WordPress pingback mitigation

c0nw0nk nginx-forum at forum.nginx.org
Sat May 20 16:35:02 UTC 2017


gariac Wrote:
-------------------------------------------------------
> I had run Naxsi with Doxi. Trouble is when it cause problems, it was
> really hard to figure out what rule was the problem. I suppose if you
> knew what each rule did, Naxsi would be fine. 
> 
> That said, my websites are so unsophisticated that it is far easier
> for me just to use maps. 
> 
> Case in point. When all this adobe struts hacking started, I noticed
> lots of 404s with the word "action" in the url request. I just added
> "action" to the map and 444 them.
> 
> If you have an url containing any word used in SQL, Naxsi/Doxi goes in
> blocking mode. I recall it was flagging on the word "update". I had an
> updates.html and Naxsi/Doxi was having a fit.
> 
> In the end, it was far easier just to use maps. Other than a few
> modern constructs like "object-fit contain", my sites have a 1990s
> look. Keeping things simple reduces the attack surface.
> 
> I think even with Naxsi, you would need to set up a map to block bad
> referrers. I'm amazed at the nasty websites that link to me for no
> apparent reason. Case in point, I had a referral from the al Aqsa
> Martyrs Brigade. Terrorists! And numerous porn sites, all
> irrelevant. So Naxsi alone isn't sufficient.
> 
>   Original Message  
> From: c0nw0nk
> Sent: Saturday, May 20, 2017 3:36 AM
> To: nginx at nginx.org
> Reply To: nginx at nginx.org
> Subject: Re: WordPress pingback mitigation
> 
> I take it you don't use a WAF of any kind. I also think you should add
> it to a MAP at least instead of using IF.
> 
> The WAF I use for these same rules is found here.
> 
> https://github.com/nbs-system/naxsi
> 
> The rules for wordpress and other content management systems are found
> here.
> 
> http://spike.nginx-goodies.com/rules/ ( a downloadable list they use
> https://bitbucket.org/lazy_dogtown/doxi-rules )
> 
> 
> Naxsi is the best solution I have found against problems like this,
> especially with their XSS and SQL extensions enabled.
> 
> LibInjectionXss;
> CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
> LibInjectionSql;
> CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
> 
> 
> Blocks a lot of zero day exploits and unknown exploits / penetration
> testing techniques.
> 
> If you want to protect your sites it is definitely worth the look and
> use.
> 
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,274339,274341#msg-274341
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


It is not actually that hard to read the rules once you understand them.

The error.log file tells you.

I helped someone before read and understand their error log output,
telling them what naxsi was saying so they could learn to understand and
identify which rule was the culprit for their problem.

Here is the prime example :
https://github.com/nbs-system/naxsi/issues/351#issuecomment-281710763

If you read that and see their error.log output from naxsi and view the log
it shows you in the log if it was for example "ARGS" or "HEAD" or "POST" etc
and the rule ID number responsible. So you can either null it out or create
a whitelist for that method.

I am not trying to shove it down your neck or anything like that, just trying
to help and show a decent alternative that, once you understand it, can do so
much more. Like Nginx and Lua, it pushes the boundaries of what can be
accomplished. I used to be very stuck in my ways and ignorant of these
features, but once I started using them I never looked back; they are truly
fantastic.

As long as you fixed your problem that is all that matters :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274339,274345#msg-274345
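The reply above describes reading naxsi's error.log to find the zone (ARGS, URL, etc.) and rule id behind a block and then whitelisting just that. The script below, added here as an example and not part of the thread or of naxsi's own tooling, parses NAXSI_FMT log lines and prints the narrowest BasicRule whitelist for each hit; the log lines, ip, uri and rule ids are constructed sample values.

```python
import re
from urllib.parse import parse_qs

# Constructed sample error.log lines in naxsi's NAXSI_FMT layout (made-up ip/uri/rule ids)
SAMPLE_LOG = [
    "2017/05/20 16:35:02 [error] 1234#0: *5 NAXSI_FMT: ip=192.0.2.10&server=example.org"
    "&uri=/updates.html&learning=0&vers=0.55.3&total_processed=10&total_blocked=1"
    "&block=1&cscore0=$SQL&score0=8&zone0=URL&id0=1000&var0=",
    "2017/05/20 16:36:11 [error] 1234#0: *6 NAXSI_FMT: ip=192.0.2.11&server=example.org"
    "&uri=/search&learning=0&vers=0.55.3&total_processed=11&total_blocked=2&block=1"
    "&cscore0=$SQL&score0=16&zone0=ARGS&id0=1000&var0=q&zone1=ARGS&id1=1013&var1=q",
    "2017/05/20 16:37:00 [error] 1234#0: *7 open() failed (2: No such file or directory)",
]

# zone name as naxsi logs it -> matchzone keyword for a variable-scoped BasicRule whitelist
ZONE_TO_MZ = {"ARGS": "$ARGS_VAR", "HEADERS": "$HEADERS_VAR", "BODY": "$BODY_VAR"}

def parse_naxsi_line(line):
    """Return (ip, uri, [(zone, rule_id, var), ...]) for a NAXSI_FMT line, else None."""
    m = re.search(r"NAXSI_FMT: (\S+)", line)
    if not m:
        return None
    fields = parse_qs(m.group(1), keep_blank_values=True)
    def first(key):
        return fields.get(key, [""])[0]
    hits, i = [], 0
    while f"zone{i}" in fields:          # naxsi numbers each hit: zone0/id0/var0, zone1/...
        hits.append((first(f"zone{i}"), int(first(f"id{i}")), first(f"var{i}")))
        i += 1
    return first("ip"), first("uri"), hits

def whitelist_for(uri, zone, rule_id, var):
    """Narrowest BasicRule that would let exactly this hit through."""
    if zone == "URL":
        return f'BasicRule wl:{rule_id} "mz:$URL:{uri}";'
    if zone in ZONE_TO_MZ and var:
        return f'BasicRule wl:{rule_id} "mz:{ZONE_TO_MZ[zone]}:{var}";'
    return f'BasicRule wl:{rule_id} "mz:{zone}";'   # whole zone: broad, review before use

def suggest_whitelists(lines):
    """Deduplicated, sorted whitelist suggestions for every naxsi hit in the given lines."""
    out = set()
    for line in lines:
        parsed = parse_naxsi_line(line)
        if parsed is None:
            continue
        _ip, uri, hits = parsed
        for zone, rule_id, var in hits:
            out.add(whitelist_for(uri, zone, rule_id, var))
    return sorted(out)
```

Run `suggest_whitelists(SAMPLE_LOG)` to get the three BasicRule lines; paste only the ones you have reviewed into the naxsi location block, since a whole-zone whitelist disables that rule for every request.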
