Methods to secure Nginx with Naxsi on Ubuntu 16.04 :

Barry

One of the most famous open source HTTP server and reverse proxy known for its consistency, simple configuration, and frugal resource requirements. You can greatly boost up the security of your Nginx server with the help of module like NAXI. Nginx Anti XSS & SQL Injection or NAXSI is a third party , free module that offers web application firewall features . What actually NAXI does is it filters , creates security ,and analyses the traffic that comes to your web application and reacts like a Drop-by Default firewall , which means that it creates a blockage for all the traffic coming its way until and unless it gets an instruction of specially allowing access to them.

What mainly differentiates NAXSI from web application firewalls (WAF) with same features like MOD Security , is its way to give its user access which is the simplest and is also a key feature of NAXSI. Mod Security comes with a rich component set and it is more difficult than NAXSI. And thereafter NAXSI becomes a more adaptable and easiest choice and it also runs well with the popular Web Applications such as WordPress.

JOIN OUR NEWSLETTER
Not Every One Focuses On Your Requirements! Get What You Want- Revenue & Ranking Both. Make Money While Stepping Up The Ladder Of SERPs.
We hate spam. Your email address will not be sold or shared with anyone else.

By reading this blog you will get to know how to use NAXSI to secure Nginx on your Ubuntu 16.04 server. The NAXSI does not come with the package of Nginx by default, so you will need to mix up Nginx from source with NAXSI.

The Essentials:

You will need one Ubuntu 16.04 server set up by following the Ubuntu 16.04 initial server set up guide, including a sudo non-root user and a firewall.

So the very first step will be installing NGINX and NAXSI because most of the Nginx modules are obtainable through repositories and NAXSI is not at all any exception. You need to first download Nginx using the following command $ wget http://nginx.org/download/nginx-1.14.0.tar.gz. The next step is that you need to undergo is download Naxsi from the stable 0.56 release on Github $ wget https://github.com/nbs-system/naxsi/archive/0.56.tar.gz -O naxsi . One thing that might fall into your eyes is that the Nignx repository is a’tar’ archive. So firstly you need to take it out so that you can mix and install it which you can access with the ‘tar’ command $ tar -xvf nginx-1.14.0.tar.gz . In this command -x specifies the extract utility and -v makes the utility run in garrulous mode and -f signifies the name of the archive file to take out.

Now as you have taken out the nginx files , you can definitely move on to the extract the NAXSI files using this very command $ tar -xvf naxsi . Now, when you have the folders naxsi-0.56 and nginx-1.14.0 in your home directory using these files you just downloaded and extracted you can systemize the Nginx server with NAXSI and move it into your nginx-1.14.0 directory by using following command “cd nginx-1.14.0”. In order to systemize Nginx from source, you will need the C compiler ggc , the Perl Compatible Regular Expression library libpcre3-dev, and libssl-dev, which deploys the SSL and TLD cryptographic protocols. These reliance can be added with the apt-get command. First you need to run the following commands to make sure you have an updated list of packages $ sudo apt-get update and then install the dependencies by writing following command $ sudo apt-get install build-essential libpcre3-dev libssl-dev. After this you will have all the all your dependencies, and after this you can compile or systemize Nginx from source. Now in order to prepare Nginx to be systemized from source into your system execute the following script, which will create the make file that shows where to find all necessary dependencies.

$ ./configure \
$ --conf-path=/etc/nginx/nginx.conf \
$ --add-module=../naxsi-0.56/naxsi_src/ \
$ --error-log-path=/var/log/nginx/error.log \
$ --http-client-body-temp-path=/var/lib/nginx/body \
$ --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
$ --http-log-path=/var/log/nginx/access.log \
$ --http-proxy-temp-path=/var/lib/nginx/proxy \
$ --lock-path=/var/lock/nginx.lock \
$ --pid-path=/var/run/nginx.pid \
$ --user=www-data \
$ --group=www-data \
$ --with-http_ssl_module \
$ --without-mail_pop3_module \
$ --without-mail_smtp_module \
$ --without-mail_imap_module \
$ --without-http_uwsgi_module \
$ --without-http_scgi_module \
$ --prefix=/us

Each of the lines from the above command describes a parameter from the Nginx Web server among which the most important are the –add-module=../naxsi-0.56/naxsi_src/ parameter , which connects the NAXSI module with Nginx , and the –user=www-data and –group=www-data parameters , which helps the NAXSI to run with the user and group and group privilages of a dedicated user called www-data which will come with your Ubuntu 16.04 server . The “–with-http_ssl_module” parameter enables the Ngnix server to use the SSL cryptography, and without-mail_pop3_module , –without -mail_smtp_module, and –without-mail_imap_module parameters turn off the unnecessary mail protocols that would otherwise be automatically included.  After you use ./configure command, you need to run the make command to enact a series of tasks denied in the make file that you have just created to construct the program from the source code.

Now when the Nginx is absolutely stable and ready to be accessible, you need to use the “ make install” command as a super user which will help you to copy the constructed programs and its libraries in order to correct the location of your server ($ sudo make install). After this is successful you will have a systemized version of Nginx with the NAXSI module. Now you need to stabilize a certain set of rules, upon which NAXSI will act upon by creating a series of configure files , if you want NAXSI to act as a blockage for the unwanted traffic.

Now the next very step you need to follow is Configuring NAXSI which is the most important part of a firewall’s functionality. The CORE RULES are the basic set of rules that comes with NAXSI . These rules are mainly used to search for patterns I parts of a request and filter out hose that may stand as attacks. NAXSI core rules are applied universally to the server for signature matching . In order to configure Nginx to use these core rules to need to copy the following command (naxsi_core.rules)to the Nginx configuration directory ($ sudo cp ~/naxsi-0.56/naxsi_config/naxsi_core.rules /etc/nginx/).

After adding the core rules you now need to add the basic NAXSI rules , which will enable and deploy the core rules on a per location basis and will assign actions for the server to take an URL request do not agree with the core rules. N ow you will have to create a file named “naxsi.rules” inside the “ /etc/nginx/” directory , for which you need to put the following command to open the file in the text editor known as “Nano” , also you can use any text editor of your choice ($ sudo nano /etc/nginx/naxsi.rules).
After that add the following set of rules , which defines some basic firewall rules:

SecRulesEnabled;
DeniedUrl "/error.html";
## Check for all the rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

This above mentioned set of codes defines DeniedUrl which is the URL, which NAXSI will redirect to when a request is blocked , also the file enables a checklist of different kinds of attacks , which shall be blocked by NAXSI including the SQL injection , cross site scripting (XSS) and also remote file inclusion (RFI) .

Now after you have added the given code to the file, you need to save and exit the editor. Now as you have redirected the blocked request to /error.html you can now create an error.html file inside “/user/html” directory to give this destination a landing page. Open up the file in your text editor: $ sudo nano /usr/html/error.html, and then add this following HTML code to the file to create a web page , which helps the user know that their request got blocked and then save the file and exit the editor :\

<html>
<head>
<title>Blocked By NAXSI</title>
</head>
<body>
<div style="text-align: center">
<h1>Malicious Request</h1>
<hr>
<p>This Request Has Been Blocked By NAXSI.</p>
</div>
</body>
</html>

Now coming to the next step that is you need to open up the Nginx configuration file /etc/nginx/nginx.conf,in your text editor ($ sudo nano /etc/nginx/nginx.conf).

To add the NAXSI configuration files to NAXSI’s configuration , insert the following codes into the http section of the nginx.conf file , in order4 to let the Web server know how to use NAXSI .

. . .
http {
include mime.types;
include /etc/nginx/naxsi_core.rules;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
default_type application/octet-stream;
. . .

Then you need to add the following codes in the server section of the same file :

. . .
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
include /etc/nginx/naxsi.rules;
root html;
index index.html index.htm;
}
. . .

Now after the successful configuration of Nginx with the core and basic rules for NAXSI, the firewall will block the malicious requests when you start the web server. Now you can write a startup script to assure that the Nginx starts up when you reboot the server.

The next very step is the creation of the startup script for Nginx, because you have installed the Nginx manually you need to create a startup script to ensure that the web server auto starts if the system reloads.

In this blog you will see how to Systemd software suite is used to make the script , for which you need to create a unit file to configure how Systemd should start and how it should manage the Nginx service . You need to create a file named “nginx.service” and will have to open it up in your text editor:

“sudo nano /lib/systemd/system/nginx.service” . Now you neeed to add the following lines into the file:
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target

The “Unit” section defines the program which you configure , “Service”  defines how Nginx should behave on startup and “Install” provides  information about unit installation . After you add these lines to the nginx.serevice  file , systemd will know how to start Nginx . The very next step is that you need to create a directory that Nginx can use to store this data, because nginx needs a folder to temporarily store incoming request data before processing it in the event that your server doesn’t have enough memory. You will have to make a directory called “body” inside “/var/lib/nginx”:(sudo mkdir -p /var/lib/nginx/body).You will now be able to start up the Nginx server by using the following command : “sudo systemctl status nginx” . After giving the command you will see the following output in your terminal, showing that your server has started successfully:

nginx.service - The NGINX HTTP and reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2018-11-05 13:59:40 UTC; 1s ago
Process: 16199 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 16194 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Main PID: 16201 (nginx)
Tasks: 2
Memory: 1.3M
CPU: 17ms
CGroup: /system.slice/nginx.service
├─16201 nginx: master process /usr/sbin/ngin
└─16202 nginx: worker proces
. . .

After this you will be having a secured Nginx server secured by NAXSI . The next step is to access a simulated XSS and SQL injection attack to ensure that NAXSI is protecting your server effectively.

The last and the fourth step is the testing of NAXSI . You will have to try and hit the server with malicious Http requests and scrutinize the responses , in order to test whether the Nginx is up and running with the Naxsi module which is enabled .First you will have to copy the Public IP of your server and will have to use the curl command for creating malicious request in the Nginx server : “curl ‘http://your_server_ip/?q=”><script>alert(0)</script>’”. This particular URL includes the XXS script “><script>alert(0)</script>” in the “q” parameter and will be rejected by the server. As per the Naxsirules that has been setup by you previously, will be redirected to the error.html file and will be receiving the following response :

Output
<html>
<head>
<title>Blocked By NAXSI</title>
</head>
<body>
<div style="text-align: center">
<h1>Malicious Request</h1>
<hr>
<p>This Request Has Been Blocked By NAXSI.</p>
</div>
</body>
</html>

Thus the Naxsi firewall have had blocked the request . After this you will have to verify the same with the use of the Nginx log by tailing the Nginx server log using the following command:

“tail -f /var/log/nginx/error.log”. In the log , you will get to see the XSS request from the Remote IP address which will be blocked by NAXSI:

Output
2018/11/07 17:05:05 [error] 21356#0: *1 NAXSI_FMT: ip=your_server_ip&server=your_server_ip&uri=/&learning=0&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: your_server_ip, server: localhost, request: "GET /?q="><script>alert(0)</script> HTTP/1.1", host: "your_server_ip"

The very next step you need to follow is you will have to press CTRL-C to exit tail and stop the output of the error log file. Then you will have to try another URL request, however this time you need to try it with a malicious SQL injection query : ““curl ‘http://your_server_ip/?q=1″ or “1”=”1″‘”

The “or” “1”=”1″ part of the preceding URL can expose a user’s data in a database, and will be blocked by NAXSI. It should produce the same response in the terminal:

Output
<html>
<head>
<title>Blocked By NAXSI</title>
</head>
<body>
<div style="text-align: center">
<h1>Malicious Request</h1>
<hr>
<p>This Request Has Been Blocked By NAXSI.</p>
</div>
</body>
</html>

In order to use the server log again use “tail” : tail -f /var/log/nginx/error.log. In the log file you can see the blocked entry for the SQL injection attempt :

Output
2018/11/07 17:08:01 [error] 21356#0: *2 NAXSI_FMT: ip=your_server_ip&server=your_server_ip&uri=/&learning=0&vers=0.56&total_processed=2&total_blocked=2&block=1&cscore0=$SQL&score0=40&cscore1=$XSS&score1=40&zone0=ARGS&id0=1001&var_name0=q, client: your_server_ip, server: localhost, request: "GET /?q=1" or "1"="1" HTTP/1.1", host: "your_server_ip"

Now you will have to press CTRL-C to exit the log. And thus Naxsi has had successfully blocked an XXS and SQL injection attack, which verifies that NAXSI has been configured perfectly and also your Nginx server is secure.

Therefore you now have an base understanding of using NAXSI which will protect your web server from malicious attacks.

Header Image Source: https://bit.ly/2Biicij

mm

Barry Davis is a Technology Evangelist who is joined to Webskitters for more than 5 years. A specialist in Website design, development & planning online business strategy. He is passionate about implementing new web technologies that makes websites perform better.

Facebooktwittergoogle_pluspinterestlinkedin

Interested in working with us?

We'd love to hear from you
Webskitters LLC
7950 NW 53rd St #337 Miami, Florida 33166
Phone: 732.218.7686