nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

What basic settings do you recommend to have security on my website? #445

Closed dertin closed 5 years ago

dertin commented 5 years ago

I would be grateful if you could tell me how I should make a configuration that gives me security on my website. This is the script that you used to install the server: https://github.com/dertin/lemp-stack-debian Thank you.

jvoisin commented 5 years ago

There is no recommended configuration, as naxsi is a whitelist-based WAF; each configuration is heavily tied to the underlying application.

dertin commented 5 years ago

Hi @jvoisin

I saw something about activating LearningMode, but I did not find documentation on how it should be used or what it is for. I guess it generates rules from the use of the web application.

I also found the following. https://github.com/nbs-system/nxtool-ng

But I still do not know how it works. I am trying to read the documentation, but my mother tongue is not English, which makes it a bit difficult for me.

buixor commented 5 years ago

Hello @dertin !

If your website has little user interaction (i.e. forms with free text etc.), learning might be a good candidate.

To do so, run naxsi in learning mode on your website, generate some traffic (or wait for legitimate users to do so), and then use nxtool to:

The documentation on the main page of nxtool should help you. However, this requires you to set up an Elasticsearch :)

Another solution might be to use lasagna, which is supposed to be an "easy" whitelist generator for naxsi. While I didn't try it myself, it might be suitable for your usage :)

Let us know how we can help!
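As an added example (written for this page; it is not code from the naxsi project nor from nxtool or lasagna), here is a small Python script that does, over a few constructed error.log lines, what the learning step described above amounts to: parse the NAXSI_FMT events naxsi writes while LearningMode is on, count how many distinct client IPs triggered each exception so that one attacker's probes are not turned into a whitelist, and emit BasicRule whitelists inside a location block with LearningMode switched off. The log lines, hostnames and IPs are made up; the matchzone syntax (`$URL:...|$ARGS_VAR:...`) and the CheckRule thresholds follow naxsi's documentation; the `min_sources` threshold is this example's own heuristic and not something naxsi prescribes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines in the shape naxsi writes to nginx's error.log while
# LearningMode is on (learning=1). Hosts, IPs and the requests are made up.
SAMPLE_LOG = """\
2019/02/12 10:00:00 [error] 1234#0: *5 NAXSI_FMT: ip=10.0.0.1&server=www.example.com&uri=/search&learning=1&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q, client: 10.0.0.1, server: www.example.com, request: "GET /search?q=it%27s HTTP/1.1", host: "www.example.com"
2019/02/12 10:00:01 [error] 1234#0: *6 NAXSI_FMT: ip=10.0.0.3&server=www.example.com&uri=/contact&learning=1&vers=0.56&total_processed=2&total_blocked=2&block=1&cscore0=$XSS&score0=8&zone0=BODY&id0=1302&var_name0=message&zone1=BODY&id1=1303&var_name1=message, client: 10.0.0.3, server: www.example.com, request: "POST /contact HTTP/1.1", host: "www.example.com"
2019/02/12 10:00:02 [error] 1234#0: *7 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 10.0.0.2, server: www.example.com, request: "GET /favicon.ico HTTP/1.1"
2019/02/12 10:00:03 [error] 1234#0: *8 NAXSI_FMT: ip=10.0.0.2&server=www.example.com&uri=/search&learning=1&vers=0.56&total_processed=3&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q, client: 10.0.0.2, server: www.example.com, request: "GET /search?q=don%27t HTTP/1.1", host: "www.example.com"
"""

NAXSI_FMT_RE = re.compile(r"NAXSI_FMT: (?P<kv>[^,]+)")


def parse_naxsi_fmt(line):
    """Return the key/value payload of one NAXSI_FMT line, or None for other lines."""
    m = NAXSI_FMT_RE.search(line)
    if not m:
        return None
    return {k: v[0] for k, v in parse_qs(m.group("kv")).items()}


def exceptions(event):
    """Yield (rule_id, matchzone) for every zoneN/idN/var_nameN triple in one event.
    Assumption: zone names are the plain ARGS/BODY/HEADERS/URL/FILE_EXT strings."""
    uri = event["uri"]
    i = 0
    while f"id{i}" in event:
        zone = event[f"zone{i}"]
        var = event.get(f"var_name{i}")
        if var and zone in ("ARGS", "BODY", "HEADERS"):
            mz = f"$URL:{uri}|${zone}_VAR:{var}"   # narrowest whitelist: this URL, this variable
        else:
            mz = f"$URL:{uri}|{zone}"
        yield int(event[f"id{i}"]), mz
        i += 1


def learn(log_text, min_sources=2):
    """Aggregate learning-mode events. Exceptions seen from at least min_sources
    distinct client IPs become whitelist candidates; the rest are left for review,
    because in learning mode an attacker's probes are logged exactly like real traffic."""
    sources = defaultdict(set)  # (rule_id, matchzone) -> set of client IPs
    for line in log_text.splitlines():
        ev = parse_naxsi_fmt(line)
        if ev is None or ev.get("learning") != "1":
            continue
        for key in exceptions(ev):
            sources[key].add(ev["ip"])
    accepted, review = defaultdict(set), defaultdict(set)
    for (rule_id, mz), ips in sources.items():
        bucket = accepted if len(ips) >= min_sources else review
        bucket[mz].add(rule_id)
    return accepted, review


def basic_rules(by_matchzone):
    """Render grouped exceptions as naxsi BasicRule whitelist lines."""
    return [
        f'BasicRule wl:{",".join(str(i) for i in sorted(ids))} "mz:{mz}";'
        for mz, ids in sorted(by_matchzone.items())
    ]


def render_location(accepted, path="/"):
    """An nginx location block with the learned whitelists and LearningMode commented
    out, i.e. ready to block. naxsi_core.rules must be included in the http block and
    a location for DeniedUrl (e.g. returning 403) must exist elsewhere in the config."""
    rules = "\n".join("    " + r for r in basic_rules(accepted))
    return f"""location {path} {{
    SecRulesEnabled;
    #LearningMode;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
{rules}
}}"""


if __name__ == "__main__":
    accepted, review = learn(SAMPLE_LOG)
    print(render_location(accepted))
    print("# needs manual review before whitelisting:")
    for r in basic_rules(review):
        print("#   " + r)
```

On the constructed input the `/search?q=` exception was seen from two different clients and is whitelisted, while the `/contact` body exception came from a single client and is only listed for review; raise or lower `min_sources` (or add an allow-list of trusted source networks) to match how much traffic you collected. Whitelisting by `$URL|$ARGS_VAR` rather than by variable name alone keeps the exception from leaking to every other handler that happens to use a parameter called `q`.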

jvoisin commented 5 years ago

Wow, I didn't know about lasagna, shouldn't it be mentioned in the documentation @buixor ?