DandyDandy, posted October 30, 2013

Hi,

With modern day computing now going to the extremes, having peace of mind and strong security in place is critical. It is not only about having Firewalls, Virus Scanners and Malware Scanners; you also need at least a basic WAF/IDS system in place. Since Blesta comes complete with "PHPIDS", I want to focus my time on getting Blesta to work nicely with Naxsi. As it stands I haven't tried using them both yet, but it'll be good to see just how they play, and moving forward to use them together along with other pieces of software to have a complete "performance protection suite" which covers you from more angles than a basic Firewall.

Taken from OWASP, I would like to quote this text:

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

NAXSI means Nginx Anti Xss & Sql Injection. Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple rules (naxsi_core.rules) containing 99% of known patterns involved in websites vulnerabilities. For example, '<', '|' or 'drop' are not supposed to be part of a URI. Being very simple, those patterns may match legitimate queries; it is the Naxsi administrator's duty to add specific rules that will whitelist those legitimate behaviours. The administrator can either add whitelists manually by analyzing nginx's error log, or (recommended) start the project with an intensive auto-learning phase that will automatically generate whitelisting rules regarding the website's behaviour.

In short, Naxsi behaves like a DROP-by-default firewall; the only job needed is to add the required ACCEPT rules for the target website to work properly.

Before I move further and hopefully get Blesta + Naxsi running together, has anyone else tried running them both?

P.S. I already have Blesta + Nginx running smoothly, which is half of the setup already completed, but here is a nice article detailing the setup and installation in more detail for anyone interested: https://www.axivo.com/community/threads/nginx-naxsi-firewall-setup-on-centos.206/
Paul, posted October 31, 2013

I haven't heard of Naxsi before, but I'm curious where this goes. Will you be publishing a recommended rule set?
DandyDandy (author), posted November 1, 2013

Paul wrote: I haven't heard of Naxsi before, but I'm curious where this goes. Will you be publishing a recommended rule set?

I'll just be using the default rule set, which will likely need editing for everything to play nice. Maybe if a couple of others on these boards take to using it, between us all we could bring up some kind of recommended rule set in this thread or something. Debian now has an Nginx + Naxsi package, so it's becoming popular.
cloudrck, posted November 6, 2013

Yeah, I've been looking into this as well. Been meaning to set up a dev area.
L3Y, posted October 27, 2014

Hi, I know this is an old question, but... here is a new answer.

In order to use NAXSI with Blesta:

1) Restrict your server to your own IP (important while you are in learning mode).
2) Enable NAXSI in Learning mode.
3) Run this to create your whitelist rules:

    # start from empty logs so only the learning traffic is captured
    mv /var/log/nginx/error.log /var/log/nginx/error.log-bak
    touch /var/log/nginx/error.log
    mv /var/log/nginx/access.log /var/log/nginx/access.log-bak
    touch /var/log/nginx/access.log
    # make nginx reopen its log files; until it does, it keeps writing
    # to the renamed ones and the fresh error.log/access.log stay empty
    nginx -s reopen
    # fetch the nx_util whitelist generator
    # (nx_util 1.0 as shipped at the time; the googlecode.com host no longer exists)
    wget https://naxsi.googlecode.com/files/nx_util-1.0.tgz
    tar -zxf nx_util-1.0.tgz
    cd nx_util-1.0/nx_util

NOW: BROWSE YOUR BLESTA EVERYWHERE! Go into the admin and submit all the forms. Do the same in the client area. Try every feature. You will generate some logs in /var/log/nginx/error.log and /var/log/nginx/access.log. We will use these logs to create our whitelist rules:

    # generate whitelist candidates from the logs collected during learning
    python nx_util.py -c nx_util.conf -l /var/log/nginx/*.log -o

You'll get some rules created based on your logs. I suggest reviewing them first, and then only whitelisting the ones you really need. Now add them to your whitelist file, and you are done.

Note: Don't forget to comment out the line LearningMode; in the file /etc/nginx/naxsi.rules ...and to restart nginx.

Cheers
L3Y, posted October 27, 2014

Oh! Don't forget: if you exclude something, sometimes it can mean the script is vulnerable. Care should be taken ...and NEVER disable a rule by commenting. Only add whitelists.
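The OWASP/Naxsi text in the first post and L3Y's two posts both describe the same manual route: read the NAXSI_FMT lines Naxsi writes to nginx's error.log during LearningMode, turn each (rule id, zone, variable) that fired on legitimate traffic into a BasicRule whitelist, and review before accepting. The script below is an added example for this thread; it is not nx_util.py and not code from Naxsi or Blesta. The log excerpt, IP addresses, URIs and which rule ids fired are all constructed, and it assumes (per step 1 above) that learning traffic should only have come from the trusted address in TRUSTED_IPS: hits from any other address are reported for review rather than whitelisted.

```python
"""Turn NAXSI_FMT lines from nginx's error.log into BasicRule whitelists.

Added illustration for this thread; not nx_util.py and not Naxsi or Blesta
code. Log lines, IPs, URIs and rule ids below are constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Step 1 of the procedure: learning traffic should only come from here.
TRUSTED_IPS = {"192.0.2.10"}  # assumption: the administrator's own address

# Constructed error.log excerpt in the NAXSI_FMT layout. learning=1 means
# LearningMode was on; idN/zoneN/var_nameN enumerate each rule that matched.
SAMPLE_LOG = """\
2014/10/27 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=192.0.2.10&server=billing.example.com&uri=/admin/login&learning=1&vers=0.53&total_processed=5&total_blocked=1&block=0&cscore0=$SQL&score0=8&zone0=BODY&id0=1001&var_name0=password, client: 192.0.2.10, server: billing.example.com, request: "POST /admin/login HTTP/1.1"
2014/10/27 10:00:05 [error] 1234#0: *2 NAXSI_FMT: ip=192.0.2.10&server=billing.example.com&uri=/admin/login&learning=1&vers=0.53&total_processed=6&total_blocked=2&block=0&cscore0=$SQL&score0=8&zone0=BODY&id0=1001&var_name0=password, client: 192.0.2.10, server: billing.example.com, request: "POST /admin/login HTTP/1.1"
2014/10/27 10:01:12 [error] 1234#0: *3 NAXSI_FMT: ip=192.0.2.10&server=billing.example.com&uri=/admin/clients/add&learning=1&vers=0.53&total_processed=7&total_blocked=3&block=0&cscore0=$XSS&score0=16&zone0=BODY&id0=1310&var_name0=notes&zone1=BODY&id1=1311&var_name1=notes, client: 192.0.2.10, server: billing.example.com, request: "POST /admin/clients/add HTTP/1.1"
2014/10/27 10:02:40 [error] 1234#0: *4 NAXSI_FMT: ip=198.51.100.7&server=billing.example.com&uri=/client/login&learning=1&vers=0.53&total_processed=8&total_blocked=4&block=0&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q, client: 198.51.100.7, server: billing.example.com, request: "GET /client/login?q=1 HTTP/1.1"
"""

# The urlencoded payload runs from "NAXSI_FMT: " to the comma before "client:".
NAXSI_RE = re.compile(r"NAXSI_FMT: ([^\s,]+)")


def parse_naxsi_events(log_text):
    """Yield one dict per matched rule: id, zone, var_name, uri, ip, learning."""
    for line in log_text.splitlines():
        m = NAXSI_RE.search(line)
        if not m:
            continue
        f = dict(parse_qsl(m.group(1), keep_blank_values=True))
        i = 0
        while f"id{i}" in f:  # one (id, zone, var_name) triple per matched rule
            yield {
                "id": int(f[f"id{i}"]),
                "zone": f.get(f"zone{i}", ""),
                "var_name": f.get(f"var_name{i}", ""),
                "uri": f.get("uri", ""),
                "ip": f.get("ip", ""),
                "learning": f.get("learning") == "1",
            }
            i += 1


def match_zone(zone, var_name, uri=None):
    """Build the mz: expression for a whitelist from a logged zone/variable.

    zone carries a "|NAME" suffix when the variable's *name* (not its value)
    matched; a non-empty var_name narrows the zone to that one variable, and
    a uri narrows it further to one URL.
    """
    name_match = zone.endswith("|NAME")
    base = zone[:-5] if name_match else zone
    mz = f"${base}_VAR:{var_name}" if var_name else base
    if uri:
        mz = f"$URL:{uri}|{mz}"
    if name_match:
        mz += "|NAME"
    return mz


def build_whitelists(events, trusted_ips, scope_to_url=True):
    """Return (rules, review): BasicRule lines safe to add, and lines to inspect.

    Rule ids that fired on the same match zone are merged into one wl: list.
    A zone only becomes a rule if every hit came from trusted_ips; otherwise it
    is reported for manual review, because whitelisting it could hide a real
    attack instead of a false positive.
    """
    buckets = defaultdict(lambda: {"ids": set(), "ips": set(), "hits": 0})
    for e in events:
        if not e["learning"]:  # only learn from LearningMode traffic
            continue
        mz = match_zone(e["zone"], e["var_name"], e["uri"] if scope_to_url else None)
        b = buckets[mz]
        b["ids"].add(e["id"])
        b["ips"].add(e["ip"])
        b["hits"] += 1

    rules, review = [], []
    for mz in sorted(buckets):
        b = buckets[mz]
        ids = ",".join(str(i) for i in sorted(b["ids"]))
        line = f'BasicRule wl:{ids} "mz:{mz}";'
        if b["ips"] <= trusted_ips:
            rules.append(line)
        else:
            review.append(f"# REVIEW ({b['hits']} hits from {sorted(b['ips'])}): {line}")
    return rules, review


if __name__ == "__main__":
    rules, review = build_whitelists(parse_naxsi_events(SAMPLE_LOG), TRUSTED_IPS)
    print("\n".join(rules + review))
```

The emitted lines are plain BasicRule whitelists, so the underlying rule ids stay active for every other URL and variable, which is what L3Y's second post asks for (whitelist, never comment a rule out). Passing scope_to_url=False produces site-wide whitelists for a variable name, which is broader and deserves a harder look. Whatever you add, run `nginx -t` before reloading.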