Why Re-Invent the Wheel?
In this tutorial/walkthrough I provide detailed instructions on how to compile and configure NAXSI on NGINX on Ubuntu 14.04, because the standard Ubuntu repositories carry a very old NAXSI-enabled NGINX build which I have personally found to be very buggy!
Schedule:
Part#1: Installation and basic configuration of NGINX-NAXSI
Part#2: Pumping the NGINX and NAXSI logs to ELASTICSEARCH
Part#3: Analyzing the logs and automated process of generating the false-positives and exclusions
Part#4: Conclusion
Requirements:
- Ubuntu 14.04
- GIT tools installed and setup on the server
Rest of the dependencies shall be provided below.
Step#1: Download Config Files
Make sure you have the helper files handy that I have preconfigured to work with Ubuntu 14.04; they are in my GitHub repository: https://github.com/aarvee11/nginx_1.11.6-naxsi_latest
cd /tmp
git clone https://github.com/aarvee11/nginx_1.11.6-naxsi_latest.git
Step#2: Install Dependencies
Because NAXSI and NGINX are compiled from source, the build dependencies have to be installed manually:
apt-get update
apt-get install automake gcc make pkg-config libtool g++ libfl-dev bison build-essential libbison-dev libyajl-dev liblmdb-dev libpcre3-dev libcurl4-openssl-dev libgeoip-dev libxml2-dev libyajl2 libxslt-dev openssl libssl-dev libperl-dev libgd2-xpm-dev
Step#3: Download and Setup
Run the commands below. Ensure that you have the necessary permissions (writing to /usr/src and /etc/nginx requires root).
I have a habit of playing risky by running the commands as “sudo su”, but it’s not really safe to play that risky on a production machine. Please follow your best standards to get things running on the server!
Note that unzipping the GitHub archive creates /usr/src/naxsi-master/, which is the path the --add-module flag below (and Step#4) uses.
cd /usr/src
wget https://github.com/nbs-system/naxsi/archive/master.zip
wget http://nginx.org/download/nginx-1.11.6.tar.gz
unzip master.zip
tar -zxvf nginx-1.11.6.tar.gz
git clone https://github.com/openresty/headers-more-nginx-module.git
git clone https://github.com/flant/nginx-http-rdns.git
cd /usr/src/nginx-1.11.6/
./configure --prefix=/etc/nginx \
  --add-module=/usr/src/naxsi-master/naxsi_src/ \
  --add-module=/usr/src/headers-more-nginx-module \
  --add-module=/usr/src/nginx-http-rdns/ \
  --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' \
  --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' \
  --http-log-path=/var/log/nginx/access.log \
  --error-log-path=/var/log/nginx/error.log \
  --with-debug --with-pcre-jit --with-ipv6 \
  --with-http_ssl_module --with-http_stub_status_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_dav_module \
  --with-http_geoip_module \
  --with-http_gzip_static_module \
  --with-http_image_filter_module \
  --with-http_sub_module \
  --with-http_xslt_module \
  --with-mail \
  --with-mail_ssl_module \
  --http-client-body-temp-path=/tmp/client_body_temp \
  --http-proxy-temp-path=/tmp/proxy_temp \
  --http-fastcgi-temp-path=/tmp/fastcgi_temp \
  --http-uwsgi-temp-path=/tmp/uwsgi_temp \
  --http-scgi-temp-path=/tmp/scgi_temp
make
make install
Step#4: Create/Copy Config files
Using the pre-configured files downloaded in Step#1, copy them to the correct locations as shown below:
cp /tmp/nginx_1.11.6-naxsi_latest/etc/init.d/nginx /etc/init.d/nginx
cp -r /tmp/nginx_1.11.6-naxsi_latest/nginx/conf/* /etc/nginx/conf/
ln -s /etc/nginx/sbin/nginx /usr/sbin/nginx
mkdir /etc/nginx/conf/sites-available
mkdir /etc/nginx/conf/sites-enabled
cp /usr/src/naxsi-master/naxsi_config/naxsi_core.rules /etc/nginx/conf/
mkdir /etc/nginx/conf/naxsi-whitelist/
touch /etc/nginx/conf/whitelist.conf
Step#5: Configure your website on NGINX-NAXSI
You can use the sample configuration found under the “/tmp/nginx_1.11.6-naxsi_latest/nginx/sites-available” directory, which was copied in the step above.
Edit the config file to match your requirements (site name, upstream IP/server, and so on). The sample is reproduced below for quick reference:
server {
    listen 80 default_server;
    #listen [::]:80 default_server ipv6only=on;
    #root /var/www/nginx/html;
    #index index.html index.htm;

    # Make site accessible from http://localhost/
    server_name *.example.com; # Replace it with your website hostname. * is wildcard.
    set $naxsi_extensive_log 1;

    location / {
        # NAXSI is enabled on this location by the two includes below; comment them out to disable it
        include /etc/nginx/conf/naxsi.rules;
        include /etc/nginx/conf/naxsi-whitelist/*.rules;
        #try_files $uri $uri/ @rewrite;
        proxy_pass http://127.0.1.80:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Connection close;
        proxy_set_header X-Real-IP $remote_addr;
        # Comment the below line if there is already an upstream reverse proxy server that is setting the actual client IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Once the configuration is complete, run the commands below to create a symlink to the config file in the sites-enabled directory so that NGINX picks it up (note that this is ln -s, not ls):
cd /etc/nginx/conf/sites-enabled
ln -s ../sites-available/<virtual-host-config-file> .
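As an added example (not the tutorial's own code), the following script performs Step#5 end to end: it renders a server block in the shape of the sample above, installs it under sites-available, links it into sites-enabled with ln -s, and validates the configuration with nginx -t before anything is reloaded. The CONFDIR parameter and the function names are my own; the file paths are the ones used in Steps 4 and 5.

```shell
#!/bin/sh
# Added example, not part of the tutorial: render a NAXSI-protected server block in the
# shape of the Step#5 sample, install it under sites-available, enable it with a symlink
# and validate the whole configuration before the running server is touched.

# render_site_config HOSTNAME UPSTREAM: print the server block. NAXSI is enabled on "/"
# via naxsi.rules, and whitelists are pulled from the naxsi-whitelist directory of Step#4.
render_site_config() {
    host="$1"; upstream="$2"
    cat <<EOF
server {
    listen 80;
    server_name $host;
    set \$naxsi_extensive_log 1;

    location / {
        include /etc/nginx/conf/naxsi.rules;
        include /etc/nginx/conf/naxsi-whitelist/*.rules;
        proxy_pass http://$upstream;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header Connection close;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# enable_site CONFDIR NAME HOSTNAME UPSTREAM: write CONFDIR/sites-available/NAME and link
# it into CONFDIR/sites-enabled (ln -s, not ls -s). CONFDIR is /etc/nginx/conf in the
# tutorial; it is a parameter here (my assumption) so the function can be tried against
# a scratch directory first.
enable_site() {
    confdir="$1"; name="$2"
    mkdir -p "$confdir/sites-available" "$confdir/sites-enabled"
    render_site_config "$3" "$4" > "$confdir/sites-available/$name"
    ln -sf "../sites-available/$name" "$confdir/sites-enabled/$name"
}

# validate_config CONFDIR: run the parser over the full tree; only reload after this passes.
# Assumes the nginx binary built in Step#3 is on PATH via the /usr/sbin/nginx symlink.
validate_config() {
    nginx -t -c "$1/nginx.conf"
}
```

Call enable_site /etc/nginx/conf mysite.conf '*.example.com' '127.0.1.80:8000' followed by validate_config /etc/nginx/conf on the server; the scratch-directory form is useful for checking the rendered block before touching the live tree.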
Conclusion:
With all the above steps done, we are ready to deploy our web application in an alert-only mode: NAXSI starts scanning incoming web requests and generating events, and initially it will generate a lot of them.
In the upcoming second part, I shall provide detailed steps on how to set up the logging for NGINX and NAXSI using Elasticsearch.
As always I say:
Keep Defending!