How to use the Naxsi module with Nginx


1. What is Naxsi

1. Generating the Naxsi rules file and what it contains

### Default path of the Naxsi rules file:
naxsi-master\naxsi_config\naxsi_core.rules

### Creating your own Naxsi rules file:
vim /usr/local/nginx/conf/my_naxsi.rules
#LearningMode; #Enables learning mode: while it is on, no request is blocked
SecRulesEnabled;
#SecRulesDisabled;

### URL that denied requests are sent to
DeniedUrl "/RequestDenied";

### Whitelist
include "/usr/local/nginx/conf/wl.conf";

### Check rules (a request is blocked once a score reaches its threshold)
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

2. Referencing the rules from the NGINX configuration

# For an nginx build with dynamic module support
load_module /../modules/ngx_http_naxsi_module.so;
events {
    ...
}
http {
    include /usr/local/nginx/conf/naxsi_core.rules;
    ...
    server {
        listen ...;
        server_name ...;
        location / {
            include /usr/local/nginx/conf/my_naxsi.rules;
            # naxsi log lines go here
            error_log /.../foo.log;
            ...
        }
        # This is where blocked requests are sent
        location = /RequestDenied {
            return 418;
        }
    }
}

3. Variables supported by Naxsi

URL                   the request URI (the part before "?")
ARGS                  GET parameter values
BODY                  POST parameter values
$HEADERS_VAR:Cookie   HTTP request header (here the Cookie header)
FILE_EXT              file name of a multipart POST upload

4. Operators supported by Naxsi:

str   string match
rx    regular-expression match
Both are case-insensitive.

5. Protection rules: configuration and content of naxsi_core.rules

MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402;

Directive reference:
rx:  regular-expression match
str: string match
msg: meaning of the rule
mz:  match zone, the part(s) of the HTTP request the rule is checked against
s:   the score counter(s) the rule belongs to and the points it adds
id:  rule id

6. Rule groups

(1) Internal rules 1-999: anomalies found while parsing the protocol
(2) SQL injection rules 1000-1099
(3) Obvious RFI rules 1100-1100
(4) Directory traversal rules 1200-1299
(5) XSS rules 1300-1399
(6) Evading tricks rules 1400-1500
(7) File upload rules 1500-1600

7. Rule examples

(1) GET parameters
ARGS
$ARGS_VAR (string match)
BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";
$ARGS_VAR_X (regular-expression match)

(2) POST parameters
BODY
$BODY_VAR
BasicRule wl:1000 "mz:$BODY_VAR:save";
$BODY_VAR_X

(3) Request headers
HEADERS
$HEADERS_VAR
BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";
$HEADERS_VAR_X

(4) URL
URL (the part of the URI before "?")
BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php";
$URL_X

(5) Upload file name
FILE_EXT  the name of the uploaded file

8. Open-source whitelist rule sets

Whitelist rule sets for WordPress / DokuWiki / ruTorrent:
git clone https://github.com/nbs-system/naxsi-rules.git

9. Whitelist example:

### Whitelist configuration file:
/usr/local/nginx/conf/wl.conf

BasicRule wl:0 "mz:|URL";
BasicRule wl:0 "mz:|HEADERS";
BasicRule wl:1000,1005,1010,1011,1015,1310,1315 "mz:|HEADERS";
BasicRule wl:0 "mz:|BODY|NAME";
BasicRule wl:0 "mz:|BODY";
BasicRule wl:11 "mz:|$URL:/jfpt_common/ws/webServiceManage|BODY";
BasicRule wl:16 "mz:|$URL:/cjpt_xj/UrlLoginServlet|BODY";
BasicRule wl:0 "mz:|$URL:/ccbms/ajax/validator.php|ARGS";
BasicRule wl:1005 "mz:|$URL:/jfpt_common/jfsetting/commanage-orders!print.action|ARGS";
BasicRule wl:1000,1005 "mz:|$URL:/jfpt_common/jfsetting/commanage-orders!batchPrint.action|ARGS|NAME";
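The scoring model spread over sections 1, 3-5, 7 and 9 (match zones, case-insensitive str/rx operators, per-counter scores, BasicRule whitelists and CheckRule thresholds) is easier to reason about when it can be run. The Python script below is an added example, not code from this post or from the Naxsi project: it parses the rule lines quoted in the post with a small parser written here, walks a request through them, and reports the scores, the surviving hits and the BLOCK decision. The request layout (a dict with URL, ARGS, BODY and HEADERS zones), the parser and the two sample requests are assumptions made for the example; whitelists that carry NAME are skipped because this emulator scores values only.

```python
"""Toy emulation of Naxsi scoring: MainRule hits add points per match, BasicRule
whitelists drop hits, CheckRule thresholds decide on BLOCK. Added example, not code
from the post or the Naxsi project; request layout and mini parser are assumptions."""
import operator, re, shlex
from collections import defaultdict

RULES_TEXT = r'''
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
BasicRule wl:0 "mz:|URL";
BasicRule wl:0 "mz:|$URL:/ccbms/ajax/validator.php|ARGS";
BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
'''  # rule lines quoted from the post (core rules, whitelist entries, thresholds)
OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt, "=": operator.eq}

def parse_rules(text):
    """Split a rules file into (main rules, whitelist rules, check rules)."""
    main, whitelist, checks = [], [], []
    for line in text.strip().splitlines():
        toks = shlex.split(line.rstrip(";"))  # shlex undoes the \" escaping in str:\"
        if toks[0] == "CheckRule":  # CheckRule "$SQL >= 8" BLOCK
            name, op, limit = toks[1].split()
            checks.append((name, OPS[op], int(limit), toks[2]))
            continue
        rule = {"zones": [], "scores": {}, "wl": []}
        for tok in toks[1:]:
            key, _, val = tok.partition(":")
            if key in ("str", "rx"):
                rule["match"] = (key, val)
            elif key == "mz":
                rule["zones"] = [z for z in val.split("|") if z]
            elif key == "s":  # "s:$SQL:8,$XSS:8": one counter per comma-separated part
                rule["scores"] = {p.rpartition(":")[0]: int(p.rpartition(":")[2]) for p in val.split(",")}
            elif key == "id":
                rule["id"] = int(val)
            elif key == "wl":
                rule["wl"] = [int(x) for x in val.split(",")]
        (whitelist if rule["wl"] else main).append(rule)
    return main, whitelist, checks

def zone_covers(token, zone, var):
    """Does an mz token (ARGS, $ARGS_VAR:q, $HEADERS_VAR_X:^x-.*) cover this variable?"""
    if token == zone:
        return True
    m = re.fullmatch(r"\$(\w+)_VAR(_X)?:(.+)", token)
    if not m or m.group(1) != zone:
        return False
    name, is_rx, pattern = var or "", m.group(2), m.group(3)
    return bool(re.search(pattern, name, re.I)) if is_rx else name.lower() == pattern.lower()

def count_matches(match, value):
    """Every occurrence counts (the post's 'hit twice' doubles the score); str and rx ignore case."""
    kind, pattern = match
    return value.lower().count(pattern.lower()) if kind == "str" else len(re.findall(pattern, value, re.I))

def whitelisted(hit, whitelist, url):
    """wl:0 covers every id; $URL: limits an entry to one path; NAME-only entries are skipped."""
    for wl in whitelist:
        if wl["wl"] != [0] and hit["id"] not in wl["wl"]:
            continue
        urls = [z[5:] for z in wl["zones"] if z.startswith("$URL:")]
        zones = [z for z in wl["zones"] if not z.startswith("$URL:")]
        if (urls and url not in urls) or "NAME" in zones:
            continue
        if not zones or any(zone_covers(z, hit["zone"], hit["var"]) for z in zones):
            return True
    return False

def evaluate(req, rules_text=RULES_TEXT):
    """Return (scores per counter, surviving hits, blocked?) for one request."""
    main, whitelist, checks = parse_rules(rules_text)
    variables = [("URL", None, req["URL"])] + [  # the URL zone is one unnamed value
        (z, k, v) for z in ("ARGS", "BODY", "HEADERS") for k, v in req.get(z, {}).items()]
    scores, hits = defaultdict(int), []
    for zone, var, value in variables:
        for rule in main:
            if not any(zone_covers(z, zone, var) for z in rule["zones"]):
                continue
            n = count_matches(rule["match"], value)
            hit = {"id": rule["id"], "zone": zone, "var": var, "count": n}
            if n == 0 or whitelisted(hit, whitelist, req["URL"]):
                continue
            hits.append(hit)
            for counter, pts in rule["scores"].items():
                scores[counter] += pts * n
    blocked = any(act == "BLOCK" and op(scores.get(c, 0), lim) for c, op, lim, act in checks)
    return dict(scores), hits, blocked

# Constructed sample requests (not from the post): the same payload on two URLs.
PAYLOAD = {"q": '1" union select password from users', "redirect_to": "/home"}
ATTACK = {"URL": "/search", "ARGS": PAYLOAD, "HEADERS": {"Cookie": "sid=abc"}}
WHITELISTED = {"URL": "/ccbms/ajax/validator.php", "ARGS": PAYLOAD, "HEADERS": {"Cookie": "sid=abc"}}

if __name__ == "__main__":
    print(evaluate(ATTACK), evaluate(WHITELISTED), sep="\n")
```

Running it shows the two halves of the post's model side by side: on /search the q parameter trips rule 1000 three times (union, select, from) and rule 1001 once, so $SQL reaches 20 and $XSS 8 and both CheckRules fire; on /ccbms/ajax/validator.php the post's `wl:0 "mz:|$URL:...|ARGS"` entry drops the same hits and nothing is scored, which is exactly the trade-off a whitelist of that breadth makes.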

10. Reading the NGINX error log (nginx_error.log)

id0=1008 
MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;

id1=1010
MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;

id3=1302 (hit twice)
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;

id4=1303 (hit twice)
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;

SQL score: 12 = 4+4+4
XSS score: 56 = 8+8+8+8*2+8*2
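Doing the id-to-score arithmetic above by hand for every blocked request does not scale, so the Python script below, an added example that is not from this post or from Naxsi, parses a NAXSI_FMT log line into structured hits and attributes each counter's reported total to the rules and variables that produced it. The sample log line is constructed for the example; the rule ids and their points are copied from the MainRule lines quoted in this post, and the thresholds from the CheckRule lines in section 1. The `learning` handling follows section 1: in learning mode nothing is blocked, so `block=1` alone does not mean the request was stopped.

```python
"""Parse a NAXSI_FMT error-log line into structured hits and show how each counter
($SQL, $XSS, ...) reached its total. Added example, not code from the post or from
Naxsi; SAMPLE_LINE is constructed, the rule ids and scores are copied from the post."""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# id -> points per counter, taken from the MainRule lines quoted in the post.
RULE_SCORES = {
    1000: {"$SQL": 4},
    1001: {"$SQL": 8, "$XSS": 8},
    1008: {"$SQL": 4, "$XSS": 8},
    1009: {"$SQL": 8},
    1010: {"$SQL": 4, "$XSS": 8},
    1302: {"$XSS": 8},
    1303: {"$XSS": 8},
}
THRESHOLDS = {"$SQL": 8, "$XSS": 8}  # CheckRule "$SQL >= 8" BLOCK; CheckRule "$XSS >= 8" BLOCK;

# Constructed sample in the NAXSI_FMT layout (not a real capture).
SAMPLE_LINE = (
    '2019/05/20 10:15:32 [error] 2345#0: *17 NAXSI_FMT: ip=203.0.113.7'
    '&server=www.example.com&uri=/index.php&learning=0&vers=0.56'
    '&total_processed=42&total_blocked=3&block=1'
    '&cscore0=$SQL&score0=12&cscore1=$XSS&score1=32'
    '&zone0=ARGS&id0=1008&var_name0=q&zone1=ARGS&id1=1010&var_name1=q'
    '&zone2=ARGS&id2=1302&var_name2=q&zone3=ARGS&id3=1303&var_name3=q'
    '&zone4=BODY&id4=1000&var_name4=comment, client: 203.0.113.7, '
    'server: www.example.com, request: "POST /index.php?q=x HTTP/1.1", host: "www.example.com"'
)

def parse_naxsi_line(line):
    """Return None for non-Naxsi lines, else a dict with request info, the reported
    per-counter scores and the list of (rule id, zone, variable) hits."""
    m = re.search(r"NAXSI_FMT: (.*?)(?:, client: |$)", line)
    if not m:
        return None
    f = {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}
    reported, hits, i = {}, [], 0
    while f"cscore{i}" in f:  # cscoreN / scoreN pairs
        reported[f[f"cscore{i}"]] = int(f[f"score{i}"])
        i += 1
    i = 0
    while f"id{i}" in f:  # zoneN / idN / var_nameN triples
        hits.append((int(f[f"id{i}"]), f.get(f"zone{i}", "?"), f.get(f"var_name{i}", "")))
        i += 1
    return {
        "ip": f.get("ip"), "server": f.get("server"), "uri": f.get("uri"),
        "learning": f.get("learning") == "1",
        # In learning mode Naxsi logs block=1 but lets the request through (post, section 1).
        "enforced": f.get("block") == "1" and f.get("learning") != "1",
        "reported": reported, "hits": hits,
    }

def explain_scores(parsed, rule_scores=RULE_SCORES, thresholds=THRESHOLDS):
    """Attribute the reported totals to individual hits and name the thresholds crossed."""
    by_counter, rebuilt, unknown = defaultdict(list), defaultdict(int), []
    for rid, zone, var in parsed["hits"]:
        if rid not in rule_scores:
            unknown.append(rid)
            continue
        for counter, pts in rule_scores[rid].items():
            by_counter[counter].append((rid, zone, var, pts))
            rebuilt[counter] += pts
    return {
        "by_counter": dict(by_counter),
        "rebuilt": dict(rebuilt),
        # Points in the reported totals not covered by one hit per listed entry.
        "unexplained": {c: t - rebuilt.get(c, 0) for c, t in parsed["reported"].items() if t != rebuilt.get(c, 0)},
        "unknown_ids": unknown,
        "crossed": [c for c, t in parsed["reported"].items() if t >= thresholds.get(c, float("inf"))],
    }

if __name__ == "__main__":
    parsed = parse_naxsi_line(SAMPLE_LINE)
    print(parsed["uri"], parsed["reported"], "enforced" if parsed["enforced"] else "learning/pass")
    for counter, rows in explain_scores(parsed)["by_counter"].items():
        print(counter, *(f"id{rid}:{zone}:{var}(+{pts})" for rid, zone, var, pts in rows))
```

The `by_counter` view is the one to look at when deciding whether a block was a true positive: it names the variable each rule fired on, so a whitelist can be scoped to that one `$ARGS_VAR` or `$BODY_VAR` instead of the whole zone. A non-empty `unexplained` entry means the listed hits do not add up to the reported total and the line deserves a closer look; `unknown_ids` lists rule ids missing from the local table.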

11. Notes

  • Naxsi only blocks once a preset score is reached: when a rule in naxsi_core.rules fires, its points are added step by step, and as soon as the total reaches the CheckRule threshold in my_naxsi.rules the request is blocked (the log shows the details). Lessons learned: several rule files can be created for individual domains and pulled in with include. Whether rules fire is closely tied to the score thresholds; requests that get through unblocked, or that are matched and blocked repeatedly, all come down to rules adding points until a threshold is reached.
    (1) Score threshold
    CheckRule "$SQL >= 8" BLOCK;
    (2) Score contribution
    MainRule "rx:\band\b|\bor\b" "msg:SQL, probable sql/xss" "mz:BODY" "s:$SQL:8" id:1009;
Author: LiGuanCheng