Nginx+Naxsi部署专业级Web应用防火墙

Naxsi简介:

Naxsi是一个开放源代码、高效、低维护规则的Nginx web应用防火墙模块。Naxsi的主要目标是帮助人们加固他们的web应用程序,以抵御SQL注入、跨站脚本、跨域伪造请求、本地和远程文件包含漏洞。

安装配置naxsi模块步骤如下:

一.首先要搭建lnmp环境并添加lua模块:

添加lua模块步骤如下:
1.下载并安装lua模块:
wget http://luajit.org/download/LuaJIT-2.0.1.tar.gz
tar zxvfLuaJIT-2.0.1.tar.gz
cd LuaJIT-2.0.1
make && make install

2.下载ngx_devel_kit 和nginx_lua_module并解压
tar zxvfngx_devel_kit-0.2.19.tar.gz
tar zxvflua-nginx-module-0.9.2.tar.gz

3.进入nginx源码文件夹,编译安装nginx
 a.导入环境变量

export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0

 b.查看nginx的先前的configure配置
/usr/local/webserver/nginx/sbin/nginx -V

nginxversion: nginx/1.2.9
  configurearguments: --user=www --group=www --prefix=/usr/local/webserver/nginx --with-    http_stub_status_module --with-http_ssl_module
 c.重新编译安装nginx:
cd /tools/nginx-1.2.9
./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=/tools/ngx_devel_kit-0.2.19 --add-module=/tools/lua-nginx-module-0.9.2

make -j2
make install

 此时检查nginx配置文件语法会出现错误:
/usr/local/webserver/nginx/sbin/nginx -t

  /usr/local/webserver/nginx/sbin/nginx:error while loading shared libraries:
  libluajit-5.1.so.2: cannot open sharedobject file: No such file or directory

原因是找不到libluajit-5.1.so.2
 解决方法:
find / -name "libluajit-5.1.so.2"

  /usr/local/lib/libluajit-5.1.so.2   
echo "/usr/local/lib" >>/etc/ld.so.conf
ldconfig
/usr/local/webserver/nginx/sbin/nginx -t

  nginx:the configuration file /usr/local/webserver/nginx/conf/nginx.conf syntax is ok
  nginx:configuration file /usr/local/webserver/nginx/conf/nginx.conf test issuccessful
 配置OK。

二.下载naxsi模块:
wget http://naxsi.googlecode.com/files/naxsi-core-0.50.tgz
tar zxvf naxsi-core-0.50.tgz

三.关联naxsi模块:
先查看nginx的原有./configure配置,然后复制后并添加naxsi模块的路径:

cd /tools/nginx-1.2.9
./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=/tools/ngx_devel_kit-0.2.19 --add-module=/tools/lua-nginx-module-0.9.2 --add-module=/tools/naxsi-core-0.50/naxsi_src/

make && make install 

四.配置naxsi模块:
官网说明见:
http://code.google.com/p/naxsi/wiki/Howto#Installing_nginx_+_naxsi
1.将naxsi_config目录下核心配置naxsi_core.rules拷贝到nginx/conf/目录下:

cp /tools/naxsi-core-0.50/naxsi_config/naxsi_core.rules /usr/local/webserver/nginx/conf/

2.在nginx/conf/目录下新建naxsi_nbs.rules文件,用以配置使用;
touch naxsi_nbs.rules

3.配置nginx.conf文件:
user www;
worker_processes  1;
events {
  worker_connections  1024;
}
http {
  include      mime.types;
include/usr/local/webserver/nginx/conf/naxsi_core.rules;
  default_type application/octet-stream;
  sendfile        on;
  keepalive_timeout  65;
  server {
        listen      80;
        server_name  localhost;
        location / {
            root  html;
            index  index.html index.htm;
        }
        error_page  500 502 503 504  /50x.html;
        location = /50x.html {
            root  html;
      }
location /xss {
        include naxsi_nbs.rules;
        include naxsi_BasicRule.conf;
        default_type 'test/plain';
        content_by_lua '
          ngx.say("({\'Test xss ,come inplease!!!\'})");
        ';
        root html;
        }
        location /RequestDenied {
        return 403;
        }
        error_page 403 /403.html;
  }
}

4.配置规则文件naxsi_nbs.rules
#LearningMode; #Enables learningmode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8"BLOCK;
CheckRule "$RFI >= 8"BLOCK;
CheckRule "$TRAVERSAL >=4"
BLOCK; CheckRule "$EVADE >=4" BLOCK;
CheckRule "$XSS >= 8"BLOCK;

5.配置白名单文件naxsi_BasicRule.conf
12 BasicRule wl:0"mz:$ARGS_VAR:script";
BasicRule wl:0"mz:$ARGS_VAR:id";

 这表示xss攻击正常是被拦截的,若被添加白名单,则不被拦截:此处是Get 参数名若为id 或者script,则不被拦截;
 BasicRule的规则说明,具体参见:http://code.google.com/p/naxsi/wiki/BasicRule
五.测试naxsi模块
1.检查语法并重启nginx服务:
12 /usr/local/webserver/nginx/sbin/nginx -t
/usr/local/webserver/nginx/sbin/nginx -s reload

2.测试连接:
http://192.168.1.11/xss/xss/
http://192.168.1.11/xss/xss/?id=40/**/and/**/1=1
http://192.168.1.11/xss/xss/?name=40/**/and/**/1=1
http://192.168.1.11/xss/xss/?name=%28%29
http://192.168.1.11/xss/xss/?term=%3Cscript%3Ewindow.open%28%22
http://192.168.1.11/xss/xss/?title=meta%20http-equiv=%22refresh%22%20content=%220;%22

测试结果:
 1通过
 2通过,因为配置到白名单
 3不通过,含有条件注入
 4不通过,特殊字符
 5不通过,参数内容含脚本注入
 6不通过



转载声明:本文为红盾科技技术分享平台的原创文章,转载请注明原文地址,谢谢合作

发表评论: