Open Source Firewall for Ubuntu 18.04 and NGINX – NAXSI

Today we will install NAXSI, an open source web application firewall for Ubuntu 18.04, and take a look at compiling NAXSI into NGINX as a module.

Install the Pre-reqs

apt -y install libpcre3-dev libssl-dev unzip build-essential daemon libxml2-dev libxslt1-dev libgd-dev libgeoip-dev

Download and extract NGINX and NAXSI

In order to get our open source firewall for Ubuntu 18.04 operational, we will need to download NGINX and NAXSI. In this guide we use the versions that were current at the time of writing. They will likely not be the current versions when you follow this guide, so change the version numbers accordingly. Both NGINX and NAXSI make their downloads easy to find, and their download URLs follow a predictable naming convention based on the version number.

We are creating a directory called /home/nginx-waf/ and extracting our files there.

mkdir /home/nginx-waf/
wget https://nginx.org/download/nginx-1.17.0.tar.gz -O /home/nginx-waf/nginx.tar.gz
tar xzf /home/nginx-waf/nginx.tar.gz -C /home/nginx-waf

wget https://github.com/nbs-system/naxsi/archive/master.zip -O /home/nginx-waf/waf.zip
unzip /home/nginx-waf/waf.zip -d /home/nginx-waf/

Create a compiling script

Now we will create a simple bash script to run the compile process for us.

cat > /home/nginx-waf/nginx-1.17.0/install.sh <<\EOF
cd /home/nginx-waf/nginx-1.17.0/
./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --user=www-data --group=www-data --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --prefix=/usr
make
make install
EOF

Run the Compile bash script

Now let's compile the open source firewall for Ubuntu 18.04.

sh /home/nginx-waf/nginx-1.17.0/install.sh

Create Dynamic data libraries

mkdir -p /var/lib/nginx/{body,fastcgi}

Copy rule file from NAXSI master config

cp /home/nginx-waf/naxsi-master/naxsi_config/naxsi_core.rules /etc/nginx/

Create a NAXSI rule file for NGINX to process on start

cat > /etc/nginx/naxsi.rules <<\EOF
SecRulesEnabled;
DeniedUrl "/RequestDenied";
## Check Naxsi rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
EOF

Add the following lines to NGINX config

Add or uncomment these lines in your nginx.conf file so that NGINX processes the NAXSI rules at start. The include of naxsi_core.rules belongs in the http block; the include of naxsi.rules belongs inside the location block of the site you want protected.

vi /etc/nginx/nginx.conf
include /etc/nginx/naxsi_core.rules;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include /etc/nginx/naxsi.rules;
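The nginx.conf lines above do not show a complete site, and the DeniedUrl "/RequestDenied" set in naxsi.rules needs a matching location or NGINX has nowhere to send blocked requests. The following shell function, added here as an example and not part of the original post, writes a minimal vhost that puts the naxsi.rules include inside a location block and defines the /RequestDenied target as an internal location returning 403. The output path, server_name and document root are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): write a minimal vhost showing
# where the per-site NAXSI include belongs. The http-level include of
# naxsi_core.rules stays in nginx.conf as shown above.

write_naxsi_site() {
    out="$1"   # assumed path, e.g. /etc/nginx/sites-enabled/default
    cat > "$out" <<\EOF
server {
    listen 80;
    server_name localhost;          # assumption for this example
    root /var/www/html;             # assumption for this example

    location / {
        # SecRulesEnabled, CheckRule thresholds and DeniedUrl from naxsi.rules
        include /etc/nginx/naxsi.rules;
        try_files $uri $uri/ =404;
    }

    # Target of DeniedUrl "/RequestDenied". "internal" means it can only be
    # reached through NAXSI's internal redirect, never by a direct request.
    location /RequestDenied {
        internal;
        return 403;
    }
}
EOF
}

# Self-check: succeeds only if the written file has both the per-site include
# and the denied-request target.
check_naxsi_site() {
    grep -q 'include /etc/nginx/naxsi.rules;' "$1" \
      && grep -q '/RequestDenied' "$1"
}
```

After writing the file, run `nginx -t` before reloading; the test mode also confirms that naxsi.rules and naxsi_core.rules are readable from the paths used in nginx.conf.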

Edit NGINX service to run NAXSI at start

cat > /lib/systemd/system/nginx.service <<\EOF
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF

Reload daemon and configure NGINX to start

systemctl daemon-reload
systemctl enable nginx
systemctl start nginx

Additional information

As cited on kifarunix.com, you may run into an additional issue (I did). If you see nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument then you need to do this:

mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload

Testing

Send a test attack request to your server. You should notice in the NGINX error log that your attack is being blocked.

curl 'http://192.168.121.67/?q="><script>alert(1)</script>'

Now view the logs and verify you were blocked

tail -f /var/log/nginx/error.log

Notice that my attack was blocked.

2019/06/21 21:28:09 [error] 15431#0: *3 NAXSI_FMT: ip=192.168.121.67&server=192.168.121.67&uri=/&vers=0.56&total_processed=3&total_blocked=3&config=block&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.121.67, server: localhost, request: "GET /?q="><script>alert(0)</script> HTTP/1.1", host: "192.168.121.67"
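Reading NAXSI_FMT lines by eye gets old quickly once the rules are live. The POSIX sh helpers below are an added example, not part of the original post: they pull the key=value payload out of a NAXSI_FMT error-log line so blocked requests can be summarised or handed to an alerting script. The sample line is the log excerpt above; the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): parse NAXSI_FMT error-log lines.
# SAMPLE is the log line shown above, embedded here so the script runs offline.
SAMPLE='2019/06/21 21:28:09 [error] 15431#0: *3 NAXSI_FMT: ip=192.168.121.67&server=192.168.121.67&uri=/&vers=0.56&total_processed=3&total_blocked=3&config=block&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.121.67, server: localhost, request: "GET /?q="><script>alert(0)</script> HTTP/1.1", host: "192.168.121.67"'

# Print the key=value pairs of the NAXSI_FMT payload, one per line.
# The payload sits between "NAXSI_FMT: " and ", client: ".
naxsi_fields() {
    printf '%s\n' "$1" \
      | sed -n 's/.*NAXSI_FMT: \(.*\), client: .*/\1/p' \
      | tr '&' '\n'
}

# Value of one key (config, uri, score0, ...); empty if the key is absent.
naxsi_field() {
    naxsi_fields "$1" | sed -n "s/^$2=//p"
}

# "blocked" when NAXSI enforced the rules, "learning" when it only logged,
# "unknown" for anything else.
naxsi_verdict() {
    case "$(naxsi_field "$1" config)" in
        block)    echo blocked ;;
        learning) echo learning ;;
        *)        echo unknown ;;
    esac
}

# Space-separated list of the rule ids that fired (id0, id1, ...). Rule ids
# map back to the MainRule entries in naxsi_core.rules.
naxsi_rule_ids() {
    naxsi_fields "$1" | sed -n 's/^id[0-9]*=//p' | tr '\n' ' ' | sed 's/ $//'
}

# Example usage: summarise the sample line.
printf '%s uri=%s rules=%s\n' \
    "$(naxsi_verdict "$SAMPLE")" \
    "$(naxsi_field "$SAMPLE" uri)" \
    "$(naxsi_rule_ids "$SAMPLE")"
```

To run the helpers over a live log, pipe `tail -f /var/log/nginx/error.log` through a `while read -r line` loop and call `naxsi_verdict "$line"` on lines that contain NAXSI_FMT; the score fields (score0, score1, ...) are the per-category totals that the CheckRule thresholds in naxsi.rules compare against.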

Looking to set up the ultimate hardened WordPress? Check out these guides.
