中国境内的许多CDN服务商等都开始强烈要求备案才可使用服务,而导致很多个人型的网站没有防御,从而很容易被攻击。

接下来的教程仅适用于拥有对自己服务器完全控制权的人使用[copy from GitHub]

naxsi setup

Jump to bottomAnnihil edited this page on Mar 20, 2017 · 4 revisions

Basic Setup

Architecture of naxsi configuration

Example configuration

#Only for nginx's version with modular support
load_module /../modules/ngx_http_naxsi_module.so;
events {
 ...
}
http {
 include /tmp/naxsi_ut/naxsi_core.rules;
 ...
 server {
  listen ...;
  server_name  ...;
  location / {
   #Enable naxsi
   SecRulesEnabled;
   #Enable learning mode
   LearningMode;
   #Define where blocked requests go
   DeniedUrl "/50x.html"; 
   #CheckRules, determining when naxsi needs to take action
   CheckRule "$SQL >= 8" BLOCK;
   CheckRule "$RFI >= 8" BLOCK;
   CheckRule "$TRAVERSAL >= 4" BLOCK;
   CheckRule "$EVADE >= 4" BLOCK;
   CheckRule "$XSS >= 8" BLOCK;
   #naxsi logs goes there
   error_log /.../foo.log;
   ...
  }
  error_page   500 502 503 504  /50x.html;
  #This is where the blocked requests are going
  location = /50x.html {
  return 418; #I'm a teapot \o/
  }
 }
}
Code language: PHP (php)

Next steps

The next step is learning; however, before jumping there, ensure that you have:

  • A nginx as a webserver or reverse proxy
  • Naxsi installed and running in learning mode
  • If you perform a request such as curl 'http://127.0.0.1:4242/?a=<>', you should see a NAXSI_FMT in your logs :2016/07/12 13:27:04 [error] 14492#0: *1 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/&learning=1&vers=0.55rc2&total_processed=1&total_blocked=1&block=1&cscore0=$XSS&score0=16&zone0=ARGS&id0=1302&var_name0=a&zone1=ARGS&id1=1303&var_name1=a, client: 127.0.0.1, server: localhost, request: "GET /?a=<> HTTP/1.1", host: "127.0.0.1:4242"

Learning, log-injection, ElasticSearch, Kibana

The ElasticSearch/Kibana part is optional but provides a great comfort and way to visualize “what’s going on”.

Components

Nxtool setup can be found here: (tl;dr: python setup.py install, or ./nxtool.py -c nxapi.json -x)

Kibana (v4 as of this writing) can be downloaded here:

Once those two components are setup, you should be able to inject naxsi logs into ElasticSearch with NxTool. Here is an example of what it might look like in production:

Configuration – NXTOOL

As stated in dedicated documentation, nxtool comes with a json file specifying ES location, index etc.

"elastic" : {
 "host" : "127.0.0.1:9200",
 "index" : "nxapi",
 "doctype" : "events",
 "default_ttl" : "7200",
 "max_size" : "1000",
 "version" : "2"
},
Code language: JavaScript (javascript)

Once configured and running on the same host as nginx, you can start injecting logs into ES:

nxtool.py --fifo /tmp/naxsi_pipe --no-timeout (here, nginx is being told to write logs to /tmp/naxsi_pipe which is a FIFO created by nxtool)

Configuration – Kibana

Now, you should be able to configure Kibana to setup a dashboard to visualize your naxsi data.

This step is left as an exercise for the reader, see Creating Kibana Dashboard.

GitHub Readme:https://github.com/nbs-system/naxsi/blob/master/README.md


了解 Starx's Home 的更多信息

Subscribe to get the latest posts sent to your email.

分类: NGINX安全

0 条评论

发表评论

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据