How to install NAXSI Web Application Firewall on Centos7
Installation of NAXSI Web Application Firewall on Centos7
Web Application Firewall
A web application firewall is a client-server software program that resides on the web server (server side) and runs on the client side (client browser).
Why use a web application firewall?
Consider how a web server is usually protected from attacks: a simple firewall application looks only at the source IP and destination port.
But an attack on a server may come from anywhere and by any means, and in that scenario the traditional firewall is not a good option.
That is where a web application firewall comes in, because HTTP attacks cannot be handled at that level by a simple traditional firewall.
Naxsi Web application Firewall
NAXSI means Nginx Anti XSS & SQL Injection. ... Being very simple, those patterns may match legitimate queries; it is the NAXSI administrator's duty to add specific rules that will whitelist legitimate behaviours. NAXSI does not have 'rules'. It will just "score" strange characters in user content. When the request reaches a critical score, the request will be denied.
Installation
Then install required dependent packages
[root@linuxhelp ~]# yum install -y perl perl-devel perl-ExtUtils-Embed libxslt libxslt-devel libxml2 libxml2-devel gd gd-devel GeoIP GeoIP-devel
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.excellmedia.net
* epel: del-repos.extreme-ix.org
* extras: mirrors.nhanhoa.com
* updates: centos.excellmedia.net
Package 4:perl-5.16.3-292.el7.x86_64 already installed and latest version
Package libxslt-1.1.28-5.el7.x86_64 already installed and latest version
Package libxml2-2.9.1-6.el7_2.3.x86_64 already installed and latest version
Package gd-2.0.35-26.el7.x86_64 already installed and latest version
Package GeoIP-1.5.0-11.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package GeoIP-devel.x86_64 0:1.5.0-11.el7 will be installed
.
.
.
.
systemtap-sdt-devel.x86_64 0:3.2-8.el7_5
xorg-x11-proto-devel.noarch 0:7.7-20.el7
xz-devel.x86_64 0:5.2.2-1.el7
zlib-devel.x86_64 0:1.2.7-17.el7
Dependency Updated:
libdb.x86_64 0:5.3.21-24.el7 libdb-utils.x86_64 0:5.3.21-24.el7
Complete!
Now download the latest stable nginx version with the wget command. The latest stable version of nginx is 1.14.0.
[root@linuxhelp ~]# wget https://nginx.org/download/nginx-1.14.0.tar.gz
--2018-09-01 10:14:56-- https://nginx.org/download/nginx-1.14.0.tar.gz
Resolving nginx.org (nginx.org)... 95.211.80.227, 206.251.255.63, 2606:7100:1:69::3f, ...
Connecting to nginx.org (nginx.org)|95.211.80.227|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1016272 (992K) [application/octet-stream]
Saving to: ‘nginx-1.14.0.tar.gz’
100%[======================================>] 1,016,272 163KB/s in 9.1s
2018-09-01 10:15:07 (109 KB/s) - ‘nginx-1.14.0.tar.gz’ saved [1016272/1016272]
Now extract the package by using the following command
[root@linuxhelp ~]# tar -xzf nginx-1.14.0.tar.gz
Similarly, download PCRE, zlib and OpenSSL and extract them from their archives
PCRE
[root@linuxhelp ~]# wget https://ftp.pcre.org/pub/pcre/pcre-8.40.tar.gz && tar xzf pcre-8.40.tar.gz
--2018-09-01 10:15:38-- https://ftp.pcre.org/pub/pcre/pcre-8.40.tar.gz
Resolving ftp.pcre.org (ftp.pcre.org)... 131.111.8.88
Connecting to ftp.pcre.org (ftp.pcre.org)|131.111.8.88|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2065161 (2.0M) [application/x-gunzip]
Saving to: ‘pcre-8.40.tar.gz’
100%[===================================================================================================================================================>] 2,065,161 885KB/s in 2.3s
2018-09-01 10:15:42 (885 KB/s) - ‘pcre-8.40.tar.gz’ saved [2065161/2065161]
ZLIB
[root@linuxhelp ~]# wget https://www.zlib.net/zlib-1.2.11.tar.gz && tar xzf zlib-1.2.11.tar.gz
--2018-09-01 10:16:08-- https://www.zlib.net/zlib-1.2.11.tar.gz
Resolving www.zlib.net (www.zlib.net)... 68.66.224.164
Connecting to www.zlib.net (www.zlib.net)|68.66.224.164|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 607698 (593K) [application/x-gzip]
Saving to: ‘zlib-1.2.11.tar.gz’
100%[===================================================================================================================================================>] 607,698 280KB/s in 2.1s
2018-09-01 10:16:12 (280 KB/s) - ‘zlib-1.2.11.tar.gz’ saved [607698/607698]
Openssl
[root@linuxhelp ~]# wget https://www.openssl.org/source/openssl-1.1.0f.tar.gz && tar xzf openssl-1.1.0f.tar.gz
--2018-09-01 10:16:30-- https://www.openssl.org/source/openssl-1.1.0f.tar.gz
Resolving www.openssl.org (www.openssl.org)... 23.206.207.115, 2600:1417:73:1a0::c1e, 2600:1417:73:196::c1e
Connecting to www.openssl.org (www.openssl.org)|23.206.207.115|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5278176 (5.0M) [application/x-gzip]
Saving to: ‘openssl-1.1.0f.tar.gz’
100%[===================================================================================================================================================>] 5,278,176 603KB/s in 14s
2018-09-01 10:16:45 (359 KB/s) - ‘openssl-1.1.0f.tar.gz’ saved [5278176/5278176]
Naxsi
[root@linuxhelp ~]# wget https://github.com/nbs-system/naxsi/archive/master.zip
--2018-09-01 15:21:25-- https://github.com/nbs-system/naxsi/archive/master.zip
Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112
Connecting to github.com (github.com)|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/nbs-system/naxsi/zip/master [following]
--2018-09-01 15:21:26-- https://codeload.github.com/nbs-system/naxsi/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.253.121, 192.30.253.120
Connecting to codeload.github.com (codeload.github.com)|192.30.253.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’
[ <=> ] 233,218 197KB/s in 1.2s
2018-09-01 15:21:29 (197 KB/s) - ‘master.zip’ saved [233218]
Extract the package by using the following command
[root@linuxhelp ~]# unzip master.zip
Archive: master.zip
f2380e7d0cda3e451446914dcf71cb149d4b494e
creating: naxsi-master/
extracting: naxsi-master/.gitattributes
inflating: naxsi-master/.travis.yml
inflating: naxsi-master/LICENSE
inflating: naxsi-master/README.md
creating: naxsi-master/naxsi_config/
inflating: naxsi-master/naxsi_config/naxsi_core.rules
creating: naxsi-master/naxsi_src/
.
.
.
inflating: naxsi-master/t/fuzz/mini-json-post
extracting: naxsi-master/t/fuzz/mini-ko-get
inflating: naxsi-master/t/fuzz/mini-multipart-post
extracting: naxsi-master/t/fuzz/mini-ok-get
inflating: naxsi-master/t/fuzz/mini-unknown-CT-post
inflating: naxsi-master/t/fuzz/mini-urlencded-post-2
inflating: naxsi-master/t/fuzz/mini-urlencoded-post
inflating: naxsi-master/t/fuzz/small-multipart-post
Next run configure with prefix, modules, dependent packages, location, configuration file location and so on
[root@linuxhelp nginx-1.14.0]# ./configure --prefix=/etc/nginx \
> --sbin-path=/usr/sbin/nginx \
> --modules-path=/usr/lib64/nginx/modules \
> --conf-path=/etc/nginx/nginx.conf \
> --error-log-path=/var/log/nginx/error.log \
> --pid-path=/var/run/nginx.pid \
> --lock-path=/var/run/nginx.lock \
> --user=nginx \
> --add-module=../naxsi-master/naxsi_src --group=nginx \
> --build=CentOS \
> --builddir=nginx-1.14.0 \
> --with-select_module \
> --with-poll_module \
> --with-threads \
> --with-file-aio \
> --with-http_ssl_module \
> --with-http_v2_module \
> --with-http_realip_module \
> --with-http_addition_module \
> --with-http_xslt_module=dynamic \
> --with-http_image_filter_module=dynamic \
> --with-http_geoip_module=dynamic \
> --with-http_sub_module \
> --with-http_dav_module \
> --with-http_flv_module \
> --with-http_mp4_module \
> --with-http_gunzip_module \
> --with-http_gzip_static_module \
> --with-http_auth_request_module \
> --with-http_random_index_module \
> --with-http_secure_link_module \
> --with-http_degradation_module \
> --with-http_slice_module \
> --with-http_stub_status_module \
> --http-log-path=/var/log/nginx/access.log \
> --http-client-body-temp-path=/var/cache/nginx/client_temp \
> --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
> --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
> --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
> --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
> --with-mail=dynamic \
> --with-mail_ssl_module \
> --with-stream=dynamic \
> --with-stream_ssl_module \
> --with-stream_realip_module \
> --with-stream_geoip_module=dynamic \
> --with-stream_ssl_preread_module \
> --with-compat \
> --with-pcre=../pcre-8.40 \
> --with-pcre-jit \
> --with-zlib=../zlib-1.2.11 \
> --with-openssl=../openssl-1.1.0f \
> --with-openssl-opt=no-nextprotoneg \
> --with-debug
.
.
.
.
Configuration summary
+ using threads
+ using PCRE library: ../pcre-8.40
+ using OpenSSL library: ../openssl-1.1.0f
+ using zlib library: ../zlib-1.2.11
nginx path prefix: "/etc/nginx"
nginx binary file: "/usr/sbin/nginx"
nginx modules path: "/usr/lib64/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/var/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/cache/nginx/client_temp"
nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
nginx http uwsgi temporary files: "/var/cache/nginx/uwsgi_temp"
nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"
Next compile and install by using the following command
[root@linuxhelp nginx-1.14.0]# make
make -f nginx-1.14.0/Makefile
make[1]: Entering directory `/root/nginx-1.14.0'
cd ../pcre-8.40 \
&& if [ -f Makefile ]; then make distclean; fi \
&& CC="cc" CFLAGS="-O2 -fomit-frame-pointer -pipe " \
./configure --disable-shared --enable-jit
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for style of include used by make... GNU
checking for gcc... cc
checking whether the C compiler works... yes
.
.
.
.
nginx-1.14.0/src/stream/ngx_stream_upstream_least_conn_module.o \
nginx-1.14.0/src/stream/ngx_stream_upstream_zone_module.o \
nginx-1.14.0/src/stream/ngx_stream_ssl_preread_module.o \
nginx-1.14.0/ngx_stream_module_modules.o \
-shared
sed -e "s|PREFIX|/etc/nginx|" \
-e "s|PID_PATH|/var/run/nginx.pid|" \
-e "s|CONF_PATH|/etc/nginx/nginx.conf|" \
-e "s|ERROR_LOG_PATH|/var/log/nginx/error.log|" \
< man/nginx.8 > nginx-1.14.0/nginx.8
make[1]: Leaving directory `/root/nginx-1.14.0'
Finally run make install to complete with your installation procedure
[root@linuxhelp nginx-1.14.0]# make install
make -f nginx-1.14.0/Makefile install
make[1]: Entering directory `/root/nginx-1.14.0'
test -d '/etc/nginx' || mkdir -p '/etc/nginx'
test -d '/usr/sbin' \
|| mkdir -p '/usr/sbin'
test ! -f '/usr/sbin/nginx' \
|| mv '/usr/sbin/nginx' \
'/usr/sbin/nginx.old'
cp nginx-1.14.0/nginx '/usr/sbin/nginx'
test -d '/etc/nginx' \
|| mkdir -p '/etc/nginx'
cp conf/koi-win '/etc/nginx'
cp conf/koi-utf '/etc/nginx'
cp conf/win-utf '/etc/nginx'
test -f '/etc/nginx/mime.types' \
|| cp conf/mime.types '/etc/nginx'
cp conf/mime.types '/etc/nginx/mime.types.default'
test -f '/etc/nginx/fastcgi_params' \
|| cp conf/fastcgi_params '/etc/nginx'
cp conf/fastcgi_params \
'/etc/nginx/fastcgi_params.default'
test -f '/etc/nginx/fastcgi.conf' \
|| cp conf/fastcgi.conf '/etc/nginx'
cp conf/fastcgi.conf '/etc/nginx/fastcgi.conf.default'
test -f '/etc/nginx/uwsgi_params' \
|| cp conf/uwsgi_params '/etc/nginx'
.
.
.
.
cp nginx-1.14.0/ngx_mail_module.so '/usr/lib64/nginx/modules/ngx_mail_module.so'
test ! -f '/usr/lib64/nginx/modules/ngx_stream_module.so' \
|| mv '/usr/lib64/nginx/modules/ngx_stream_module.so' \
'/usr/lib64/nginx/modules/ngx_stream_module.so.old'
cp nginx-1.14.0/ngx_stream_module.so '/usr/lib64/nginx/modules/ngx_stream_module.so'
make[1]: Leaving directory `/root/nginx-1.14.0'
Now create a symlink at /etc/nginx/modules that points to the /usr/lib64/nginx/modules directory, so that you can load dynamic modules in the nginx configuration like this: load_module modules/ngx_foo_module.so
[root@linuxhelp nginx-1.14.0]# ln -s /usr/lib64/nginx/modules /etc/nginx/modules
Next move inside /etc/nginx
[root@linuxhelp nginx-1.14.0]# cd /etc/nginx/
[root@linuxhelp nginx]# ls -l
total 68
-rw-r--r-- 1 root root 1077 Sep 1 11:06 fastcgi.conf
-rw-r--r-- 1 root root 1077 Sep 1 11:06 fastcgi.conf.default
-rw-r--r-- 1 root root 1007 Sep 1 11:06 fastcgi_params
-rw-r--r-- 1 root root 1007 Sep 1 11:06 fastcgi_params.default
drwxr-xr-x 2 root root 40 Sep 1 11:06 html
-rw-r--r-- 1 root root 2837 Sep 1 11:06 koi-utf
-rw-r--r-- 1 root root 2223 Sep 1 11:06 koi-win
-rw-r--r-- 1 root root 5170 Sep 1 11:06 mime.types
-rw-r--r-- 1 root root 5170 Sep 1 11:06 mime.types.default
lrwxrwxrwx 1 root root 24 Sep 1 11:08 modules -> /usr/lib64/nginx/modules
-rw-r--r-- 1 root root 2656 Sep 1 11:06 nginx.conf
-rw-r--r-- 1 root root 2656 Sep 1 11:06 nginx.conf.default
-rw-r--r-- 1 root root 636 Sep 1 11:06 scgi_params
-rw-r--r-- 1 root root 636 Sep 1 11:06 scgi_params.default
-rw-r--r-- 1 root root 664 Sep 1 11:06 uwsgi_params
-rw-r--r-- 1 root root 664 Sep 1 11:06 uwsgi_params.default
-rw-r--r-- 1 root root 3610 Sep 1 11:06 win-utf
Move inside html directory which is the default document root for nginx
[root@linuxhelp nginx]# cd html
[root@linuxhelp html]# pwd
/etc/nginx/html
It contains index.html (the default welcome page)
[root@linuxhelp html]# ls -l
total 8
-rw-r--r-- 1 root root 537 Sep 1 15:29 50x.html
-rw-r--r-- 1 root root 612 Sep 1 15:29 index.html
To check installed modules along with the core parameters
[root@linuxhelp nginx]# nginx -V
nginx version: nginx/1.14.0 (CentOS)
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --add-module=../naxsi-master/naxsi_src --group=nginx --build=CentOS --builddir=nginx-1.14.0 --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl=../openssl-1.1.0f --with-openssl-opt=no-nextprotoneg --with-debug
Create the NGINX system user and group
[root@linuxhelp nginx]# useradd --system --home /var/cache/nginx --shell /sbin/nologin --comment "nginx user" --user-group nginx
Next check the nginx configuration by using the following command
[root@linuxhelp nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed
If the above command fails with this error, create the missing cache directory and run the test again:
[root@linuxhelp nginx]# mkdir -p /var/cache/nginx && sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Next, configure the systemd service by creating the unit file
[root@linuxhelp nginx]# vim /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
Reload the systemd daemon, then start and enable your nginx.service
[root@linuxhelp nginx]# systemctl daemon-reload
Starting and enabling it
[root@linuxhelp nginx]# systemctl start nginx
[root@linuxhelp nginx]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
Now check the status of it
[root@linuxhelp nginx]# systemctl status nginx
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2018-09-01 11:14:22 IST; 10s ago
Docs: https://nginx.org/en/docs/
Main PID: 87463 (nginx)
CGroup: /system.slice/nginx.service
├─87463 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
└─87464 nginx: worker process
Sep 01 11:14:22 www.linuxhelp1.com systemd[1]: Starting nginx - high performance web server...
Sep 01 11:14:22 www.linuxhelp1.com nginx[87459]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Sep 01 11:14:22 www.linuxhelp1.com nginx[87459]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Sep 01 11:14:22 www.linuxhelp1.com systemd[1]: Failed to read PID from file /var/run/nginx.pid: Invalid argument
Sep 01 11:14:22 www.linuxhelp1.com systemd[1]: Started nginx - high performance web server.
Navigate to the Naxsi directory
[root@linuxhelp ~]# cd naxsi-master/
[root@linuxhelp naxsi-master]# ls -l
total 44
-rw-r--r-- 1 root root 35141 Aug 28 16:04 LICENSE
drwxr-xr-x 2 root root 30 Aug 28 16:04 naxsi_config
drwxr-xr-x 3 root root 191 Aug 28 16:04 naxsi_src
drwxr-xr-x 5 root root 163 Aug 28 16:04 nxapi
-rw-r--r-- 1 root root 3386 Aug 28 16:04 README.md
drwxr-xr-x 4 root root 4096 Aug 28 16:04 t
Now move inside naxsi_config and view the naxsi core rules
[root@linuxhelp naxsi-master]# cd naxsi_config
[root@linuxhelp naxsi_config]# ls -l
total 8
-rw-r--r-- 1 root root 5798 Aug 28 16:04 naxsi_core.rules
Include this file in the main nginx configuration file (the include line below expects it at /etc/nginx/naxsi_core.rules) and create a server block for a simple configuration
[root@linuxhelp naxsi_config]# vim /etc/nginx/nginx.conf
.
.
.
http {
include /etc/nginx/naxsi_core.rules;
.
.
.
}
server {
listen 80;
server_name www.linuxhelp1.com;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
include /etc/nginx/naxsi.rules;
}
}
.
.
.
}
Save and exit the configuration file. The included /etc/nginx/naxsi.rules is where we customize the NAXSI rules; it is a file we create manually, called "naxsi.rules".
Create a document root location for virtual host
[root@linuxhelp nginx]# mkdir -p /usr/share/nginx/html
[root@linuxhelp nginx]# cd /usr/share/nginx/html
[root@linuxhelp html]# vim index.html
<h1>
Welcome to linuxhelp.com
</h1>
Open custom naxsi rules and add the following
[root@linuxhelp html]# vim /etc/nginx/naxsi.rules
LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied.txt";
##Check & Blocking Rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
Now save and exit, and finally restart your nginx service. First check your web server by placing any text inside its document root location, then access your web interface at http://yourdomain
So now I am adding the ASCII value for < in our URL, as http://yourdomain?a=<
The site keeps working, but check your error log for more information
[root@linuxhelp html]# tailf /var/log/nginx/error.log
This is because your NAXSI WAF is working but is enabled in learning mode in the naxsi rules. If you disable learning mode and make the same request in the web interface, the result will be as follows
[root@linuxhelp html]# vim /etc/nginx/naxsi.rules
#LearningMode; # Disabling learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied.txt";
##Check & Blocking Rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
Save and exit, then restart your nginx service and access the web interface with the same URL, http://yourdomain?a=<
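Before LearningMode is commented out, the entries it wrote to /var/log/nginx/error.log can be reviewed to see which requests will start being denied. The following is an added example, not part of the original tutorial: it parses NAXSI_FMT lines and applies the CheckRule thresholds from naxsi.rules above. The sample log lines are constructed, and the NAXSI_FMT field layout and the function names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Thresholds copied from the CheckRule lines in /etc/nginx/naxsi.rules above.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}

# Constructed sample lines (not captured from a real server). The NAXSI_FMT
# field layout shown here is an assumption about what the module logs.
SAMPLE_LOG = r'''
2018/09/01 11:30:02 [error] 87464#0: *3 NAXSI_FMT: ip=192.0.2.10&server=www.linuxhelp1.com&uri=/&learning=1&vers=0.56&total_processed=3&total_blocked=1&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=a, client: 192.0.2.10, server: www.linuxhelp1.com, request: "GET /?a=< HTTP/1.1", host: "www.linuxhelp1.com"
2018/09/01 11:31:40 [error] 87464#0: *7 NAXSI_FMT: ip=192.0.2.11&server=www.linuxhelp1.com&uri=/search&learning=1&vers=0.56&total_processed=9&total_blocked=2&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1015&var_name0=tags, client: 192.0.2.11, server: www.linuxhelp1.com, request: "GET /search?tags=a,b,c HTTP/1.1", host: "www.linuxhelp1.com"
2018/09/01 11:32:05 [error] 87464#0: *9 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.11, server: www.linuxhelp1.com, request: "GET /favicon.ico HTTP/1.1", host: "www.linuxhelp1.com"
2018/09/01 11:40:12 [error] 87464#0: *12 NAXSI_FMT: ip=192.0.2.10&server=www.linuxhelp1.com&uri=/&learning=0&vers=0.56&total_processed=14&total_blocked=3&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=a, client: 192.0.2.10, server: www.linuxhelp1.com, request: "GET /?a=< HTTP/1.1", host: "www.linuxhelp1.com"
'''

# The key=value payload sits between "NAXSI_FMT: " and nginx's ", client: " suffix.
FMT_RE = re.compile(r"NAXSI_FMT: (?P<fields>\S+?), client: ")


def parse_naxsi_line(line):
    """Return the NAXSI event logged on this error.log line, or None."""
    m = FMT_RE.search(line)
    if not m:
        return None  # ordinary nginx error, not a NAXSI entry
    f = dict(parse_qsl(m.group("fields"), keep_blank_values=True))
    scores, matches = {}, []
    i = 0
    while f"cscore{i}" in f:  # accumulated score per category ($XSS, $SQL, ...)
        scores[f[f"cscore{i}"]] = int(f.get(f"score{i}", "0"))
        i += 1
    i = 0
    while f"id{i}" in f:  # each rule that matched, with zone and variable name
        matches.append((int(f[f"id{i}"]), f.get(f"zone{i}", ""),
                        f.get(f"var_name{i}", "")))
        i += 1
    exceeded = sorted(c for c, s in scores.items()
                      if s >= CHECK_RULES.get(c, float("inf")))
    return {"uri": f.get("uri", ""), "learning": f.get("learning") == "1",
            "scores": scores, "exceeded": exceeded, "matches": matches}


def pending_blocks(log_text):
    """Count (rule id, zone, variable) matches on requests that were only
    logged under LearningMode and reach a CheckRule threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_naxsi_line(line)
        if ev and ev["learning"] and ev["exceeded"]:
            hits.update(ev["matches"])
    return hits


if __name__ == "__main__":
    for (rule_id, zone, var), n in pending_blocks(SAMPLE_LOG).most_common():
        print(f"rule {rule_id} in {zone} variable '{var}': {n} request(s) "
              "would be denied with LearningMode off")
```

Each reported match is either a request the WAF should deny or legitimate traffic that needs a whitelist rule before learning mode is disabled.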
With this, the method to install NAXSI Web Application Firewall on CentOS 7 comes to an end.