Installing the Naxsi Web Application Firewall Module for Nginx


Naxsi is an open-source, high-performance, low-rules-maintenance web application firewall module for Nginx. Its main goal is to help people harden their web applications against SQL injection, cross-site scripting, cross-site request forgery, and local and remote file inclusion vulnerabilities.

Download the Naxsi module

# cd /usr/local/src
# git clone https://github.com/nbs-system/naxsi.git

Recompile Nginx with the Naxsi module

Check the configure arguments of the currently installed nginx (they must be carried over, or the rebuilt binary will lose modules and paths the existing setup relies on)

# nginx -V

Configure again with the naxsi module added, keeping the options that nginx -V printed

# cd nginx-x.x.xx
# ./configure --add-module=../naxsi/naxsi_src/ [your options for nginx]
# make

make only produces objs/nginx; install the new binary (make install, or copy objs/nginx over the running one) before the restart step below, otherwise the old binary without Naxsi stays in use.

Copy the Naxsi core rule file into nginx/conf

# cp ../naxsi/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/
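The steps above (read nginx -V, reconfigure with Naxsi, build, install, copy the core rules) as one script. This is an added example, not code from the original post or from the Naxsi project; it assumes the nginx source tree and the naxsi clone sit side by side under /usr/local/src as shown above, that nginx is on PATH, and that the prefix is /usr/local/nginx. The nginx -V text in the block is a constructed sample.

```bash
#!/bin/sh
# Added example (not from the original post): rebuild nginx with Naxsi while
# carrying over the configure arguments of the running binary.

NAXSI_MODULE_DIR='../naxsi/naxsi_src/'   # relative to the nginx source tree (assumed layout)

# Does this `nginx -V` output already mention naxsi? (argument: the -V text)
naxsi_already_built() {
    printf '%s\n' "$1" | grep -q 'naxsi'
}

# Build the new ./configure argument list from `nginx -V` text: take the
# "configure arguments:" line and put Naxsi first (the Naxsi wiki recommends
# it be the first --add-module).
naxsi_configure_args() {
    old=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p')
    if [ -n "$old" ]; then
        printf '%s %s\n' "--add-module=$NAXSI_MODULE_DIR" "$old"
    else
        printf '%s\n' "--add-module=$NAXSI_MODULE_DIR"
    fi
}

# Reconfigure, compile, install and copy the core rules, from the nginx source
# tree given as $1. Needs a real build environment, so it is not run below.
# `eval` is used because `nginx -V` prints quoted values such as
# --with-cc-opt='-O2 -g' that must survive word splitting.
rebuild_nginx_with_naxsi() {
    v=$(nginx -V 2>&1) || return 1
    if naxsi_already_built "$v"; then
        echo 'naxsi already compiled in' >&2
        return 0
    fi
    args=$(naxsi_configure_args "$v")
    (
        cd "$1" &&
        eval ./configure "$args" &&
        make &&
        make install &&      # or: cp objs/nginx /usr/local/nginx/sbin/nginx
        cp ../naxsi/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/
    )
}

# Constructed sample of `nginx -V` output, used for the demo and the checks.
NGINX_V_SAMPLE='nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module'

# Demo: show the configure line that would be used for the sample binary.
naxsi_configure_args "$NGINX_V_SAMPLE"
```

On a real host, call rebuild_nginx_with_naxsi /usr/local/src/nginx-x.x.xx and then continue with the nginx -t and restart steps below.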

Include the Naxsi core rules in nginx.conf, inside the http block

http {
include naxsi_core.rules;
include mime.types;
default_type application/octet-stream;
......

Configure the Naxsi checks: create the file naxsi.rules

# vim /usr/local/nginx/conf/naxsi.rules

Add the following rules (the CheckRule thresholds are the defaults from the Naxsi documentation; LearningMode is left commented out so requests are actually blocked)

#LearningMode; #Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Enable Naxsi protection in the virtual host

Relevant part of the configuration:
server {

    location / {
        include naxsi.rules;
    }

    location /RequestDenied {
        return 403;
    }

    error_page 403 /403.html;
    location = /403.html {
        root /usr/share/nginx/html;
    }
}

Create a custom 403 block page; when the WAF detects an attack, this page is returned to the client. For example:


<html>
<head>
<title>Error 403 Request Denied</title>
</head>
<body>
<h2>Error 403 Request Denied</h2>
For some reason, your request has been denied.
</body>
</html>

Check the nginx configuration for syntax errors

# nginx -t

Restart nginx so the newly built binary is used (a configuration reload alone keeps the old binary running)

# service nginx restart

Test whether Naxsi is working

Test URL

Request https://www.insisi.com/?a=%3C (an encoded < in a query argument)

If a NAXSI_FMT line like the following appears in the nginx error log, the module is blocking. Note that the line below comes from a different request than the test URL: it was blocked because the Cookie header scored 12 under $SQL through rule 1015, the core rule that matches a comma at 4 points per hit, so three commas in the cookie value, which is a typical false positive rather than an attack. The test URL above should instead score under $XSS through the core rule that matches <. In both cases the request is redirected internally to DeniedUrl and answered with the 403 page.

2018/11/23 11:01:30 [error] 301#0: *1 NAXSI_FMT: ip=125.70.252.121&server=www.insisi.com&uri=/vsftp%E5%8A%A0%E5%AF%86ssl%E3%80%81ftp%E9%9A%90%E5%BC%8F%E3%80%81%E6%98%BE%E5%BC%8F%E5%8A%A0%E5%AF%86/224/&vers=0.56&total_processed=1&total_blocked=1&config=block&cscore0=$SQL&score0=12&zone0=HEADERS&id0=1015&var_name0=cookie, client: 125.70.252.121, server: www.insisi.com, request: "GET /vsftp%e5%8a%a0%e5%af%86ssl%e3%80%81ftp%e9%9a%90%e5%bc%8f%e3%80%81%e6%98%be%e5%bc%8f%e5%8a%a0%e5%af%86/224/ HTTP/2.0", host: "www.insisi.com", referrer: "https://www.insisi.com/centos%e6%9c%8d%e5%8a%a1%e5%99%a8nginx%e7%89%88%e6%9c%ac%e5%b9%b3%e6%bb%91%e5%8d%87%e7%ba%a7/164/"
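Reading NAXSI_FMT lines by hand gets tedious once the log fills up, and the cookie hit above shows why the next step is usually whitelisting. The script below, an added example that is not part of the original post or of the Naxsi project, parses NAXSI_FMT lines, lists the matched rules and scores, and emits BasicRule whitelist candidates in Naxsi's wl: syntax. The two log lines in it are constructed (same format as the one above, with the cookie/rule-1015 case and the test URL); the error-log path and the curl probe targets are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): summarise NAXSI_FMT log lines and
# turn them into whitelist candidates. Requires awk; curl only for naxsi_probe.

# Constructed sample log: the rule-1015 cookie hit from above and an XSS hit
# produced by the test URL ?a=%3C (rule 1302, "<" in ARGS).
NAXSI_SAMPLE_LOG='2018/11/23 11:01:30 [error] 301#0: *1 NAXSI_FMT: ip=203.0.113.5&server=www.example.com&uri=/&vers=0.56&total_processed=1&total_blocked=1&config=block&cscore0=$SQL&score0=12&zone0=HEADERS&id0=1015&var_name0=cookie, client: 203.0.113.5, server: www.example.com, request: "GET / HTTP/2.0", host: "www.example.com"
2018/11/23 11:02:10 [error] 301#0: *2 NAXSI_FMT: ip=203.0.113.5&server=www.example.com&uri=/&vers=0.56&total_processed=2&total_blocked=2&config=block&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=a, client: 203.0.113.5, server: www.example.com, request: "GET /?a=%3C HTTP/1.1", host: "www.example.com"'

# Parse NAXSI_FMT lines from stdin. Emits "SCORE <label> <score>" per score
# label and "MATCH <id> <zone> <var>" per matched rule. Naxsi numbers scores
# (cscore0/score0, ...) and matches (id0/zone0/var_name0, ...) as separate
# sequences, so they are reported separately rather than paired by index.
naxsi_parse() {
    awk '
    /NAXSI_FMT:/ {
        s = $0
        sub(/.*NAXSI_FMT: /, "", s)      # drop the nginx log prefix
        sub(/, client: .*/, "", s)       # drop the trailing nginx fields
        split("", m)
        n = split(s, kv, "&")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            m[substr(kv[i], 1, eq - 1)] = substr(kv[i], eq + 1)
        }
        for (i = 0; ("cscore" i) in m; i++)
            print "SCORE", m["cscore" i], m["score" i]
        for (i = 0; ("id" i) in m; i++)
            print "MATCH", m["id" i], m["zone" i], m["var_name" i]
    }'
}

# One "<id> <zone> <var>" line per matched rule.
naxsi_matches() { naxsi_parse | awk '$1 == "MATCH" { print $2, $3, $4 }'; }

# One "<label> <score>" line per request score (e.g. "$SQL 12").
naxsi_scores()  { naxsi_parse | awk '$1 == "SCORE" { print $2, $3 }'; }

# Whitelist candidates for naxsi.rules, deduplicated. A "|NAME" suffix on the
# zone means the match was in the parameter name, and is kept in the mz.
# Review each line before adding it: whitelist only confirmed false positives.
naxsi_whitelist() {
    naxsi_parse | awk '
    $1 == "MATCH" {
        id = $2; zone = $3; var = $4; suffix = ""
        if (sub(/\|NAME$/, "", zone)) suffix = "|NAME"
        if (var == "" || zone == "URL" || zone == "FILE_EXT")
            mz = zone suffix
        else
            mz = "$" zone "_VAR:" var suffix
        line = "BasicRule wl:" id " \"mz:" mz "\";"
        if (!(line in seen)) { seen[line] = 1; print line }
    }'
}

# Live check (not run by the tests): send a few payloads to $1
# (e.g. https://www.example.com) and print the HTTP status; 403 means the
# request hit DeniedUrl.
naxsi_probe() {
    for q in '?a=%3C' '?id=1%27%20or%201=1' '?f=../../etc/passwd'; do
        printf '%-28s %s\n' "$q" "$(curl -s -o /dev/null -w '%{http_code}' "$1/$q")"
    done
}

# Demo on the constructed log.
printf '%s\n' "$NAXSI_SAMPLE_LOG" | naxsi_scores
printf '%s\n' "$NAXSI_SAMPLE_LOG" | naxsi_whitelist
```

Against a real server run naxsi_whitelist < /usr/local/nginx/logs/error.log (path assumed). The cookie case yields BasicRule wl:1015 "mz:$HEADERS_VAR:cookie"; which belongs in naxsi.rules below the CheckRule lines; the ?a=%3C hit should not be whitelisted, since that is the test proving the WAF works.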
