Web Defacement


Synopsis

The web defacement module checks, when a request arrives at SEnginx, whether the hash of the requested file on the server's disk has changed, and so recognizes defacement. When defacement occurs, the module can restore the previous web pages.
This module is released with SEnginx. It can also be used with a standard nginx release.
Note: This feature is a remedial measure against web defacement. Administrators must still take the necessary measures, such as SELinux, to effect a permanent cure.

Directives

web_defacement

Syntax web_defacement on | off;
Default off
Context http/server/location

Enable or disable the web defacement module.
Example:

web_defacement on;

web_defacement_original

Syntax web_defacement_original /path/to/original/files;
Default none
Context http/server/location

Specify the directory of the files/pages to protect. Generally, this is the document root of the site in the file system. If a relative path is used, it is resolved against the 'conf' directory in the SEnginx installation directory.
Example:

web_defacement_original /var/www/html;

web_defacement_hash_data

Syntax web_defacement_hash_data /path/to/hash/data/file;
Default none
Context http/server/location

Specify the location of the hash data file for the page files to be protected. The hash file can be generated with 'web_defacement.pl', released in the SEnginx tarball. If a relative path is used, it is resolved against the 'conf' directory in the SEnginx installation directory.
Example:

web_defacement_hash_data /usr/local/senginx/hash_data;

Generate hash files:

cd senginx-install-dir
./web_defacement.pl -d /path/to/original/files -o /path/to/hash/file;

Example:

cd /usr/local/senginx
./web_defacement.pl -d /var/www/html -o ./hash_data;

web_defacement_log

Syntax web_defacement_log on | off;
Default off
Context http/server/location

Send an attack log entry when a defacement is detected. Attack logs are written at the 'error' level into error.log; the location of error.log is configured by the user.
Example:

web_defacement_log on;

web_defacement_index

Syntax web_defacement_index filename;
Default none
Context http/server/location

Specify the default index file. When a request for a directory path arrives, the web defacement module checks the hash value of the default index file in that directory.
Example:

location /cn/ {
    web_defacement_index index.html;
}

In this example, when a client requests '/cn/', the web defacement module looks for '/cn/index.html' to do the defacement check. Note that the path must end with '/', otherwise it is taken as a filename.

web_defacement_whitelist

Syntax web_defacement_whitelist ua_var_name=UA whitelist ip_var_name=IP whitelist ip_var_value=value;
Default none
Context http/server/location
Available since version 1.5.11

This directive references the global IP whitelist and User-Agent whitelist. The IP whitelist must be used together with the geo module of nginx.
Example:

#Define IP whitelist
geo $ip_wl {
    ranges;
    default 0;
    127.0.0.1-127.0.0.1 1;
    3.0.0.1-3.2.1.254 1;
}
#Define UA whitelist
whitelist_ua $ua_wl {
    "autotest" ".*\.test\.com";
}
server {
    location / {
        web_defacement_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
    }
}


Variables

The web defacement module provides two variables for user-defined actions.

  • $web_defacement

When the requested page is defaced, this variable is true.

  • $web_defacement_file

When the requested page is defaced, this variable is the requested URL, which refers to the defaced file.
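As an added illustration (not part of SEnginx or its web_defacement.pl; the on-disk hash format and the use of SHA-256 are assumptions), the following Python script mirrors the check described in the synopsis: it builds a hash table for a protected tree, resolves a request ending in '/' to the configured index file as the web_defacement_index example does, and returns the equivalents of $web_defacement and $web_defacement_file.

```python
import hashlib
import tempfile
from pathlib import Path


def generate_hash_data(original_dir):
    """Walk the protected tree (the role of web_defacement.pl -d) and record one
    digest per file, keyed by its URI path. Hypothetical format; SHA-256 assumed."""
    root = Path(original_dir)
    hashes = {}
    for p in root.rglob("*"):
        if p.is_file():
            uri = "/" + p.relative_to(root).as_posix()
            hashes[uri] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def check_request(uri, original_dir, hashes, index="index.html"):
    """Re-hash the file a request maps to and compare it with the stored digest.
    Returns (defaced, file): the analogue of $web_defacement / $web_defacement_file.
    A URI ending in '/' resolves to the index file, so '/cn/' checks '/cn/index.html'."""
    target = uri + index if uri.endswith("/") else uri
    expected = hashes.get(target)
    if expected is None:
        return False, None          # not in the hash data: nothing to compare against
    path = Path(original_dir) / target.lstrip("/")
    if not path.is_file():
        return True, target         # protected file removed: treat as defaced
    actual = hashlib.sha256(path.read_bytes()).hexdigest()
    return (True, target) if actual != expected else (False, None)


def demo():
    """Constructed sample site: baseline hashes, then a tampered index page."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "cn").mkdir()
        (site / "cn" / "index.html").write_text("<h1>welcome</h1>")
        (site / "about.html").write_text("<p>about</p>")
        hashes = generate_hash_data(site)
        clean = check_request("/cn/", site, hashes)
        (site / "cn" / "index.html").write_text("<h1>defaced</h1>")
        tampered = check_request("/cn/", site, hashes)
        untouched = check_request("/about.html", site, hashes)
        return clean, tampered, untouched


if __name__ == "__main__":
    print(demo())
```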

Examples

SEnginx working in web server mode

Suppose that all the files of a website are under the /var/www/html directory and SEnginx is installed under /usr/local/senginx. Configure the web defacement module with the following steps:
Change to the SEnginx install directory:

cd /usr/local/senginx

Run web_defacement.pl to generate the hash_data file, /usr/local/senginx/hash_data:

./web_defacement.pl -d /var/www/html -o ./hash_data

Modify nginx.conf, enable web defacement module and specify the location or server to protect:

server {
        listen       80;
        server_name  localhost;
 
 
        web_defacement on;                                          #enable web defacement module
        web_defacement_original /var/www/html;                      #specify directory of page files
        web_defacement_hash_data /usr/local/senginx/hash_data;      #specify hash files
        
        location / {
              web_defacement_index index.html;                      #specify default index filename
              web_defacement_log on;                                #enable attack log
 
              if ($web_defacement) {                                #specify actions when defacement occurs. In this case, the action is to return 403.
                                                                    #do other things here if needed
                     return 403;
              }
               
              index index.html;
              root /var/www/html;
        }
 
        location /other {
              web_defacement off;                                    #disable web defacement module in this location
              ... ...
        }
}

Restart or reload SEnginx.

SEnginx working in reverse proxy mode

When SEnginx works as a reverse proxy, how can it access the page files on the back-end servers? In this example, NFS is used to mount the remote server's page directory. Suppose that the back-end server IP is 1.1.1.1 and its page directory is /var/www/html, mounted at /opt/original on the SEnginx server.
The steps for mounting 1.1.1.1:/var/www/html at /opt/original on the SEnginx server, and the NFS configuration, are not covered here.
Generate hash_data as in the example above, noting that the original directory is now /opt/original.
Modify nginx.conf:

server {
        listen       80;
        server_name  localhost;
 
 
        web_defacement on;                                          #enable web defacement module
        web_defacement_original /opt/original;                      #specify directory of page files
        web_defacement_hash_data /usr/local/senginx/hash_data;      #specify hash files
        location / {
              web_defacement_index index.html;                      #specify default index filename
              web_defacement_log on;                                #enable attack log
 
              if ($web_defacement) {                                #specify actions when defacement occurs. In this case, the action is to return 403.
                                                                    #do other things here if needed
                     return 403;
              }
 
              proxy_pass http://1.1.1.1;
        }
        location /other {
              web_defacement off;                                   #disable web defacement module in this location
              ... ...
        }
}

If NFS is not an option, copying the page files manually to the SEnginx reverse proxy server is another choice. The disadvantage is that whenever the website is updated, you need to synchronize the changes.

Restore after defacement occurs

The web defacement module provides variables that show whether a defacement has occurred, so you can handle the subsequent actions after inspection flexibly in the nginx configuration file. The following example shows how to restore the original pages when they are defaced. First of all, you need to back up the page files. If SEnginx is working in reverse proxy mode, copy the backup files to the SEnginx server. Assume that the page files are backed up under /var/www/recover.
Follow the examples above to configure the reverse proxy or web server and generate hash_data.
Modify nginx.conf:

server {
        listen       80;
        server_name  localhost;
 
 
        web_defacement on;                                          #enable web defacement module
        web_defacement_original /opt/original;                      #specify directory of page files
        web_defacement_hash_data /usr/local/senginx/hash_data;      #specify hash files
 
        location /recover {
               web_defacement off;
               root /var/www;
        }
 
        location / {
              web_defacement_index index.html;                      #specify default index filename
              web_defacement_log on;                                #enable attack log
 
              if ($web_defacement) {                                #if defacement occurs, redirect to the recover directory and restore from the backup page files.
                     rewrite ^(.*)$ /recover$1 last;
              }
 
              proxy_pass http://1.1.1.1;
        }
        location /other {
              web_defacement off;                                   #disable web defacement module in this location
              ... ...
        }
}

Statistics

Use the SEnginx Statistics module to see web defacement attack statistics.