Naxsi模块的集成,是基于Nginx已经部署了或已经存在系统中。
第一步:下载naxsi
|
1
|
[qiang@localhost home]$ wget http:
//naxsi
.googlecode.com
/files/naxsi-core-0
.51-1.tgz
|
注:如果不能上网可以事先下载,再上传到服务器中。
第二步:解压naxsi
|
1
|
[qiang@localhost home]$
tar
-zxvf naxsi-core-0.51-1.tgz
|
第三步:切换到naxsi-core-0.51-1目录,并复制其配置文件到nginx.conf同目录下
|
1
|
[qiang@localhost naxsi_config]$
cp
naxsi_core.rules
/etc/nginx/naxsi_core
.rules
|
修改naxsi_core.rules的配置如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
##################################
## INTERNAL RULES IDS:1-999 ##
##################################
#@MainRule "msg:weird request, unable to parse" id:1;
#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
#@MainRule "msg:invalid hex encoding, null bytes" id:10;
#@MainRule "msg:unknown content-type" id:11;
#@MainRule "msg:invalid formatted url" id:12;
#@MainRule "msg:invalid POST format" id:13;
#@MainRule "msg:invalid POST boundary" id:14;
##################################
## SQL Injections IDs:1000-1099 ##
##################################
MainRule
"rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop"
"msg:sql keywords"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$SQL:8"
id
:1000;
MainRule
"str:\""
"msg:double quote"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$SQL:8,$XSS:8"
id
:1001;
MainRule
"str:0x"
"msg:0x, possible hex encoding"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$SQL:2"
id
:1002;
## Hardcore rules
MainRule
"str:/*"
"msg:mysql comment (/*)"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$SQL:8"
id
:1003;
MainRule
"str:*/"
"msg:mysql comment (*/)"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$SQL:8"
id
:1004;
MainRule
"str:|"
"msg:mysql keyword (|)"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$SQL:8"
id
:1005;
##MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
## end of hardcore rules
MainRule
"str:--"
"msg:mysql comment (--)"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$SQL:4"
id
:1007;
MainRule
"str:;"
"msg:; in stuff"
"mz:BODY|URL|ARGS"
"s:$SQL:4,$XSS:8"
id
:1008;
MainRule
"str:="
"msg:equal in var, probable sql/xss"
"mz:ARGS|BODY"
"s:$SQL:2"
id
:1009;
##MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
##MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule
"str:'"
"msg:simple quote"
"mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie"
"s:$SQL:4,$XSS:8"
id
:1013;
MainRule
"str:,"
"msg:, in stuff"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$SQL:4"
id
:1015;
MainRule
"str:#"
"msg:mysql comment (#)"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$SQL:4"
id
:1016;
###############################
## OBVIOUS RFI IDs:1100-1199 ##
###############################
MainRule
"str:http://"
"msg:http:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1100;
MainRule
"str:https://"
"msg:https:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1101;
MainRule
"str:ftp://"
"msg:ftp:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1102;
MainRule
"str:php://"
"msg:php:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1103;
MainRule
"str:sftp://"
"msg:sftp:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1104;
MainRule
"str:zlib://"
"msg:zlib:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1105;
MainRule
"str:data://"
"msg:data:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1106;
MainRule
"str:glob://"
"msg:glob:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1107;
MainRule
"str:phar://"
"msg:phar:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1108;
MainRule
"str:file://"
"msg:file:// scheme"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$RFI:8"
id
:1109;
#######################################
## Directory traversal IDs:1200-1299 ##
#######################################
MainRule
"str:.."
"msg:double dot"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$TRAVERSAL:4"
id
:1200;
MainRule
"str:/etc/passwd"
"msg:obvious probe"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$TRAVERSAL:4"
id
:1202;
MainRule
"str:c:\\"
"msg:obvious windows path"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$TRAVERSAL:4"
id
:1203;
MainRule
"str:cmd.exe"
"msg:obvious probe"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$TRAVERSAL:4"
id
:1204;
MainRule
"str:\\"
"msg:backslash"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$TRAVERSAL:4"
id
:1205;
MainRule
"str:/"
"msg:slash in args"
"mz:ARGS|BODY|$HEADERS_VAR:Cookie"
"s:$TRAVERSAL:2"
id
:1206;
########################################
## Cross Site Scripting IDs:1300-1399 ##
########################################
MainRule
"str:<"
"msg:html open tag"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$XSS:8"
id
:1302;
MainRule
"str:>"
"msg:html close tag"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$XSS:8"
id
:1303;
MainRule
"str:["
"msg:[, possible js"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$XSS:4"
id
:1310;
MainRule
"str:]"
"msg:], possible js"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$XSS:4"
id
:1311;
MainRule
"str:~"
"msg:~ character"
"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie"
"s:$XSS:4"
id
:1312;
MainRule
"str:`"
"msg:grave accent !"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$XSS:8"
id
:1314;
MainRule
"rx:%[2|3]."
"msg:double encoding !"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$XSS:8"
id
:1315;
MainRule
"rx:%3[c|e]."
"msg:double encoding !"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$XSS:8"
id
:1316;
MainRule
"rx:\\\u003[c|e]"
"msg:tag encoding !"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$XSS:8"
id
:1317;
MainRule
"str:&#"
"msg: utf7/8 encoding"
"mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$EVADE:4"
id
:1318;
####################################
## Evading tricks IDs: 1400-1500 ##
####################################
MainRule
"str:&#"
"msg: utf7/8 encoding"
"mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie"
"s:$EVADE:4"
id
:1400;
MainRule
"str:%U"
"msg: M$ encoding"
"mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie"
"s:$EVADE:4"
id
:1401;
MainRule negative
"rx:multipart/form-data|application/x-www-form-urlencoded"
"msg:Content is neither mulipart/x-www-form.."
"mz:$HEADERS_VAR:Content-type"
"s:$EVADE:4"
id
:1402;
#############################
## File uploads: 1500-1600 ##
#############################
MainRule
"rx:.ph|.asp|.ht"
"msg:asp/php file upload!"
"mz:FILE_EXT"
"s:$UPLOAD:8"
id
:1500;
MainRule
"rx:.jsp"
"msg:asp/php file upload!"
"mz:FILE_EXT"
"s:$UPLOAD:8"
id
:1501;
MainRule
"rx:.html"
"msg:asp/php file upload!"
"mz:FILE_EXT"
"s:$UPLOAD:8"
id
:1502;
MainRule
"rx:.php"
"msg:asp/php file upload!"
"mz:FILE_EXT"
"s:$UPLOAD:8"
id
:1503;
|
注:(1)nginx.conf所有的目录是在nginx编译安装时,默认的配置是<prefix>/conf/nginx.conf。
(2)鉴于原有的naxsi_core.rules文件中规则不足,最好是采用本文档中的配置规则。
第四步:编译安装Nginx
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
[qiang@localhost nginx-1.5.7]
#./configure --prefix=/usr
--sbin-path=
/usr/sbin/nginx
--conf-path=
/etc/nginx/nginx
.conf
--add-module=
/home/naxsi-core-0
.51-1
/naxsi_src
--error-log-path=
/var/log/nginx/error
.log
--pid-path=
/var/run/nginx/nginx
.pid
--user=root
--group=root
--with-http_ssl_module
--with-http_flv_module
--with-http_gzip_static_module
--http-log-path=
/var/log/nginx/access
.log
--http-client-body-temp-path=
/var/tmp/nginx/client
--http-proxy-temp-path=
/var/tmp/nginx/proxy
--http-fastcgi-temp-path=
/var/tmp/nginx/fcgi
--with-http_stub_status_module
[root@localhost nginx-1.5.7]
# make && make install
|
注:上述的参数可以根据实际情况选择,但是标红的需要有。
第五步:验证nginx是否安装成功
|
1
2
3
4
5
6
7
8
9
|
[qiang@localhost nginx-1.5.7]
# nginx
nginx: [warn] low address bits of 192.168.1.65
/26
are meaningless
in
/etc/nginx/nginx
.conf:78
[qiang@localhost nginx-1.5.7]
# ps -ef |grep nginx
root 3086 1 0 10:53 ? 00:00:00 nginx: master process nginx
root 3087 3086 1 10:53 ? 00:00:00 nginx: worker process
root 3088 3086 1 10:53 ? 00:00:00 nginx: worker process
root 3089 3086 1 10:53 ? 00:00:00 nginx: worker process
root 3090 3086 1 10:53 ? 00:00:00 nginx: worker process
root 3093 3073 4 10:53 pts
/1
00:00:00
grep
nginx
|
第六步:配置过滤条件
切换目录到与nginx.conf同目录下,新建nbs.rules文件。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
[qiang@localhost nginx]
# vim nbs.rules
##LearningMode;
#Enables learning mode--stop
SecRulesEnabled;
##Disables learning
##SecRulesDisabled;
DeniedUrl
"/RequestDenied"
;
## check rules
CheckRule
"$SQL >= 8"
BLOCK;
CheckRule
"$RFI >= 8"
BLOCK;
CheckRule
"$TRAVERSAL >= 8"
BLOCK;
CheckRule
"$EVADE >= 8"
BLOCK;
CheckRule
"$XSS >= 8"
BLOCK;
############################################################
## STOP ALL RULES(如果不需要可以关闭全部过滤规则) ##
############################################################
#BasicRule wl:0;
##################################
## INTERNAL RULES IDS:1-999 ##
##################################
BasicRule wl:1,2,10,11,12,13,14;
##################################
## SQL Injections IDs:1000-1099 ##
##################################
BasicRule wl:1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1011,1012,1013,1014,1015,1016;
###############################
## OBVIOUS RFI IDs:1100-1199 ##
###############################
BasicRule wl:1100,1101,1102,1103,1104,1105,1106,1107,1108,1109;
#######################################
## Directory traversal IDs:1200-1299 ##
#######################################
BasicRule wl:1200,1202,1203,1204,1205,1206;
########################################
## Cross Site Scripting IDs:1300-1399 ##
########################################
BasicRule wl:1310,1311,1312,1313,1314,1315,1318;
####################################
## Evading tricks IDs: 1400-1500 ##
####################################
BasicRule wl:1400,1401,1402;
#############################
## File uploads: 1500-1600 ##
#############################
BasicRule wl:1500,1501,1502,1503;
|
注:该nbs.rules文件的规则需要根据不同的业务应用制定。
第七步:配置nginx.conf
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
http {
include naxsi_core.rules;
include mime.types;
default_type application
/octet-stream
;
.......
server {
listen 80;
server_name localhost centoshost.com;
charset utf-8;
.......
location
/wavsep/
{
.......
include nbs.rules;
.......
}
location
/RequestDenied
{
error_page 404
/404
.html;
}
|
第九步:重启nginx
|
1
2
3
4
5
6
|
[qiang@localhost nginx]
# nginx -t -c /etc/nginx/nginx.conf
nginx: [warn] low address bits of 192.168.1.65
/26
are meaningless
in
/etc/nginx/nginx
.conf:78
nginx: the configuration
file
/etc/nginx/nginx
.conf syntax is ok
nginx: configuration
file
/etc/nginx/nginx
.conf
test
is successful
[qiang@localhost nginx]
# nginx -s reload
nginx: [warn] low address bits of 192.168.1.65
/26
are meaningless
in
/etc/nginx/nginx
.conf:78
|
第十步:测试拦截规则是否启用
上述的规则仅过滤“<”、“>”和SQL的一些关键字(select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|waitfor)。
版权声明:原创作品,如需转载,请与作者联系。否则将追究法律责任
本文转自 梦朝思夕 51CTO博客,原文链接:http://blog.51cto.com/qiangmzsx/1380566
