By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.
Naxsi (Nginx Anti XSS & SQL Injection) is a free, open source, high-performance web application firewall for Nginx. It is a third-party Nginx module that ships with a small set of rules which, according to the project, cover 99% of the known patterns involved in website vulnerabilities. The main difference between Naxsi and other web application firewalls is that it filters only GET and POST requests. Because its rules are deliberately broad, you will also need to add whitelists for the legitimate traffic of the site you are protecting, otherwise normal requests may be blocked.
If you want to protect your web application from SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery, then Naxsi is the best choice for you.
In this tutorial, we will be installing a NAXSI firewall with Nginx on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 instance.
First, log in to your Alibaba Cloud ECS Console. Create a new ECS instance with Ubuntu 16.04 as the operating system and at least 2 GB of RAM. Connect to your ECS instance and log in as the root user.
Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.
apt-get update -y
Before starting, install the build dependencies required to compile Nginx with the Naxsi module. You can install all of them by running the following command:
apt-get install build-essential libssl-dev daemon mariadb-server libgeoip-dev wget nano bzip2 unzip git libpcre3-dev zlib1g-dev -y
Once all the required dependencies are installed, you can proceed to the next step.
The Nginx packages in the Ubuntu repositories do not include the Naxsi module, so you will need to download the Nginx source and compile it with Naxsi support.
First, download the Nginx and Naxsi source with the following command:
wget http://nginx.org/download/nginx-1.14.0.tar.gz
wget https://github.com/nbs-system/naxsi/archive/master.zip
Once both files are downloaded, extract them using the following commands:
tar -xvzf nginx-1.14.0.tar.gz
unzip master.zip
Next, create the www-data user and group that Nginx will run as, if they do not already exist. Run the following command to create both:
adduser --system --no-create-home --disabled-login --disabled-password --group www-data
Next, change the directory to the Nginx source and compile it with Naxsi support with the following command:
cd nginx-1.14.0
./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --user=www-data --group=www-data --with-http_ssl_module --with-http_geoip_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --prefix=/usr
make
make install
Next, create the temporary directories that Nginx was configured to use above. You can do this with the following commands:
mkdir -p /var/lib/nginx
mkdir -p /var/lib/nginx/body
mkdir -p /var/lib/nginx/fastcgi
Nginx is now installed with Naxsi support. Next, you will need to configure the Naxsi rules for Nginx. To do so, copy the Naxsi core rules from the Naxsi source to the Nginx configuration directory.
First, change the directory to the Naxsi source:
cd /root/naxsi-master
Next, copy the Naxsi core rules file to the Nginx configuration directory using the following command:
cp naxsi_config/naxsi_core.rules /etc/nginx/
Next, create a naxsi.rules file in the Nginx configuration directory:
nano /etc/nginx/naxsi.rules
Add the following lines:
#LearningMode
SecRulesEnabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 4" BLOCK;
Save and close the file when you are finished.
Note: The directives used above have the following meanings. LearningMode (commented out here) makes Naxsi log requests that match its rules without blocking them, which is how whitelists are built before enforcement is switched on. SecRulesEnabled turns Naxsi on for the location that includes this file. DeniedUrl is the internal URL that a blocked request is redirected to, so it should point at a location that returns an error response such as 403. Each CheckRule compares one of the score counters ($SQL, $RFI, $TRAVERSAL, $EVADE, $XSS), which the core rules increment whenever a request matches them, against a threshold and applies the given action (BLOCK here; LOG is also available for monitoring) once the threshold is reached.
Next, you will need to include the Naxsi rules files in the Nginx configuration. You can do this by editing the nginx.conf file:
nano /etc/nginx/nginx.conf
Make the following changes:
user www-data;
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    include /etc/nginx/naxsi_core.rules;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            include /etc/nginx/naxsi.rules;
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
Save the file when you are finished, then test Nginx for any syntax error with the following command:
nginx -t
You should see the following output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Next, you will need an init script so that Nginx can be managed as a system service. Download the Nginx sysvinit script from its Git repository and install it with the following commands:
git clone https://github.com/Fleshgrinder/nginx-sysvinit-script.git
cd nginx-sysvinit-script
make
You should see the following output:
install -D --mode=0644 --owner=root --group=root -- ./defaults /etc/default/nginx
install -D --mode=0755 --owner=root --group=root -- ./init /etc/init.d/nginx
update-rc.d nginx defaults
Once the script is installed, start the Nginx service and check its status with the following commands:
service nginx start
service nginx status
nginx.service - LSB: nginx LSB init script
Loaded: loaded (/etc/init.d/nginx; bad; vendor preset: enabled)
Active: active (running) since Tue 2018-05-22 20:59:02 IST; 8min ago
Docs: man:systemd-sysv-generator(8)
Process: 17806 ExecStop=/etc/init.d/nginx stop (code=exited, status=0/SUCCESS)
Process: 17821 ExecStart=/etc/init.d/nginx start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/nginx.service
├─17834 nginx: master process /usr/sbin/ngin
└─17838 nginx: worker proces
May 22 20:59:01 Node1 systemd[1]: Stopped LSB: nginx LSB init script.
May 22 20:59:01 Node1 systemd[1]: Starting LSB: nginx LSB init script...
May 22 20:59:02 Node1 systemd[1]: Started LSB: nginx LSB init script.
Nginx is now installed with Naxsi support, so it is time to test Naxsi against different types of attack.
First, from a second machine on the same network (192.168.0.105 in this example), send a request carrying an XSS payload to the Nginx server (192.168.0.104) using the following command:
curl 'http://192.168.0.104/?q=">'
Now, on the Nginx server machine, check the Nginx server log using the following command:
tail -f /var/log/nginx/error.log
You should see that the XSS request from the remote machine 192.168.0.105 was blocked by Naxsi. The first line is the NAXSI_FMT event: it records the client IP, the score each counter reached (here both $SQL and $XSS reached 8), the matched rule id (1001), the zone (ARGS) and the argument name (q). The second line appears because naxsi.rules sets DeniedUrl to /RequestDenied but the configuration above defines no location for it; the request is still denied (Nginx answers 404 instead of a dedicated error page), and adding a location for /RequestDenied that returns 403 gives a clean deny response and removes that second line:
2018/05/22 20:59:14 [error] 17838#0: *1 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
2018/05/22 20:59:14 [error] 17838#0: *1 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
Next, from the remote machine, send a request carrying an SQL injection payload to the Nginx server using the following command:
curl "http://192.168.0.104/?q='1 OR 1=1"
Now, on the Nginx server machine, check the Nginx server log using the following command:
tail -f /var/log/nginx/error.log
You should see that the SQL injection request from the remote machine 192.168.0.105 was blocked by Naxsi. Note in the event below that the $SQL counter reached only 6, below its CheckRule threshold of 8; it is the $XSS counter, which reached 8 against a threshold of 4, that caused the block:
2018/05/22 21:45:16 [error] 18171#0: *35 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=35&total_blocked=1&block=1&cscore0=$SQL&score0=6&cscore1=$XSS&score1=8&zone0=ARGS&id0=1009&var_name0=q&zone1=ARGS&id1=1013&var_name1=q, client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
2018/05/22 21:45:16 [error] 18171#0: *35 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
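The NAXSI_FMT lines above are the only record of what the firewall did and why, and they are also the raw material for the whitelists mentioned at the start of this tutorial: with LearningMode enabled, Naxsi writes the same lines (with learning=1) for requests it would have blocked but let through. The following Python script is an added example and is not part of the original tutorial or of the Naxsi project. It parses NAXSI_FMT events, using the two lines logged above as sample input, re-applies the CheckRule thresholds from naxsi.rules to show which counter actually caused each block, and prints whitelist candidates in Naxsi's BasicRule syntax. The CHECK_RULES table, the zone-to-match-zone mapping and all function names are this example's own; the generated whitelists are a starting point for review, in the spirit of the project's nxtool, not rules to deploy unread.

```python
"""Triage NAXSI_FMT events from the Nginx error log.

Added example, not part of the original tutorial or of Naxsi itself:
parse the NAXSI_FMT lines Naxsi writes when a request trips its rules,
re-apply the CheckRule thresholds from naxsi.rules, and emit whitelist
candidates in BasicRule syntax for an analyst to review.
"""
import re
from urllib.parse import parse_qsl

# Thresholds copied from the naxsi.rules file created in this tutorial.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 4}

# Naxsi log zones and the whitelist match-zone keyword that targets one
# named variable inside that zone (mapping chosen for this example).
ZONE_TO_MZ = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR", "HEADERS": "$HEADERS_VAR"}

# The NAXSI_FMT payload is a query-string-like field list; it ends at the
# first ", " which introduces Nginx's own "client: ..." suffix.
NAXSI_FMT_RE = re.compile(r"NAXSI_FMT: (\S+?)(?:,\s|$)")

# Sample input: the error-log lines shown in this tutorial, including the
# open() line that the parser must skip.
SAMPLE_LOG = r'''
2018/05/22 20:59:14 [error] 17838#0: *1 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
2018/05/22 20:59:14 [error] 17838#0: *1 open() "/usr/html/RequestDenied" failed (2: No such file or directory), client: 192.168.0.105, server: localhost, request: "GET /?q="> HTTP/1.1", host: "192.168.0.104"
2018/05/22 21:45:16 [error] 18171#0: *35 NAXSI_FMT: ip=192.168.0.105&server=192.168.0.104&uri=/&learning=0&vers=0.56&total_processed=35&total_blocked=1&block=1&cscore0=$SQL&score0=6&cscore1=$XSS&score1=8&zone0=ARGS&id0=1009&var_name0=q&zone1=ARGS&id1=1013&var_name1=q, client: 192.168.0.105, server: localhost, request: "GET /?q='1 OR 1=1 HTTP/1.1", host: "192.168.0.104"
'''


def parse_naxsi_fmt(line):
    """Return a dict for one NAXSI_FMT line, or None for any other log line."""
    m = NAXSI_FMT_RE.search(line.rstrip())
    if m is None:
        return None
    kv = dict(parse_qsl(m.group(1), keep_blank_values=True))
    scores, matches = {}, []
    i = 0
    while f"cscore{i}" in kv:  # cscoreN/scoreN pairs: per-counter totals
        scores[kv[f"cscore{i}"]] = int(kv[f"score{i}"])
        i += 1
    i = 0
    while f"id{i}" in kv:  # zoneN/idN/var_nameN triples: individual rule hits
        matches.append({"zone": kv.get(f"zone{i}", ""),
                        "id": int(kv[f"id{i}"]),
                        "var": kv.get(f"var_name{i}", "")})
        i += 1
    return {"ip": kv.get("ip"), "uri": kv.get("uri", "/"),
            "learning": kv.get("learning") == "1",
            # block=1 means a CheckRule fired; in LearningMode the request
            # is nevertheless served, which is what makes whitelisting safe.
            "block": kv.get("block") == "1",
            "scores": scores, "matches": matches}


def triggered_check_rules(scores, check_rules=CHECK_RULES):
    """Counters whose CheckRule threshold the request's scores reached."""
    return sorted(c for c, limit in check_rules.items() if scores.get(c, 0) >= limit)


def whitelist_candidates(event):
    """BasicRule lines that would silence exactly the rule/zone/variable
    combinations seen in this event, scoped to the request URI."""
    lines = []
    for hit in event["matches"]:
        zone, _, flag = hit["zone"].partition("|")  # "ARGS|NAME": hit in a var name
        mz = ZONE_TO_MZ.get(zone)
        target = f"{mz}:{hit['var']}" if mz and hit["var"] else zone
        if flag:
            target += "|" + flag
        lines.append(f'BasicRule wl:{hit["id"]} "mz:$URL:{event["uri"]}|{target}";')
    return lines


def triage(log_text):
    """Parse every NAXSI_FMT line in log_text and attach the triage results."""
    report = []
    for line in log_text.splitlines():
        event = parse_naxsi_fmt(line)
        if event is None:
            continue
        event["triggered"] = triggered_check_rules(event["scores"])
        event["whitelist"] = whitelist_candidates(event)
        report.append(event)
    return report


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"{ev['ip']} {ev['uri']} scores={ev['scores']} block={ev['block']} "
              f"via {', '.join(ev['triggered']) or 'no CheckRule'}")
        for wl in ev["whitelist"]:
            print("    ", wl)
```

Run against the sample, the first event reports that both $SQL and $XSS met their thresholds, while the second is blocked by $XSS alone even though the test was meant to exercise SQL injection detection; that is the kind of detail worth knowing before loosening a CheckRule. A whitelist line such as the generated BasicRule for id 1001 on argument q of / belongs inside the location block that includes naxsi.rules, and only after you have confirmed that the traffic it covers is legitimate.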
Congratulations! You have successfully installed and configured the Naxsi firewall on an Ubuntu 16.04 server. You can now protect your Nginx server from different kinds of attacks using Naxsi.