Integrated Naxsi
Synopsis
Naxsi is an excellent proactive web application firewall. It protects against many classes of vulnerabilities, including SQL injection, XSS and others.
SEnginx integrates the naxsi module by default, and the usage of naxsi stays unchanged. For configuring naxsi, you can refer to the official naxsi docs or simply follow what we do in this section.
Directive
Besides the directives provided with naxsi, SEnginx offers the following new directive(s):
naxsi_whitelist
Syntax | naxsi_whitelist ua_var_name=UA whitelist ip_var_name=IP whitelist ip_var_value=value; |
Default | - |
Context | Location |
Version Since | 1.5.11 |
This directive specifies the globally defined IP whitelist and User-Agent whitelist. The IP whitelist is provided by nginx's geo module; the User-Agent whitelist is defined with the whitelist_ua block shown in the example below. Requests from a whitelisted IP or with a whitelisted User-Agent are not checked by naxsi.
Example:
    #Define an IP whitelist
    geo $ip_wl {
        ranges;
        default 0;
        127.0.0.1-127.0.0.1 1;
        3.0.0.1-3.2.1.254 1;
    }

    #Define a UA whitelist
    whitelist_ua $ua_wl {
        "autotest" ".*\.test\.com";
    }

    server {
        location / {
            naxsi_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
        }
    }
naxsi_blacklist (Pro)
Syntax | naxsi_blacklist failed_count; |
Default | - |
Context | Location |
Version Since | SEnginx Pro 1.10.0 |
This directive sets the threshold for requests blocked or dropped by naxsi. A client that exceeds this threshold is added to the dynamic blacklist.
This directive has no effect while naxsi is in Learning mode.
Example:
    naxsi_blacklist 3;
This means that once a client has failed 4 times, it will be added to the blacklist.
Use naxsi module in SEnginx
The naxsi module in SEnginx is located in the "naxsi" directory of senginx's installation directory, together with some tools for generating whitelists and similar tasks.
Before using naxsi in SEnginx, you need to go through the following steps:
Create the whitelist file
Create an empty whitelist file, for instance wl.conf, anywhere in your file system.
Configure the core rule set of naxsi
In senginx's nginx.conf file, include naxsi's core rule set (in the http context):
    include /usr/local/senginx/naxsi/naxsi_config/naxsi_core.rules;
Configure the directives in Location
In nginx.conf, place the naxsi-related directives in the location that you want to protect:
    location /cn {
        error_log logs/error.cn.log;
        ... ...
        LearningMode;
        SecRulesEnabled;
        #SecRulesDisabled;
        DeniedUrl "/RequestDenied";
        include wl.conf;

        ## check rules
        CheckRule "$XSS >= 4" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$EVADE >= 8" BLOCK;
        CheckRule "$UPLOAD >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$SQL >= 8" BLOCK;
    }
Configure the Denied Location
This section does not apply to version 1.5.3-1 and newer; use naxsi_neteye_action instead.
Define a new location, /RequestDenied. The name is arbitrary, but it must match the parameter of the DeniedUrl directive:
    location /RequestDenied {
        return 403;
    }
All denied requests are redirected to this location, so you can handle them however you want. In the example, we simply return 403.
Start or reload senginx
At this time, naxsi goes into Learning mode.
Feed naxsi with enough traffic
Browse the whole content of your website so that naxsi generates exceptions.
Note: at this stage, requests that hit the rules are not blocked; they are recorded in the error.log. In this example we defined a dedicated error.log for the location, called error.cn.log, so all records generated by naxsi are written there. Another point: at this stage you must make sure the traffic of your website is clean and not harmful, otherwise real attacks will be recorded into the whitelist later, which would make naxsi blind to those attacks in protect mode.
Generate the whitelist
Some valid requests are blocked by the naxsi default rules. You can create naxsi whitelist rules to allow these valid requests.
Read Naxsi Wiki to know how to create and maintain naxsi whitelist rules.
Enter Protect Mode
Edit nginx.conf, comment out the LearningMode line, then reload senginx. At this point naxsi enters protect mode; any attack behaviour is recorded in senginx's error.log file at the "error" level.
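The step from the learning-mode error.log to wl.conf is where most mistakes happen, so here is an added example (my own code, not the whitelist tools shipped in SEnginx's naxsi directory and not part of this page) that turns naxsi's NAXSI_FMT log lines into BasicRule whitelist entries. It assumes the NAXSI_FMT field layout naxsi writes (ip, uri, learning, and id0/zone0/var0, id1/zone1/var1, ... for each rule hit); the log lines, hosts, IPs, URIs and parameter names below are constructed sample data. Two defensive choices are built in: every rule is scoped to the URI that triggered it with a $URL match zone rather than whitelisting the parameter site-wide, and hits logged in protect mode (learning=0) are ignored by default, since those are the attacks the note above warns about.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of the NAXSI_FMT lines naxsi writes to the location's
# error.log. Hosts, IPs, URIs and parameter names are made up; the field
# layout (ip, server, uri, learning, idN/zoneN/varN) is naxsi's own format.
SAMPLE_ERROR_LOG = """\
2024/01/10 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=192.0.2.10&server=www.example.test&uri=/search&learning=1&vers=0.55&total_processed=10&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var0=q, client: 192.0.2.10, server: www.example.test, request: "GET /search?q=select+1 HTTP/1.1", host: "www.example.test"
2024/01/10 10:00:05 [error] 1234#0: *2 NAXSI_FMT: ip=192.0.2.11&server=www.example.test&uri=/login&learning=1&vers=0.55&total_processed=11&total_blocked=2&block=1&cscore0=$XSS&score0=8&zone0=BODY&id0=1315&var0=comment&zone1=HEADERS&id1=1015&var1=cookie, client: 192.0.2.11, server: www.example.test, request: "POST /login HTTP/1.1", host: "www.example.test"
2024/01/10 10:00:09 [error] 1234#0: *3 NAXSI_FMT: ip=192.0.2.10&server=www.example.test&uri=/search&learning=1&vers=0.55&total_processed=12&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var0=q, client: 192.0.2.10, server: www.example.test, request: "GET /search?q=select+2 HTTP/1.1", host: "www.example.test"
2024/01/10 10:00:12 [error] 1234#0: *4 NAXSI_FMT: ip=192.0.2.12&server=www.example.test&uri=/list&learning=1&vers=0.55&total_processed=13&total_blocked=4&block=1&cscore0=$SQL&score0=8&zone0=ARGS|NAME&id0=1000&var0=select_all, client: 192.0.2.12, server: www.example.test, request: "GET /list?select_all=1 HTTP/1.1", host: "www.example.test"
2024/01/10 10:05:00 [error] 1234#0: *5 NAXSI_FMT: ip=198.51.100.7&server=www.example.test&uri=/search&learning=0&vers=0.55&total_processed=14&total_blocked=5&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var0=q, client: 198.51.100.7, server: www.example.test, request: "GET /search?q=union+select HTTP/1.1", host: "www.example.test"
2024/01/10 10:05:01 [error] 1234#0: *6 open() "/usr/local/senginx/html/favicon.ico" failed (2: No such file or directory)
"""

# The NAXSI_FMT payload is a query string that ends at the first ", client:".
NAXSI_RE = re.compile(r"NAXSI_FMT: ([^,\s]+)")


def parse_naxsi_log(text):
    """Return one dict per NAXSI_FMT line; other error.log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = NAXSI_RE.search(line)
        if not m:
            continue
        fields = {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}
        hits, i = [], 0
        while f"id{i}" in fields:  # one (id, zone, var) triple per rule hit
            hits.append((int(fields[f"id{i}"]), fields.get(f"zone{i}", ""), fields.get(f"var{i}", "")))
            i += 1
        events.append({
            "ip": fields.get("ip", ""),
            "uri": fields.get("uri", ""),
            "learning": fields.get("learning") == "1",
            "hits": hits,
        })
    return events


def match_zone(zone, var, uri):
    """Build the naxsi mz: string for one hit, scoped to the triggering URI."""
    base, _, flag = zone.partition("|")  # "ARGS|NAME" -> base "ARGS", flag "NAME"
    if base in ("ARGS", "BODY", "HEADERS") and var:
        mz = f"${base}_VAR:{var}"        # whitelist only this parameter / header
    else:
        mz = base                        # zone-wide (e.g. URL): review by hand
    if uri:
        mz += f"|$URL:{uri}"             # and only on this URI
    if flag == "NAME":
        mz += "|NAME"                    # the rule matched the parameter *name*
    return mz


def generate_whitelist(text, min_count=1, learning_only=True):
    """Return [(BasicRule line, times seen)], most frequent first.

    min_count lets you drop one-off hits, which are more likely to be a stray
    attack that slipped into the learning traffic than a legitimate request.
    """
    counter = Counter()
    for ev in parse_naxsi_log(text):
        if learning_only and not ev["learning"]:
            continue  # logged in protect mode: an attack, not a false positive
        for rule_id, zone, var in ev["hits"]:
            counter[(rule_id, match_zone(zone, var, ev["uri"]))] += 1
    rules = []
    for (rule_id, mz), n in sorted(counter.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= min_count:
            rules.append((f'BasicRule wl:{rule_id} "mz:{mz}";', n))
    return rules


def to_wl_conf(rules):
    """Render the rules as the contents of wl.conf, with a hit count comment each."""
    return "".join(f"# seen {n} time(s) in learning mode\n{rule}\n" for rule, n in rules)


if __name__ == "__main__":
    print(to_wl_conf(generate_whitelist(SAMPLE_ERROR_LOG)))
```

Run it against the real error.cn.log by reading the file into `generate_whitelist` and raising `min_count` until the output matches what you actually browsed; every rule still deserves a look before it goes into wl.conf, because a whitelist entry is a permanent hole in the rule it names.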
Statistics
Use SEnginx Statistics module to see common attacks statistics.