定制轻量高效的WAF Naxsi [一]

2017-09-19 by klion

0x01 关于naxsi
同为开源waf,但跟Modsecurity的不同是,它对nginx的兼容性非常好,而且不依赖现有规则库其实,我们心里都很清楚,单单基于规则库的拦截可能需要经常更新,且容易被绕过,防御起来比较被动,naxsi安装定制都非常简单方便,占用系统资源相对较少,对实际业务的适用性更强[方便的白名单设置],有一定的学习能力,不过,实际测试中貌似暂时只能拦截从get或者post过来的数据,这也是个小遗憾

0x02 依然是拿之前编译好的lnmp环境[具体如何编译配置,请参考博客相关文章]来做演示,我这里先把之前的配置文件备份下,等会儿好直接拿过来用

1	php5.5.38 + mysql-5.5.32 + nginx-1.12.1 + centOS6.8_x64

# netstat -tulnp | grep "80"
# pkill nginx
# cp /usr/local/nginx/conf/nginx.conf ./
# cp /usr/local/nginx/conf/extra/bwapp.conf  ./
# rm -rf /usr/local/nginx*

0x03 下载naxsi,重新编译安装nginx,主要是要把naxsi模块加载进去,这里的nginx直接用的最新版的稳定版本

# git clone https://github.com/nbs-system/naxsi.git
# wget http://nginx.org/download/nginx-1.12.1.tar.gz
# yum install pcre pcre-devel openssl openssl-devel -y
# useradd -s /sbin/nologin -M nginx
# tar xf nginx-1.12.1.tar.gz
# cd nginx-1.12.1
# ./configure --prefix=/usr/local/nginx-1.12.1 --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --with-file-aio --with-http_dav_module --add-module=../naxsi/naxsi_src/
# make && make install
# ln -s /usr/local/nginx-1.12.1/ /usr/local/nginx
# cd /usr/local/nginx/conf/
# mv nginx.conf nginx.conf.bak && egrep -v "^$|#" nginx.conf.bak >> nginx.conf

0x04 在nginx主配置文件中引入naxsi核心规则文件,注意,要放到http段内

# cp /root/naxsi/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/
# vi /usr/local/nginx/conf/nginx.conf
http {
......
    include /usr/local/nginx/conf/naxsi_core.rules;
......
}

先来简单看看naxsi的心脏是个什么样子,抽空我们再来详细说它,这次先混个脸熟,其实,有经验的小伙伴一眼就能看出来了

1	# vi /usr/local/nginx/conf/naxsi_core.rules

0x05 再到指定的server中引入子规则文件,其实,这里纯粹是为了方便,所以才把规则都放到一个文件中,这样当你有很多个server时,只要在server中只需要include一下就好了

# vi /usr/local/nginx/conf/naxsi.rules

SecRulesEnabled;	# 启用naxsi
# LearningMode;		# 是否启用学习模式,只记录,不拦截,方便自己设置白名单
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
error_log /var/log/naxsi_attach.log;

# mkdir /usr/local/nginx/conf/extra
# cp bwapp.conf /usr/local/nginx/conf/extra
# vi -o nginx.conf  /usr/local/nginx/conf/nginx.conf
# vi /usr/local/nginx/conf/extra/bwapp.conf
server{
......
	location ~ .*\.(php|php5)?$ {
        	include  /usr/local/nginx/conf/naxsi.rules;
        	fastcgi_pass 127.0.0.1:9000;
        	fastcgi_index index.php;
        	include fastcgi.conf;
    	}
......
}
# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx