How to Install the NAXSI Nginx Security Module

NAXSI is a web application firewall for Nginx. The name stands for “Nginx Anti XSS and SQL Injection.” It is an Nginx module that inspects incoming HTTP requests and blocks the ones that look like attacks against the sites behind it. Instead of a large signature database, NAXSI ships with a small core rule set of patterns (characters and keywords typical of SQL injection, XSS, remote file inclusion, directory traversal and encoding tricks) that score each request.

NAXSI has whitelist options so that legitimate users are not blocked when their requests happen to match one of those patterns. It also has a learning mode: with it enabled, NAXSI logs the requests it would have blocked instead of blocking them, and those log entries are the raw material for whitelist rules (the helper scripts in the NAXSI repository can generate them from the log). It inspects GET and POST requests, including request bodies. It is open source and free for personal and enterprise use.

NAXSI is to Nginx roughly what ModSecurity is to Apache, and it is worth running in front of any Nginx server that carries live traffic.

Installing NAXSI

NAXSI is not loadable at run time in this Nginx generation, so you have to compile Nginx from source and add the NAXSI module at configure time. Nginx 1.6.2 was current when this was written; substitute the release you actually run, and download over HTTPS so the tarball cannot be swapped in transit:

cd /usr/local/src
wget https://nginx.org/download/nginx-1.6.2.tar.gz
tar -xpzf nginx-1.6.2.tar.gz
wget https://github.com/nbs-system/naxsi/archive/master.zip
unzip master.zip
cd nginx-1.6.2/

Now add the NAXSI module to the build. The option is --add-module pointing at the naxsi_src directory; it can go anywhere on the ./configure command line:

./configure --add-module=../naxsi-master/naxsi_src/ 

Then add the rest of your usual configure options. The ones below are what the CentOS Nginx package of the 1.6.x era was built with; take yours from the output of nginx -V on the package you are replacing, because some of these options (for example --with-http_spdy_module) no longer exist in newer Nginx releases:

./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 

Run make and make install as usual. Afterwards, confirm that the module went in: the configure arguments printed by nginx -V must include the --add-module path for naxsi_src.

make
make install

Configuring NAXSI

Copy naxsi_core.rules into your Nginx configuration directory:

cp -fv /usr/local/src/naxsi-master/naxsi_config/naxsi_core.rules /etc/nginx/

Include it in nginx.conf inside the http {} block. The core rules have to be loaded before any server or location that turns NAXSI on, so put the include at the top of the block:

     include                        /etc/nginx/naxsi_core.rules;

Example of a complete http {} block:

http {
     include      /etc/nginx/naxsi_core.rules;
     include       mime.types;
     ...
     ...
     ...
}

Inside naxsi_core.rules you will find the MainRule lines, the “score rules” that the NAXSI core evaluates. Each one has a match (a str: substring or an rx: regular expression), a msg: label, a match zone (mz:, where in the request to look: ARGS, BODY, URL, a header, or, as below, the name of an uploaded file, FILE_EXT), a score (s:, which named counter to raise and by how much) and an id that whitelists refer to. For example:

MainRule "rx:.ph|.asp|.ht" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;

Now create the per-location NAXSI configuration:

nano -w /etc/nginx/naxsi.rules

Paste this inside:

LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## Check & Blocking Rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

LearningMode puts NAXSI in learning mode. While it is enabled, NAXSI does not block anything: requests that would have been blocked are logged (as NAXSI_FMT lines in the error log) and passed through. Use it to tune the rules against real traffic before going live; the logged matches are what you build whitelists from.

SecRulesEnabled turns NAXSI on for the location that includes this file.

SecRulesDisabled (commented out here) turns NAXSI off for the location when uncommented; it is handy for excluding a path without removing the include.

DeniedUrl “/RequestDenied” is the location NAXSI internally redirects a blocked request to; that location decides what the client actually receives.

The check and blocking rules compare counters against thresholds. Every MainRule that matches adds its s: value to the named counter ($SQL, $XSS, $RFI, $TRAVERSAL, $EVADE), and each CheckRule says what to do once a counter reaches its threshold: with “$XSS >= 8” and BLOCK, a request whose $XSS counter is 8 or more is blocked. Note that the core rule 1500 shown above raises $UPLOAD, but none of these CheckRules reads $UPLOAD, so file-upload matches alone will never block unless you add a CheckRule for that counter.
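To make the scoring concrete, here is a small model of NAXSI's decision written for this article; it is not NAXSI code and is not part of the project. It parses rule text in NAXSI's own syntax (the article's CheckRules, its rule 1500, and rules 1001, 1009 and 1302 as they appeared in naxsi_core.rules of the 0.5x era; check them against your copy), scores the decoded GET arguments of a request, applies the CheckRules, and shows how a BasicRule whitelist stops a rule from scoring. Only str:/rx: matches against argument values are modelled; BODY, URL, header and FILE_EXT zones are ignored, and the whitelist syntax handled is the $ARGS_VAR form only.

```python
"""Model of NAXSI's scoring, added to this article as an illustration (not NAXSI code)."""
import re
import shlex
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed rule text in naxsi syntax: rule 1500 from the article plus
# ids 1001, 1009 and 1302 as shipped in naxsi_core.rules 0.5x (verify locally).
NAXSI_CORE_RULES = r'''
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1009;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "rx:.ph|.asp|.ht" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
'''
# The CheckRules from the article's naxsi.rules.
NAXSI_RULES = '''
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
'''

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}


def parse_rules(text):
    """Split naxsi rule text into MainRule dicts and (counter, op, threshold) CheckRules."""
    mains, checks = [], []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)           # honours the "..." quoting and the \" escape
        if tok[0] == "MainRule":
            rule = {"id": None, "zones": set(), "scores": {}, "match": None}
            for t in tok[1:]:
                if t.startswith("str:"):  # naxsi str: matches are case-insensitive substrings
                    needle = t[4:].lower()
                    rule["match"] = lambda s, n=needle: n in s.lower()
                elif t.startswith("rx:"):
                    pat = re.compile(t[3:], re.IGNORECASE)
                    rule["match"] = lambda s, p=pat: p.search(s) is not None
                elif t.startswith("mz:"):
                    rule["zones"] = set(t[3:].split("|"))
                elif t.startswith("s:"):  # s:$SQL:8,$XSS:8 raises two counters
                    for item in t[2:].split(","):
                        counter, pts = item.rsplit(":", 1)
                        rule["scores"][counter] = int(pts)
                elif t.startswith("id:"):
                    rule["id"] = int(t[3:])
            mains.append(rule)
        elif tok[0] == "CheckRule":      # e.g. CheckRule "$XSS >= 8" BLOCK
            counter, op, threshold = tok[1].split()
            checks.append((counter, op, int(threshold)))
    return mains, checks


def parse_whitelist(text):
    """Read BasicRule wl:<id> "mz:$ARGS_VAR:<name>" lines into a set of (id, name) pairs."""
    wl = set()
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        if not line.startswith("BasicRule"):
            continue
        tok = shlex.split(line)
        ids = [int(i) for i in tok[1][len("wl:"):].split(",")]
        var = None                        # None means: the whole ARGS zone
        for t in tok[2:]:
            if t.startswith("mz:$ARGS_VAR:"):
                var = t[len("mz:$ARGS_VAR:"):]
        wl.update((i, var) for i in ids)
    return wl


def evaluate(query, learning=False, whitelist=frozenset()):
    """Score the GET arguments of one request the way naxsi would, then apply the CheckRules."""
    mains, checks = parse_rules(NAXSI_CORE_RULES + NAXSI_RULES)
    scores = defaultdict(int)
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # decodes %3C to "<"
        for rule in mains:
            if "ARGS" not in rule["zones"]:
                continue                  # FILE_EXT / BODY-only rules are out of scope here
            if (rule["id"], None) in whitelist or (rule["id"], name) in whitelist:
                continue                  # whitelisted: the rule never scores
            if rule["match"](value):
                hits.append((rule["id"], name))
                for counter, pts in rule["scores"].items():
                    scores[counter] += pts
    block = any(OPS[op](scores.get(c, 0), thr) for c, op, thr in checks)
    return {"scores": dict(scores), "hits": hits, "block": block,
            # LearningMode: the verdict is logged but the request is still passed
            "enforced": block and not learning}


if __name__ == "__main__":
    print(evaluate("a=%3C"))
    print(evaluate("a=%3C", whitelist=parse_whitelist('BasicRule wl:1302 "mz:$ARGS_VAR:a";')))
```

Running it shows the article's test request ?a=%3C raising $XSS to 8 through rule 1302 and meeting the $XSS >= 8 check, while the same request with LearningMode set is reported but not enforced, and a whitelist for rule 1302 on argument a lets it through without touching other argument names.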

Testing NAXSI

Include naxsi.rules inside your reverse proxy configuration, in each location you want inspected, and define the /RequestDenied location that produces the response blocked clients get. Basic test configuration:

server {
     proxy_set_header  Proxy-Connection "";
     listen            *:80;
     access_log        /var/log/nginx/naxsi_access.log;
     # NAXSI_FMT match lines are written at "error" level; "debug" only adds
     # output if Nginx was built with --with-debug, which the configure above was not.
     error_log         /var/log/nginx/naxsi_error.log debug;

     location / {
          include           /etc/nginx/naxsi.rules;
          proxy_pass        http://x.x.x.x/;
          proxy_set_header  Host www.yoursite.com;
     }
     location /RequestDenied {
          internal;        # reachable only through NAXSI's internal redirect, not from clients
          return 406;
     }
}

Replace “http://x.x.x.x/” with the real address of the backend you are proxying. To try it out, send a few malicious requests to the Nginx server. Every match is written to /var/log/nginx/naxsi_error.log as a NAXSI_FMT line that names the rule id, the zone and the variable that matched, so you can see exactly which rule fired on which parameter. Once you understand what is being flagged, turn the false positives into whitelists and then remove LearningMode to start enforcing.

One request that should trigger a block (comment out LearningMode first; %3C is an encoded “<”, which the core XSS rule scores at $XSS:8, enough to meet the “$XSS >= 8” check and return the 406 from /RequestDenied):

http://127.0.0.1/?a=%3C
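The whitelisting step above is the one people skip; the following script, added for this article and not taken from the NAXSI project, shows what it looks like in practice. It reads NAXSI_FMT lines from the learning-mode error log, counts which rule id fired on which zone and variable, and prints BasicRule whitelist candidates only for matches seen often enough and from enough distinct clients. The log lines are constructed to look like naxsi 0.5x output (the parameter names ip, uri, zoneN, idN, var_nameN are the real ones); the thresholds and the decision to whitelist by variable rather than by whole zone are this example's own choices, so read every generated line before adding it to naxsi.rules.

```python
"""Learning-mode NAXSI_FMT log lines -> candidate BasicRule whitelists (added example)."""
import re
from urllib.parse import parse_qs

# Constructed sample of /var/log/nginx/naxsi_error.log in LearningMode: three
# searches whose quoted query tripped rule 1001 (double quote) on argument "q",
# and one probe with an encoded "<" that tripped rule 1302 on argument "a".
LOG = """\
2014/12/01 10:00:00 [error] 1234#0: *1 NAXSI_FMT: ip=10.0.0.5&server=www.yoursite.com&uri=/search&learning=1&vers=0.53&total_processed=12&total_blocked=3&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 10.0.0.5, server: , request: "GET /search?q=%22shoes%22 HTTP/1.1", host: "www.yoursite.com"
2014/12/01 10:00:05 [error] 1234#0: *2 NAXSI_FMT: ip=10.0.0.6&server=www.yoursite.com&uri=/search&learning=1&vers=0.53&total_processed=13&total_blocked=4&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 10.0.0.6, server: , request: "GET /search?q=%22red+hat%22 HTTP/1.1", host: "www.yoursite.com"
2014/12/01 10:00:09 [error] 1234#0: *3 NAXSI_FMT: ip=10.0.0.7&server=www.yoursite.com&uri=/search&learning=1&vers=0.53&total_processed=14&total_blocked=5&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 10.0.0.7, server: , request: "GET /search?q=%22lamp%22 HTTP/1.1", host: "www.yoursite.com"
2014/12/01 10:01:00 [error] 1234#0: *4 NAXSI_FMT: ip=198.51.100.9&server=www.yoursite.com&uri=/&learning=1&vers=0.53&total_processed=15&total_blocked=6&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=a, client: 198.51.100.9, server: , request: "GET /?a=%3C HTTP/1.1", host: "www.yoursite.com"
"""

# The key=value payload sits between "NAXSI_FMT: " and nginx's ", client: " suffix.
NAXSI_FMT_RE = re.compile(r"NAXSI_FMT: (?P<kv>.+?)(?:, client: |$)")


def parse_naxsi_line(line):
    """Return [(rule_id, zone, var_name, uri, ip), ...] for one error_log line.

    One entry carries the counters (cscoreN/scoreN) plus one zoneN/idN/var_nameN
    triple per MainRule that matched; lines without NAXSI_FMT yield nothing.
    """
    m = NAXSI_FMT_RE.search(line)
    if not m:
        return []
    kv = {k: v[0] for k, v in parse_qs(m.group("kv"), keep_blank_values=True).items()}
    events, n = [], 0
    while f"id{n}" in kv:
        events.append((int(kv[f"id{n}"]), kv.get(f"zone{n}", ""),
                       kv.get(f"var_name{n}", ""), kv.get("uri", ""), kv.get("ip", "")))
        n += 1
    return events


def whitelist_rule(rule_id, zone, var, uri):
    """Render a BasicRule whitelist for one match, in naxsi's mz: syntax.

    $ARGS_VAR:x / $BODY_VAR:x / $HEADERS_VAR:x name one variable in that zone;
    $URL:/path|URL whitelists a match against the URL itself.  Anything else
    (a name-less match in a zone) is left for a human, since whitelisting a
    whole zone is usually too broad.
    """
    if zone in ("ARGS", "BODY", "HEADERS") and var:
        return f'BasicRule wl:{rule_id} "mz:${zone}_VAR:{var}";'
    if zone == "URL":
        return f'BasicRule wl:{rule_id} "mz:$URL:{uri}|URL";'
    return None


def candidate_whitelists(log_text, min_hits=3, min_ips=2):
    """Aggregate matches and return (rules, stats).

    A (rule, zone, variable, uri) combination becomes a whitelist candidate only
    when it was hit at least min_hits times by at least min_ips distinct clients;
    a single scanner hammering one parameter must not earn a whitelist.
    """
    stats = {}
    for line in log_text.splitlines():
        for rule_id, zone, var, uri, ip in parse_naxsi_line(line):
            entry = stats.setdefault((rule_id, zone, var, uri), {"hits": 0, "ips": set()})
            entry["hits"] += 1
            entry["ips"].add(ip)
    rules = []
    for key in sorted(stats):
        entry = stats[key]
        if entry["hits"] >= min_hits and len(entry["ips"]) >= min_ips:
            rule = whitelist_rule(*key)
            if rule:
                rules.append(rule)
    return rules, stats


if __name__ == "__main__":
    rules, stats = candidate_whitelists(LOG)
    for key, entry in sorted(stats.items()):
        print(key, entry["hits"], "hits from", len(entry["ips"]), "clients")
    print("\n".join(rules))
```

On the sample, rule 1001 (double quote) on the search parameter is whitelisted because real users from three addresses hit it, while the lone ?a=%3C probe stays blocked. The generated line whitelists rule 1001 for argument q on every path; if you want it tighter, naxsi's mz: syntax also lets you pin a whitelist to one URL, which is the form the repository's helper scripts tend to produce.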

If you need more information, visit the NAXSI repository on GitHub, where the rule syntax, whitelist format and helper scripts are documented.

Conclusion

As you can see, NAXSI is a very powerful tool if you run Nginx and need to protect your websites against common HTTP attacks such as SQL injection and XSS. If you followed this tutorial, you have NAXSI compiled in and running in learning mode; the protection starts once you have turned the learning log into whitelists and removed LearningMode.

What do you think about NAXSI? Have you tried it? Do you know any other Nginx Security Modules alternatives?

Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking