Protecting your web application infrastructure with the Nginx Naxsi firewall

Fire Protection

Live Examples

Figure 4 shows the report from a Naxsi sensor that has been exposed to a series of automated attacks from the web since March 15. As of March 12, the source networks were blocked at the firewall; from March 28, the same attacks resumed from other IPs, which were blocked at the firewall four days later. On April 8, the provider of the IP ranges from which the attacks originated was notified; since then, the attack statistics show only the normal background level. The attack provided useful data and was harmless: it attempted SQL injection against several instances of DokuWiki, but DokuWiki stores its content in plain files and uses no database at all, so: no SQL, no injection. Figure 5 breaks down the suspicious patterns by attack type.

Figure 4: Naxsi report from a sensor.
Figure 5: Breakdown of attacks by type.

Listing 7 shows the cumulative report (Doxi result) for six firewalls over a period of four weeks. The four-digit IDs are Naxsi's built-in core rules (naxsi_core.rules); the IDs in the 42000xxx range are Doxi signatures. You can see scans for old vulnerabilities (42000122, 42000089), various exploit scanners (42000227, 42000145, 42000181), and brute-force attempts against admin logins (42000210, 42000216), all of which arrive regardless of whether the software in question is actually installed.

Listing 7

Doxi Results from six WAFs for 30 days

       ID |  Count | Rule
----------+--------+--------------------------------------------------------------------------------
 42000122 |   2506 | DN SCAN WP Timthumb - Access
 42000004 |   1209 | DN APP_SERVER CGI_file access
 42000089 |   1202 | DN WEB_APPS XMLRPC - Access detected (misc Wordpress/Magento-Vulns)
 42000002 |   1182 | DN APP_SERVER PHP-file-access
 42000227 |    977 | DN SCAN Scanner ZmEu exploit scanner
 42000059 |    740 | DN WEB_APPS Possible unwanted Upload / Access To mm-forms-community upload dir
 42000003 |    337 | DN APP_SERVER ASP_file access
     1007 |    296 | mysql comment (--)
 42000082 |    292 | DN WEB_SERVER Tomcat - Manager - Access
 42000077 |    242 | DN WEB_SERVER LIBWWW_perl-UA detected
 42000071 |    187 | DN WEB_APPS PHPMYADMIN setup.php - Access
     1011 |    152 | parenthesis, probable sql/xss
 42000210 |    127 | DN APP_SERVER Tomcat Auth Brute Force attempt (admin)
 42000020 |    121 | DN APP_SERVER ASPX_file access
 42000145 |    113 | DN SCAN Scanner morfeus
 42000181 |    112 | DN SCAN Scanner webster pro
 42000244 |    112 | DN SCAN PHPMyAdmin - Scanner (2)
 42000253 |    110 | DN WEB_SERVER possible INC - File - Access
     1003 |     99 | mysql comment (/*)
     1004 |     96 | mysql comment (*/)
 42000169 |     86 | DN SCAN Scanner Nmap
 42000243 |     80 | DN SCAN PHPMyAdmin - Scanner
     1006 |     75 | mysql keyword (&&)
 42000216 |     74 | DN APP_SERVER Tomcat admin-admin login credentials
     1302 |     72 | html open tag
     1102 |     68 | ftp:// scheme
 42000073 |     63 | DN SCAN Python-urllib UA, possible Scanner
     1205 |     55 | backslash
     1312 |     52 | ~ character
 42000065 |     50 | DN WEB_APPS Magento XMLRPC-Exploit Attempt
 42000222 |     47 | DN SCAN Open-Proxy ScannerBot (webcollage-UA)
 42000031 |     20 | DN SCAN Muieblackcat scanner
 42000043 |      8 | DN SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected
 42000126 |      8 | DN WEB_APPS WordPress Uploadify-Access
 42000151 |      8 | DN SCAN Scanner whatweb
 42000229 |      7 | DN APP_SERVER ColdFusion - Vuln-URL-Access administrator
 42000230 |      7 | DN APP_SERVER ColdFusion - Vuln-URL-Access adminapi
 42000248 |      7 | DN SCAN SQL-Injection Scanner CZxt2

On normal days, an attacking IP generates an average of 50 to 150 blocked requests per domain before it is blocked at the firewall after several attempts; in total, the number of blocked requests per day averages between 300 and 500.
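The per-rule counts in Listing 7 and the per-IP blocking described above can both be reproduced from the nginx error log, because Naxsi writes one NAXSI_FMT line for every request it flags. The following Python script is an added example (it is neither Doxi nor code from the original article): it parses such lines, aggregates hits per rule ID, and lists the IPs that reached a block threshold. The log lines are constructed for the example (RFC 5737 documentation addresses), the threshold of three blocked requests is an assumption, and the rule descriptions are copied from Listing 7 for the IDs that occur in the sample.

```python
"""Aggregate Naxsi NAXSI_FMT events from an nginx error log into a per-rule
report (as in Listing 7) and a list of IPs that should be blocked.

Example code, not Doxi. Assumptions: Naxsi's NAXSI_FMT key=value layout,
a block threshold of 3, and the constructed sample log below."""
import re
from collections import Counter
from urllib.parse import parse_qs

# The key=value blob runs from "NAXSI_FMT: " up to the first comma/space,
# after which nginx appends its own "client: ..., request: ..." fields.
NAXSI_RE = re.compile(r"NAXSI_FMT: (?P<kv>[^\s,]+)")

# Descriptions copied from Listing 7 for the IDs used in the sample log.
RULE_DESC = {
    "1007": "mysql comment (--)",
    "1011": "parenthesis, probable sql/xss",
    "1302": "html open tag",
    "42000071": "DN WEB_APPS PHPMYADMIN setup.php - Access",
    "42000227": "DN SCAN Scanner ZmEu exploit scanner",
}

# Constructed sample (not real traffic): three hits from one scanner, two from
# another, one of them in learning mode, plus one ordinary nginx error line.
SAMPLE_LOG = """\
2016/04/01 10:00:01 [error] 8278#0: *1 NAXSI_FMT: ip=203.0.113.7&server=wiki.example.org&uri=/doku.php&learning=0&vers=0.54&total_processed=12&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1007&var0=id, client: 203.0.113.7, server: wiki.example.org, request: "GET /doku.php?id=start-- HTTP/1.1", host: "wiki.example.org"
2016/04/01 10:00:02 [error] 8278#0: *2 NAXSI_FMT: ip=203.0.113.7&server=wiki.example.org&uri=/doku.php&learning=0&vers=0.54&total_processed=13&total_blocked=2&block=1&cscore0=$SQL&score0=16&cscore1=$XSS&score1=8&zone0=ARGS&id0=1007&var0=id&zone1=ARGS&id1=1011&var1=id, client: 203.0.113.7, server: wiki.example.org, request: "GET /doku.php?id=start--(1) HTTP/1.1", host: "wiki.example.org"
2016/04/01 10:00:03 [error] 8278#0: *3 NAXSI_FMT: ip=203.0.113.7&server=wiki.example.org&uri=/&learning=0&vers=0.54&total_processed=14&total_blocked=3&block=1&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var0=user-agent, client: 203.0.113.7, server: wiki.example.org, request: "GET / HTTP/1.1", host: "wiki.example.org"
2016/04/01 10:00:04 [error] 8278#0: *4 NAXSI_FMT: ip=198.51.100.22&server=wiki.example.org&uri=/phpMyAdmin/scripts/setup.php&learning=0&vers=0.54&total_processed=15&total_blocked=4&block=1&cscore0=$UWA&score0=8&zone0=URL&id0=42000071&var0=, client: 198.51.100.22, server: wiki.example.org, request: "GET /phpMyAdmin/scripts/setup.php HTTP/1.1", host: "wiki.example.org"
2016/04/01 10:00:05 [error] 8278#0: *5 NAXSI_FMT: ip=198.51.100.22&server=wiki.example.org&uri=/doku.php&learning=1&vers=0.54&total_processed=16&total_blocked=5&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var0=q, client: 198.51.100.22, server: wiki.example.org, request: "GET /doku.php?q=%3Cb%3E HTTP/1.1", host: "wiki.example.org"
2016/04/01 10:00:06 [error] 8278#0: *6 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 192.0.2.9, server: wiki.example.org, request: "GET /favicon.ico HTTP/1.1"
"""


def parse_naxsi_line(line):
    """Return a dict for a NAXSI_FMT line, or None for any other log line.
    'ids' holds one (rule_id, zone, var) tuple per matched rule (id0, id1, ...)."""
    m = NAXSI_RE.search(line)
    if not m:
        return None
    kv = parse_qs(m.group("kv"), keep_blank_values=True)

    def one(key, default=""):
        return kv.get(key, [default])[0]

    ids, i = [], 0
    while f"id{i}" in kv:
        ids.append((one(f"id{i}"), one(f"zone{i}"), one(f"var{i}")))
        i += 1
    return {
        "ip": one("ip"),
        "server": one("server"),
        "uri": one("uri"),
        "block": one("block") == "1",
        "learning": one("learning") == "1",   # logged but let through
        "ids": ids,
    }


def rule_report(lines):
    """Count hits per rule ID over all events (learning mode included),
    sorted by count descending; returns (id, count, description) rows."""
    counts = Counter()
    for line in lines:
        ev = parse_naxsi_line(line)
        if ev:
            for rule_id, _zone, _var in ev["ids"]:
                counts[rule_id] += 1
    return [(rid, n, RULE_DESC.get(rid, "")) for rid, n in counts.most_common()]


def format_report(rows):
    """Render rows in the same three-column layout as Listing 7."""
    out = ["       ID |  Count | Rule", "----------+--------+" + "-" * 40]
    out += [f"{rid:>9} | {n:>6} | {desc}" for rid, n, desc in rows]
    return "\n".join(out)


def ips_to_block(lines, threshold=3):
    """IPs whose number of really blocked requests (block=1, not learning
    mode) reached the threshold. Learning-mode hits never count here,
    because those requests were allowed through."""
    per_ip = Counter()
    for line in lines:
        ev = parse_naxsi_line(line)
        if ev and ev["block"] and not ev["learning"]:
            per_ip[ev["ip"]] += 1
    return {ip for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(format_report(rule_report(lines)))
    print("block at firewall:", sorted(ips_to_block(lines)))
```

On a real sensor, feed the script the output of `grep NAXSI_FMT /var/log/nginx/error.log` and hand the resulting IP set to whatever does the blocking (fail2ban, ipset, or the upstream firewall). Learning-mode entries show up in the report, which is what you want while tuning whitelists, but they never contribute to a block.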

Performance

A number of benchmarks have compared Nginx with other prominent web servers [13] [14], and Nginx consistently ranks among the fastest open source web servers. A server running Nginx normally remains responsive even under heavy load, so that logins and admin tasks are still possible if something goes wrong. By comparison, an overloaded Apache server on Linux quickly becomes difficult to manage.

With Naxsi enabled, Nginx's performance drops, as you would expect: in our test on a quad-core server with 2GB of RAM, throughput fell by about 30 percent. The result of the corresponding benchmark appears in Figure 6.

Figure 6: Using the Naxsi web application firewall slows down the server by about 30 percent.

Conclusions

Nginx is ideal for use as a front end for application servers, regardless of whether they are based on Apache and PHP, Tomcat, JBoss, Rails, Django, Flask, Node.js, or ${insert your favorite application server here}. Putting Nginx in front can substantially speed up existing web applications, and the more visitors a website has, the more likely Nginx is worth using. Naxsi equips the web server with web application firewall functions without sacrificing too much performance, and Naxsi's whitelists and learning mode provide what is needed to protect the server against automated exploit attempts without blocking legitimate users.

The Author

Markus Manzke works as a system architect and system engineer at MARE system in Kiel, a company that focuses on e-commerce and SME hosting. In his spare time, he develops WAF/IDS signatures for open source projects and puts the daylight hours to good use for watersports on the Baltic.
