Naxsi模块的集成,是基于Nginx已经部署了或已经存在系统中。
第一步:下载naxsi
[qiang@localhost home]$ wget http://naxsi.googlecode.com/files/naxsi-core-0.51-1.tgz
注:如果不能上网可以事先下载,再上传到服务器中。
第二步:解压naxsi
[qiang@localhost home]$ tar -zxvf naxsi-core-0.51-1.tgz
第三步:切换到naxsi-core-0.51-1目录,并复制其配置文件到nginx.conf同目录下
[qiang@localhost naxsi_config]$ cp naxsi_core.rules /etc/nginx/naxsi_core.rules
修改naxsi_core.rules的配置如下:
################################## ## INTERNAL RULES IDS:1-999 ## ################################## #@MainRule "msg:weird request, unable to parse" id:1; #@MainRule "msg:request too big, stored on disk and not parsed" id:2; #@MainRule "msg:invalid hex encoding, null bytes" id:10; #@MainRule "msg:unknown content-type" id:11; #@MainRule "msg:invalid formatted url" id:12; #@MainRule "msg:invalid POST format" id:13; #@MainRule "msg:invalid POST boundary" id:14; ################################## ## SQL Injections IDs:1000-1099 ## ################################## MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1000; MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001; MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002; ## Hardcore rules MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003; MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004; MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005; ##MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006; ## end of hardcore rules MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007; MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008; MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009; ##MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010; ##MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011; MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013; MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015; MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016; ############################### ## OBVIOUS RFI IDs:1100-1199 ## ############################### MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100; MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101; MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102; MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103; MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104; MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105; MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106; MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107; MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108; MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109; ####################################### ## Directory traversal IDs:1200-1299 ## ####################################### MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200; MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202; MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203; MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204; MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205; MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206; ######################################## ## Cross Site Scripting IDs:1300-1399 ## ######################################## MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302; MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303; MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310; MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311; MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312; MainRule "str:`" "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314; MainRule "rx:%[2|3]." "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315; MainRule "rx:%3[c|e]." "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1316; MainRule "rx:\\\u003[c|e]" "msg:tag encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1317; MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1318; #################################### ## Evading tricks IDs: 1400-1500 ## #################################### MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400; MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401; MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402; ############################# ## File uploads: 1500-1600 ## ############################# MainRule "rx:.ph|.asp|.ht" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500; MainRule "rx:.jsp" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1501; MainRule "rx:.html" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1502; MainRule "rx:.php" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1503;
注:(1)nginx.conf所有的目录是在nginx编译安装时,默认的配置是<prefix>/conf/nginx.conf。
(2)鉴于原有的naxsi_core.rules文件中规则不足,最好是采用本文档中的配置规则。
第四步:编译安装Nginx
[qiang@localhost nginx-1.5.7]#./configure --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --add-module=/home/naxsi-core-0.51-1/naxsi_src --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx/nginx.pid --user=root --group=root --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fcgi --with-http_stub_status_module [root@localhost nginx-1.5.7]# make && make install
注:上述的参数可以根据实际情况选择,但是标红的需要有。
第五步:验证nginx是否安装成功
[qiang@localhost nginx-1.5.7]# nginx nginx: [warn] low address bits of 192.168.1.65/26 are meaningless in /etc/nginx/nginx.conf:78 [qiang@localhost nginx-1.5.7]# ps -ef |grep nginx root 3086 1 0 10:53 ? 00:00:00 nginx: master process nginx root 3087 3086 1 10:53 ? 00:00:00 nginx: worker process root 3088 3086 1 10:53 ? 00:00:00 nginx: worker process root 3089 3086 1 10:53 ? 00:00:00 nginx: worker process root 3090 3086 1 10:53 ? 00:00:00 nginx: worker process root 3093 3073 4 10:53 pts/1 00:00:00 grep nginx
第六步:配置过滤条件
切换目录到与nginx.conf同目录下,新建nbs.rules文件。
[qiang@localhost nginx]# vim nbs.rules ##LearningMode; #Enables learning mode--stop SecRulesEnabled; ##Disables learning ##SecRulesDisabled; DeniedUrl "/RequestDenied"; ## check rules CheckRule "$SQL >= 8" BLOCK; CheckRule "$RFI >= 8" BLOCK; CheckRule "$TRAVERSAL >= 8" BLOCK; CheckRule "$EVADE >= 8" BLOCK; CheckRule "$XSS >= 8" BLOCK; ############################################################ ## STOP ALL RULES(如果不需要可以关闭全部过滤规则) ## ############################################################ #BasicRule wl:0; ################################## ## INTERNAL RULES IDS:1-999 ## ################################## BasicRule wl:1,2,10,11,12,13,14; ################################## ## SQL Injections IDs:1000-1099 ## ################################## BasicRule wl:1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1011,1012,1013,1014,1015,1016; ############################### ## OBVIOUS RFI IDs:1100-1199 ## ############################### BasicRule wl:1100,1101,1102,1103,1104,1105,1106,1107,1108,1109; ####################################### ## Directory traversal IDs:1200-1299 ## ####################################### BasicRule wl:1200,1202,1203,1204,1205,1206; ######################################## ## Cross Site Scripting IDs:1300-1399 ## ######################################## BasicRule wl:1310,1311,1312,1313,1314,1315,1318; #################################### ## Evading tricks IDs: 1400-1500 ## #################################### BasicRule wl:1400,1401,1402; ############################# ## File uploads: 1500-1600 ## ############################# BasicRule wl:1500,1501,1502,1503;
注:该nbs.rules文件的规则需要根据不同的业务应用制定。
第七步:配置nginx.conf
http { include naxsi_core.rules; include mime.types; default_type application/octet-stream; ....... server { listen 80; server_name localhost centoshost.com; charset utf-8; ....... location /wavsep/ { ....... include nbs.rules; ....... } location /RequestDenied { error_page 404 /404.html; }
第九步:重启nginx
[qiang@localhost nginx]# nginx -t -c /etc/nginx/nginx.conf nginx: [warn] low address bits of 192.168.1.65/26 are meaningless in /etc/nginx/nginx.conf:78 nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [qiang@localhost nginx]# nginx -s reload nginx: [warn] low address bits of 192.168.1.65/26 are meaningless in /etc/nginx/nginx.conf:78
第十步:测试拦截规则是否启用
上述的规则仅过滤“<”、“>”和SQL的一些关键字(select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|waitfor)。
本文出自 “梦朝思夕” 博客,转载请与作者联系!