Nginx Web Application Firewall: NAXSI
NAXSI means Nginx Anti Xss & Sql Injection
Technically, it is a third-party nginx module, available as a package for many UNIX-like platforms. By default, this module reads a small set of simple rules (naxsi_core.rules) containing 99% of the known patterns involved in website vulnerabilities. For example, '<', '|' or 'drop' are not supposed to be part of a URI.
Because those patterns are very simple, they may also match legitimate requests; it is the Naxsi administrator's job to add specific rules that whitelist those legitimate behaviours. The administrator can either add whitelists manually by analyzing nginx's error log, or (recommended) start with an intensive auto-learning phase that automatically generates whitelisting rules from the website's actual behaviour.
In short, Naxsi behaves like a DROP-by-default firewall: the only work needed is to add the ACCEPT rules required for the target website to work properly.
Purpose:
- Naxsi (Nginx Anti Xss Sql Injection) is an open source, high performance, low rules maintenance, Web Application Firewall module for Nginx, the infamous web server and reverse-proxy.
- Its goal is to help people secure their web applications against attacks like SQL injection, cross-site scripting, cross-site request forgery, and local and remote file inclusion.
- The difference from most WAFs (Web Application Firewalls) out there is that it does not rely on signatures to detect and block attacks. It uses a simpler model: instead of trying to detect "known" attacks, it detects unexpected characters in HTTP requests and arguments.
- Each kind of unusual character increases the score of the request. If the request reaches a score considered "too high", the request is denied and the user is redirected to a "forbidden" page. Yes, it works somewhat like a spam filter.
Why is it different?
Unlike most Web Application Firewalls, Naxsi doesn't rely on a signature base, like an antivirus, and thus cannot be circumvented by an "unknown" attack pattern. Another main difference between Naxsi and other WAFs is that Naxsi filters GET and POST requests and is open source and free to use for your company or for personal use (i.e. as long as you don't resell a service or product based on Naxsi to customers).
Performance review
- Naxsi VS a highly vulnerable web site
- Naxsi VS Obfuscated|Complex SQLi patterns
Installation
You can install nginx+naxsi either from packages (available from the official repositories on Debian, FreeBSD and NetBSD) or directly from source. As Nginx does not yet support runtime module loading, many people will choose to compile from source to avoid package maintainers' delays.
Installation from packages
Packages are available for NetBSD, FreeBSD and Debian.
Installation from source
Naxsi should work with all Nginx versions newer than 0.8.x. To install it from source, we need to fetch both the nginx and naxsi sources.
wget http://nginx.org/download/nginx-x.x.xx.tar.gz
wget https://github.com/nbs-system/naxsi/archive/xxx.tar.gz
tar xvzf nginx-x.x.xx.tar.gz
tar xvzf naxsi-x.xx.tar.gz
cd nginx-x.x.xx/
./configure --add-module=../naxsi-x.xx/naxsi_src/ [add/remove your favorite/usual options]
make
make install
Nginx Web Application Firewall: Initial setup
Let's take the first step: setting up learning mode for your website! This page assumes you already know how to properly configure nginx without naxsi and make it work. /etc/nginx/nginx.conf:
user www-data;
worker_processes 1;
worker_rlimit_core 500M;
working_directory /tmp/;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
    # multi_accept on;
}

http {
    include /etc/nginx/naxsi_core.rules;
    include /etc/nginx/mime.types;
    server_names_hash_bucket_size 128;
    access_log /var/log/nginx/access.log;
    sendfile on;
    keepalive_timeout 65;
    tcp_nodelay on;
    gzip on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    include /etc/nginx/sites-enabled/*;
}
Notice the /etc/nginx/naxsi_core.rules include. This is the only thing you need to add to your existing `http {}` section if you already have a configuration. naxsi_core.rules is provided in the project (naxsi_config/) and contains the naxsi rules. As you might notice, these are not signatures in the classic WAF sense, but simple "score rules", e.g.:
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
You can read more about the rule syntax on the rulessyntax page. Now, let's have a look at /etc/nginx/sites-enabled/default:
server {
    proxy_set_header Proxy-Connection "";
    listen *:80;
    access_log /tmp/nginx_access.log;
    error_log /tmp/nginx_error.log debug;

    location / {
        include /etc/nginx/naxsi.rules;
        proxy_pass http://x.x.x.x/;
        proxy_set_header Host www.mysite.com;
    }

    location /RequestDenied {
        return 418;
    }
}
Naxsi's own configuration is in the file /etc/nginx/naxsi.rules:
LearningMode; # Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
With the following setup:
- Naxsi will be enabled
- Naxsi will not block any requests (while LearningMode is active)
- To-be-blocked requests will generate event logs in your location’s error.log file
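To make the scoring model concrete, here is an added Python simulation (not code from this page or from the Naxsi project) of how a set of MainRule lines and the CheckRule thresholds above combine. It parses rules written in the MainRule syntax shown earlier, applies each rule's str: pattern to the request zones named in its mz: list, adds the s: points to the named counters, and then applies the CheckRule thresholds, honouring LearningMode by reporting instead of blocking. The rule set is constructed: the double-quote rule is the one quoted on this page, the "<" rule uses id 1302 because that is the id Naxsi reports for the /?a=%3C request in the log line shown on this page, and the remaining two rules (ids 1016 and 1202) are placeholders in the same format. Case-insensitive substring matching, inspecting argument values only, one score increment per matching variable, and the simplified zone model are assumptions of this simulation, not statements about Naxsi's internals.

```python
import shlex
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed rule set in the MainRule syntax shown on this page. The first
# line is the page's own double-quote rule; the others are illustrative
# placeholders in the same format (id 1302 for "<" is the id that appears in
# the page's NAXSI_FMT log line; ids 1016 and 1202 are made up here).
CORE_RULES = r'''
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:|" "msg:pipe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$RFI:4" id:1016;
MainRule "str:../" "msg:directory traversal" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
'''

# CheckRule thresholds copied from the naxsi.rules shown on this page.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}


@dataclass
class MainRule:
    pattern: str      # literal substring from "str:"
    msg: str          # human-readable label from "msg:"
    zones: list       # request zones from "mz:", e.g. ["ARGS", "URL"]
    scores: dict      # named score -> points from "s:", e.g. {"$XSS": 8}
    rule_id: int      # numeric id reported in the error log


def parse_main_rules(text):
    """Parse MainRule lines; shlex unescapes the \\" inside the str: argument."""
    rules = []
    for line in text.splitlines():
        if not line.strip().startswith("MainRule"):
            continue
        fields = {}
        for tok in shlex.split(line)[1:]:
            key, _, val = tok.partition(":")
            fields[key] = val.rstrip(";")
        scores = {}
        for item in fields["s"].split(","):
            name, _, points = item.rpartition(":")
            scores[name] = int(points)
        rules.append(MainRule(fields["str"], fields["msg"],
                              fields["mz"].split("|"), scores, int(fields["id"])))
    return rules


def request_zones(target, body="", headers=None):
    """Split a request into the zones this model inspects (URL, ARGS, BODY, HEADERS)."""
    parts = urlsplit(target)
    return {
        "URL": [("", parts.path)],
        "ARGS": parse_qsl(parts.query, keep_blank_values=True),
        "BODY": parse_qsl(body, keep_blank_values=True),
        "HEADERS": list((headers or {}).items()),
    }


def score_request(rules, zones):
    """Apply each rule to every zone it names; return (scores, matches)."""
    scores, matches = {}, []
    for rule in rules:
        for zone in rule.zones:
            if zone.startswith("$HEADERS_VAR:"):        # a single named header
                wanted = zone.split(":", 1)[1].lower()
                label = "HEADERS"
                candidates = [(n, v) for n, v in zones["HEADERS"] if n.lower() == wanted]
            else:
                label, candidates = zone, zones.get(zone, [])
            for var_name, value in candidates:
                # Assumption of this model: case-insensitive substring match on values only.
                if rule.pattern.lower() in value.lower():
                    for name, points in rule.scores.items():
                        scores[name] = scores.get(name, 0) + points
                    matches.append((label, rule.rule_id, var_name))
    return scores, matches


def evaluate(scores, check_rules, learning):
    """Mirror CheckRule "$X >= N" BLOCK; LearningMode reports but never blocks."""
    triggered = [name for name, limit in check_rules.items() if scores.get(name, 0) >= limit]
    return bool(triggered) and not learning, triggered


def naxsi_fmt(matches):
    """Render matches the way NAXSI_FMT numbers them: zone0=..&id0=..&var_name0=.."""
    return "&".join(f"zone{i}={z}&id{i}={rid}&var_name{i}={v}"
                    for i, (z, rid, v) in enumerate(matches))


def inspect(target, body="", headers=None, learning=True):
    """Score one request against CORE_RULES and CHECK_RULES; learning=True mirrors LearningMode."""
    rules = parse_main_rules(CORE_RULES)
    scores, matches = score_request(rules, request_zones(target, body, headers))
    blocked, triggered = evaluate(scores, CHECK_RULES, learning)
    return {"scores": scores, "triggered": triggered,
            "blocked": blocked, "events": naxsi_fmt(matches)}
```

Calling inspect("/?a=%3C") reproduces the zone0=ARGS&id0=1302&var_name0=a fragment from the log line on this page with $XSS at 8, which crosses the $XSS threshold but is only reported while learning is on; inspect("/?cmd=ls%7Cid") shows the other half of the model, a single pipe scoring $RFI:4 and staying under the $RFI >= 8 threshold, so it is neither reported as a CheckRule hit nor blocked.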
Exceptions look like this (let's request http://127.0.0.1/?a=%3C):
2013/05/30 20:09:43 [error] 8404#0:*3 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/&learning=0&vers=0.50&total_processed=3&total_blocked=1&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=< HTTP/1.0", host: "127.0.0.1"
Once you see this kind of line in your error log, you have naxsi running in LearningMode. Congrats!
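As an added example of the manual route mentioned at the top of this page, analyzing nginx's error log to derive whitelists, here is a Python log analyzer that is not code from this page or from the Naxsi project. It picks the NAXSI_FMT lines out of an error log, splits the &-joined payload into fields, collects the numbered zoneN/idN/var_nameN triples, counts how often each (rule id, zone, variable) combination occurs, and proposes one whitelist line per combination seen at least min_hits times. The log excerpt is constructed: the first line is the one shown on this page, the others are made up in the same format. The BasicRule wl:ID "mz:..." form is Naxsi's documented whitelist syntax and is not shown on this page; the zone-to-qualifier mapping and the min_hits threshold are this example's own assumptions. Every proposed line still needs to be checked against what the application legitimately sends before it goes into naxsi.rules.

```python
import re
from collections import Counter

# Constructed nginx error-log excerpt. The first line is the NAXSI_FMT line
# shown on this page; the next two are made up in the same format, and the
# last one is an unrelated nginx error that the parser must ignore.
SAMPLE_LOG = """\
2013/05/30 20:09:43 [error] 8404#0:*3 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/&learning=0&vers=0.50&total_processed=3&total_blocked=1&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=< HTTP/1.0", host: "127.0.0.1"
2013/05/30 20:10:01 [error] 8404#0:*4 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/search&learning=1&vers=0.50&total_processed=4&total_blocked=2&zone0=ARGS&id0=1302&var_name0=q, client: 127.0.0.1, server: , request: "GET /search?q=a<b HTTP/1.0", host: "127.0.0.1"
2013/05/30 20:10:05 [error] 8404#0:*5 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/search&learning=1&vers=0.50&total_processed=5&total_blocked=3&zone0=ARGS&id0=1302&var_name0=q&zone1=BODY&id1=1001&var_name1=comment, client: 127.0.0.1, server: , request: "POST /search?q=x<y HTTP/1.0", host: "127.0.0.1"
2013/05/30 20:10:09 [error] 8404#0:*6 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 127.0.0.1
"""

# The payload runs from "NAXSI_FMT: " up to the first comma; "client:" follows it.
NAXSI_FMT = re.compile(r"NAXSI_FMT: (?P<payload>[^,]+), client: (?P<client>[^,\s]+)")

# Zone names as logged -> match-zone qualifiers used in BasicRule whitelists
# (Naxsi's documented whitelist syntax; assumption of this example, not shown on the page).
ZONE_VAR = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR", "HEADERS": "$HEADERS_VAR"}


def parse_naxsi_line(line):
    """Return a dict for a NAXSI_FMT line, or None for any other error-log line."""
    m = NAXSI_FMT.search(line)
    if not m:
        return None
    kv = dict(item.split("=", 1) for item in m.group("payload").split("&"))
    matches, i = [], 0
    while f"id{i}" in kv:                 # zone0/id0/var_name0, zone1/id1/var_name1, ...
        matches.append({"zone": kv[f"zone{i}"], "id": int(kv[f"id{i}"]),
                        "var": kv.get(f"var_name{i}", "")})
        i += 1
    return {"ip": kv["ip"], "client": m.group("client"), "uri": kv["uri"],
            "learning": kv["learning"] == "1", "matches": matches}


def parse_log(text):
    """All NAXSI_FMT events in an error-log excerpt, in file order."""
    return [ev for ev in (parse_naxsi_line(l) for l in text.splitlines()) if ev]


def whitelist_rules(events, min_hits=1):
    """Propose one BasicRule per (rule id, zone, variable) seen at least min_hits times."""
    counts = Counter()
    for ev in events:
        for m in ev["matches"]:
            # URL-zone matches carry no variable name, so key them by the request URI.
            counts[(m["id"], m["zone"], m["var"] or ev["uri"])] += 1
    rules = []
    for (rid, zone, var), hits in sorted(counts.items()):
        if hits < min_hits:
            continue
        mz = f"$URL:{var}" if zone == "URL" else f"{ZONE_VAR.get(zone, zone)}:{var}"
        rules.append(f'BasicRule wl:{rid} "mz:{mz}";')
    return rules
```

Running whitelist_rules(parse_log(SAMPLE_LOG), min_hits=2) on the excerpt yields only the rule for id 1302 on the q argument, because that is the one combination that recurs; with the default min_hits=1 it also proposes the one-off hits on a and on the comment body field, which is exactly the kind of line that deserves a second look before it is whitelisted.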