Skip to content

Instantly share code, notes, and snippets.

@purwandi

purwandi/01-Nginx-Naxsi-Core.md

Last active January 4, 2021 12:10
Show Gist options
  • Star 10 You must be signed in to star a gist
  • Fork 5 You must be signed in to fork a gist
  • Save purwandi/4690042 to your computer and use it in GitHub Desktop.
Save purwandi/4690042 to your computer and use it in GitHub Desktop.
Download ZIP
Install nginx, naxsi core and naxsi ui
Raw
01-Nginx-Naxsi-Core.md

Install Some Dependencies

apt-get install build-essential bzip2 libpcre3-dev libssl-dev mysql-server daemon libgeoip-dev

Installing Nginx with Naxsi Core

Download Nginx, Naxsi Core dan Naxsi UI. Saya berasumsi tempat download berada di /home/compile

wget http://nginx.org/download/nginx-1.2.7.tar.gz
wget http://naxsi.googlecode.com/files/naxsi-core-0.48.tgz
wget http://naxsi.googlecode.com/files/naxsi-ui-0.48.tgz

Extract

tar xvzf nginx-1.2.7.tar.gz 
tar xvzf naxsi-core-0.48.tgz
tar xvzf naxsi-ui-0.48.tgz

Add user and group www

adduser --system --no-create-home --disabled-login --disabled-password --group www-data

Configure Nginx and Naxsi Core

nginx-1.2.7

./configure \
--conf-path=/etc/nginx/nginx.conf \
--add-module=../naxsi-core-0.48/naxsi_src/ \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-log-path=/var/log/nginx/access.log \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--lock-path=/var/lock/nginx.lock \
--pid-path=/var/run/nginx.pid \
--user=www-data \
--group=www-data \
--with-http_ssl_module \
--with-http_geoip_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--with-ipv6  \
--prefix=/usr

Configuration summary
  + using system PCRE library
  + using system OpenSSL library
  + md5: using OpenSSL library
  + sha1: using OpenSSL library
  + using system zlib library

  nginx path prefix: "/usr"
  nginx binary file: "/usr/sbin/nginx"
  nginx configuration prefix: "/etc/nginx"
  nginx configuration file: "/etc/nginx/nginx.conf"
  nginx pid file: "/var/run/nginx.pid"
  nginx error log file: "/var/log/nginx/error.log"
  nginx http access log file: "/var/log/nginx/access.log"
  nginx http client request body temporary files: "/var/lib/nginx/body"
  nginx http proxy temporary files: "/var/lib/nginx/proxy"
  nginx http fastcgi temporary files: "/var/lib/nginx/fastcgi"

and then run

make
make install

Nginx daemon script, letakkan sript ini di /etc/init.d/nginx

#! /bin/sh

### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx using start-stop-daemon
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/nginx
NAME=nginx
DESC=nginx

test -x $DAEMON || exit 0

# Include nginx defaults if available
if [ -f /etc/nginx ] ; then
        . /etc/nginx
fi

set -e

case "$1" in
  start)
        echo -n "Starting $DESC: "
        start-stop-daemon --start --quiet --pidfile /var/run/nginx.pid \
                --exec $DAEMON -- $DAEMON_OPTS
        echo "$NAME."
        ;;
  stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop --quiet --pidfile /var/run/nginx.pid \
                --exec $DAEMON
        echo "$NAME."
        ;;
  restart|force-reload)
        echo -n "Restarting $DESC: "
        start-stop-daemon --stop --quiet --pidfile \
                /var/run/nginx.pid --exec $DAEMON
        sleep 1
        start-stop-daemon --start --quiet --pidfile \
                /var/run/nginx.pid --exec $DAEMON -- $DAEMON_OPTS
        echo "$NAME."
        ;;
  reload)
      echo -n "Reloading $DESC configuration: "
      start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/nginx.pid \
          --exec $DAEMON
      echo "$NAME."
      ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

Lalu chmod

chmod 755 /etc/init.d/nginx

Pastikan direktori /var/lib/nginx ada, klo belum ada buat saka. Lalu register init script

sudo update-rc.d nginx defaults

Please make sure your nginx web server is running :)

Raw
02-Nginx-Naxsi-Core-Conf.md

Nginx and Naxsi UI Configuration

Create naxsi_core.rules and put this file in /etc/nginx/naxsi_core.rules

##################################
## INTERNAL RULES IDS:1-10      ##
##################################
#weird_request : 1
#big_body : 2
#no_content_type : 3

#@MainRule "msg:weird/incorrect request" id:1;
#@MainRule "msg:big request, unparsed" id:2;
#@MainRule "msg:uncommon hex encoding (%00 etc.)" id:10;
#@MainRule "msg:uncommon/empty content-type in POST" id:11;
#@MainRule "msg:uncommon/malformed URL" id:12;

#MainRule "str:123FREETEXT" "msg:exemple learning test pattern"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:BLOCK" id:0;

##################################
## SQL Injections IDs:1000-1099 ##
##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
## Hardcore rules
MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
MainRule "rx:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
## end of hardcore rules
MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;

###############################
## OBVIOUS RFI IDs:1100-1199 ##
###############################
MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;

#######################################
## Directory traversal IDs:1200-1299 ##
#######################################
MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;

########################################
## Cross Site Scripting IDs:1300-1399 ##
########################################
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
MainRule "str:`"  "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
MainRule "rx:%[2|3]."  "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;

####################################
## Evading tricks IDs: 1400-1500 ##
####################################
MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402;

#############################
## File uploads: 1500-1600 ##
#############################
MainRule "rx:.ph*|.asp*" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;

Create nbs.rules and put this file in /etc/nginx/nbs.rules.

root@debian:/home/compile/naxsi-core-0.48/naxsi_config# cat /etc/nginx/nbs.rules
# Aktifkan learning mode untuk melakukan log error di nginx
# Abila sudah mendapatkan beberapa whitelist saya sarankan untuk mencoment LearningMode Script
LearningMode;
SecRulesEnabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

My nginx conf

cat /etc/nginx/nginx.conf
user  www-data;
worker_processes  1;
worker_rlimit_core  500M;
working_directory   /tmp/;
error_log   /var/log/nginx/error.log;
pid         /var/run/nginx.pid;

events {
    worker_connections  1024;
    use epoll;
}


http {
    # naxsi core rules
    include       /etc/nginx/naxsi_core.rules;
    include       mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 128;
    access_log     /var/log/nginx/access.log;

    sendfile        on;
    tcp_nodelay     on;
    keepalive_timeout  65;
    gzip  on;
    gzip_disable "MSIE [1_6]\.(?!.*SV1)";

    server {
        listen       80;
        server_name  localhost;
	    root  /home/www/;
	    index index.html index.html index.php;

        location / {
            include    /etc/nginx/nbs.rules;
            #root  /home/purwandi/;
            #index  index.html index.htm;

	        # pass the PHP scripts to FastCGI server
            location ~ \.php$ {
                include /etc/nginx/nbs.rules;
                # Zero-day exploit defense.
                # http://forum.nginx.org/read.php?2,88845,page=3
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                include /etc/nginx/fastcgi_params;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

                ## Custom FastCGI
                fastcgi_send_timeout 900;
                fastcgi_read_timeout 900;
                fastcgi_buffer_size 512k;
                fastcgi_buffers 16 256k;
                fastcgi_busy_buffers_size 512k;
                fastcgi_temp_file_write_size 512k;
                fastcgi_intercept_errors on;

                # fastcgi_intercept_errors on;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
            }
        }

        # ketika request yang dilakukan user tidak bisa melewati naxsi rules
        # maka request di block
        location /RequestDenied {
            # jika masih dalam learning mode maka arahkan ke port nx_intercept naxsi-ui
            # dan generate whitelist rules seperlunya
     	    #proxy_pass http://127.0.0.1:8080;

            # jika tidak dalam mode laerning mode saya sarankan untuk memblok
            # atau menggunakan script ini https://code.google.com/p/naxsi/source/browse/tags/0.41/contrib/fp-reporter/fp-reporter.php
    	    return 403;
        }
    }
}
Raw
03-naxsi-ui.md

Installing Naxsi UI

Install python-twisted

apt-get install python-twisted python-mysqldb

Update database config for naxsi-ui-learning.config

root@debian:/home/compile/naxsi-ui# cat naxsi-ui-learning.conf
[nx_extract]
username = naxsi_web
password = 123456
port = 8081 # naxsi-port
rules_path = /etc/nginx/nbs.rules

[nx_intercept]
port = 8080

[sql]
dbtype = mysql
username = root
password = 123456
hostname = 127.0.0.1
dbname = naxsi

Adding data into naxsi ui database from error.log

cd /home/compile/naxsi-ui/
python nx_intercept.py -c naxsi-ui-learning.conf -l /var/log/nginx/error.log

python /usr/share/nginx-naxsi/naxsi-ui/nx_intercept.py  -c /etc/nginx/naxsi-ui.conf -l /var/log/nginx/woorkjob.dev-error.log

Create bin nx_intercept dan nx_extract

/usr/sbin/nx-intercept

#!/bin/bash
cd /home/compile/naxsi-ui/
python nx_intercept.py -c naxsi-ui-learning.conf &
somepid=$!
echo $somepid > /var/run/nginx-naxsi-ui_intercept.pid
wait $somepid

/usr/sbin/nx-extract

#!/bin/bash
python nx_extract.py naxsi-ui-learning.conf &
somepid=$!
echo $somepid > /var/run/nginx-naxsi-ui_extract.pid
wait $somepid

Daemon nginx-naxsi-ui

Create file nginx-naxsi-ui and put this file in /etc/init.d/nginx-naxsi-ui

#!/bin/sh

### BEGIN INIT INFO
# Provides:          nginx-naxsi-ui
# Required-Start:    $local_fs $remote_fs $network $syslog nginx
# Required-Stop:     $local_fs $remote_fs $network $syslog nginx
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx-naxsi-ui using start-stop-daemon
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON_intercept=/usr/sbin/naxsi-ui-intercept
DAEMON_extract=/usr/sbin/naxsi-ui-extract
NAME=nginx-naxsi-ui
NAME_intercept=nginx-naxsi-ui_intercept
NAME_extract=nginx-naxsi-ui_extract
DESC=nginx-naxsi-ui

# Include nginx defaults if available
if [ -f /etc/default/nginx-naxsi-ui ]; then
    . /etc/default/nginx-naxsi-ui
fi

test -x $DAEMON_intercept || exit 0
test -x $DAEMON_extract || exit 0

set -e

. /lib/lsb/init-functions


case "$1" in
    start)
        echo -n "Starting $DESC: "
        # Check if the ULIMIT is set in /etc/default/nginx
        if [ -n "$ULIMIT" ]; then
            # Set the ulimits
            ulimit $ULIMIT
        fi
        start-stop-daemon --start --quiet --pidfile /var/run/$NAME_intercept.pid \
            --exec /usr/bin/daemon -- $DAEMON_intercept || true
        echo "$NAME_intercept."
        start-stop-daemon --start --quiet --pidfile /var/run/$NAME_extract.pid \
            --exec /usr/bin/daemon -- $DAEMON_extract || true
        echo "$NAME_extract."
        ;;

    stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop --quiet --pidfile /var/run/$NAME_extract.pid && rm /var/run/$NAME_extract.pid || true
        echo "$NAME_extract."
        start-stop-daemon --stop --quiet --pidfile /var/run/$NAME_intercept.pid && rm /var/run/$NAME_intercept.pid || true
        echo "$NAME_intercept."
        ;;

    restart|force-reload|reload)
        echo -n "Restarting $DESC: "
        start-stop-daemon --stop --quiet --pidfile /var/run/$NAME_extract.pid && rm /var/run/$NAME_extract.pid || true
        echo "$NAME_extract."
        start-stop-daemon --stop --quiet --pidfile /var/run/$NAME_intercept.pid && rm /var/run/$NAME_intercept.pid || true
        echo "$NAME_intercept."
        sleep 1
        start-stop-daemon --start --quiet --pidfile /var/run/$NAME_intercept.pid \
            --exec /usr/bin/daemon -- $DAEMON_intercept || true
        echo "$NAME_intercept."
        start-stop-daemon --start --quiet --pidfile /var/run/$NAME_extract.pid \
            --exec /usr/bin/daemon -- $DAEMON_extract || true
        echo "$NAME_extract."
        ;;

    status)
        (status_of_proc -p /var/run/$NAME_extract.pid "$DAEMON_extract" nginx-naxsi-ui_extract && status_of_proc -p /var/run/$NAME_intercept.pid "$DAEMON_intercept" nginx-naxsi-ui_intercept) && exit 0 || exit $?
        ;;
    *)
        echo "Usage: $NAME {start|stop|restart|reload|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0

Run Nginx and Naxsi

/etc/init.d/nginx start
/etc/init.d/nginx-naxsi-ui start
@haryx8
Copy link

haryx8 commented Jun 9, 2017

Thanks berat sir 🥇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment