How to Secure Nginx with NAXSI Firewall on Ubuntu 16.04

Prerequisites

Launch an Alibaba Cloud ECS Instance

apt-get update -y

Getting Started

apt-get install build-essential libssl-dev daemon mariadb-server libgeoip-dev wget nano bzip2 unzip libpcre3-dev zlib1g-dev -y

Install Nginx with Naxsi Support

wget http://nginx.org/download/nginx-1.14.0.tar.gz
wget https://github.com/nbs-system/naxsi/archive/master.zip
tar -xvzf nginx-1.14.0.tar.gz
unzip master.zip
adduser --system --no-create-home --disabled-login --disabled-password --group www-data
cd nginx-1.14.0
./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --user=www-data --group=www-data --with-http_ssl_module --with-http_geoip_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --prefix=/usr
make
make install
mkdir -p /var/lib/nginx
mkdir -p /var/lib/nginx/body
mkdir -p /var/lib/nginx/fastcgi

Configure Nginx

cd /root/naxsi-master
cp naxsi_config/naxsi_core.rules /etc/nginx/
nano /etc/nginx/naxsi.rules
#LearningMode
SecRulesEnabled;
DeniedUrl "/RequestDenied";
nano /etc/nginx/nginx.conf
user www-data;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # The NAXSI core rule set copied to /etc/nginx above must be loaded in the http context
    include /etc/nginx/naxsi_core.rules;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            # Enables NAXSI (SecRulesEnabled / DeniedUrl) for this location
            include /etc/nginx/naxsi.rules;
            root html;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Create Nginx SysVinit Script

git clone https://github.com/Fleshgrinder/nginx-sysvinit-script.git
cd nginx-sysvinit-script
make
install -D --mode=0644 --owner=root --group=root -- ./defaults /etc/default/nginx
install -D --mode=0755 --owner=root --group=root -- ./init /etc/init.d/nginx
update-rc.d nginx defaults
service nginx start
service nginx status
nginx.service - LSB: nginx LSB init script
Loaded: loaded (/etc/init.d/nginx; bad; vendor preset: enabled)
Active: active (running) since Tue 2018-05-22 20:59:02 IST; 8min ago
Docs: man:systemd-sysv-generator(8)
├─17834 nginx: master process /usr/sbin/ngin
└─17838 nginx: worker proces

Test NAXSI Firewall

curl 'http://192.168.0.104/?q=">'
tail -f /var/log/nginx/error.log
2018/05/22 20:59:14 [error] 17838#0: *1 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
2018/05/22 20:59:14 [error] 17838#0: *1 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
curl "http://192.168.0.104/?q='1 OR 1=1"
tail -f /var/log/nginx/error.log
2018/05/22 21:45:16 [error] 18171#0: *35 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=35&total_blocked=1&block=1&cscore0=$SQL&score0=6&cscore1=$XSS&score1=8&zone0=ARGS&id0=1009&var_name0=q&zone1=ARGS&id1=1013&var_name1=q, client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
2018/05/22 21:45:16 [error] 18171#0: *35 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
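The NAXSI_FMT lines above carry the firewall's decision as URL-encoded key=value pairs: the accumulated score per rule family (cscoreN/scoreN), the core rule ids that fired and the zone and variable they matched (zoneN/idN/var_nameN). The following Python script, added here and not part of the original tutorial, parses such error.log lines into structured events and tallies rule ids and client addresses, using the log lines from this article as its sample input.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Sample input: the two NAXSI_FMT lines and one unrelated error line from the
# error.log excerpt in this tutorial (copied from the article, not generated here).
SAMPLE_LOG = """2018/05/22 20:59:14 [error] 17838#0: *1 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
2018/05/22 20:59:14 [error] 17838#0: *1 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
2018/05/22 21:45:16 [error] 18171#0: *35 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=35&total_blocked=1&block=1&cscore0=$SQL&score0=6&cscore1=$XSS&score1=8&zone0=ARGS&id0=1009&var_name0=q&zone1=ARGS&id1=1013&var_name1=q, client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
"""

# nginx's error-line suffix; the request field may itself contain quotes (see the
# XSS probe above), so it is matched greedily up to the trailing host field.
NAXSI_RE = re.compile(r'NAXSI_FMT: (?P<fmt>[^\s,]+), client: (?P<client>[^,]+), '
                      r'server: (?P<server>[^,]+), request: "(?P<request>.*)", host: "(?P<host>[^"]*)"')

def parse_naxsi_line(line):
    """Return a structured event for a NAXSI_FMT line, or None for any other line."""
    m = NAXSI_RE.search(line)
    if not m:
        return None
    # Payload is URL-encoded key=value pairs; parse_qs decodes percent-encoded names too.
    kv = {k: v[0] for k, v in parse_qs(m.group("fmt"), keep_blank_values=True).items()}
    event = {"ip": kv.get("ip"), "uri": kv.get("uri"), "request": m.group("request"),
             "learning": kv.get("learning") == "1", "blocked": kv.get("block") == "1",
             "scores": {}, "matches": []}
    i = 0
    while f"cscore{i}" in kv:  # cscoreN/scoreN: accumulated score per rule family ($SQL, $XSS, ...)
        event["scores"][kv[f"cscore{i}"]] = int(kv[f"score{i}"])
        i += 1
    i = 0
    while f"id{i}" in kv:  # zoneN/idN/var_nameN: which core rule fired on which request part
        event["matches"].append({"zone": kv[f"zone{i}"], "id": int(kv[f"id{i}"]),
                                 "var": kv.get(f"var_name{i}", "")})
        i += 1
    return event

def summarize(log_text):
    """Tally blocked events, rule ids and client addresses over a chunk of error.log."""
    events = [e for e in map(parse_naxsi_line, log_text.splitlines()) if e]
    rule_hits, client_hits = Counter(), Counter()
    for e in events:
        client_hits[e["ip"]] += 1
        for match in e["matches"]:
            rule_hits[match["id"]] += 1
    return {"events": len(events), "blocked": sum(e["blocked"] for e in events),
            "rule_hits": dict(rule_hits), "client_hits": dict(client_hits)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feeding it the live file (for example the output of `grep NAXSI_FMT /var/log/nginx/error.log`) shows which rule ids fire most often, which is the starting point for whitelisting false positives with BasicRule entries in naxsi.rules.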
