
    Just don't install Naxsi 👍

    Dear friends,

    I have a problem with my NodeBB installation. After switching to a new server I can't log in anymore. Error: Forbidden

    Debian 8.0 x64
    nginx 1.9.4
    npm 3.3.4
    redis 2.8.17
    node 0.10.29

    My nginx configuration:

    # NOTE(review): re-flowed one directive per line from the collapsed paste; every directive
    # is as posted. Comment lines that the paste had run together are split back out.

    # Plain-HTTP entry for the forum name: everything is redirected to HTTPS.
    server {
        listen 80 default_server;
        server_name sondorsforum.com;
        return 301 https://sondorsforum.com$request_uri;
    }

    # Requests addressed to the bare IP instead of the forum name get a 503 on both ports.
    server {
        listen 80;
        server_name 5.189.143.37;
        return 503;
    }
    server {
        # NOTE(review): no ssl_certificate in this block although it shares port 443 with the
        # ssl default_server below — confirm `nginx -t` accepts it and what a TLS client
        # connecting by IP actually receives.
        listen 443;
        server_name 5.189.143.37;
        return 503;
    }

    # TLS vhost for the forum; `location /` proxies to the NodeBB process on port 4567.
    # NOTE(review): `spdy` matches the nginx 1.9.4 named in the post; later releases replaced
    # it with `http2`, so this line will need changing on upgrade.
    server {
        listen 443 ssl spdy default deferred;
        server_name sondorsforum.com;

        location / {
            # The naxsi WAF rules run on every proxied request, including socket.io polling.
            # The error log at the end of this post shows exactly those requests being
            # flagged (zone=BODY id=11 "unknown content-type", plus cookie-header hits on
            # ids 1005/1010/1011/1315), which is the most likely source of the 403; if the
            # WAF is kept, exempt /socket.io/ or whitelist those ids in learning output.
            include /etc/nginx/naxsi.rules;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # NOTE(review): Host is set twice in this location (here with $http_host and
            # below with $host); keep one so the value sent upstream is unambiguous.
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            # NOTE(review): 0.0.0.0 as a connect target is unusual; 127.0.0.1:4567 states the
            # intent (loopback only) explicitly.
            proxy_pass http://0.0.0.0:4567/;
            proxy_redirect off;
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }

        ssl_certificate ssl/sondorsforum.com.pem;
        ssl_certificate_key ssl/sondorsforum.com.key;
        #ssl_trusted_certificate ssl/trustedbundle.pem;
        ssl_dhparam ssl/dh.pem;
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # Session tickets off: avoids a long-lived static ticket key weakening forward secrecy.
        ssl_session_tickets off;
        # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless a known
        # client still requires them.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        #ssl_stapling on;
        #ssl_stapling_verify on;
        #resolver 8.8.8.8 8.8.4.4 valid=300s;
        #resolver_timeout 5s;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        # HSTS - uncomment if you have a valid SSL certificate
        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        # NOTE(review): add_header is only inherited by a location that has no add_header of
        # its own; the css/js and static-file locations below set Pragma/Cache-Control, so
        # the headers here are not sent on responses from those locations.
        add_header X-Frame-Options DENY;
        # NOTE(review): Alternate-Protocol (SPDY advertisement) and X-XSS-Protection are
        # obsolete in current browsers; harmless, but dead weight.
        add_header Alternate-Protocol 443:npn-spdy/2;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        # Commented-out CSP template (allows inline/eval script; tighten before enabling).
        #add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

        # PageSpeed filters. NOTE(review): combine_javascript / rewrite_javascript rewrite the
        # proxied NodeBB pages on the fly; if the 403 persists after the WAF is ruled out,
        # `pagespeed off` is a cheap way to exclude this layer.
        pagespeed on;
        pagespeed FetchHttps enable,allow_self_signed;
        pagespeed FileCachePath /var/lib/nginx/nps_cache;
        pagespeed RewriteLevel PassThrough;
        pagespeed EnableFilters collapse_whitespace;
        pagespeed EnableFilters canonicalize_javascript_libraries;
        pagespeed EnableFilters combine_css;
        pagespeed EnableFilters combine_javascript;
        pagespeed EnableFilters elide_attributes;
        pagespeed EnableFilters extend_cache;
        pagespeed EnableFilters flatten_css_imports;
        pagespeed CssFlattenMaxBytes 5120;
        pagespeed EnableFilters lazyload_images;
        pagespeed EnableFilters rewrite_javascript;
        pagespeed EnableFilters rewrite_images;
        pagespeed EnableFilters insert_dns_prefetch;
        pagespeed EnableFilters prioritize_critical_css;
        # This will correctly rewrite your subresources with https:// URLs and thus avoid mixed content warnings.
        # Note, that you should only enable this option if you are behind a load-balancer that will set this header,
        # otherwise your users will be able to set the protocol PageSpeed uses to interpret the request.
        # pagespeed RespectXForwardedProto on;

        # NOTE(review): auth_basic_user_file without an `auth_basic` directive enables no
        # authentication (auth_basic defaults to off); looks like a template leftover —
        # confirm it is intentional.
        auth_basic_user_file htpasswd/.htpasswd;
        include /etc/nginx/sites-custom/*.conf;

        # NOTE(review): regex locations win over the prefix `location /`, so this PHP handler
        # and the css/js and static-file locations below take requests away from the NodeBB
        # proxy. No `root` is set in this block, so unless sites-custom/*.conf provides one,
        # NodeBB's own .js/.css/.png assets would be looked up in nginx's default root
        # rather than proxied — confirm the assets load, or drop these PHP-template
        # leftovers for a pure Node upstream.
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_intercept_errors on;
            fastcgi_ignore_client_abort off;
            fastcgi_buffers 256 16k;
            fastcgi_buffer_size 128k;
            fastcgi_connect_timeout 3s;
            fastcgi_send_timeout 120s;
            fastcgi_read_timeout 120s;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
        }

        # Deny dotfiles (e.g. the htpasswd file referenced above) and keep them out of the logs.
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Uncomment, if you need to remove index.php from the
        # URL. Useful if you use Codeigniter, Zendframework, etc.
        # or just need to remove the index.php
        #
        #location / {
        # try_files $uri $uri/ /index.php?$args;
        #}

        # Cache-busting rewrite (name.123.js -> name.js) plus 30-day caching for css/js.
        location ~* ^.+\.(css|js)$ {
            rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
            expires 30d;
            access_log off;
            log_not_found off;
            add_header Pragma public;
            add_header Cache-Control "max-age=2592000, public";
        }

        # 30-day caching for other static file types.
        location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
            expires 30d;
            access_log off;
            log_not_found off;
            add_header Pragma public;
            add_header Cache-Control "max-age=2592000, public";
        }
    }

    The naxsi.rules file, in case it is needed:

    # Per-location naxsi settings, included from `location /` of the nginx config above.
    # NOTE(review): LearningMode is on, yet the error log at the end of this post still
    # reports block=1 for /socket.io/ requests — confirm whether learning mode is really
    # suppressing the deny here, or whether the login "Forbidden" comes from NodeBB itself
    # (check the status codes in the nginx access log for the login POST).
    LearningMode;
    SecRulesEnabled;
    # Denied requests are internally redirected to this URI. No such location exists in
    # the nginx config above, so the redirect would presumably fall into `location /` and
    # be proxied to NodeBB — verify what response clients actually receive.
    DeniedUrl "/RequestDenied";
    # Rules
    # Per-category score thresholds. The log at the end shows cookie-header hits on ids
    # 1005/1010/1011/1315 scoring $SQL=40 / $XSS=40-200 and BODY id:11 (unknown
    # content-type) on /socket.io/ polling requests, so ordinary forum traffic clears these
    # thresholds on every request. No CheckRule covers $UPLOAD, so rule 1500 in the core
    # set only scores and never blocks.
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;

    naxsi_core.rules

    # NOTE(review): this appears to be the stock upstream naxsi_core.rules, re-flowed one
    # rule per line from the collapsed paste; the rules themselves are as posted. Each
    # MainRule adds a score (s:) to a category when its pattern matches in the listed
    # match zones (mz:); the thresholds live in the per-location CheckRule lines.
    ##################################
    ## INTERNAL RULES IDS:1-999 ##
    ##################################
    # Internal parser rules (ids < 1000) are not configurable here; id:11 is the one the
    # error log at the end of this post reports on every /socket.io/ POST body.
    #@MainRule "msg:weird request, unable to parse" id:1;
    #@MainRule "msg:request too big, stored on disk and not parsed" id:2;
    #@MainRule "msg:invalid hex encoding, null bytes" id:10;
    #@MainRule "msg:unknown content-type" id:11;
    #@MainRule "msg:invalid formatted url" id:12;
    #@MainRule "msg:invalid POST format" id:13;
    #@MainRule "msg:invalid POST boundary" id:14;
    #@MainRule "msg:invalid JSON" id:15;
    #@MainRule "msg:empty POST" id:16;
    #@MainRule "msg:libinjection_sql" id:17;
    #@MainRule "msg:libinjection_xss" id:18;
    ##################################
    ## SQL Injections IDs:1000-1099 ##
    ##################################
    MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
    MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
    MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
    ## Hardcore rules
    MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
    MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
    # 1005 is one of the cookie-header hits in the error log at the end of this post.
    MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
    MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
    ## end of hardcore rules
    MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
    MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
    MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
    # 1010/1011: a single "(" or ")" in any cookie value already scores $XSS:8, i.e. the
    # BLOCK threshold in the CheckRule set above, on its own.
    MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
    MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
    MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
    MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
    MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
    MainRule "str:@@" "msg:double @@" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
    ###############################
    ## OBVIOUS RFI IDs:1100-1199 ##
    ###############################
    MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
    MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
    MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
    MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
    MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
    MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
    MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
    MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
    MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
    MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
    #######################################
    ## Directory traversal IDs:1200-1299 ##
    #######################################
    MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
    MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
    MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
    MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
    MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
    #MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
    ########################################
    ## Cross Site Scripting IDs:1300-1399 ##
    ########################################
    MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
    MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
    MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
    MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
    MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
    MainRule "str:`" "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
    # 1315 matches any "%2x"/"%3x" sequence, i.e. ordinary percent-encoded characters such
    # as %2F or %3D; that is why it fires on the Cookie header in the error log below.
    MainRule "rx:%[2|3]." "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
    ####################################
    ## Evading tricks IDs: 1400-1500 ##
    ####################################
    MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
    MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
    #############################
    ## File uploads: 1500-1600 ##
    #############################
    # Scores $UPLOAD only; the CheckRule set above has no $UPLOAD threshold, so this never blocks.
    MainRule "rx:\.ph|\.asp|\.ht" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;

    In the error log I found this:

    2015/09/27 16:02:22 [error] 20505#0: *1163 NAXSI_FMT: ip=108.xx.221.xx7&server=sondorsforum.com&uri=/socket.io/&learning=1&vers=0.54&total_processed=633&total_blocked=553&block=1&zone0=BODY&id0=11&var_name0=, client: 1x8.1xx.221.xx7, server: sondorsforum.com, request: "POST /socket.io/?EIO=3&transport=polling&t=1443362898342-122709&sid=Z6hgNYilz7n697KEAAAs HTTP/1.1", host: "sondorsforum.com", referrer: "https://sondorsforum.com/topic/55/kt-lcd3-display-connector-type-pins/15" 2015/09/27 16:02:25 [error] 20505#0: *1166 NAXSI_FMT: ip=10x.162.2xx.1x5&server=sondorsforum.com&uri=/socket.io/&learning=1&vers=0.54&total_processed=635&total_blocked=554&block=1&cscore0=$XSS&score0=40&zone0=HEADERS&id0=1315&var_name0=cookie&zone1=BODY&id1=11&var_name1=, client: 10x.162.2xx.1x5, server: sondorsforum.com, request: "POST /socket.io/?EIO=3&transport=polling&t=1443362548069-1547&sid=JdOnEYo8eOjo92KZAAA1 HTTP/1.1", host: "sondorsforum.com", referrer: "https://sondorsforum.com/topic/70/kt-lcd3-settings-for-sondors" 2015/09/27 16:02:25 [error] 20505#0: *1166 NAXSI_FMT: ip=108.12x.2x2.1x5&server=sondorsforum.com&uri=/socket.io/&learning=1&vers=0.54&total_processed=636&total_blocked=555&block=1&cscore0=$XSS&score0=40&zone0=HEADERS&id0=1315&var_name0=cookie, client: 1x8.16x.2x2.1x5, server: sondorsforum.com, request: "GET /socket.io/?EIO=3&transport=polling&t=1443362548905-1548&sid=JdOnEYo8eOjo92KZAAA1 HTTP/1.1", host: "sondorsforum.com", referrer: "https://sondorsforum.com/topic/70/kt-lcd3-settings-for-sondors" 2015/09/27 16:02:29 [error] 20505#0: *1169 NAXSI_FMT: ip=16x.1x8.88.x06&server=sondorsforum.com&uri=/socket.io/&learning=1&vers=0.54&total_processed=637&total_blocked=556&block=1&cscore0=$SQL&score0=40&cscore1=$XSS&score1=200&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie&zone4=BODY&id4=11&var_name4=, client: x6x.1x8.8x.x06, server: sondorsforum.com, request: 
"POST /socket.io/?EIO=3&transport=polling&t=1443362548637-13651&sid=uaVLv6IIo-6DDqrCAAA2 HTTP/1.1", host: "sondorsforum.com", referrer: "https://sondorsforum.com/unread"

    Thanks for your help