• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Anyone using naxsi with nginx?

Floren

Well-known member
#1
I finished a week ago the new nginx packages for CentOS/Redhat that support naxsi. This is a very sweet addition to nginx, I have no idea how I missed that product. So far, only Axivo offers the firewall packages for CentOS/Redhat. :)
# yum --enablerepo=axivodev list nginx*
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirror.ubiquityservers.com
* extras: mirror.science.uottawa.ca
* updates: yum.singlehop.com
Installed Packages
nginx-common.x86_64 1.2.0-1.el5 installed
nginx-naxsi.x86_64 1.2.0-1.el5 installed
Available Packages
nginx.x86_64 1.2.0-1.el5 axivodev
nginx-debug.x86_64 1.2.0-1.el5 axivodev
Right now, I have 4 packages created:
  • nginx-common.x86_64 - nginx common config files, logs, init scripts, etc.
  • nginx.x86_64 - nginx binary with all modules enabled
  • nginx-debug.x86_64 - nginx binary with all modules enabled + debug mode
  • nginx-naxsi.x86_64 - nginx binary with all modules enabled + naxsi firewall
It is very easy to switch on between various setups:
# yum --enablerepo=axivodev remove nginx-naxsi
# yum --enablerepo=axivodev install nginx
I did not released them to public as I'm still testing everything internally. So far, I'm using the basic firewall rules provided by naxsi team. I'm also in the process of writing the missing CentOS 5 packages needed for the sweet naxsi UI. Once everything is tested, I will post a nice tutorial.

Example of XenForo naxsi log output errors on one of my dev servers (with default firewall rules):
Code:
2012/05/31 00:37:19 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=1&total_blocked=1&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com"
2012/05/31 00:37:24 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/forums/announcements.4/&total_processed=2&total_blocked=2&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /forums/announcements.4/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/"
2012/05/31 00:37:25 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=3&total_blocked=3&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/forums/announcements.4/"
2012/05/31 00:37:32 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/forums/general-discussions.12/&total_processed=4&total_blocked=4&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /forums/general-discussions.12/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/"
2012/05/31 00:37:34 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=5&total_blocked=5&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/forums/general-discussions.12/"
2012/05/31 01:10:35 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/forums/pre-sale-inquiries.5/&total_processed=6&total_blocked=6&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /forums/pre-sale-inquiries.5/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/"
2012/05/31 01:10:36 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/threads/optimization-services.134/&total_processed=7&total_blocked=7&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /threads/optimization-services.134/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/forums/pre-sale-inquiries.5/"
2012/05/31 01:10:41 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=8&total_blocked=8&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/threads/optimization-services.134/"
2012/05/31 01:10:42 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/forums/feedback.6/&total_processed=9&total_blocked=9&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /forums/feedback.6/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/"
2012/05/31 01:10:45 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=10&total_blocked=10&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/forums/feedback.6/"
I hope more people will adopt naxsi. It is a good product, regardless the little coding errors they have in their source. The only naxsi version I managed to compile into Nginx 1.2.0 was 0.46-1, while disabling the "warnings as errors" cflag.

It is a learning curve for me and if you use nginx on Debian or FreeBSD, you should be aware of it. I'm trying to let the CentOS users taste the added security into nginx, so please share your experiences here. As usual, the Axivo RPM's will be provided for free to everyone using CentOS/Redhat 5/6.

Edit: Is official, the Axivo RPM's are now released to public:
http://www.axivo.com/go/naxsi

Enjoy. :)
 
#2
Imo based on your example i can decipher naxsi error and make it a whitelist rules as:
2012/05/31 00:37:19 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=1&total_blocked=1&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com"
Whitelist
Code:
BasicRule wl:1005 "mz:$URL:/|$HEADERS_VAR:cookie" ;
BasicRule wl:1010 "mz:$URL:/|$HEADERS_VAR:cookie" ;
BasicRule wl:1011 "mz:$URL:/|$HEADERS_VAR:cookie" ;
BasicRule wl:1315 "mz:$URL:/|$HEADERS _VAR:cookie" ;
Those ids are referenced from naxsi_core.rules :
Code:
MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "rx:%[2|3]."  "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
 

Floren

Well-known member
#3
Hi Vohn, welcome to the party. :)
For reference, I'm posting the standard rules provided by naxsi.

/etc/nginx/naxsi.rules
Code:
LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
 
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
/etc/nginx/naxsi_core.rules
Code:
##################################
## INTERNAL RULES IDS:1-10      ##
##################################
#weird_request : 1
#big_body : 2
#no_content_type : 3
 
#MainRule "str:123FREETEXT" "msg:learning test pattern"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:BLOCK" id:0;
 
##################################
## SQL Injections IDs:1000-1099 ##
##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
## Hardcore rules
MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
MainRule "rx:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
## end of hardcore rules
MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
 
###############################
## OBVIOUS RFI IDs:1100-1199 ##
###############################
MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
 
#######################################
## Directory traversal IDs:1200-1299 ##
#######################################                                     
MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
 
########################################
## Cross Site Scripting IDs:1300-1399 ##
########################################
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
MainRule "str:`"  "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
MainRule "rx:%[2|3]."  "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
 
####################################
## Evading tricks IDs: 1400-1500 ##
####################################
MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402;
 
#############################
## File uploads: 1500-1600 ##
#############################
MainRule "rx:.ph*|.asp*" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
What do you do with the above rules you posted? You remove them?
I see all the rule id's you mentioned being present into core rules... Hey, I'm a newbie. :)
 
#4
I am also a newbie so don't worry :), about the naxsi_core.rules it act as standard points to act upon on, in exception we excluding some or many of whitelisted rules. you cann't delete any of contents inside the naxsi_core.rules as it will invalidated any omitted references from the whilelisted rules.

Afaik the problem with naxsi in exchange of more speedy than mod security is, it doesn't support regex in it's rules, so we have problems for dynamic uri for example :
Code:
BasicRule wl:1001 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
BasicRule wl:1008 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
BasicRule wl:1009 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
BasicRule wl:1015 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
BasicRule wl:1016 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
BasicRule wl:1302 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
BasicRule wl:1001 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
BasicRule wl:1008 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
BasicRule wl:1009 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
BasicRule wl:1015 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
BasicRule wl:1016 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
BasicRule wl:1302 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
BasicRule wl:1303 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
BasicRule wl:1100 "mz:$URL:/posts/7/save-inline|$BODY_VAR:_xfrelativeresolver";
and so on, so we need to use the nginx per-location rules assignment
for examples my location tags inside nginx "server" tag based on my current observation:
Code:
location ~* ^/forums/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.forums.rules";
                try_files $uri $uri/ /index.php?$uri&$args;
        }
 
        location ~* ^/threads/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.threads.rules";
                try_files $uri $uri/ /index.php?$uri&$args;
        }
 
        location ~* ^/posts/[^/]+/ {
                include "/usr/local/etc/nginx/naxsi/domain.com.posts.rules";
                try_files $uri $uri/ /index.php?$uri&$args;                           
        }
 
        location ~* ^/reports/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.reports.rules";
                try_files $uri $uri/ /index.php?$uri&$args;
        }
 
        location ~* ^/inline-mod/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.inlinemod.rules";
                try_files $uri $uri/ /index.php?$uri&$args;
        }
 
        location ~* ^/profile-posts/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.profileposts.rules";
                try_files $uri $uri/ /index.php?$uri&$args;
        }
So instead above on the domain.com.threads.rules :
Code:
BasicRule wl:1001 "mz:$URL:add-reply|$BODY_VAR:message_html";
BasicRule wl:1008 "mz:$URL:add-reply|$BODY_VAR:message_html";
BasicRule wl:1009 "mz:$URL:add-reply|$BODY_VAR:message_html";
BasicRule wl:1015 "mz:$URL:add-reply|$BODY_VAR:message_html";
BasicRule wl:1016 "mz:$URL:add-reply|$BODY_VAR:message_html";
BasicRule wl:1302 "mz:$URL:add-reply|$BODY_VAR:message_html";
To save the hassle to automatically generated white-listed rules you need to use contrib/naxsi-ui/nx_extract.py & ./nx_intercept.py
run both with
Code:
python contrib/naxsi-ui/nx_extract.py /path/to/naxsi-ui.conf
python contrib/naxsi-ui/nx_intercept.py -c /path/to/naxsi-ui.conf
Example naxsi-ui.conf
Code:
[mysql]
username=naxsi
password=password
hostname=10.2.2.2
dbname=naxsi
[nx_extract]
port = 8081
rules_path=/usr/local/etc/nginx/naxsi_core.rules
#rules_path=/usr/local/etc/nginx/naxsi/luminousify.com.posts.rules
username = admin
password = password
[nx_intercept]
port=4242
And don't forget in your nginx server tags to includes the following :
Code:
        location /RequestDenied {
        allow your_ip;
        #deny all;
        proxy_pass http://localhost:4242; //the port assignment needs to match nx_intercept
        }
And browse to http://server_ip:8081 (naxsi web interfaces), browse around the forums, make all possible actions that users & admin do, and go back to naxsi web interfaces and generate rules, in there you need to rewrite the rules as above examples.

Btw there is still problems with some rules for example for attachment uploads
Code:
BasicRule wl:1310 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
BasicRule wl:1311 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
BasicRule wl:1500 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:upload" ; --> this one works
 
NAXSI_FMT: ip=ommited&server=domain.com&uri=/attachments/do-upload.json&total_processed=3&total_blocked=1&
zone0=BODY|NAME&id0=1310&var_name0=content_data[thread_id]
zone1=BODY|NAME&id1=1311&var_name1=content_data[thread_id]
As per BasicRule guidelines there is no such things as BODY|NAME parameter, so looks like a bugs ( i have reported it) or do you have any idea?.

I have planned to write some guide on naxsi, and going to sleep first :coffee:.

Do any other peoples interested in these ? , as the nature of this is quite tedious and cumbersome to maintain the rules i think it will be good if we make a repo so it would be easy to versioning and sharing.
 

Floren

Well-known member
#5
I see. BTW, you can cleanup the config like that:
Code:
location / {
	try_files $uri $uri/ /index.php?$uri&$args;
}

location /forums/ {
	include /etc/nginx/domain.com.forums.rules;
}

location /threads/ {
	include /etc/nginx/domain.com.threads.rules;
}
...
 

Floren

Well-known member
#6
Btw there is still problems with some rules for example for attachment uploads
Code:
BasicRule wl:1310 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
BasicRule wl:1311 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
BasicRule wl:1500 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:upload" ; --> this one works
 
NAXSI_FMT: ip=ommited&server=domain.com&uri=/attachments/do-upload.json&total_processed=3&total_blocked=1&
zone0=BODY|NAME&id0=1310&var_name0=content_data[thread_id]
zone1=BODY|NAME&id1=1311&var_name1=content_data[thread_id]
Weird, I can upload fine images:

IMG_31052012_031346.png

Let me check the logs and see what error I get...
Edit: Did I missed something into compile? I see the error but I can post fine the attachment:
Code:
2012/05/31 03:12:11 [error] 12487#0: *24 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/attachments/grid-jpg.63/&total_processed=16&total_blocked=16&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /attachments/grid-jpg.63/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/threads/test-thread.176/"
What is happening to you when you try to post an attachment, do you get an nginx error?
 
#7
I am not sure if the dynamic uri that are detected by naxsi would be proper plain /add-reply, if the uri returned from nginx as /forums/threads-tittle/add-reply, it won't match the rules add-reply, as the point for the regex for the matching dynamic future generated uri. For productions you need to comment in LearningMode; and restart nginx.
 

Floren

Well-known member
#8
I am already in LearningMode. :)
What I need to know is: What is happening if naxsi blocks an action in XenForo. Do you see a nginx error page?

Edit: Doh, you meant to comment LearningMode.
Let me try it and see how broken is everything... :ROFLMAO:

So far, most of the stuff works except viewing/adding attachments:

IMG_31052012_033104.png

Hours of fun ahead, LOL.
 
#9
What i've meant is comment in as #LearningMode to disable learning mode, as in learning practically you don't enable naxsi, only logging the attempts, and yes it should shows up as in your nginx error on your server tag as NAXSI_FMT, well it's will be a headache for sure :cool:.
 

Floren

Well-known member
#10
What i've meant is comment in as #LearningMode to disable learning mode.
See my edited post above. :)
BTW, I use no fancy rules and I can post/edit fine a thread, without special rules and with LearningMode disabled.
What naxsi version you use? I run on 0.46-1 now. I hope you run on 0.45 which would explain the separate rules you created for each canonical link type.
 
#11
Nope i've also on 0.46-1, i think you haven't includes the rules include for all location & php processing matches :
Code:
      location / {
                root  /local/www;
                include "/usr/local/etc/nginx/naxsi/domain.com.rules";
                #Xenforo Rewrite Rules
                try_files $uri $uri/ /index.php?$uri&$args;
                index index.php index.html index.htm;
 
        }
 
        location ~ \.php$ {
                root /local/www;
                include "/usr/local/etc/nginx/naxsi/domain.com.rules";
                fastcgi_split_path_info ^(.+\.php)(.*)$;
                fastcgi_pass  backend;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_script_name;
                include /usr/local/etc/nginx/fastcgi_params;
                fastcgi_ignore_client_abort    off;
        }

my domain.com.rules as oppose to your naxsi.rules
Code:
#LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
 
#include "/usr/local/etc/nginx/naxsi/naxsi.rules";
 
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
 
More whitelisted below for uri /

If you do it right without any further whitelisting rules it won't work , as i need to underline again, naxsi is using hashtables, so the matching for either of any variables inside the BasicRule quotes is fixed/strict line per line needs to be the exact match of the written whitelist :
Code:
BasicRule wl:ID [mz:[$URL:target_url]|[match_zone]|[$ARGS_VAR:varname]|[$BODY_VARS:varname]|[$HEADERS_VAR:varname]]
These canonical solutions is directly proposed from the naxsi author as he is further explained as i was above.

Btw the work for my bug report already been begun as he is confirmed my reported rules generator bugs.
 

Floren

Well-known member
#13
Vohn, can you give me an example how to insert the COOKIE white list into naxsi_core.rules?
I'm going to use an include for that, but I just need to understand how everything works. I did not have time to look at the documentation, I'm working on missing CentOS 5 rpm's for naxsi UI.
 
#14
I am using these , pre-generated from the generator
Code:
BasicRule wl:1315 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1015 "mz:$BODY_VAR:_xftoken";
BasicRule wl:1015 "mz:$ARGS_VAR:_xftoken";
BasicRule wl:1015 "mz:$URL:/css.php|$ARGS_VAR:css";
 

Floren

Well-known member
#15
Thanks Vohn. I finished all CentOS 5 rpm dependencies for naxsi UI:
  • python-fpconst-0.7.3-1.el5.noarch.rpm
  • python-hashlib-20081119-1.el5.x86_64.rpm
  • python-setuptools-0.6.27-1.el5.noarch.rpm
  • python-twisted-core-8.2.0-1.el5.x86_64.rpm
  • python-twisted-core-doc-8.2.0-1.el5.x86_64.rpm
  • python-twisted-core-zsh-8.2.0-1.el5.x86_64.rpm
  • python-twisted-web-8.2.0-1.el5.x86_64.rpm
  • python-zope-filesystem-1.0.0-1.el5.x86_64.rpm
  • python-zope-interface-3.8.0-1.el5.x86_64.rpm
  • SOAPpy-0.11.6-1.el5.noarch.rpm
Now, I need to build a service wrapper for the learning daemons. Into source, I see 2 config files, both looking like:
Code:
[nx_extract]
username = naxsi_web
password = test
port = 8081
rules_path = /usr/local/nginx/sec-rules/core.rules
[nx_intercept]
port = 8080
[mysql]
username = root
password =
hostname = 127.0.0.1
dbname = naxsi_sig
The nx_extract section has a username and password related to what? Is this a web login for protected UI area?
I presume this is where the learned rules are saved:
/usr/local/nginx/sec-rules/core.rules

Thanks.
 

Floren

Well-known member
#16
Anyone good with Python that could help fix the bugs into UI scripts?
Code:
Traceback (most recent call last):
  File "nx_intercept.py", line 6, in ?
    from nx_parser import signature_parser
  File "/usr/share/nginx/naxsi-ui/nx_parser.py", line 142
    str(capture_id), datetime.now() if date is None else date, str(match_id)))
Removing the IF solves the issue, but I get a new error:
Code:
Filling database with %s. ALL PREVIOUS CONTENT WILL BE DROPPED !!!!!
Done.
Traceback (most recent call last):
  File "nx_intercept.py", line 162, in ?
    exit(42)
TypeError: 'str' object is not callable
I reported the issues, but I would rather not wait for a reply if you have a fix. :)
Waiting on that, before I can release the RPM's to public. I would appreciate your help, the UI is most important part to generate the proper rules for your site.

Vohn, you run naxsi on what platform, Debian?
 
#17
Yes the username & password variables related to nx web ui login credential, hmm i don't have that python trouble on 2.7.3, maybe you could try that version a try?.

I am on freebsd 9 stable, i am still waiting for the bugs in generator to be fixed before launching my site. Btw you could get faster supports on naxsi mailing list .
 

Floren

Well-known member
#18
I'm revisiting this thread as I finally fixed the python issues and compiled the RPM's for CentOS 6.
I have the forums into root directory. What did you added into your nginx config file for the server block?
Technically, I have set only the RequestDenied location, based on naxsi tutorial:
Code:
http {
	...
	include				/etc/nginx/naxsi_core.rules;
	...

	server {
		listen			192.168.1.7:80 default_server;
		server_name		apollo.axivo.com;
		...

		location / {
			try_files	$uri $uri/ /index.php?$uri&$args;
			include		naxsi.rules;
		}

		location /RequestDenied {
			proxy_pass	http://192.168.1.7:8080;    
		}

		location ~ \.php$ {
			fastcgi_pass	fastcgi;
			include		fastcgi.conf;
			include		naxsi.rules;
		}
		...
	}
}
Do I need anything else? When I try to access the UI on apollo.axivo.com:8081 nothing happens. I even tried 192.168.1.7:8081, same result.
Both intercept and extract daemons run properly:
# service naxsi-ui status
naxsi-ui-extract (pid 5238) is running...
naxsi-ui-intercept (pid 5235) is running...
Those are wrappers who execute the actual python commands as daemon.
The naxsi-ui.conf file:
Code:
[mysql]
username	= root
password	= somepass
hostname	= 127.0.0.1
dbname		= naxsi

[nx_extract]
username	= Floren
password	= somepass
port		= 8081
rules_path	= /etc/nginx/naxsi.rules

[nx_intercept]
port		= 8080
I htpasswd protect the site so Naxsi needs the web user Floren to access it.
 

Floren

Well-known member
#19
Btw the work for my bug report already been begun as he is confirmed my reported rules generator bugs.
Do you know if this is fixed into 0.47 version?
I run now 0.47 on nginx and the database is getting populated properly. Yet for some reason, I cannot access 192.168.1.7:8081 even if python is listening on proper ports:
Code:
# netstat -tulpn | grep :80
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                  LISTEN      22293/python
tcp        0      0 192.168.1.7:80              0.0.0.0:*                  LISTEN      22202/nginx
tcp        0      0 0.0.0.0:8081                0.0.0.0:*                  LISTEN      22296/python
 
#20
Sorry i was away because of my relocation, anyway you should add allowed ip in request denied tag :
Code:
        location /RequestDenied {
        allow all;
        allow ip;
        #deny all;
        proxy_pass http://localhost:4242;
        }
I haven't get the chances to test it out again as i have some problems with my isp blocking remote port higher than 10.000, hopefully i will try again soon and share with you the results.