
Anyone using naxsi with nginx?

Discussion in 'Server Configuration and Hosting' started by Floren, May 31, 2012.

  1. Floren

    Floren Well-Known Member

    A week ago I finished the new nginx packages for CentOS/Redhat that support naxsi. This is a very sweet addition to nginx; I have no idea how I missed that product. So far, only Axivo offers the firewall packages for CentOS/Redhat. :)
    Right now, I have 4 packages created:
    • nginx-common.x86_64 - nginx common config files, logs, init scripts, etc.
    • nginx.x86_64 - nginx binary with all modules enabled
    • nginx-debug.x86_64 - nginx binary with all modules enabled + debug mode
    • nginx-naxsi.x86_64 - nginx binary with all modules enabled + naxsi firewall
    It is very easy to switch between the various setups:
    I did not release them to the public as I'm still testing everything internally. So far, I'm using the basic firewall rules provided by the naxsi team. I'm also in the process of writing the missing CentOS 5 packages needed for the sweet naxsi UI. Once everything is tested, I will post a nice tutorial.

    Example of XenForo naxsi log output errors on one of my dev servers (with default firewall rules):
    Code:
    2012/05/31 00:37:19 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=1&total_blocked=1&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com"
    2012/05/31 00:37:24 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/forums/announcements.4/&total_processed=2&total_blocked=2&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /forums/announcements.4/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/"
    2012/05/31 00:37:25 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=3&total_blocked=3&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/forums/announcements.4/"
    2012/05/31 00:37:32 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/forums/general-discussions.12/&total_processed=4&total_blocked=4&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /forums/general-discussions.12/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/"
    2012/05/31 00:37:34 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=5&total_blocked=5&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/forums/general-discussions.12/"
    2012/05/31 01:10:35 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/forums/pre-sale-inquiries.5/&total_processed=6&total_blocked=6&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /forums/pre-sale-inquiries.5/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/"
    2012/05/31 01:10:36 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/threads/optimization-services.134/&total_processed=7&total_blocked=7&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /threads/optimization-services.134/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/forums/pre-sale-inquiries.5/"
    2012/05/31 01:10:41 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=8&total_blocked=8&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/threads/optimization-services.134/"
    2012/05/31 01:10:42 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/forums/feedback.6/&total_processed=9&total_blocked=9&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /forums/feedback.6/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/"
    2012/05/31 01:10:45 [error] 16094#0: *18 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=10&total_blocked=10&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/forums/feedback.6/"
    I hope more people will adopt naxsi. It is a good product, regardless of the little coding errors they have in their source. The only naxsi version I managed to compile into Nginx 1.2.0 was 0.46-1, while disabling the "warnings as errors" cflag.

    It is a learning curve for me, and if you use nginx on Debian or FreeBSD, you should be aware of it. I'm trying to let the CentOS users taste the added security in nginx, so please share your experiences here. As usual, the Axivo RPMs will be provided for free to everyone using CentOS/Redhat 5/6.

    Edit: It's official, the Axivo RPMs are now released to the public:
    http://www.axivo.com/go/naxsi

    Enjoy. :)
     
  2. Vohn

    Vohn Member

    IMO, based on your example I can decipher the naxsi error and turn it into whitelist rules as follows:
    Whitelist
    Code:
    BasicRule wl:1005 "mz:$URL:/|$HEADERS_VAR:cookie" ;
    BasicRule wl:1010 "mz:$URL:/|$HEADERS_VAR:cookie" ;
    BasicRule wl:1011 "mz:$URL:/|$HEADERS_VAR:cookie" ;
    BasicRule wl:1315 "mz:$URL:/|$HEADERS_VAR:cookie" ;
    
    Those ids are referenced from naxsi_core.rules :
    Code:
    MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
    MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
    MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
    MainRule "rx:%[2|3]."  "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
    
     
  3. Floren

    Floren Well-Known Member

    Hi Vohn, welcome to the party. :)
    For reference, I'm posting the standard rules provided by naxsi.

    /etc/nginx/naxsi.rules
    Code:
    LearningMode;
    SecRulesEnabled;
    #SecRulesDisabled;
    DeniedUrl "/RequestDenied";
     
    ## check rules
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    /etc/nginx/naxsi_core.rules
    Code:
    ##################################
    ## INTERNAL RULES IDS:1-10      ##
    ##################################
    #weird_request : 1
    #big_body : 2
    #no_content_type : 3
     
    #MainRule "str:123FREETEXT" "msg:learning test pattern"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:BLOCK" id:0;
     
    ##################################
    ## SQL Injections IDs:1000-1099 ##
    ##################################
    MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
    MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
    MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
    ## Hardcore rules
    MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
    MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
    MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
    MainRule "rx:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
    ## end of hardcore rules
    MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
    MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
    MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
    MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
    MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
    MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
    MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
    MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
     
    ###############################
    ## OBVIOUS RFI IDs:1100-1199 ##
    ###############################
    MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
    MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
    MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
    MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
     
    #######################################
    ## Directory traversal IDs:1200-1299 ##
    #######################################                                     
    MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
    MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
    MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
    MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
    MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
    #MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
     
    ########################################
    ## Cross Site Scripting IDs:1300-1399 ##
    ########################################
    MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
    MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
    MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
    MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
    MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
    MainRule "str:`"  "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
    MainRule "rx:%[2|3]."  "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
     
    ####################################
    ## Evading tricks IDs: 1400-1500 ##
    ####################################
    MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
    MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
    MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402;
     
    #############################
    ## File uploads: 1500-1600 ##
    #############################
    MainRule "rx:.ph*|.asp*" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
    What do you do with the above rules you posted? Do you remove them?
    I see all the rule IDs you mentioned being present in the core rules... Hey, I'm a newbie. :)
     
  4. Vohn

    Vohn Member

    I am also a newbie, so don't worry :). About naxsi_core.rules: it acts as the standard set of points to act upon, except where we exclude some or many of them with whitelisted rules. You can't delete any of the contents inside naxsi_core.rules, as that would invalidate any omitted references from the whitelisted rules.

    AFAIK the problem with naxsi, in exchange for being faster than mod_security, is that it doesn't support regex in its rules, so we have problems with dynamic URIs, for example:
    Code:
    BasicRule wl:1001 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
    BasicRule wl:1008 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
    BasicRule wl:1009 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
    BasicRule wl:1015 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
    BasicRule wl:1016 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
    BasicRule wl:1302 "mz:$URL:/threads/dynamic-content/add-reply|$BODY_VAR:message_html";
    BasicRule wl:1001 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
    BasicRule wl:1008 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
    BasicRule wl:1009 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
    BasicRule wl:1015 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
    BasicRule wl:1016 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
    BasicRule wl:1302 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
    BasicRule wl:1303 "mz:$URL:/posts/7/save-inline|$BODY_VAR:message_html";
    BasicRule wl:1100 "mz:$URL:/posts/7/save-inline|$BODY_VAR:_xfrelativeresolver";
    
    and so on, so we need to use nginx's per-location rule assignment.
    For example, my location blocks inside the nginx "server" block, based on my current observation:
    Code:
    location ~* ^/forums/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.forums.rules";
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~* ^/threads/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.threads.rules";
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~* ^/posts/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.posts.rules";
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~* ^/reports/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.reports.rules";
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~* ^/inline-mod/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.inlinemod.rules";
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~* ^/profile-posts/[^/]+/ {
        include "/usr/local/etc/nginx/naxsi/domain.com.profileposts.rules";
        try_files $uri $uri/ /index.php?$uri&$args;
    }
    
    So instead of the above, in domain.com.threads.rules:
    Code:
    BasicRule wl:1001 "mz:$URL:add-reply|$BODY_VAR:message_html";
    BasicRule wl:1008 "mz:$URL:add-reply|$BODY_VAR:message_html";
    BasicRule wl:1009 "mz:$URL:add-reply|$BODY_VAR:message_html";
    BasicRule wl:1015 "mz:$URL:add-reply|$BODY_VAR:message_html";
    BasicRule wl:1016 "mz:$URL:add-reply|$BODY_VAR:message_html";
    BasicRule wl:1302 "mz:$URL:add-reply|$BODY_VAR:message_html";
    
    To save the hassle, to generate the whitelisted rules automatically you need to use contrib/naxsi-ui/nx_extract.py & ./nx_intercept.py.
    Run both with:
    Code:
    python contrib/naxsi-ui/nx_extract.py /path/to/naxsi-ui.conf
    python contrib/naxsi-ui/nx_intercept.py -c /path/to/naxsi-ui.conf
    
    Example naxsi-ui.conf
    Code:
    [mysql]
    username=naxsi
    password=password
    hostname=10.2.2.2
    dbname=naxsi
    [nx_extract]
    port = 8081
    rules_path=/usr/local/etc/nginx/naxsi_core.rules
    #rules_path=/usr/local/etc/nginx/naxsi/luminousify.com.posts.rules
    username = admin
    password = password
    [nx_intercept]
    port=4242
    
    And don't forget to include the following in your nginx server block:
    Code:
    location /RequestDenied {
        allow your_ip;
        #deny all;
        proxy_pass http://localhost:4242; # the port assignment needs to match nx_intercept
    }
    
    Then browse to http://server_ip:8081 (the naxsi web interface), browse around the forums, perform all the possible actions that users & admins do, then go back to the naxsi web interface and generate the rules; there you need to rewrite the rules as in the examples above.

    BTW, there are still problems with some rules, for example for attachment uploads:
    Code:
    BasicRule wl:1310 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
    BasicRule wl:1311 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:content_data[thread_id]" ;
    BasicRule wl:1500 "mz:$URL:/attachments/do-upload.json|$BODY_VAR:upload" ; --> this one works
     
    NAXSI_FMT: ip=ommited&server=domain.com&uri=/attachments/do-upload.json&total_processed=3&total_blocked=1&
    zone0=BODY|NAME&id0=1310&var_name0=content_data[thread_id]
    zone1=BODY|NAME&id1=1311&var_name1=content_data[thread_id]
    
    As per the BasicRule guidelines there is no such thing as a BODY|NAME parameter, so it looks like a bug (I have reported it), or do you have any idea?

    I have planned to write a guide on naxsi, but I'm going to sleep first :coffee:.

    Is anyone else interested in this? As maintaining the rules is by nature quite tedious and cumbersome, I think it would be good if we made a repo so it would be easy to version and share them.
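To make the decoding Vohn did by hand in post 2 repeatable, here is an added example (not code from this thread, and not naxsi's own nx_extract.py) that parses NAXSI_FMT error-log lines into BasicRule whitelists, either pinned to the logged URI or global. It assumes the zoneN/idN/var_nameN layout shown in this thread, and writes a "ZONE|NAME" hit (the BODY|NAME case just reported) as a trailing "|NAME" in the match zone, which is the syntax later naxsi releases document; the sample log lines are constructed.

```python
"""Generate naxsi BasicRule whitelists from NAXSI_FMT nginx error-log lines.

Added example: not code from this thread or from naxsi's own nx_extract.py.
Assumes the zoneN/idN/var_nameN layout shown in the thread, and (assumption)
that a "ZONE|NAME" hit is whitelisted with a trailing "|NAME", as later naxsi
releases document.
"""
import re

# Constructed sample lines, modelled on the ones posted in this thread.
SAMPLE_LOG = """\
2012/05/31 00:37:19 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/&total_processed=1&total_blocked=1&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET / HTTP/1.1", host: "hermes.axivo.com"
2012/05/31 00:37:24 [error] 16094#0: *1 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/forums/announcements.4/&total_processed=2&total_blocked=2&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /forums/announcements.4/ HTTP/1.1", host: "hermes.axivo.com"
2012/05/31 00:40:02 [error] 16094#0: *3 NAXSI_FMT: ip=192.168.1.1&server=domain.com&uri=/attachments/do-upload.json&total_processed=3&total_blocked=1&zone0=BODY|NAME&id0=1310&var_name0=content_data[thread_id]&zone1=BODY|NAME&id1=1311&var_name1=content_data[thread_id], client: 192.168.1.1, server: domain.com, request: "POST /attachments/do-upload.json HTTP/1.1", host: "domain.com"
2012/05/31 00:41:00 [error] 16094#0: *4 open() "/var/www/missing" failed (2: No such file or directory)
"""

# Zone names as naxsi logs them -> the per-variable match-zone prefix.
ZONE_VAR = {"HEADERS": "$HEADERS_VAR", "ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR"}

NAXSI_FMT = re.compile(r"NAXSI_FMT: (.*?)(?:, client:|$)")


def parse_naxsi_fmt(line):
    """Return the NAXSI_FMT key/value pairs of one error-log line, or None."""
    m = NAXSI_FMT.search(line)
    if not m:
        return None
    fields = {}
    for pair in m.group(1).split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def matches(fields):
    """Yield (rule_id, zone, var_name) for every zoneN/idN/var_nameN triplet."""
    n = 0
    while "zone%d" % n in fields:
        yield (int(fields["id%d" % n]), fields["zone%d" % n],
               fields.get("var_name%d" % n, ""))
        n += 1


def match_zone(zone, var_name, url=None):
    """Build the mz:... string for a BasicRule whitelist.

    "BODY|NAME" means the rule matched the variable *name*; written here as
    "$BODY_VAR:name|NAME" (assumption: syntax of later naxsi releases).
    """
    base_zone, _, name_flag = zone.partition("|")
    if var_name:
        mz = "%s:%s" % (ZONE_VAR.get(base_zone, base_zone), var_name)
    else:
        mz = base_zone  # e.g. a URL-zone hit carries no variable name
    if name_flag:
        mz += "|" + name_flag
    if url is not None:
        mz = "$URL:%s|%s" % (url, mz)
    return mz


def whitelist_rules(log_text, scope_to_url=True):
    """Return deduplicated BasicRule lines for every NAXSI_FMT hit in log_text.

    scope_to_url=True pins each rule to the URI it was logged on; use False
    for hits that recur on every page (the cookie header above), which would
    otherwise produce one rule per page.
    """
    rules = []
    for line in log_text.splitlines():
        fields = parse_naxsi_fmt(line)
        if not fields:
            continue
        url = fields.get("uri") if scope_to_url else None
        for rule_id, zone, var_name in matches(fields):
            rule = 'BasicRule wl:%d "mz:%s";' % (rule_id, match_zone(zone, var_name, url))
            if rule not in rules:
                rules.append(rule)
    return rules


if __name__ == "__main__":
    print("# per-URL whitelist")
    print("\n".join(whitelist_rules(SAMPLE_LOG)))
    print("# global whitelist (the cookie hits collapse to four rules)")
    print("\n".join(whitelist_rules(SAMPLE_LOG, scope_to_url=False)))
```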
     
  5. Floren

    Floren Well-Known Member

    I see. BTW, you can clean up the config like this:
    Code:
    location / {
    	try_files $uri $uri/ /index.php?$uri&$args;
    }
    
    location /forums/ {
    	include /etc/nginx/domain.com.forums.rules;
    }
    
    location /threads/ {
    	include /etc/nginx/domain.com.threads.rules;
    }
    ...
     
  6. Floren

    Floren Well-Known Member

    Weird, I can upload images fine:

    IMG_31052012_031346.png

    Let me check the logs and see what error I get...
    Edit: Did I miss something in the compile? I see the error but I can post the attachment fine:
    Code:
    2012/05/31 03:12:11 [error] 12487#0: *24 NAXSI_FMT: ip=192.168.1.1&server=hermes.axivo.com&uri=/attachments/grid-jpg.63/&total_processed=16&total_blocked=16&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie, client: 192.168.1.1, server: hermes.axivo.com, request: "GET /attachments/grid-jpg.63/ HTTP/1.1", host: "hermes.axivo.com", referrer: "http://hermes.axivo.com/threads/test-thread.176/"
    What happens to you when you try to post an attachment, do you get an nginx error?
     
  7. Vohn

    Vohn Member

    I am not sure the dynamic URI detected by naxsi would be a proper plain /add-reply; if the URI returned from nginx is /forums/threads-title/add-reply, it won't match the add-reply rules, which is the point of the regex for matching dynamically generated URIs in future. For production you need to comment in LearningMode; and restart nginx.
     
  8. Floren

    Floren Well-Known Member

    I am already in LearningMode. :)
    What I need to know is: What is happening if naxsi blocks an action in XenForo. Do you see a nginx error page?

    Edit: Doh, you meant to comment LearningMode.
    Let me try it and see how broken everything is... :ROFLMAO:

    So far, most of the stuff works except viewing/adding attachments:

    IMG_31052012_033104.png

    Hours of fun ahead, LOL.
     
  9. Vohn

    Vohn Member

    What I meant is comment it in as #LearningMode to disable learning mode, as in learning mode you practically don't enable naxsi, it only logs the attempts; and yes, it should show up as NAXSI_FMT in your nginx error log for your server block. Well, it will be a headache for sure :cool:.
     
  10. Floren

    Floren Well-Known Member

    See my edited post above. :)
    BTW, I use no fancy rules and I can post/edit a thread fine, without special rules and with LearningMode disabled.
    What naxsi version do you use? I run 0.46-1 now. I hope you run 0.45, which would explain the separate rules you created for each canonical link type.
     
  11. Vohn

    Vohn Member

    Nope, I'm also on 0.46-1. I think you haven't included the rules include for all location & php processing matches:
    Code:
     
    location / {
        root /local/www;
        include "/usr/local/etc/nginx/naxsi/domain.com.rules";
        #Xenforo Rewrite Rules
        try_files $uri $uri/ /index.php?$uri&$args;
        index index.php index.html index.htm;
    }

    location ~ \.php$ {
        root /local/www;
        include "/usr/local/etc/nginx/naxsi/domain.com.rules";
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_pass backend;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        include /usr/local/etc/nginx/fastcgi_params;
        fastcgi_ignore_client_abort off;
    }
     
    

    My domain.com.rules, as opposed to your naxsi.rules:
    Code:
     
     
    #LearningMode;
    SecRulesEnabled;
    #SecRulesDisabled;
    DeniedUrl "/RequestDenied";
     
    #include "/usr/local/etc/nginx/naxsi/naxsi.rules";
     
    ## check rules
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
     
    More whitelisted below for uri /
    

    If you do it right without any further whitelisting rules, it won't work. As I need to underline again, naxsi is using hashtables, so the matching of any of the variables inside the BasicRule quotes is fixed/strict: line by line, it needs to be the exact match of the written whitelist:
    Code:
    BasicRule wl:ID [mz:[$URL:target_url]|[match_zone]|[$ARGS_VAR:varname]|[$BODY_VARS:varname]|[$HEADERS_VAR:varname]]
    
    These canonical solutions are directly proposed by the naxsi author, as he further explained, as I did above.

    BTW, the work on my bug report has already begun, as he has confirmed the rules generator bugs I reported.
     
  12. Floren

    Floren Well-Known Member

    You are right, I forgot to add the naxsi.rules file into .php location. Now, everything is pretty much broken. :)

    IMG_31052012_174845.png
     
  13. Floren

    Floren Well-Known Member

    Vohn, can you give me an example of how to insert the COOKIE whitelist into naxsi_core.rules?
    I'm going to use an include for that, but I just need to understand how everything works. I did not have time to look at the documentation; I'm working on the missing CentOS 5 rpm's for naxsi UI.
     
  14. Vohn

    Vohn Member

    I am using these, pre-generated from the generator:
    Code:
    BasicRule wl:1315 "mz:$HEADERS_VAR:cookie";
    BasicRule wl:1015 "mz:$BODY_VAR:_xftoken";
    BasicRule wl:1015 "mz:$ARGS_VAR:_xftoken";
    BasicRule wl:1015 "mz:$URL:/css.php|$ARGS_VAR:css";
    
     
  15. Floren

    Floren Well-Known Member

    Thanks Vohn. I finished all the CentOS 5 rpm dependencies for naxsi UI:
    • python-fpconst-0.7.3-1.el5.noarch.rpm
    • python-hashlib-20081119-1.el5.x86_64.rpm
    • python-setuptools-0.6.27-1.el5.noarch.rpm
    • python-twisted-core-8.2.0-1.el5.x86_64.rpm
    • python-twisted-core-doc-8.2.0-1.el5.x86_64.rpm
    • python-twisted-core-zsh-8.2.0-1.el5.x86_64.rpm
    • python-twisted-web-8.2.0-1.el5.x86_64.rpm
    • python-zope-filesystem-1.0.0-1.el5.x86_64.rpm
    • python-zope-interface-3.8.0-1.el5.x86_64.rpm
    • SOAPpy-0.11.6-1.el5.noarch.rpm
    Now, I need to build a service wrapper for the learning daemons. In the source, I see 2 config files, both looking like:
    Code:
    [nx_extract]
    username = naxsi_web
    password = test
    port = 8081
    rules_path = /usr/local/nginx/sec-rules/core.rules
    [nx_intercept]
    port = 8080
    [mysql]
    username = root
    password =
    hostname = 127.0.0.1
    dbname = naxsi_sig
    The nx_extract section has a username and password related to what? Is this a web login for the protected UI area?
    I presume this is where the learned rules are saved:
    /usr/local/nginx/sec-rules/core.rules

    Thanks.
     
  16. Floren

    Floren Well-Known Member

    Anyone good with Python who could help fix the bugs in the UI scripts?
    Code:
    Traceback (most recent call last):
      File "nx_intercept.py", line 6, in ?
        from nx_parser import signature_parser
      File "/usr/share/nginx/naxsi-ui/nx_parser.py", line 142
        str(capture_id), datetime.now() if date is None else date, str(match_id)))
    Removing the IF solves that issue, but I get a new error:
    Code:
    Filling database with %s. ALL PREVIOUS CONTENT WILL BE DROPPED !!!!!
    Done.
    Traceback (most recent call last):
      File "nx_intercept.py", line 162, in ?
        exit(42)
    TypeError: 'str' object is not callable
    I reported the issues, but I would rather not wait for a reply if you have a fix. :)
    I'm waiting on that before I can release the RPMs to the public. I would appreciate your help; the UI is the most important part for generating the proper rules for your site.

    Vohn, you run naxsi on what platform, Debian?
     
  17. Vohn

    Vohn Member

    Yes, the username & password variables relate to the nx web UI login credentials. Hmm, I don't have that python trouble on 2.7.3, maybe you could give that version a try?

    I am on FreeBSD 9 stable; I am still waiting for the bugs in the generator to be fixed before launching my site. BTW, you could get faster support on the naxsi mailing list.
     
  18. Floren

    Floren Well-Known Member

    I'm revisiting this thread as I finally fixed the python issues and compiled the RPMs for CentOS 6.
    I have the forums in the root directory. What did you add to your nginx config file for the server block?
    Technically, I have set only the RequestDenied location, based on the naxsi tutorial:
    Code:
    http {
    	...
    	include				/etc/nginx/naxsi_core.rules;
    	...
    
    	server {
    		listen			192.168.1.7:80 default_server;
    		server_name		apollo.axivo.com;
    		...
    
    		location / {
    			try_files	$uri $uri/ /index.php?$uri&$args;
    			include		naxsi.rules;
    		}
    
    		location /RequestDenied {
    			proxy_pass	http://192.168.1.7:8080;    
    		}
    
    		location ~ \.php$ {
    			fastcgi_pass	fastcgi;
    			include		fastcgi.conf;
    			include		naxsi.rules;
    		}
    		...
    	}
    }
    Do I need anything else? When I try to access the UI on apollo.axivo.com:8081 nothing happens. I even tried 192.168.1.7:8081, same result.
    Both intercept and extract daemons run properly:
    Those are wrappers which execute the actual python commands as daemons.
    The naxsi-ui.conf file:
    Code:
    [mysql]
    username	= root
    password	= somepass
    hostname	= 127.0.0.1
    dbname		= naxsi
    
    [nx_extract]
    username	= Floren
    password	= somepass
    port		= 8081
    rules_path	= /etc/nginx/naxsi.rules
    
    [nx_intercept]
    port		= 8080
    I htpasswd-protect the site, so Naxsi needs the web user Floren to access it.
     
  19. Floren

    Floren Well-Known Member

    Do you know if this is fixed in the 0.47 version?
    I now run 0.47 on nginx and the database is getting populated properly. Yet for some reason, I cannot access 192.168.1.7:8081 even though python is listening on the proper ports:
    Code:
    # netstat -tulpn | grep :80
    tcp        0      0 0.0.0.0:8080                0.0.0.0:*                  LISTEN      22293/python
    tcp        0      0 192.168.1.7:80              0.0.0.0:*                  LISTEN      22202/nginx
    tcp        0      0 0.0.0.0:8081                0.0.0.0:*                  LISTEN      22296/python
     
  20. Vohn

    Vohn Member

    Sorry, I was away because of my relocation. Anyway, you should add the allowed IP in the RequestDenied block:
    Code:
    location /RequestDenied {
        allow all;
        allow ip;
        #deny all;
        proxy_pass http://localhost:4242;
    }
    
    I haven't had the chance to test it out again, as I have some problems with my ISP blocking remote ports higher than 10,000; hopefully I will try again soon and share the results with you.
     
