Open Source Firewall for Ubuntu 18.04 and NGINX – NAXSI
Today, we will install NAXSI, an open source web application firewall (WAF) module for NGINX, on Ubuntu 18.04. We will take a look at compiling NAXSI into NGINX from source.
Install the Pre-reqs
apt -y install libpcre3-dev libssl-dev unzip build-essential daemon libxml2-dev libxslt1-dev libgd-dev libgeoip-dev
Download and extract NGINX and NAXSI
In order to get our open source firewall for Ubuntu 18.04 operational, we will need to download NGINX and NAXSI. In this guide we use the versions that were current at the time of writing. They will likely not be current when you follow this guide, so change the version numbers accordingly. Both NGINX and NAXSI make their downloads easy to find, and their file names follow a predictable, version-based naming convention.
We are creating a directory called /home/nginx-waf/ and extracting our files there.
mkdir /home/nginx-waf/
wget https://nginx.org/download/nginx-1.17.0.tar.gz -O /home/nginx-waf/nginx.tar.gz
tar xzf /home/nginx-waf/nginx.tar.gz -C /home/nginx-waf
wget https://github.com/nbs-system/naxsi/archive/master.zip -O /home/nginx-waf/waf.zip
unzip /home/nginx-waf/waf.zip -d /home/nginx-waf/
Create a compile script
Now we will create a simple bash script to run the compile process for us.
cat > /home/nginx-waf/nginx-1.17.0/install.sh <<\EOF
# Stop at the first failing step so a failed configure or make never reaches make install.
set -e
cd /home/nginx-waf/nginx-1.17.0/
./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --user=www-data --group=www-data --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --prefix=/usr
make
make install
EOF
Run the Compile bash script
Now let's compile the open source firewall for Ubuntu 18.04.
sh /home/nginx-waf/nginx-1.17.0/install.sh
Create the NGINX temporary data directories
These are the temp paths that were given to ./configure above.
mkdir -p /var/lib/nginx/{body,fastcgi,proxy}
Copy rule file from NAXSI master config
cp /home/nginx-waf/naxsi-master/naxsi_config/naxsi_core.rules /etc/nginx/
Create a NAXSI rule file for NGINX to process on start
cat > /etc/nginx/naxsi.rules <<\EOF
## Enable NAXSI in the location that includes this file
SecRulesEnabled;
## Location that denied requests are internally redirected to
DeniedUrl "/RequestDenied";
## Check Naxsi rules: block once the summed score for a category reaches its threshold
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
EOF
Add the following lines to the NGINX config
Add or uncomment these lines in your nginx.conf file so that NGINX processes the NAXSI rules at start. The naxsi_core.rules include (the signatures) belongs in the http block; the naxsi.rules include (the per-site settings) belongs inside each location block you want protected, for example location / in the default server block. Because DeniedUrl points at /RequestDenied, the NAXSI documentation also has you add a location /RequestDenied { return 403; } to the server block so denied requests get an explicit 403.
vi /etc/nginx/nginx.conf
# inside the http { } block:
include /etc/nginx/naxsi_core.rules;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# inside the location / { } block of the server you want protected:
include /etc/nginx/naxsi.rules;
Create the NGINX systemd service so NAXSI runs at start
cat > /lib/systemd/system/nginx.service <<\EOF
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
Reload daemon and configure NGINX to start
systemctl daemon-reload
systemctl enable nginx
systemctl start nginx
Additional information
As cited on kifarunix.com, you may run into an additional issue (I did). If you see nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument then you need to do this:
mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
Testing
Send a test request that contains an attack pattern to your server. You should notice in the NGINX error log that the request is being blocked:
curl 'http://192.168.121.67/?q="><script>alert(1)</script>'
Now view the logs and verify the request was blocked:
tail -f /var/log/nginx/error.log
Notice that my attack was blocked:
2019/06/21 21:28:09 [error] 15431#0: *3 NAXSI_FMT: ip=192.168.121.67&server=192.168.121.67&uri=/&vers=0.56&total_processed=3&total_blocked=3&config=block&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.121.67, server: localhost, request: "GET /?q="><script>alert(0)</script> HTTP/1.1", host: "192.168.121.67"
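To turn NAXSI_FMT lines like the one above into something you can monitor, here is an added example (not part of this guide, and not NAXSI's own tooling) that parses such error-log lines with Python and reports which CheckRule thresholds from the naxsi.rules file above were met. The first sample line is the event shown in this guide; the second is a constructed learning-mode event, and the threshold table assumes the naxsi.rules shown earlier.

```python
import re
from urllib.parse import parse_qsl

# CheckRule thresholds from the naxsi.rules file created earlier in this guide.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}

# Offline input: line 1 is the event shown in this guide; line 2 is a constructed
# learning-mode event (core rule id 1000, a low $SQL score) for contrast.
SAMPLE_LOG = """\
2019/06/21 21:28:09 [error] 15431#0: *3 NAXSI_FMT: ip=192.168.121.67&server=192.168.121.67&uri=/&vers=0.56&total_processed=3&total_blocked=3&config=block&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.168.121.67, server: localhost, request: "GET /?q="><script>alert(0)</script> HTTP/1.1", host: "192.168.121.67"
2019/06/21 21:30:12 [error] 15431#0: *4 NAXSI_FMT: ip=10.0.0.5&server=192.168.121.67&uri=/search&vers=0.56&total_processed=4&total_blocked=3&config=learning&cscore0=$SQL&score0=4&zone0=ARGS&id0=1000&var_name0=q, client: 10.0.0.5, server: localhost, request: "GET /search?q=select+wine HTTP/1.1", host: "192.168.121.67"
"""
def parse_naxsi_line(line):
    """Parse one NGINX error-log line carrying a NAXSI_FMT event; None for any other line."""
    if "NAXSI_FMT: " not in line:
        return None
    # The NAXSI_FMT payload is a query string; it ends where NGINX appends its own fields.
    payload = line.split("NAXSI_FMT: ", 1)[1].split(", client: ", 1)[0]
    kv = dict(parse_qsl(payload, keep_blank_values=True))
    scores, matches = {}, []
    for key, val in kv.items():
        m = re.fullmatch(r"(cscore|zone)(\d+)", key)
        if m is None:
            continue
        n = m.group(2)
        if m.group(1) == "cscore":   # cscoreN names a score category, scoreN holds its value
            scores[val] = int(kv.get("score" + n, 0))
        else:                        # zoneN / idN / var_nameN describe one matched signature
            matches.append((val, int(kv.get("id" + n, 0)), kv.get("var_name" + n, "")))
    return {
        "ip": kv.get("ip"), "uri": kv.get("uri"), "mode": kv.get("config"),
        "scores": scores, "matches": matches,
        # CheckRule thresholds this request met (empty means it would not be blocked).
        "triggered": sorted(c for c, t in CHECK_RULES.items() if scores.get(c, 0) >= t),
    }

def summarize(log_text):
    """Count events per source IP and per matched rule id, to spot noisy rules before blocking."""
    per_ip, per_rule = {}, {}
    for line in log_text.splitlines():
        ev = parse_naxsi_line(line)
        if ev is None:
            continue
        per_ip[ev["ip"]] = per_ip.get(ev["ip"], 0) + 1
        for _zone, rule_id, _var in ev["matches"]:
            per_rule[rule_id] = per_rule.get(rule_id, 0) + 1
    return per_ip, per_rule

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Pipe the real log through summarize (for example by reading /var/log/nginx/error.log) while running LearningMode to see which rule ids fire on legitimate traffic before switching to BLOCK.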