0x01 naxsi is an open source WAF. Unlike ModSecurity it is built as an nginx module, so it fits nginx very naturally, and it does not depend on a large signature database: its core rule set is a short list of suspicious characters and keywords, each match adds to a per-request score, and the request is blocked only when a score crosses a CheckRule threshold. We all know that interception based purely on a signature database needs frequent updates, is easy to bypass, and leaves the defender in a passive position. naxsi is simple to install and customise, uses relatively few system resources, suits real business traffic well (whitelists are easy to set up), and has a learning mode. In my tests, however, it only seemed to intercept GET and POST data for the time being, which is a small pity.
0x02 The demonstration again uses the LNMP environment compiled earlier (see the related articles on this blog for how to compile and configure it). First back up the existing nginx configuration files; they are reused directly later.
php5.5.38 + mysql-5.5.32 + nginx-1.12.1 + centOS6.8_x64
# netstat -tulnp | grep "80"
# pkill nginx
# cp /usr/local/nginx/conf/nginx.conf ./
# cp /usr/local/nginx/conf/extra/bwapp.conf ./
# rm -rf /usr/local/nginx*
0x03 Download naxsi and recompile nginx, the main point being to build the naxsi module in with --add-module. nginx is the current stable release at the time of writing (1.12.1); it is installed under a versioned prefix and /usr/local/nginx becomes a symlink to it.
# git clone https://github.com/nbs-system/naxsi.git
# wget http://nginx.org/download/nginx-1.12.1.tar.gz
# yum install pcre pcre-devel openssl openssl-devel -y
# useradd -s /sbin/nologin -M nginx
# tar xf nginx-1.12.1.tar.gz
# cd nginx-1.12.1
# ./configure --prefix=/usr/local/nginx-1.12.1 --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --with-file-aio --with-http_dav_module --add-module=../naxsi/naxsi_src/
# make && make install
# ln -s /usr/local/nginx-1.12.1/ /usr/local/nginx
# cd /usr/local/nginx/conf/
# mv nginx.conf nginx.conf.bak && egrep -v "^$|#" nginx.conf.bak >> nginx.conf
0x04 Include the naxsi core rule file in the main nginx configuration. Note that the include must go inside the http block (not in a server or location block); nginx -t will reject it elsewhere.
# cp /root/naxsi/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/
# vi /usr/local/nginx/conf/nginx.conf
http {
...
include /usr/local/nginx/conf/naxsi_core.rules;
...
}
First, let's have a brief look at the heart of naxsi, the core rules file. I'll go through it in detail when there is time; for now just get familiar with it. An experienced reader will see at a glance what it does: each MainRule carries a string or regex to match, the match zones (mz) it applies to, the score it adds to a counter such as $SQL or $XSS, and an id that whitelists refer to.
# vi /usr/local/nginx/conf/naxsi_core.rules
0x05 Include a sub rule file in the specific server. This is purely for convenience: the per-site rules are kept in one file, so when you have many servers each only needs a single include. DeniedUrl names the location nginx redirects blocked requests to, so that location must exist in the server block (it is not shown in the server config below); the error_log directive writes every blocked request to its own log.
# vi /usr/local/nginx/conf/naxsi.rules
SecRulesEnabled;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
error_log /var/log/naxsi_attach.log;
# mkdir /usr/local/nginx/conf/extra
# cp bwapp.conf /usr/local/nginx/conf/extra
# vi -o nginx.conf /usr/local/nginx/conf/nginx.conf
# vi /usr/local/nginx/conf/extra/bwapp.conf
server {
...
location ~ .*\.(php|php5)?$ {
include /usr/local/nginx/conf/naxsi.rules;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi.conf;
}
...
}
# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx
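Putting 0x04 and 0x05 together, here is the per-site rule file and the server block as one complete, working pair. This is an added example, not the post's own configuration: the listen port, server_name, root, index and the commented whitelist line are assumptions. The piece the post does not show is the location for DeniedUrl; naxsi performs an internal redirect to that URI for every blocked request, so without it the block turns into a 404 from nginx rather than a deliberate response.

```nginx
# /usr/local/nginx/conf/naxsi.rules  (included per location, as in 0x05)
SecRulesEnabled;
#LearningMode;                  # uncomment while tuning: matches are logged, requests still served
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
error_log /var/log/naxsi_attach.log;
# Example whitelist (assumed parameter name): silence core rule 1015 for the
# "comment" POST field on /htmli_post.php only, nowhere else.
#BasicRule wl:1015 "mz:$URL:/htmli_post.php|$BODY_VAR:comment";

# /usr/local/nginx/conf/extra/bwapp.conf
server {
    listen       80;                            # assumed
    server_name  bwapp.local;                   # assumed
    root         /usr/local/nginx/html/bwapp;   # assumed
    index        index.php index.html;

    location ~ .*\.(php|php5)?$ {
        include /usr/local/nginx/conf/naxsi.rules;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    # Target of DeniedUrl. naxsi does an internal redirect here for blocked
    # requests, so this location must exist. "internal" keeps clients from
    # requesting it directly; 418 is the status naxsi's own examples return,
    # and it makes blocked requests easy to spot in the access log.
    location /RequestDenied {
        internal;
        return 418;
    }
}
```

Run /usr/local/nginx/sbin/nginx -t after editing; a missing DeniedUrl location does not fail the syntax check, so test with a deliberately malicious request and confirm you get the 418 rather than a 404.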
0x06 Observe the actual interception effect. With the rules active, each of the following test requests against bWAPP should land on the DeniedUrl response instead of the page, and each produces a NAXSI_FMT line in the error log:
Intercept PHP code execution
Intercept SQL injection
Intercept XSS
Intercept command execution
Intercept file inclusion
Intercept directory traversal / file disclosure
0x07 Observe the attack request log (the error_log set in naxsi.rules). Every request that crosses a threshold is written there as a single NAXSI_FMT line carrying the client IP, URI, and for each rule that fired its zone, rule id and variable name; those three fields are exactly what a whitelist is written against.
0x08 Set whitelists according to the actual business parameters; the method will be covered later.
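As an added example for 0x07 and 0x08 (not a tool from the post or from the naxsi project), the script below parses NAXSI_FMT lines, counts blocked requests per client IP, and turns each (URI, zone, rule id, variable) combination into a candidate BasicRule whitelist scoped to that URL. The log lines, IPs, host name, URIs and rule ids in SAMPLE_LOG are constructed for the example; the field layout follows the NAXSI_FMT format naxsi writes to error_log.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of what naxsi writes to error_log; timestamps, IPs,
# host name, URIs and rule ids are made up for this example. The field layout
# (ip=..&uri=..&zone0=..&id0=..&var_name0=..) mirrors NAXSI_FMT.
SAMPLE_LOG = """\
2017/09/01 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=192.0.2.10&server=bwapp.local&uri=/sqli_1.php&learning=0&vers=0.55.3&total_processed=12&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=title, client: 192.0.2.10, server: bwapp.local, request: "GET /sqli_1.php?title=1%27 HTTP/1.1", host: "bwapp.local"
2017/09/01 10:00:05 [error] 1234#0: *2 NAXSI_FMT: ip=192.0.2.20&server=bwapp.local&uri=/htmli_post.php&learning=0&vers=0.55.3&total_processed=13&total_blocked=4&block=1&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=BODY&id0=1015&var_name0=comment&zone1=BODY&id1=1310&var_name1=comment, client: 192.0.2.20, server: bwapp.local, request: "POST /htmli_post.php HTTP/1.1", host: "bwapp.local"
2017/09/01 10:00:09 [error] 1234#0: *3 NAXSI_FMT: ip=192.0.2.20&server=bwapp.local&uri=/htmli_post.php&learning=0&vers=0.55.3&total_processed=14&total_blocked=5&block=1&cscore0=$SQL&score0=4&zone0=BODY&id0=1015&var_name0=comment, client: 192.0.2.20, server: bwapp.local, request: "POST /htmli_post.php HTTP/1.1", host: "bwapp.local"
2017/09/01 10:00:12 [error] 1234#0: *4 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory)
"""

NAXSI_FMT_RE = re.compile(r"NAXSI_FMT: (?P<payload>[^\s,]+)")
MATCH_KEY_RE = re.compile(r"^(zone|id|var_name)(\d+)$")
# zone name as logged -> match-zone variable used in a BasicRule whitelist
ZONE_TO_MZ = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR", "HEADERS": "$HEADERS_VAR"}


def parse_naxsi_line(line: str) -> Optional[dict]:
    """Parse one error_log line; return None for lines naxsi did not write."""
    m = NAXSI_FMT_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("payload").split("&") if "=" in kv)
    # zoneN / idN / var_nameN describe the N-th rule that matched in this request
    by_index: Dict[int, dict] = {}
    for key, value in fields.items():
        km = MATCH_KEY_RE.match(key)
        if km:
            by_index.setdefault(int(km.group(2)), {})[km.group(1)] = value
    return {
        "ip": fields.get("ip"),
        "uri": fields.get("uri"),
        "learning": fields.get("learning") == "1",  # LearningMode: logged, but served
        "block": fields.get("block") == "1",        # a CheckRule threshold was exceeded
        "matches": [by_index[i] for i in sorted(by_index)],
    }


def blocked_by_ip(log_text: str) -> Dict[str, int]:
    """Count requests per client IP that exceeded a CheckRule threshold."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        event = parse_naxsi_line(line)
        if event and event["block"]:
            counts[event["ip"]] += 1
    return dict(counts)


def whitelist_candidates(log_text: str, min_hits: int = 1) -> List[str]:
    """Aggregate (uri, zone, id, variable) matches and emit one BasicRule per group.

    Each candidate is scoped to the URL it was seen on, so it silences that rule
    only for that parameter on that page. Review every line before using it: the
    first sample line is a genuine injection attempt and must NOT be whitelisted;
    only legitimate business traffic that trips a rule should be.
    """
    hits: Counter = Counter()
    for line in log_text.splitlines():
        event = parse_naxsi_line(line)
        if event is None:
            continue
        for match in event["matches"]:
            hits[(event["uri"], match.get("zone", ""), match.get("id", ""),
                  match.get("var_name", ""))] += 1
    rules = []
    for (uri, zone, rule_id, var_name), count in sorted(hits.items()):
        if count < min_hits:
            continue
        base, _, name_flag = zone.partition("|")  # "ARGS|NAME": matched in the parameter name
        if base in ZONE_TO_MZ and var_name:
            mz = f"$URL:{uri}|{ZONE_TO_MZ[base]}:{var_name}"
        else:
            mz = f"$URL:{uri}|{base}"              # URL / FILE_EXT zones carry no variable name
        if name_flag:
            mz += "|NAME"
        rules.append(f'BasicRule wl:{rule_id} "mz:{mz}";  # seen {count} time(s)')
    return rules


if __name__ == "__main__":
    print(blocked_by_ip(SAMPLE_LOG))
    for rule in whitelist_candidates(SAMPLE_LOG, min_hits=1):
        print(rule)
```

Feed it the real naxsi_attach.log instead of SAMPLE_LOG, raise min_hits so one-off probes do not produce candidates, and paste only the reviewed BasicRule lines into naxsi.rules before the CheckRule directives.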
Summary: this is of course not all there is to naxsi; there is plenty more to dig into. To be continued.