« Previous 1 2 3
Protecting your web application infrastructure with the Nginx Naxsi firewall
Fire Protection
Live Examples
Figure 4 shows the report from a Naxsi firewall that has been exposed to several automated attacks on the web since March 15. As of March 12, the associated networks were blocked at the firewall; as of March 28, the same attacks continued from other IPs, which were then blocked on the firewall four days later. As of April 8, the provider of the IP ranges from which the attacks originated was informed; since then, the attack statistics just contain the normal background level. The attack provided valuable data and was harmless, in that it attempted to use SQL injection to compromise several instances of Dokuwiki. But Dokuwiki works without file-based databases, so: no SQL, no injection. Figure 5 breaks down the suspicious patterns by their attack types.
Listing 7 shows the cumulative report (Doxi result) for six firewalls over a period of four weeks. You can see scans of old vulnerabilities (42000122, 42000089), various exploit scanners (42000227, 42000145, 42000181), and attempts to find vulnerabilities via brute force, even if the corresponding software is not installed.
Listing 7
Doxi Results from six WAFs for 30 days
ID | Count ------------------------------------ 42000122 | 2506 | DN SCAN WP Timthumb - Access 42000004 | 1209 | DN APP_SERVER CGI_file access 42000089 | 1202 | DN WEB_APPS XMLRPC - Access detected (misc Wordpress/Magento-Vulns) 42000002 | 1182 | DN APP_SERVER PHP-file-access 42000227 | 977 | DN SCAN Scanner ZmEu exploit scanner 42000059 | 740 | DN WEB_APPS Possible unwanted Upload / Access To mm-forms-community upload dir 42000003 | 337 | DN APP_SERVER ASP_file access 1007 | 296 | mysql comment (--) 42000082 | 292 | DN WEB_SERVER Tomcat - Manager - Access 42000077 | 242 | DN WEB_SERVER LIBWWW_perl-UA detected 42000071 | 187 | DN WEB_APPS PHPMYADMIN setup.php - Access 1011 | 152 | parenthesis, probable sql/xss 42000210 | 127 | DN APP_SERVER Tomcat Auth Brute Force attempt (admin) 42000020 | 121 | DN APP_SERVER ASPX_file access 42000145 | 113 | DN SCAN Scanner morfeus 42000181 | 112 | DN SCAN Scanner webster pro 42000244 | 112 | DN SCAN PHPMyAdmin - Scanner (2) 42000253 | 110 | DN WEB_SERVER possible INC - File - Access 1003 | 99 | mysql comment (/*) 1004 | 96 | mysql comment (*/) 42000169 | 86 | DN SCAN Scanner Nmap 42000243 | 80 | DN SCAN PHPMyAdmin - Scanner 1006 | 75 | mysql keyword (&&) 1302 | 72 | html open tag 42000216 | 74 | DN APP_SERVER Tomcat admin-admin login credentials 1102 | 68 | ftp:// scheme 42000073 | 63 | DN SCAN Python-urllib UA, possible Scanner 1205 | 55 | backslash 1312 | 52 | ~ character 42000065 | 50 | DN WEB_APPS Magento XMLRPC-Exploit Attempt 42000222 | 47 | DN SCAN Open-Proxy ScannerBot (webcollage-UA) 42000031 | 20 | DN SCAN Muieblackcat scanner 42000043 | 8 | DN SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected 42000126 | 8 | DN WEB_APPS WordPress Uploadify-Access 42000151 | 8 | DN SCAN Scanner whatweb 42000229 | 7 | DN APP_SERVER ColdFusion - Vuln-URL-Access administrator 42000230 | 7 | DN APP_SERVER ColdFusion - Vuln-URL-Access adminapi 42000248 | 7 | DN SCAN SQL-Injection Scanner CZxt2
On normal days, an average of between 50 and 150 blocked requests occur per IP per domain, where the attacking IPs are blocked after several attempts; otherwise, the number of attacks per day averages between 300 and 500.
Performance
A number of benchmarks have compared Nginx with other prominent web servers [13] [14], and Nginx asserts itself as one of the fastest open source web servers. A server with Nginx normally remains responsive even under heavy load, so that login and admin tasks are possible if something should go wrong. In comparison, rogue Apache servers quickly become difficult to manage on Linux.
With Naxsi in its armory, Nginx's performance drops, as you might expect; in our test on a quad-core server with 2GB of RAM, performance dropped by about 30 percent. The result of a corresponding benchmark appears in Figure 6.
Conclusions
Nginx is ideal for use as a front end for application servers, regardless of whether they are based on Apache and PHP, Tomcat, JBoss, Rails, Django, Flask, Node.js, or ${insert your favorite application server here}
. Using Nginx can speed up existing web applications by several orders of magnitude, and the more visitors a website has, the more likely Nginx is worth using. Naxsi equips the web server with web application firewall functions, without sacrificing too much performance. Whitelists and a learning function on Naxsi ensure that all requirements are met to protect the server against automated exploit attempts.
Infos
- Nginx Home: http://www.nginx.org/
- Webserver Statistics: http://w3techs.com/technologies/cross/web_server/ranking
- Controlling Nginx: http://nginx.org/en/docs/control.html
- SPDY for Nginx: http://nginx.org/patches/spdy/README.txt
- Nginx-Wiki: http://wiki.nginx.org/
- Naxsi code: http://code.google.com/p/naxsi/
- Nginx Sticky module: http://code.google.com/p/nginx-sticky-module/
- Cache Purge: https://github.com/FRiCKLE/ngx_cache_purge/
- Results of the Mod Security SQL Injection Challenge: https://code.google.com/p/naxsi/wiki/Naxsi_Vs_ObfuscatedAttackPatterns
- Doxi Rules: https://bitbucket.org/lazy_dogtown/doxi-rules/src/
- WordPress TimThumb RFI Vulnerability used as Botnet Recruitment Vector: http://eromang.zataz.com/2011/09/20/wordpress-timthumb-rfi-vulnerability-used-as-botnet-recruitment-vector/
- Doxi Tools: https://bitbucket.org/lazy_dogtown/doxi
- Nginx vs. Cherokee vs. Apache vs. Lighttpd: http://www.whisperdale.net/11-nginx-vs-cherokee-vs-apache-vs-lighttpd.html
- Apache, Nginx, Varnish, and G-WAN: http://nbonvin.wordpress.com/2011/03/14/apache-vs-nginx-vs-varnish-vs-gwan/
« Previous 1 2 3