Jump to content

Blesta + Naxsi


Recommended Posts


With modern day computing now going to the extremes having peace of mind and strong security in place is critical not only having Firewalls, Virus Scanners, Malware Scanners but you also need at least a basic WAF/IDS system in place since Blesta come's complete with "PHPIDS" I want to focus my time getting Blesta to work nicely with Naxsi as it stands I haven't try using them both yet but it'll be good to see just how they play and moving forward using them together along with other pieces of software to have a complete "performance protection suite" which covers you from more angles than a basic Firewall.

Taken from OWASP I would like to quote this text:



A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.


NAXSI means Nginx Anti Xss & Sql Injection.

Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple rules (naxsi_core.rules) containing 99% of known patterns involved in websites vulnerabilities. For example, '<', '|' or 'drop' are not supposed to be part of a URI.

Being very simple, those patterns may match legitimate queries, it is Naxsi's administrator duty to add specific rules that will whitelist those legitimate behaviours. The administrator can either add whitelists manually by analyzing nginx's error log, or (recommended) start the project by an intensive auto-learning phase that will automatically generate whitelisting rules regarding website's behaviour.

In short, Naxsi behaves like a DROP-by-default firewall, the only job needed is to add required ACCEPT rules for the target website to work properly.



Before I move further and hopefully get Blesta + Naxsi running together as everyone else tried running them both?


P.S I already have Blesta + Nginx running smooth which is half of the setup already completed but here is a nice article detailing the setup and installation in more details for anyone interested: https://www.axivo.com/community/threads/nginx-naxsi-firewall-setup-on-centos.206/

Link to comment
Share on other sites

I haven't heard of Naxis before, but curious where this goes. Will you be publishing a recommended rule set?


Just be using the default rule set which will likely need editing for everything to play nice. Maybe if a couple of others on these boards take to using it between us all we could bring up some kind of recommended rule set which this thread or something. Debian now have Nginx + Naxsi package so it's becoming popular.

Link to comment
Share on other sites

  • 11 months later...

I know this is an old question, but... ..here is a new answer :)
In order to use NAXSI with Blesta :
1) restric your server to your own ip - important while you are in learning mode
2) enable NAXSI in Learning mode
3) run this to create your whitelist rules :


mv /var/log/nginx/error.log  /var/log/nginx/error.log-bak
touch /var/log/nginx/error.log 
mv /var/log/nginx/access.log  /var/log/nginx/access.log-bak
touch /var/log/nginx/access.log
wget https://naxsi.googlecode.com/files/nx_util-1.0.tgz
tar -zxf nx_util-1.0.tgz
cd nx_util-1.0/nx_util

NOW : BROWSE YOUR BLESTA EVERYWHERE! Go in the admin, and submit all the forms. Do the same in the client area. Try every features.
You will generate some logs, in /var/log/nginx/error.log and /var/log/nginx/access.log.

We will use these logs to create our whitelist rules :


python nx_util.py -c nx_util.conf -l /var/log/nginx/*.log -o

You'll get some rules created based on your logs.  I suggest to review them first, and then only whitelist the ones you really need. 

Now add them to your whitelist file, and you are done.


Note : Don't forget to comment the line




in the file /etc/nginx/naxsi.rules


...and to restart nginx


Cheers :)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...