WAF nginx - add rules naxsi

[RamSense]

Hi,
I have a own hosted wordpress site behind opnsense / nginx reverse proxy with naxsi waf enabled.
I found this site ( https://miketabor.com/a-few-steps-to-secure-a-wordpress-site/ ) with some Cloudflare WAF instructions. I wonder how I can translate them to being added to the nginx naxsi waf rules.

Who can help me step by step how to add those rules to what fields in Naxsi/nginx?

Code: [Select]

(http.request.full_uri contains "wp-config.") or
(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php") or
(http.request.uri.path contains "phpmyadmin") or
(http.request.uri.path contains "/xmlrpc.php") or
(http.request.full_uri contains "passwd") or
(http.request.uri.query contains "author_name=") or
(http.request.uri.query contains "author=" and not http.request.uri.path contains "/wp-admin/export.php") or
(http.request.uri contains "/wp-json/wp/v2/users/") or
(http.request.full_uri contains "../") or
(http.request.full_uri contains "..%2F") or
(http.request.full_uri contains "vuln.") or
(http.request.uri.query contains "base64") or
(http.request.uri.query contains "<script") or
(http.request.uri.query contains "%3Cscript") or
(http.request.uri.query contains "$_GLOBALS[") or
(http.request.uri.query contains "$_REQUEST[") or
(http.request.uri.query contains "$_POST[") or
(http.request.uri contains "

<?php") or (http.request.uri contains ".sql") or(http.request.uri contains ".bak") or(http.request.uri contains ".cfg") or(http.request.uri contains ".env") or(http.request.uri contains ".ini") or(http.request.uri contains ".log") or(http.request.full_uri contains "/license.txt") or(http.request.full_uri contains "/readme.html")

many thanks in advance!

[fabian]

Convert every rule to a main rule (some are likely already there if you import the standard ruleset) and assign them.

Some of those rules are totally nonsense for a default WP installation like blocking phpmyadmin since it is not there unless you install it or blocking file extensions that should not exist in a WP installation.

[RamSense]

thanks for your reply and info and do I understand it correctly that for instance, for the rule: (http.request.full_uri contains "/license.txt") it is as simple as;

add Naxsi rule:
Description: block /license.txt
Message: block /license.txt
ID: 99999 (some non existing high number? or leave empty?)
Rule Type: Main rule
Use Regular Expressions: <checked>
Match Value: /license.txt
Match Type: Blacklist
Search in Filename: <checked>
Score: 8

and the rule for getting a block while looking for the /license.txt file is being added? Or is there something to be added?

thanks for your help

[fabian]

Id just needs to be unique. It should not be < 1000 since that are the internal rules. The rest is up to you.

[RamSense]

Thank you for explaining. I did just made my own and first Naxsi rule id 2000 for blocking getting: /license.txt

And Opnsense gave the "Request Denied For Security Reasons" :-)

[RamSense]

I added some of the  above rules:

Match Value \.log|\.ini|\.env|\.cfg|\.bak|\.sql|\<?php
and /license.txt
and /readme.html

Are there users with self hosted (wordpress) sites behind opnsense - nginx - naxsi?

Are there any rules to be added manually? Or are the default Naxsi rules enough to protect e.g. Wordpress?

[PIv0]

Convert every rule to a main rule (some are likely already there if you import the standard ruleset) and assign them.

Some of those rules are totally nonsense for a default WP installation like blocking phpmyadmin since it is not there unless you install it or blocking file extensions that should not exist in a WP installation.

Hi!

I'm just learning the ins and outs of configuring WAF (naxsi) and have a lot of questions.

There are several sets of rules in the following format:
MainRule  "str:${" "msg:log4j attack detection " "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:42000086;

How do I import them into OPNSense? It takes a long time to create rules manually through the web interface and not everything is clear either.

Is there another way to import these rules?

[fabian]

There is an API in the background.

[PIv0]

There is an API in the background.

Hello!

Thanks a lot for the quick response.
I'm learning settings /usr/local/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php

And where can I find the description of the fields in order to correctly convert the rules?

[PIv0]

There is an API in the background.

Hello!

One more question.
I installed OPNSense version 22.1.9_1 and NGINX version 1.28_1.
With the NAXSI learning option enabled, the error log contains the rule codes from naxsi_core.rules (NAXSI_FMT, NAXSI_EXLOG), ignoring the fact that some of the policies were disabled, including those policies, rule codes that were found in the error log.

Is it supposed to be like this or is it a bug?