Nginx+ Naxsi


Marcin Grzybowski, Marcin Lipiec - Grupa Nokaut - Nginx+ Naxsi


Nginx+ Naxsi

  1. Who are we? marcin.grzybowski@nokaut.pl, marcin.lipiec@nokaut.pl
  2. Why Nginx is not enough
  3. Apache! Apache. Apache? -> NGINX
  4. naxsi - structure
       nginx: naxsi module
       nx_utils: nx_extract, nx_intercept
  5. naxsi - structure
       ● fast - no regexps
       ● lightweight - simple logic in the code
       ● predictable - no signatures
       ● naive - no transformations
  6. problems at the start
       ● no package with the current version
       ● high frequency of changes
       ● gaps in the documentation
       ● whitelist - configuration required
  7. naxsi - what and how?
  8. naxsi - what and how?
  9. nginx

         http {
             include /etc/nginx/mime.types;
             include /etc/nginx/naxsi_core.rules;
             access_log /var/log/nginx/access.log;
             error_log /var/log/nginx/nokaut_error.log;
             (...)
         }

  10. nginx

         location / {
             index index.php;
             include /etc/nginx/naxsi.rules;
             include /etc/nginx/whitelist_naxsi_rules;
             (...)
         }
         location /RequestDenied {
             return 500;
         }

  11. naxsi rules

         #LearningMode;
         SecRulesEnabled;
         #SecRulesDisabled;
         DeniedUrl "/RequestDenied";
         ## check rules
         CheckRule "$SQL >= 8" BLOCK;
         CheckRule "$RFI >= 8" BLOCK;
         CheckRule "$TRAVERSAL >= 4" BLOCK;
         CheckRule "$EVADE >= 4" BLOCK;
         CheckRule "$XSS >= 8" BLOCK;

  12. nginx error log

         NAXSI_FMT:ip=xxx&server=yyy|&uri=/test.html&total_processed=213&total_blocked=1&zone0=HEADERS&id0=1402&var_name0=content-type

  13. naxsi core rules: ~35 base rules

         MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;

  14. whitelist

         ########### Optimized Rules Suggestion #
         # total_count:17262 (22.06%) | double encoding !
         BasicRule wl:1315 "mz:$HEADERS_VAR:cookie";
         # total_count:14332 (18.31%) | mysql keyword (|)
         BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
         # total_count:14321 (18.3%) | probable sql/xss
         BasicRule wl:1011 "mz:$HEADERS_VAR:cookie";

  15. nx_intercept / nx_extract

         [sql]
         # database type
         dbtype = sqlite
         username = naxsi
         password = trivialpassword
         hostname = 127.0.0.1
         # name of database
         dbname = naxsi_sig
         # path prefix for db, only needed for SQLite
         data_path = /tmp/naxsi-ui/

  16. nx_intercept / nx_extract

         python nx_intercept.py -c naxsi-ui-learning.conf -l /var/log/nginx/nokaut_error.log
         python nx_extract.py -c naxsi-ui-learning.conf

  17. nx_extract
  18. nx_extract
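
As an added example (not from the slides and not the nx_utils code), the following Python parses NAXSI_FMT lines like the one on slide 12 and returns whitelist suggestions in the shape shown on slide 14. The sample log lines, the `min_ips` threshold and the variable-name check are assumptions made here; only variable-scoped exceptions in HEADERS, ARGS and BODY are handled.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample lines in the NAXSI_FMT layout from slide 12 (not real traffic).
SAMPLE_LOG = """\
[error] NAXSI_FMT: ip=192.0.2.10&server=shop.example&uri=/test.html&total_processed=213&total_blocked=1&zone0=HEADERS&id0=1315&var_name0=cookie, client: 192.0.2.10
[error] NAXSI_FMT: ip=192.0.2.11&server=shop.example&uri=/&total_processed=214&total_blocked=2&zone0=HEADERS&id0=1315&var_name0=cookie&zone1=HEADERS&id1=1005&var_name1=cookie, client: 192.0.2.11
[error] NAXSI_FMT: ip=192.0.2.11&server=shop.example&uri=/&total_processed=215&total_blocked=3&zone0=HEADERS&id0=1005&var_name0=cookie, client: 192.0.2.11
[error] NAXSI_FMT: ip=198.51.100.7&server=shop.example&uri=/search&total_processed=216&total_blocked=4&zone0=ARGS&id0=1001&var_name0=q, client: 198.51.100.7
[error] NAXSI_FMT: ip=203.0.113.5&server=shop.example&uri=/search&total_processed=217&total_blocked=5&zone0=ARGS&id0=1001&var_name0=q%22%20x, client: 203.0.113.5
"""

ZONE_VAR = {"HEADERS": "$HEADERS_VAR", "ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR"}
FMT = re.compile(r"NAXSI_FMT:\s*([^\s,]+)")
# var_name is client-influenced: refuse anything that could break out of the quoted mz string.
SAFE_NAME = re.compile(r"[\w.-]+")

def parse_events(line):
    """Yield (ip, rule_id, match_zone) for each zoneN/idN/var_nameN triple in one log line."""
    m = FMT.search(line)
    if not m:
        return
    f = dict(parse_qsl(m.group(1), keep_blank_values=True))  # also decodes %xx
    for n in range(len(f)):
        rid, zone, name = (f.get(f"{k}{n}", "") for k in ("id", "zone", "var_name"))
        if not rid.isdigit():
            break                      # no further idN fields
        if zone in ZONE_VAR and SAFE_NAME.fullmatch(name):
            yield f.get("ip", ""), int(rid), f"{ZONE_VAR[zone]}:{name}"

def suggest(log_text, min_ips=2):
    """Return whitelist lines only for exceptions seen from at least min_ips clients."""
    ips, hits = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        for ip, rid, mz in parse_events(line):
            ips[(rid, mz)].add(ip)
            hits[(rid, mz)] += 1
    total = sum(hits.values()) or 1
    out = []
    for key in sorted(hits, key=lambda k: (-hits[k], k)):
        if len(ips[key]) >= min_ips:   # one noisy client must not whitelist itself
            out.append(f"# total_count:{hits[key]} ({100 * hits[key] / total:.2f}%)")
            out.append(f'BasicRule wl:{key[0]} "mz:{key[1]}";')
    return out

if __name__ == "__main__":
    print("\n".join(suggest(SAMPLE_LOG)))
```

Suggestions produced this way still need a manual review before they go into `whitelist_naxsi_rules`, since traffic logged in learning mode can include attack requests.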
