{"id":1882,"date":"2019-01-23T23:41:42","date_gmt":"2019-01-23T20:41:42","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1882"},"modified":"2024-03-11T22:01:53","modified_gmt":"2024-03-11T19:01:53","slug":"install-and-configure-naxsi-nginx-waf-on-ubuntu-18-04-lts","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-naxsi-nginx-waf-on-ubuntu-18-04-lts\/","title":{"rendered":"Install and Configure NAXSI Nginx WAF on Ubuntu 18.04 LTS"},"content":{"rendered":"\n

Welcome to our guide on how to install and configure NAXSI Nginx WAF on Ubuntu 18.04 LTS.<\/p>\n\n\n


NAXSI is an acronym for Nginx Anti XSS and SQL injection. It is an open-source, high-performance, low-rules-maintenance web application firewall (WAF) module for NGINX. Unlike other WAFs that rely on signatures to detect and prevent web attacks such as SQLi and XSS, Naxsi looks for unexpected characters in HTTP GET and POST requests. To achieve this, it uses simple rules that contain 99% of the known patterns involved in web vulnerabilities.<\/span><\/p>\n\n\n\n

Installing NAXSI Nginx WAF on Ubuntu 18.04 LTS<\/h2>\n\n\n\n

Install Nginx-Naxsi on Ubuntu 18.04 LTS<\/h3>\n\n\n\n

Update and upgrade your system packages;<\/p>\n\n\n\n

apt update\napt upgrade<\/code><\/pre>\n\n\n\n

Install the required dependencies.<\/p>\n\n\n\n

apt install libpcre3-dev libssl-dev unzip build-essential daemon libxml2-dev libxslt1-dev libgd-dev libgeoip-dev<\/code><\/pre>\n\n\n\n

This guide assumes that this is a totally new Nginx deployment. Since the Nginx-Naxsi package is not available in the default Ubuntu 18.04 repositories, you have to download and compile both Nginx and Naxsi from source.<\/p>\n\n\n\n

Download the latest sources of Nginx from here<\/a>. You can simply obtain the link and pull it with wget<\/code> as shown below;<\/p>\n\n\n\n

wget http:\/\/nginx.org\/download\/nginx-1.15.8.tar.gz<\/code><\/pre>\n\n\n\n

Extract the source code;<\/p>\n\n\n\n

tar xzf nginx-1.15.8.tar.gz<\/code><\/pre>\n\n\n\n

Download and unzip Naxsi.<\/p>\n\n\n\n

wget https:\/\/github.com\/nbs-system\/naxsi\/archive\/master.zip<\/code><\/pre>\n\n\n\n
unzip master.zip<\/code><\/pre>\n\n\n\n

Configure Nginx for Naxsi support<\/h3>\n\n\n\n

Navigate to Nginx source directory and run the configure<\/code> script to prepare Nginx for compilation as shown below;<\/p>\n\n\n\n

cd nginx-1.15.8<\/code><\/pre>\n\n\n\n
\n.\/configure \\\n--conf-path=\/etc\/nginx\/nginx.conf \\\n--add-module=..\/naxsi-master\/naxsi_src\/ \\\n--error-log-path=\/var\/log\/nginx\/error.log \\\n--http-client-body-temp-path=\/var\/lib\/nginx\/body \\\n--http-fastcgi-temp-path=\/var\/lib\/nginx\/fastcgi \\\n--http-log-path=\/var\/log\/nginx\/access.log \\\n--http-proxy-temp-path=\/var\/lib\/nginx\/proxy \\\n--lock-path=\/var\/lock\/nginx.lock \\\n--pid-path=\/var\/run\/nginx.pid \\\n--user=www-data \\\n--group=www-data \\\n--with-http_ssl_module \\\n--without-mail_pop3_module \\\n--without-mail_smtp_module \\\n--without-mail_imap_module \\\n--without-http_uwsgi_module \\\n--without-http_scgi_module \\\n--prefix=\/usr\n<\/code><\/pre>\n\n\n\n

If all is well, you should be able to see the configuration summary;<\/p>\n\n\n\n

\n...\ncreating objs\/Makefile\n\nConfiguration summary\n  + using system PCRE library\n  + using system OpenSSL library\n  + using system zlib library\n\n  nginx path prefix: \"\/usr\"\n  nginx binary file: \"\/usr\/sbin\/nginx\"\n  nginx modules path: \"\/usr\/modules\"\n  nginx configuration prefix: \"\/etc\/nginx\"\n  nginx configuration file: \"\/etc\/nginx\/nginx.conf\"\n  nginx pid file: \"\/var\/run\/nginx.pid\"\n  nginx error log file: \"\/var\/log\/nginx\/error.log\"\n  nginx http access log file: \"\/var\/log\/nginx\/access.log\"\n  nginx http client request body temporary files: \"\/var\/lib\/nginx\/body\"\n  nginx http proxy temporary files: \"\/var\/lib\/nginx\/proxy\"\n  nginx http fastcgi temporary files: \"\/var\/lib\/nginx\/fastcgi\"\n<\/code><\/pre>\n\n\n\n

The above command generates a Makefile<\/code> that can be used to compile Nginx. The compilation is done using the make<\/code> command.<\/p>\n\n\n\n

make<\/code><\/pre>\n\n\n\n

Once the compilation is done, run the install script.<\/p>\n\n\n\n

make install<\/code><\/pre>\n\n\n\n

Once the installation is complete, create the Nginx dynamic data library directories.<\/p>\n\n\n\n

mkdir -p \/var\/lib\/nginx\/{body,fastcgi}<\/code><\/pre>\n\n\n\n

Configuring Nginx NAXSI<\/h3>\n\n\n\n

To begin with, copy the Naxsi core rules, naxsi_core.rules<\/code>, to the Nginx configuration directory. The core rules form the base of the WAF.<\/p>\n\n\n\n

cp ~\/naxsi-master\/naxsi_config\/naxsi_core.rules \/etc\/nginx\/<\/code><\/pre>\n\n\n\n

Now that the rules are in place, you need to enable them on a per-location basis. You can also define the different types of attacks that Naxsi should block.<\/p>\n\n\n\n

vim \/etc\/nginx\/naxsi.rules<\/code><\/pre>\n\n\n\n
\nSecRulesEnabled;\nDeniedUrl \"\/RequestDenied\";\n\n## Check Naxsi rules\nCheckRule \"$SQL >= 8\" BLOCK;\nCheckRule \"$RFI >= 8\" BLOCK;\nCheckRule \"$TRAVERSAL >= 4\" BLOCK;\nCheckRule \"$EVADE >= 4\" BLOCK;\nCheckRule \"$XSS >= 8\" BLOCK;\n<\/code><\/pre>\n\n\n\n
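
The CheckRule thresholds above act on scores that individual pattern rules add up per request, so the following added example (not from the original guide or the NAXSI project) models that scoring in Python. The rule list, its scores and the sample requests are constructed assumptions, and counting each rule once per argument value is a simplification.

```python
import re

# Constructed rules in the spirit of NAXSI's pattern -> score design. They are
# NOT the contents of naxsi_core.rules; patterns and scores are illustrative.
RULES = [
    (re.compile(r"select|union|update|delete|insert|drop", re.I), {"$SQL": 4}),
    (re.compile(r"'"), {"$SQL": 4, "$XSS": 8}),
    (re.compile(r"--"), {"$SQL": 4}),
    (re.compile(r"<"), {"$XSS": 8}),
    (re.compile(r"\.\."), {"$TRAVERSAL": 4}),
    (re.compile(r"https?://", re.I), {"$RFI": 8}),
]

# Thresholds copied from the CheckRule lines in /etc/nginx/naxsi.rules above.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}


def score_request(args):
    """Sum rule scores over every argument value of one request.

    Simplification: a rule counts once per value it matches.
    """
    scores = dict.fromkeys(CHECK_RULES, 0)
    for value in args.values():
        for pattern, weights in RULES:
            if pattern.search(value):
                for counter, points in weights.items():
                    scores[counter] += points
    return scores


def evaluate(args):
    """Return (action, tripped counters, scores) for one request."""
    scores = score_request(args)
    tripped = sorted(c for c, limit in CHECK_RULES.items() if scores[c] >= limit)
    return ("BLOCK" if tripped else "PASS"), tripped, scores


if __name__ == "__main__":
    # Constructed sample requests (argument name -> value).
    samples = [
        {"q": "ubuntu nginx"},
        {"q": "update notes"},          # one keyword: $SQL = 4, below 8
        {"name": "O'Brien"},            # legitimate input that still trips $XSS
        {"id": "1' union select 1--"},
    ]
    for args in samples:
        print(args, *evaluate(args))
```

The `O'Brien` request shows a legitimate value reaching a blocking threshold, which is the kind of false positive to check for before relying on BLOCK for a location.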