How to Secure Nginx with NAXSI Firewall on Ubuntu 16.04

Prerequisites

  1. A fresh Alibaba Cloud ECS instance with Ubuntu 16.04 server installed.
  2. A static private IP address configured on the instance. The examples later in this guide use 192.168.0.104 for the server and 192.168.0.105 for the client that sends the test requests.
  3. Root access to the server (a root password is set up; an SSH key is preferable, but the steps are the same either way).

Launch an Alibaba Cloud ECS Instance

First, log in to your Alibaba Cloud ECS Console and create a new ECS instance with Ubuntu 16.04 as the operating system and at least 2 GB of RAM. Connect to the instance and log in as the root user, then refresh the package index before installing anything:

apt-get update -y

Getting Started

Before starting, install the packages needed to build Nginx with the Naxsi module from source. The build itself needs the compiler toolchain plus the OpenSSL, PCRE, zlib and GeoIP development headers; mariadb-server is installed here as well but is not used anywhere in this guide, so drop it if you do not want a database server on this host. Install everything with:

apt-get install build-essential libssl-dev daemon mariadb-server libgeoip-dev wget nano bzip2 unzip libpcre3-dev zlib1g-dev -y

Install Nginx with Naxsi Support

The Naxsi module is not part of the Nginx packages, so you need to download the Nginx source and compile it with Naxsi added as a module. Two things to be aware of before you run the commands: master.zip is whatever the Naxsi master branch contains at the moment you download it, so pin a tagged release instead if you need a reproducible build; and because of --prefix=/usr the configure flags put the binary in /usr/sbin/nginx, the configuration in /etc/nginx and the default document root in /usr/html, which is why the log output later in this guide refers to /usr/html/RequestDenied. The www-data user and group already exist on Ubuntu, so adduser will simply report that and continue.

wget http://nginx.org/download/nginx-1.14.0.tar.gz
wget https://github.com/nbs-system/naxsi/archive/master.zip
tar -xvzf nginx-1.14.0.tar.gz
unzip master.zip
adduser --system --no-create-home --disabled-login --disabled-password --group www-data
cd nginx-1.14.0
./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --user=www-data --group=www-data --with-http_ssl_module --with-http_geoip_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --prefix=/usr
make
make install
mkdir -p /var/lib/nginx/body /var/lib/nginx/fastcgi /var/lib/nginx/proxy

Configure Nginx

Nginx is now installed. Next, configure the Naxsi rules. Naxsi uses two files: the core rules (naxsi_core.rules, shipped with the source), which assign scores to suspicious patterns in requests, and a small per-site file that switches Naxsi on and decides what to do with those scores. Copy the core rules from the Naxsi source into the Nginx configuration directory:

cd /root/naxsi-master
cp naxsi_config/naxsi_core.rules /etc/nginx/

Then create the per-site rules file:

nano /etc/nginx/naxsi.rules
#LearningMode;
SecRulesEnabled;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
  1. LearningMode: when enabled, requests that match rules are written to the error log but not blocked. It is commented out here so that Naxsi actually blocks; uncomment it while you tune whitelists for a new application.
  2. SecRulesEnabled: enables Naxsi for the location or server block that includes this file. Replace it with SecRulesDisabled to switch Naxsi off for that block.
  3. DeniedUrl: the location to which Naxsi internally redirects a blocked request. Nginx must have a location for that path; otherwise it tries to serve a static file of that name from the document root and the client gets a 404, which is what the log output later in this guide shows.
  4. CheckRule: tells Naxsi which action (LOG, BLOCK, DROP or ALLOW) to take once a request's score for a category ($SQL, $XSS, $RFI, $TRAVERSAL, $EVADE) reaches a threshold. The core rules only add to these scores; without at least one CheckRule nothing is ever blocked. The thresholds above are the ones from Naxsi's example configuration and match the scores in the test output later in this guide.
Now edit the main Nginx configuration. The core rules must be included at the http level, and naxsi.rules in every location you want protected; worker_connections belongs in an events block and everything else in the http block:

nano /etc/nginx/nginx.conf
user  www-data;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    include       /etc/nginx/naxsi_core.rules;
    default_type  application/octet-stream;
    access_log    /var/log/nginx/access.log;
    error_log     /var/log/nginx/error.log;
    sendfile      on;
    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;

        location / {
            include /etc/nginx/naxsi.rules;
            root   html;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

Check the syntax before going further:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
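nginx -t only checks syntax; it will happily accept a rules file that never blocks anything, or a DeniedUrl that no location serves. The following script is an added example, not part of the article or of Naxsi, that lints a naxsi.rules file together with the nginx.conf that includes it for exactly those mistakes. The two sample configurations it writes to a temporary directory are constructed for the demo; the 418 status returned from /RequestDenied follows Naxsi's own example configuration.

```shell
#!/bin/sh
# Added example (not from the article): lint a naxsi.rules file and the nginx.conf
# that includes it for the misconfigurations that make Naxsi silently do nothing
# or hide its verdict behind a 404.

# naxsi_lint RULES_FILE NGINX_CONF
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
naxsi_lint() {
    rules=$1; conf=$2; rc=0
    # Drop comments first so a commented-out "#LearningMode" is not counted as active.
    active=$(sed 's/#.*//' "$rules")

    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*LearningMode[[:space:]]*;'; then
        echo "LearningMode is on: matches are logged, nothing is blocked"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*SecRulesEnabled[[:space:]]*;'; then
        echo "SecRulesEnabled is missing: Naxsi is not active in this location"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*CheckRule[[:space:]]+"'; then
        echo "no CheckRule: scores are computed but never turned into BLOCK/DROP"; rc=1
    fi
    # DeniedUrl is an internal redirect; nginx needs a location that answers it.
    denied=$(printf '%s\n' "$active" \
        | sed -n 's/^[[:space:]]*DeniedUrl[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    if [ -z "$denied" ]; then
        echo "no DeniedUrl: blocked requests have no destination"; rc=1
    elif ! grep -Eq "^[[:space:]]*location[[:space:]]+(=[[:space:]]*)?$denied[[:space:]]*\{" "$conf"; then
        echo "DeniedUrl $denied has no location in $conf: blocked requests end up as 404"; rc=1
    fi
    return $rc
}

# Constructed sample configurations for the demo.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# A rules file with no CheckRule at all: nothing is ever blocked.
cat >"$DEMO_DIR/bad.rules" <<'EOF'
#LearningMode
SecRulesEnabled;
DeniedUrl "/RequestDenied";
EOF

# A server block in which nothing serves /RequestDenied.
cat >"$DEMO_DIR/bad.conf" <<'EOF'
server {
    listen 80;
    location / {
        include /etc/nginx/naxsi.rules;
        root html;
    }
}
EOF

cat >"$DEMO_DIR/good.rules" <<'EOF'
#LearningMode;
SecRulesEnabled;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
EOF

cat >"$DEMO_DIR/good.conf" <<'EOF'
server {
    listen 80;
    location / {
        include /etc/nginx/naxsi.rules;
        root html;
    }
    location /RequestDenied {
        return 418;
    }
}
EOF

for pair in bad good; do
    echo "== $pair =="
    naxsi_lint "$DEMO_DIR/$pair.rules" "$DEMO_DIR/$pair.conf" && echo "no findings"
done
```

Run it against the real files (naxsi_lint /etc/nginx/naxsi.rules /etc/nginx/nginx.conf) after every rules change; a non-zero exit is the signal that Naxsi would not behave the way the configuration suggests.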

Create Nginx SysVinit Script

Because Nginx was built from source, no service script was installed. Create a SysVinit script so that Nginx starts at boot and can be managed with the service command. First, clone the init script from its Git repository (git is not in the dependency list above; install it with apt-get if the clone fails):

git clone https://github.com/Fleshgrinder/nginx-sysvinit-script.git
cd nginx-sysvinit-script
make
install -D --mode=0644 --owner=root --group=root -- ./defaults /etc/default/nginx
install -D --mode=0755 --owner=root --group=root -- ./init /etc/init.d/nginx
update-rc.d nginx defaults

Then start Nginx and check that it is running:

service nginx start
service nginx status
nginx.service - LSB: nginx LSB init script
   Loaded: loaded (/etc/init.d/nginx; bad; vendor preset: enabled)
   Active: active (running) since Tue 2018-05-22 20:59:02 IST; 8min ago
     Docs: man:systemd-sysv-generator(8)
           ├─17834 nginx: master process /usr/sbin/ngin
           └─17838 nginx: worker proces

Test NAXSI Firewall

Nginx is now running with Naxsi support, so it is time to test Naxsi against a couple of attack patterns. Run the curl commands from a second machine (192.168.0.105 in this example) against the server, and watch the server's error log at the same time with tail -f /var/log/nginx/error.log. Naxsi writes one NAXSI_FMT line per intercepted request; that line is the evidence you are looking for.

First, send a request with a double quote in a query parameter, the kind of input an XSS probe starts with:

curl 'http://192.168.0.104/?q=">'

On the server:

tail -f /var/log/nginx/error.log
2018/05/22 20:59:14 [error] 17838#0: *1 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
2018/05/22 20:59:14 [error] 17838#0: *1 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"

The NAXSI_FMT line tells you what happened: learning=0 means blocking is active, block=1 means the request was blocked, cscore0=$SQL&score0=8 and cscore1=$XSS&score1=8 are the per-category scores that crossed a CheckRule threshold, and zone0=ARGS&id0=1001&var_name0=q says that core rule 1001 matched in the query-string argument q. The second line is an Nginx error, not a Naxsi one: the request was redirected to /RequestDenied, but no location serves that path, so Nginx looked for a static file under /usr/html and the client received a 404 rather than a deliberate denial response. Define a location for /RequestDenied in the server block (Naxsi's own example configuration returns status 418 from it) to make the response explicit.

Next, send a classic SQL injection probe:

curl "http://192.168.0.104/?q='1 OR 1=1"
tail -f /var/log/nginx/error.log
2018/05/22 21:45:16 [error] 18171#0: *35 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=35&total_blocked=1&block=1&cscore0=$SQL&score0=6&cscore1=$XSS&score1=8&zone0=ARGS&id0=1009&var_name0=q&zone1=ARGS&id1=1013&var_name1=q, client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
2018/05/22 21:45:16 [error] 18171#0: *35 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"

Here two core rules matched the same argument (id0=1009 and id1=1013), giving $SQL a score of 6 and $XSS a score of 8; block=1 shows that one of them crossed a CheckRule threshold. Scores accumulate per request, so a payload that trips several low-scoring rules is blocked just as a single high-scoring match is. Note also that total_processed counts every request the worker has seen since it started, not only the blocked ones.
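Reading NAXSI_FMT lines by eye does not scale past a handful of tests. The script below is an added example, not part of the article or of Naxsi: it sends a small set of probe requests (a benign one, the article's XSS and SQL injection patterns) to a target given in the NAXSI_TARGET environment variable, and turns NAXSI_FMT log lines into one-line summaries of what matched and why. The target URL, the payload list and the probe function are assumptions; the sample log lines are constructed copies of the output shown above, so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not from the article): probe a Naxsi-protected host and summarise
# NAXSI_FMT error-log lines. NAXSI_TARGET (e.g. http://192.168.0.104) is an assumed
# environment variable; without it only the offline parsing demo runs.

# naxsi_field FMT KEY: one value out of the "k=v&k=v" payload of a NAXSI_FMT line.
naxsi_field() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# naxsi_summary LOGLINE: prints "ip=.. uri=.. learning=.. block=.. scores: .. rules: .."
# for a NAXSI_FMT line and returns 1 for any other error-log line.
naxsi_summary() {
    fmt=$(printf '%s\n' "$1" | sed -n 's/.*NAXSI_FMT: \(.*\), client: .*/\1/p')
    [ -n "$fmt" ] || return 1

    # cscoreN/scoreN pairs: per-category totals ($SQL, $XSS, ...) that CheckRules act on.
    scores=""; i=0
    while category=$(naxsi_field "$fmt" "cscore$i") && [ -n "$category" ]; do
        scores="$scores ${category#?}=$(naxsi_field "$fmt" "score$i")"   # drop leading $
        i=$((i + 1))
    done
    # zoneN/idN/var_nameN triples: which core rule matched, in which zone, on which variable.
    rules=""; i=0
    while id=$(naxsi_field "$fmt" "id$i") && [ -n "$id" ]; do
        rules="$rules $id($(naxsi_field "$fmt" "zone$i"):$(naxsi_field "$fmt" "var_name$i"))"
        i=$((i + 1))
    done
    printf 'ip=%s uri=%s learning=%s block=%s scores:%s rules:%s\n' \
        "$(naxsi_field "$fmt" ip)" "$(naxsi_field "$fmt" uri)" \
        "$(naxsi_field "$fmt" learning)" "$(naxsi_field "$fmt" block)" \
        "$scores" "$rules"
}

# probe BASE_URL PAYLOAD: send ?q=PAYLOAD (URL-encoded by curl) and print the HTTP
# status. A status that differs from the benign request means Naxsi redirected the
# request to DeniedUrl (404 with the article's configuration, 418 once a location exists).
probe() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --get --data-urlencode "q=$2" "$1/")
    printf '%s %s\n' "$code" "$2"
}

# Constructed sample log lines (copies of the article's output) for the offline demo.
SAMPLE_XSS=$(cat <<'EOF'
2018/05/22 20:59:14 [error] 17838#0: *1 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
EOF
)
SAMPLE_SQL=$(cat <<'EOF'
2018/05/22 21:45:16 [error] 18171#0: *35 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=35&total_blocked=1&block=1&cscore0=$SQL&score0=6&cscore1=$XSS&score1=8&zone0=ARGS&id0=1009&var_name0=q&zone1=ARGS&id1=1013&var_name1=q, client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
EOF
)
SAMPLE_OTHER=$(cat <<'EOF'
2018/05/22 21:45:16 [error] 18171#0: *35 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
EOF
)

for l in "$SAMPLE_XSS" "$SAMPLE_SQL" "$SAMPLE_OTHER"; do
    naxsi_summary "$l" || echo "(not a NAXSI_FMT line, skipped)"
done

# Assumed payload list: one benign request plus the article's two attack patterns.
PAYLOADS=$(cat <<'EOF'
hello
"><script>alert(1)</script>
' OR 1=1 --
EOF
)

# Live run only when a target is given: NAXSI_TARGET=http://192.168.0.104 sh naxsi-probe.sh
if [ -n "${NAXSI_TARGET:-}" ]; then
    printf '%s\n' "$PAYLOADS" | while IFS= read -r p; do probe "$NAXSI_TARGET" "$p"; done
fi
```

On the server, pipe the live log through the parser (tail -f /var/log/nginx/error.log | while IFS= read -r l; do naxsi_summary "$l"; done) while the probes run; the rule IDs in the rules: field are what you look up in naxsi_core.rules when deciding whether a match is a real attack or a candidate for a whitelist.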

Related Alibaba Cloud Products

Alibaba Cloud Anti-DDoS Pro is a value added protection service to ensure high availability and provide complete protection to your online business from all kinds of malicious DDoS attacks. The product also ensures the elimination of single-point-of-failure from real-time DDoS attacks, HTTP flood attacks, empty connection attacks, slow connection attacks and other web application attacks.

Alibaba Cloud (https://www.alibabacloud.com)