NAXSI is the final step in the Nginx setup to protect against XSS and SQL injection. Here are the basics of protecting an application on a cloud server with NAXSI. You may have noticed that we left the NAXSI rules out of the basic guide on installing WordPress on Nginx and the more advanced guide on tweaking nginx.conf.
Protect Application on Cloud Server With NAXSI
There are two commented-out lines in /etc/nginx/sites-available/default:

    # Uncomment to enable naxsi on this location
    # include /etc/nginx/naxsi.rules
Before making these lines active, you must have Nginx built with NAXSI (the nginx-naxsi package); otherwise naxsi.rules will not work.
---
    apt-get install nginx-naxsi
NAXSI can check and block GET and POST parameters, HTTP headers and the POST request body according to its rules. The NAXSI core rules are simple but need a bit of learning: they block dangerous characters and SQL-related keywords, and they allow a whitelist approach to configuration that creates a baseline for the web application. Obviously, if you uncomment include /etc/nginx/naxsi.rules, save the file and run nginx -t, it will return an error when NAXSI is not compiled in. A quite nicely written guide can be found on the official Wiki:
    https://code.google.com/p/naxsi/wiki/Howto
Protect Application on Cloud Server With NAXSI : With WordPress
Setting up WordPress with NAXSI is quite difficult, and the configuration varies from version to version. This is an example set of rules for WordPress 3.5:
    # WP website itself
    BasicRule wl:1005,1010,1011,1308,1309,1315 "mz:$HEADERS_VAR:cookie";
    # WP login screen
    BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";
    BasicRule wl:1100 "mz:$BODY_VAR:redirect_to";
    # WP backend
    BasicRule wl:1000 "mz:URL|$URL:/wp/wp-admin/update-core.php";
    BasicRule wl:1000 "mz:URL|$URL:/wp/wp-admin/update.php";
    BasicRule wl:1000 "mz:$BODY_VAR:_wp_http_referer";
    BasicRule wl:1000 "mz:$ARGS_VAR:action";
    # load and load[] GET variable
    BasicRule wl:1015 "mz:$ARGS_VAR:load";
    BasicRule wl:1015 "mz:$ARGS_VAR:load[]";
    # WP categories and add new
    BasicRule wl:1310,1311 "mz:$URL:/wp/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME";
The context is /etc/nginx/naxsi_core.rules. We cannot give you the result, but before starting work on WordPress-NAXSI you should first run the command netstat -antup and save its output as a text file for reference. The basic rule set for a web application goes like this:
    # config mode section
    LearningMode;
    SecRulesEnabled;
    #SecRulesDisabled;
    DeniedUrl "/RequestDenied";
    #
    # check rules section
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
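The way the CheckRule thresholds and the BasicRule whitelists above fit together is easiest to see on NAXSI's own learning output: with LearningMode on, each request that trips a rule is written to the nginx error log as a NAXSI_FMT line carrying the per-category scores and the matched rule ids, zones and variable names. The script below is an added example, not code from this page or from the naxsi project; it parses such lines, applies the CheckRule thresholds from the block above to show which requests would have been blocked, and groups the matched ids into BasicRule whitelist candidates of the same form as the WordPress rules above. The log lines in SAMPLE_LOG are constructed, and the parsed result is meant to be reviewed by hand, not applied blindly.

```python
import re
from urllib.parse import parse_qs

# CheckRule thresholds from the config above, and the match-zone prefix per naxsi zone.
THRESHOLDS = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}
ZONE_VAR = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR", "HEADERS": "$HEADERS_VAR"}

# Constructed sample lines in the shape of NAXSI_FMT entries in the nginx error log.
SAMPLE_LOG = """\
2013/05/01 10:00:00 [error] 123#0: *1 NAXSI_FMT: ip=192.0.2.10&server=example.com&uri=/wp/wp-admin/edit.php&learning=1&vers=0.50&total_processed=4&total_blocked=1&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=4&zone0=HEADERS&id0=1010&var_name0=cookie&zone1=HEADERS&id1=1011&var_name1=cookie, client: 192.0.2.10, server: example.com
2013/05/01 10:00:05 [error] 123#0: *2 NAXSI_FMT: ip=192.0.2.11&server=example.com&uri=/wp/wp-login.php&learning=1&vers=0.50&total_processed=5&total_blocked=1&block=1&cscore0=$RFI&score0=8&zone0=ARGS&id0=1100&var_name0=redirect_to, client: 192.0.2.11, server: example.com
2013/05/01 10:00:09 [error] 123#0: *3 NAXSI_FMT: ip=192.0.2.12&server=example.com&uri=/wp/wp-admin/update.php&learning=1&vers=0.50&total_processed=6&total_blocked=1&block=0&cscore0=$SQL&score0=4&zone0=URL&id0=1000&var_name0=, client: 192.0.2.12, server: example.com
"""
FMT = re.compile(r"NAXSI_FMT: (?P<q>\S+?),")

def parse_naxsi_line(line):
    """Return uri, per-category scores and matched (id, zone, var) for one NAXSI_FMT line."""
    m = FMT.search(line)
    if not m:
        return None
    kv = {k: v[0] for k, v in parse_qs(m.group("q"), keep_blank_values=True).items()}
    idx = range(len(kv))  # more than enough indices for the numbered cscoreN/idN keys
    scores = {kv[f"cscore{i}"]: int(kv[f"score{i}"]) for i in idx if f"cscore{i}" in kv}
    matches = [(int(kv[f"id{i}"]), kv[f"zone{i}"], kv.get(f"var_name{i}", ""))
               for i in idx if f"id{i}" in kv]
    return {"uri": kv.get("uri", ""), "scores": scores, "matches": matches}

def would_block(scores, thresholds=THRESHOLDS):
    """Apply the CheckRule thresholds: any category at or over its limit means BLOCK."""
    return any(scores.get(cat, 0) >= limit for cat, limit in thresholds.items())

def whitelist_rules(events):
    """Group matched ids per zone/variable (bare-URL hits per URI) into BasicRule lines."""
    grouped = {}
    for ev in events:
        for rid, zone, var in ev["matches"]:
            key = ("URL", ev["uri"]) if zone == "URL" else (zone, var)
            grouped.setdefault(key, set()).add(rid)
    rules = []
    for (zone, var), ids in sorted(grouped.items()):
        mz = f"URL|$URL:{var}" if zone == "URL" else f"{ZONE_VAR[zone]}:{var}"
        rules.append(f'BasicRule wl:{",".join(map(str, sorted(ids)))} "mz:{mz}";')
    return rules

def learn(log_text):
    """Return (URIs the CheckRules would have blocked, whitelist candidates to review)."""
    events = [e for e in map(parse_naxsi_line, log_text.splitlines()) if e]
    blocked = [e["uri"] for e in events if would_block(e["scores"])]
    return blocked, whitelist_rules(events)
```

Only whitelist a variable after confirming the flagged traffic was legitimate application behaviour; a candidate rule generated from an actual injection attempt would carve a hole into the baseline.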