Naxsi for Apache2
cmake/modules
deps/libinjection
tests
.gitignore
.travis.yml
CMakeLists.txt
JsonValidator.cpp
JsonValidator.hpp
LICENSE
README.md
RuleParser.cpp
RuleParser.h
RuntimeScanner.cpp
RuntimeScanner.hpp
Util.cpp
Util.h
mod_defender.cpp
mod_defender.hpp
mod_defender_body.cpp

Mod Defender is an Apache2 module that aims to block attacks using a whitelist policy.
It is an almost complete replication of NAXSI, which targets Nginx.
It uses the same configuration format and is therefore fully compatible with NXAPI/NXTOOL.

Advantages

  • Human readable log: colored output to watch Mainrules and Basicrules processing
  • JSON match log: easier parsing and more compact logs
  • Combined log: the regular and extensive match logs are merged so that the content and the name of the variable in question are present on the same line

Required packages

  • apache2 dev package to provide Apache2 headers
  • apr package to provide the Apache Portable Runtime library and headers
  • gcc & g++ >= 4.9 (for std::regex)
  • GNU make
  • cmake >= 3.2

Installation

Debian

  1. Install required packages

    sudo apt-get install apache2-dev make gcc g++ cmake
  2. Compile the source

    cmake -H. -Bbuild
    cmake --build build -- -j4
  3. Install the module

    sudo cp build/mod_defender.so /usr/lib/apache2/modules/
  4. Create its module load file

    cat << EOF | sudo tee /etc/apache2/mods-available/defender.load > /dev/null
    LoadModule defender_module /usr/lib/apache2/modules/mod_defender.so
    <IfModule defender_module>
    Include /etc/defender/core.rules
    </IfModule>
    EOF
  5. Add mod_defender settings in the desired location / directory / proxy blocks

    <VirtualHost *:80>
        ServerName ...
        DocumentRoot ...
    
        <Location ...>
            <IfModule defender_module>
            # Defender toggle
            Defender On
            # Match log path
            MatchLog ${APACHE_LOG_DIR}/defender_match.log
            # JSON Match log path
            JSONMatchLog ${APACHE_LOG_DIR}/defender_json_match.log
            # Request body limit
            RequestBodyLimit 8388608
            # Learning mode toggle
            LearningMode On
            # Extensive Learning log toggle
            ExtensiveLog Off
            # Libinjection SQL toggle
            LibinjectionSQL Off
            # Libinjection XSS toggle
            LibinjectionXSS Off
            ## Score action
            CheckRule "$SQL >= 8" BLOCK
            CheckRule "$RFI >= 8" BLOCK
            CheckRule "$TRAVERSAL >= 4" BLOCK
            CheckRule "$EVADE >= 4" BLOCK
            CheckRule "$XSS >= 8" BLOCK
            CheckRule "$UPLOAD >= 8" BLOCK
    
            # Whitelists (BasicRule)
            Include /etc/defender/my_whitelist.rules
            </IfModule>
        </Location>
    </VirtualHost>
    
  6. Create Mod Defender conf directory

    sudo mkdir /etc/defender/
  7. Populate it with the core rules

    sudo wget -O /etc/defender/core.rules \
    https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules
  8. Enable the module

    sudo a2enmod defender
  9. Restart Apache2 for the changes to take effect

    sudo service apache2 restart

FreeBSD

  1. Install required packages

    pkg install apr make gcc cmake
  2. Compile the source

    cmake -H. -Bbuild
    cmake --build build -- -j4
  3. Install the module

    cp build/mod_defender.so /usr/local/libexec/apache24/
  4. Create its module load file

    cat << EOF | tee /usr/local/etc/apache24/modules.d/250_defender.conf > /dev/null
    LoadModule defender_module libexec/apache24/mod_defender.so
    <IfModule defender_module>
    Include etc/defender/core.rules
    </IfModule>
    EOF
  5. Add mod_defender settings in the desired location / directory / proxy blocks

    <VirtualHost *:80>
        ServerName ...
        DocumentRoot ...
    
        <Location ...>
            <IfModule defender_module>
            # Defender toggle
            Defender On
            # Match log path
            MatchLog /var/log/defender_match.log
            # JSON Match log path
            JSONMatchLog /var/log/defender_json_match.log
            # Request body limit
            RequestBodyLimit 8388608
            # Learning mode toggle
            LearningMode On
            # Extensive Learning log toggle
            ExtensiveLog Off
            # Libinjection SQL toggle
            LibinjectionSQL Off
            # Libinjection XSS toggle
            LibinjectionXSS Off
            ## Score action
            CheckRule "$SQL >= 8" BLOCK
            CheckRule "$RFI >= 8" BLOCK
            CheckRule "$TRAVERSAL >= 4" BLOCK
            CheckRule "$EVADE >= 4" BLOCK
            CheckRule "$XSS >= 8" BLOCK
            CheckRule "$UPLOAD >= 8" BLOCK
    
            # Whitelists (BasicRule)
            Include etc/defender/my_whitelist.rules
            </IfModule>
        </Location>
    </VirtualHost>
    
  6. Create Mod Defender conf directory

    mkdir /usr/local/etc/defender/
  7. Populate it with the core rules

    wget -O /usr/local/etc/defender/core.rules \
    https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules
  8. Restart Apache2 for the changes to take effect

    service apache24 restart

Configuration hierarchy

Top (above <VirtualHost>)

    # Score rules
    Include /etc/defender/core.rules
    MainRule "..."

<Location> / <Directory> / <Proxy> blocks

    # Action rules
    CheckRule "..."

    # Whitelist rules
    BasicRule "..."
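
The placement rules above can be checked mechanically before Apache is restarted. The following linter is an added example, not part of Mod Defender: it flags MainRule inside a block, CheckRule/BasicRule outside <Location>/<Directory>/<Proxy>, and unbalanced block tags. The sample configuration is constructed, and treating <IfModule> as a transparent wrapper is an assumption of this example.

```python
import re

# Placement rules from the "Configuration hierarchy" section of this README.
# Names are lowercased because Apache directive names are case-insensitive.
TOP_ONLY = {"mainrule"}                    # score rules, above <VirtualHost>
SCOPED_ONLY = {"checkrule", "basicrule"}   # action and whitelist rules
SCOPES = {"location", "directory", "proxy"}
TRANSPARENT = {"ifmodule"}                 # assumption: wrapper, keeps the scope
OPEN = re.compile(r"<(\w+)(?:\s[^>]*)?>$")
CLOSE = re.compile(r"</(\w+)>$")

def lint(conf_text):
    """Return sorted (line_number, message) findings; Include files are not followed."""
    findings, stack = [], []               # stack of (block_name, opening_line)
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLOSE.match(line):
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            else:
                findings.append((no, f"unexpected </{m.group(1)}>"))
            continue
        if m := OPEN.match(line):
            stack.append((m.group(1).lower(), no))
            continue
        name = line.split(None, 1)[0].lower()
        enclosing = [b for b, _ in stack if b not in TRANSPARENT]
        if name in TOP_ONLY and enclosing:
            findings.append((no, f"{name} inside <{enclosing[-1]}>, belongs at top level"))
        elif name in SCOPED_ONLY and not (enclosing and enclosing[-1] in SCOPES):
            findings.append((no, f"{name} outside <location>/<directory>/<proxy>"))
    findings += [(no, f"<{b}> never closed") for b, no in stack]
    return sorted(findings)

# Constructed sample: two misplaced directives and a closing tag typed as an opening tag.
SAMPLE = """\
MainRule "..."
<VirtualHost *:80>
    CheckRule "$XSS >= 8" BLOCK
    <Location /app>
        <IfModule defender_module>
        CheckRule "$SQL >= 8" BLOCK
        MainRule "..."
        </IfModule>
    </Location>
<VirtualHost>
"""

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```
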

Credits

NAXSI's team from nbs-system