAXSI Firewall

Nginx is now running with Naxsi support, so it is time to test Naxsi against different types of attack.
First, from the remote machine, send Nginx a request carrying an XSS payload using the following command:

Now, on the Nginx server, check the Nginx error log, which is where Naxsi writes its NAXSI_FMT entries, using the following command:

You should see that the XSS request from the remote machine IP address 192.168.0.105 was blocked by Naxsi:

Next, from the remote machine, send Nginx a request carrying an SQL injection payload using the following command:

Now, on the Nginx server, check the Nginx error log again using the following command:

You should see that the SQL injection request from the remote machine IP address 192.168.0.105 was blocked by Naxsi:
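The test procedure above as an added example, not the tutorial's own commands: one function sends the XSS and SQL injection probes with curl and reports the HTTP status, and a second reads the NAXSI_FMT entries back out of the error log and summarises which client, URI and scores each one records. The target address and log path are assumptions, and the sample log lines are constructed to look like Naxsi output for these two probes; the scores in a real log depend on the rules loaded.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: probe a NAXSI-protected
# server and summarise the NAXSI_FMT lines it writes to the Nginx error log.
# TARGET, ERROR_LOG and the sample log below are assumptions / constructed data.
set -eu

TARGET="${TARGET:-http://192.168.0.103}"
ERROR_LOG="${ERROR_LOG:-/var/log/nginx/error.log}"

# Send one probe and print the HTTP status.  -G with --data-urlencode puts the
# payload in the query string, so it is inspected in NAXSI's ARGS zone; a
# blocked request is answered by the DeniedUrl location (403 in this setup).
send_probe() {
    curl -s -o /dev/null -w '%{http_code}\n' -G "$TARGET/" --data-urlencode "q=$1"
}

# NAXSI logs each blocked (or, in LearningMode, flagged) request as one error
# line whose payload is a query string after "NAXSI_FMT: ".  Print one summary
# line per entry: client ip, uri, learning/block flags, and the scores raised.
naxsi_summary() {
    grep 'NAXSI_FMT:' "$1" | sed 's/.*NAXSI_FMT: \([^,]*\),.*/\1/' | awk -F'&' '
    {
        split("", f)
        for (i = 1; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
        hits = ""
        for (n = 0; ("cscore" n) in f; n++)
            hits = hits (n ? "," : "") f["cscore" n] "=" f["score" n]
        print f["ip"], f["uri"], "learning=" f["learning"], "block=" f["block"], hits
    }'
}

# Constructed sample of the error log after the two probes above.  The ids and
# scores are illustrative; real values depend on the rule set loaded.
sample_error_log() {
    cat <<'EOF'
2018/05/22 21:03:10 [notice] 17821#0: using the "epoll" event method
2018/05/22 21:03:11 [error] 17830#0: *3 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.103&uri=/&learning=0&vers=0.56&total_processed=3&total_blocked=1&block=1&cscore0=$XSS&score0=48&cscore1=$SQL&score1=8&zone0=ARGS&id0=1302&var_name0=q&zone1=ARGS&id1=1303&var_name1=q, client: 192.168.0.105, server: 192.168.0.103, request: "GET /?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1", host: "192.168.0.103"
2018/05/22 21:03:12 [error] 17830#0: *4 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.103&uri=/&learning=0&vers=0.56&total_processed=4&total_blocked=2&block=1&cscore0=$SQL&score0=10&cscore1=$XSS&score1=8&zone0=ARGS&id0=1013&var_name0=q&zone1=ARGS&id1=1009&var_name1=q, client: 192.168.0.105, server: 192.168.0.103, request: "GET /?q=%27%20OR%201%3D1%20-- HTTP/1.1", host: "192.168.0.103"
EOF
}

# "./script probe" fires both payloads at TARGET and summarises the real log;
# with no argument the functions are only defined.
if [ "${1:-}" = "probe" ]; then
    echo "XSS probe:  HTTP $(send_probe '<script>alert(1)</script>')"
    echo "SQLi probe: HTTP $(send_probe "' OR 1=1 --")"
    naxsi_summary "$ERROR_LOG"
fi
```

A 403 from send_probe together with a matching NAXSI_FMT line is the result the tutorial expects; a 200 with a line that shows learning=1 means LearningMode is still on, and a 200 with no line at all means the location the probe hit does not include naxsi.rules.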

Congratulations! You have successfully installed and configured the Naxsi firewall on an Ubuntu 16.04 server. You can now protect your Nginx server from different kinds of attacks using Naxsi. Keep in mind that its generic rules will also block some legitimate requests, so run the site in LearningMode and build a whitelist for it before relying on Naxsi in production.

Related Alibaba Cloud Products

Alibaba Cloud Anti-DDoS Pro is a value added protection service to ensure high availability and provide complete protection to your online business from all kinds of malicious DDoS attacks. The product also ensures the elimination of single-point-of-failure from real-time DDoS attacks, HTTP flood attacks, empty connection attacks, slow connection attacks and other web application attacks.

Alibaba Cloud Resource Access Management (RAM) is an identity and access control service which enables you to centrally manage your users (including employees, systems or applications) and securely control their access to your resources through permission levels. RAM thereby allows you to securely grant access permissions for Alibaba Cloud resources to only your selected high-privileged users, enterprise personnel and partners. This helps to ensure secure and appropriate usage of your cloud resources and protects from any unsolicited access to your account.

Alibaba Cloud SSL Certificates Service allows customers to directly apply, purchase and manage SSL certificates on Alibaba Cloud. This service is offered in cooperation with qualified certificate authorities. From this platform, customers can select the expected certificate authority and its certificate products to enjoy full-site HTTPS security solutions.

Reference:

https://www.alibabacloud.com/blog/how-to-secure-nginx-with-naxsi-firewall-on-ubuntu-16-04_593763?spm=a2c41.11703207.0.0
