<div dir="ltr">Hi<div><br></div><div>can you give an example of using a map instead of the if statement ?</div><div><br></div><div>Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 21 May 2017 at 02:35, c0nw0nk <span dir="ltr"><<a href="mailto:nginx-forum@forum.nginx.org" target="_blank">nginx-forum@forum.nginx.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">gariac Wrote:<br>
------------------------------<wbr>-------------------------<br>
<div><div class="h5">> I had run Naxsi with Doxi. Trouble is when it cause problems, it was<br>
> really hard to figure out what rule was the problem. I suppose if you<br>
> knew what each rule did, Naxsi would be fine. <br>
><br>
> That said, my websites are so unsophisticated that it is far easier<br>
> for me just to use maps. <br>
><br>
> Case in point. When all this adobe struts hacking started, I noticed<br>
> lots of 404s with the word "action" in the url request. I just added<br>
> "action" to the map map and 444 them. <br>
><br>
> If you have an url containing any word used in SQL, Naxsi/Doxi goes in<br>
> blocking mode. I recall it was flagging on the word "update". I had a<br>
> updates.html and Nasxi/Doxi was having a fit. <br>
><br>
> In the end, it was far easier just to use maps. Other than a few<br>
> modern constructs like "object-fit contain", my sites have a 1990s<br>
> look. Keeping things simple reduces the attack surface. <br>
><br>
> I think even with Naxsi, you would need to set up a map to block bad<br>
> referrers. I'm amazed at the nasty websites that link to me for no<br>
> apparent reason. Case in point, I had a referral from the al Aqsa<br>
> Martyrs Brigade. Terrorists! And numerous porn sites, all<br>
> irrelevant. So Naxsi alone isn't sufficient. <br>
><br>
> Original Message <br>
> From: c0nw0nk<br>
> Sent: Saturday, May 20, 2017 3:36 AM<br>
> To: <a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
> Reply To: <a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
> Subject: Re: WordPress pingback mitigation<br>
><br>
> I take it you don't use a WAF of any kind i also think you should add<br>
> it to<br>
> a MAP at least instead of using IF.<br>
><br>
> The WAF I use for these same rules is found here.<br>
><br>
> <a href="https://github.com/nbs-system/naxsi" rel="noreferrer" target="_blank">https://github.com/nbs-system/<wbr>naxsi</a><br>
><br>
> The rules for wordpress and other content management systems are found<br>
> here.<br>
><br>
> <a href="http://spike.nginx-goodies.com/rules/" rel="noreferrer" target="_blank">http://spike.nginx-goodies.<wbr>com/rules/</a> ( a downloadable list they use<br>
> <a href="https://bitbucket.org/lazy_dogtown/doxi-rules" rel="noreferrer" target="_blank">https://bitbucket.org/lazy_<wbr>dogtown/doxi-rules</a> )<br>
><br>
><br>
> Naxsi is the best soloution I have found against problems like this<br>
> especialy with their XSS and SQL extensions enabled.<br>
><br>
> LibInjectionXss;<br>
> CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;<br>
> LibInjectionSql;<br>
> CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;<br>
><br>
><br>
> Blocks allot of zero day exploits and unknown exploits / penetration<br>
> testing<br>
> techniques.<br>
><br>
> If you want to protect your sites it is definitely worth the look and<br>
> use.<br>
><br>
> Posted at Nginx Forum:<br>
> <a href="https://forum.nginx.org/read.php?2,274339,274341#msg-274341" rel="noreferrer" target="_blank">https://forum.nginx.org/read.<wbr>php?2,274339,274341#msg-274341</a><br>
><br>
> ______________________________<wbr>_________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
> <a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br>
> ______________________________<wbr>_________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
> <a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br>
<br>
<br>
</div></div>It is not actually that hard to read the rules when you understand it.<br>
<br>
The error.log file tells you.<br>
<br>
As I helped someone before read and understand their error log output to<br>
tell them what naxsi was telling them so they could learn understand and<br>
identify what rule is the culprit to their problem.<br>
<br>
Here is the prime example :<br>
<a href="https://github.com/nbs-system/naxsi/issues/351#issuecomment-281710763" rel="noreferrer" target="_blank">https://github.com/nbs-system/<wbr>naxsi/issues/351#issuecomment-<wbr>281710763</a><br>
<br>
If you read that and see their error.log output from naxsi and view the log<br>
it shows you in the log if it was for example "ARGS" or "HEAD" or "POST" etc<br>
and the rule ID number responsible. So you can either null it out or create<br>
a whitelist for that method.<br>
<br>
I am not trying to shove it down your neck or anything like that just trying<br>
to help and show a decent alternative that once you understand can do so<br>
much more with. Like Nginx and Lua it pushes the boundaries to what can be<br>
accomplished. I used to be very stuck in my ways and ignorant to these<br>
features but once i start using them never looked back they are truly<br>
fantastic.<br>
<br>
As long as you fixed your problem that is all that matters :)<br>
<br>
Posted at Nginx Forum: <a href="https://forum.nginx.org/read.php?2,274339,274345#msg-274345" rel="noreferrer" target="_blank">https://forum.nginx.org/read.<wbr>php?2,274339,274345#msg-274345</a><br>
<div class="HOEnZb"><div class="h5"><br>
______________________________<wbr>_________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a></div></div></blockquote></div><br></div>