Marcin Grzybowski, Marcin Lipiec - Grupa Nokaut - Nginx+ Naxsi

2. Kim jesteśmy?
marcin.grzybowski@nokaut.pl
marcin.lipiec@nokaut.pl

3. Dlaczego Nginx to za mało

4. Apache! Apache. Apache? -> NGINX

5. naxsi - struktura
nginx: moduł naxsi
nx_utils: nx_extract, nx_intercept

6. naxsi - struktura
● szybki - brak regexpów
● lekki - prosta logika w kodzie
● przewidywalny - brak sygnatur
● naiwny - brak transformacji

7. problemy na starcie
● brak paczki z aktualną wersją
● wysoka częstotliwość zmian
● braki w dokumentacji
● whitelist - konieczność konfiguracji

9. naxsi - co i jak?

10. naxsi - co i jak?

11. nginx
http {
include /etc/nginx/mime.types;
include /etc/nginx/naxsi_core.rules;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/nokaut_error.log;
(...)
}

12. nginx
location / {
index index.php;
include /etc/nginx/naxsi.rules;
include /etc/nginx/whitelist_naxsi_rules;
(...)
}
location /RequestDenied {
return 500;
}

14. naxsi rules
#LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

15. nginx error log
NAXSI_FMT:ip=xxx&server=yyy|&uri=/test.
html&total_processed=213&total_blocked=1&zone0=HE
ADERS&id0=1402&var_name0=content-type

16. naxsi core rules
~ 35 bazowych reguł
MainRule "str:"" "msg:double quote"
"mz:
BODY|URL|ARGS|$HEADERS_VAR:
Cookie" "s:$SQL:8,$XSS:8" id:1001;

18. whitelist
########### Optimized Rules Suggestion #
# total_count:17262 (22.06%) | double encoding !
BasicRule wl:1315 "mz:$HEADERS_VAR:cookie";
# total_count:14332 (18.31%) | mysql keyword (|)
BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
# total_count:14321 (18.3%) | probable sql/xss
BasicRule wl:1011 "mz:$HEADERS_VAR:cookie";

19. nx_intercept / nx_extract
[sql]
# database type
dbtype = sqlite
username = naxsi
password = trivialpassword
hostname = 127.0.0.1
# name of database
dbname = naxsi_sig
# path prefix for db, only needed for SQLite
data_path = /tmp/naxsi-ui/

20. nx_intercept / nx_extract
python nx_intercept.py -c naxsi-ui-learning.conf
-l /var/log/nginx/nokaut_error.log
python nx_extract.py -c naxsi-ui-learning.conf

21. nx_extract

22. nx_extract