×
Community Blog How to Secure Nginx with NAXSI Firewall on Ubuntu 16.04

How to Secure Nginx with NAXSI Firewall on Ubuntu 16.04

In this tutorial, we will be installing a NAXSI firewall with Nginx on an Alibaba Cloud ECS Ubuntu 16.04 instance.

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Naxsi (Nginx Anti XSS & SQL Injection) is a free, open source and high-performance web application firewall for Nginx. Naxsi is a third party Nginx module that comes with a small subset of rules containing 99% of known patterns involved in website vulnerabilities. The main difference between Naxsi and other firewalls is that it filters only GET and POST requests. You will also need to add a whitelist for the target website to work properly.

If you want to protect your web application from SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery, then Naxsi is the best choice for you.

In this tutorial, we will be installing a NAXSI firewall with Nginx on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 instance.

Prerequisites

  1. A fresh Alibaba cloud instance with Ubuntu 16.04 server installed.
  2. A static IP address 192.168.0.103 is configured on the instance.
  3. A root password is setup on the server.

Launch an Alibaba Cloud ECS Instance

First, login to your Alibaba Cloud ECS Console. Create a new ECS instance, with Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Getting Started

Before starting, you will need to install all necessary dependencies required to install Nginx-Naxsi. You can install all the required dependencies by running the following command:

apt-get install build-essential libssl-dev daemon mariadb-server  libgeoip-dev wget nano bzip2 unzip libpcre3-dev zlib1g-dev -y

Once all the required dependencies are installed, you can proceed to the next step.

Install Nginx with Naxsi Support

By default, Naxsi module does not come with Nginx package. So, you will need to download Nginx source and compile it with Naxsi support.

First, download the Nginx and Naxsi source with the following command:

wget http://nginx.org/download/nginx-1.14.0.tar.gz
wget https://github.com/nbs-system/naxsi/archive/master.zip

Once both files are downloaded, extract both files using the following command:

tar -xvzf nginx-1.14.0.tar.gz
unzip master.zip

Next, you will need to create a user and group www-data for Nginx. Run the following command to create both:

adduser --system --no-create-home --disabled-login --disabled-password --group www-data

Next, change the directory to the Nginx source and compile it with Naxsi support with the following command:

cd nginx-1.14.0
./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --user=www-data --group=www-data --with-http_ssl_module --with-http_geoip_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --prefix=/usr
make
make install

Next, create some directories to make Nginx work. You can do this with the following command:

mkdir -p /var/lib/nginx
mkdir -p /var/lib/nginx/body
mkdir -p /var/lib/nginx/fastcgi

Once Nginx is installed with Naxsi support, you can proceed to the next step.

Configure Nginx

Nginx is now installed. Next, you will need to configure Naxsi rules for Nginx. To do so, copy Naxsi core rules from Naxsi source to the Nginx config directory.

First, change the directory to the Naxsi source:

cd /root/naxsi-master

Next, copy Naxsi rules file to the Nginx config directory using the following command:

cp naxsi_config/naxsi_core.rules /etc/nginx/

Next, create naxsi.rules file in Nginx config directory:

nano /etc/nginx/naxsi.rules

Add the following lines:

#LearningMode
 SecRulesEnabled; 
 DeniedUrl "/RequestDenied";
 
 ## check rules 
 CheckRule "$SQL >= 8" BLOCK; 
 CheckRule "$RFI >= 8" BLOCK; 
 CheckRule "$TRAVERSAL >= 4" BLOCK; 
 CheckRule "$EVADE >= 4" BLOCK; 
 CheckRule "$XSS >= 4" BLOCK; 

Save and close the file, when you are finished.

Note: Define all the above parameter as below.

  1. LearningMode: This means that malicious requests are copied to the a defined error log and not blocked.
  2. SecRulesEnabled: This will enable Naxsi for a server block. You can also disable Naxsi for server block by replacing it with SecRulesDisabled.
  3. DeniedUrl: This parameter indicates where naxsi will redirect blocked requests.
  4. CheckRule: This will instruct naxsi to take an action like, LOG, BLOCK, DROP, ALLOW based on a specific score associated to the request.

Next, you will need to define Naxsi rules path in the Nginx config directory. You can do this by editing nginx.conf file:

nano /etc/nginx/nginx.conf

Make the following changes:

user  www-data;
worker_processes  1;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
include /etc/nginx/naxsi_core.rules;
     access_log /var/log/nginx/access.log;
     error_log /var/log/nginx/error.log;
    sendfile        on;
    keepalive_timeout  65;


    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
         include /etc/nginx/naxsi.rules;
            root   html;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

    }
}

Save the file when you are finished, then test Nginx for any syntax error with the following command:

nginx -t

You should see the following output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Create Nginx SysVinit Script

Next, you will also need to create an Nginx upstart script. You can do this by running the following command:
First, download the Nginx sysvinit source from Git repository using the following command:

git clone https://github.com/Fleshgrinder/nginx-sysvinit-script.git

Next, change the directory to the nginx-sysvinit-script and install Nginx Sysvinit script with the following command:
cd nginx-sysvinit-script
make

You should see the following output:

install -D --mode=0644 --owner=root --group=root -- ./defaults /etc/default/nginx
install -D --mode=0755 --owner=root --group=root -- ./init /etc/init.d/nginx
update-rc.d nginx defaults

Once script is installed, start the Nginx service with the following command:

service nginx start

You can check the status of the Nginx with the following command:
service nginx status

You should see the following output:
nginx.service - LSB: nginx LSB init script
   Loaded: loaded (/etc/init.d/nginx; bad; vendor preset: enabled)
   Active: active (running) since Tue 2018-05-22 20:59:02 IST; 8min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 17806 ExecStop=/etc/init.d/nginx stop (code=exited, status=0/SUCCESS)
  Process: 17821 ExecStart=/etc/init.d/nginx start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nginx.service
           ├─17834 nginx: master process /usr/sbin/ngin
           └─17838 nginx: worker proces

May 22 20:59:01 Node1 systemd[1]: Stopped LSB: nginx LSB init script.
May 22 20:59:01 Node1 systemd[1]: Starting LSB: nginx LSB init script...
May 22 20:59:02 Node1 systemd[1]: Started LSB: nginx LSB init script. 

Test NAXSI Firewall

Nginx is now installed with Naxsi support, it's time to test Naxsi against different types of attack.
First, go to the remote machine and test Nginx against XSS attack using the following command:

curl 'http://192.168.0.104/?q=">'

Now, on the Nginx server machine, check the Nginx server log using the following command:

tail -f /var/log/nginx/error.log 

You should see that XSS request from remote machine IP address 192.168.0.105 is blocked by Naxsi:

2018/05/22 20:59:14 [error] 17838#0: *1 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
2018/05/22 20:59:14 [error] 17838#0: *1 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"

Next, go to the remote machine and test Nginx against SQL Injection attack using the following command:

curl "http://192.168.0.104/?q='1 OR 1=1"

Now, on the Nginx server machine, check the Nginx server log using the following command:

tail -f /var/log/nginx/error.log

You should see that SQL query from remote machine IP address 192.168.0.105 is blocked by Naxsi:

2018/05/22 21:45:16 [error] 18171#0: *35 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=35&total_blocked=1&block=1&cscore0=$SQL&score0=6&cscore1=$XSS&score1=8&zone0=ARGS&id0=1009&var_name0=q&zone1=ARGS&id1=1013&var_name1=q, client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
2018/05/22 21:45:16 [error] 18171#0: *35 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"

Congratulations! You have successfully installed and configured Naxsi Firewall on Ubuntu 16.04 server. You can now protect Nginx server from different kind of attacks using Naxsi firewall.

Related Alibaba Cloud Products

Alibaba Cloud Anti-DDoS Pro is a value added protection service to ensure high availability and provide complete protection to your online business from all kinds of malicious DDoS attacks. The product also ensures the elimination of single-point-of-failure from real-time DDoS attacks, HTTP flood attacks, empty connection attacks, slow connection attacks and other web application attacks.

Alibaba CloudResource Access Management (RAM) is an identity and access control service which enables you to centrally manage your users (including employees, systems or applications) and securely control their access to your resources through permission levels. RAM thereby allows you to securely grant access permissions for Alibaba Cloud resources to only your selected high-privileged users, enterprise personnel and partners. This helps to ensure secure and appropriate usage of your cloud resources and protects from any unsolicited access to your account.

Alibaba Cloud SSL Certificates Service allows customers to directly apply, purchase and manage SSL certificates on Alibaba Cloud. This service is offered in cooperation with qualified certificate authorities. From this platform, customers can select the expected certificate authority and its certificate products to enjoy full-site HTTPS security solutions.

0 0 0
Share on

Alibaba Clouder

2,599 posts | 758 followers

You may also like

Comments