WEBVTT

00:00.330 --> 00:02.490
Welcome to the Knowledge Portal Video series.

00:02.670 --> 00:09.060
In the last lecture, we looked into what a web application firewall is and why it is necessary.

00:09.300 --> 00:15.000
We also looked into how we can manually compile nginx from source.

00:16.020 --> 00:23.910
Now, today we'll be installing one of the web application firewalls, called NAXSI, along with nginx.

00:24.000 --> 00:28.710
Now we'll have to do that by compiling nginx from source itself.

00:29.010 --> 00:38.670
Now if I go to the browser, this is the GitHub page, basically the open source WAF for nginx.

00:39.540 --> 00:46.650
Now in order to install NAXSI we will have to compile nginx from source itself.

00:47.600 --> 00:50.510
Now we have already seen how we can do it from source.

00:50.510 --> 00:53.660
So let's start on doing that.

00:53.660 --> 00:55.640
So I'll go to /usr/local/src.

00:56.300 --> 00:58.070
This is where we'll be

00:59.700 --> 01:01.640
compiling our nginx package.

01:01.650 --> 01:06.600
Now I have a bit of documentation so it becomes a bit quicker.

01:06.630 --> 01:08.460
Otherwise it will take a lot of time.

01:08.640 --> 01:14.530
Now the first thing that we'll do is we'll download nginx.

01:14.820 --> 01:16.290
So here it is.

01:16.290 --> 01:19.470
nginx-1.9.5.tar.gz.

01:19.740 --> 01:26.670
You can download it from the nginx website itself or I'll also be posting the documentation on how to

01:26.670 --> 01:27.180
do it.

01:28.700 --> 01:34.580
Now we have downloaded the nginx package, so let's untar it.

01:34.580 --> 01:38.720
So I'll say tar xzf nginx-1.9.5.tar.gz.

01:39.020 --> 01:39.650
Okay.

01:39.650 --> 01:43.220
So now we have the nginx-1.9.5 folder.

01:44.310 --> 01:51.870
The second thing that will be necessary is that we have to download the NAXSI package itself, because NAXSI is a WAF.

01:52.750 --> 01:59.470
Basically NAXSI acts as a third-party module for nginx, so we'll be installing it along with the module

02:00.320 --> 02:02.180
directives itself.

02:03.230 --> 02:09.650
So let me download the NAXSI package and let's unzip it.

02:12.270 --> 02:12.870
Okay.

02:13.050 --> 02:15.570
So essentially now we have two directories.

02:15.600 --> 02:17.460
One is nginx and one is NAXSI.

02:20.380 --> 02:25.130
Now before we start compiling again, we have already seen this in the previous lecture as well.

02:25.150 --> 02:27.480
You need to have the proper modules

02:28.910 --> 02:31.100
for compilation, as well as

02:31.980 --> 02:33.310
those related to GeoIP,

02:33.340 --> 02:34.720
if you are installing it.

02:35.260 --> 02:38.650
pcre-devel is also a very important module.

02:38.650 --> 02:42.700
If you do not have this you will not be able to compile nginx from the source.

02:43.180 --> 02:49.210
Now I already have these packages; in case you don't have them, do go ahead and install them.

02:49.980 --> 02:50.870
Now if I do

02:50.940 --> 02:53.370
ls, there are two directories over here.

02:53.400 --> 02:55.920
One is NAXSI and one is nginx.

02:56.340 --> 03:01.680
Let's go to the nginx directory, and this is the configure script

03:02.470 --> 03:06.310
which will be used to set the various directives.

03:06.930 --> 03:16.200
Now, again, as we have seen in the previous lecture as well on compiling nginx from source,

03:16.290 --> 03:18.660
we run the configure script.

03:18.870 --> 03:23.400
The prefix is where the nginx configuration will lie.

03:23.610 --> 03:25.800
This is the system binary path.

03:25.800 --> 03:34.440
This is the configuration path where nginx.conf lies, and in the --add-module parameter, the first

03:34.440 --> 03:39.660
module that we are adding is NAXSI, which is the firewall module.

03:39.780 --> 03:43.200
Along with that we are adding various other modules.

03:43.200 --> 03:51.780
Now this is just a temporary list, but if you are in a production environment then there will be a lot

03:51.780 --> 03:55.410
of different modules that you will have to add.

03:55.440 --> 04:01.200
But just for our lab purposes, we'll be adding just a minimal set of modules.

04:01.830 --> 04:06.570
Now I'll just copy this and I'll paste it over here.

04:09.760 --> 04:11.230
And let's run this.

04:15.190 --> 04:15.760
Okay.

04:15.760 --> 04:20.320
Now essentially if I do an ls over here, a Makefile has been created.

04:20.470 --> 04:22.000
Let's do a make.

04:29.200 --> 04:33.400
This will not take much time since we do not have a lot of modules.

04:45.420 --> 04:46.080
Okay.

04:46.080 --> 04:48.120
And the last step is make install.

04:49.760 --> 04:51.500
So finally we are done.

04:52.310 --> 04:53.150
Essentially,

04:53.150 --> 04:59.330
if we go to the nginx directory, we should have the configuration-related files.

04:59.420 --> 05:05.750
Now we have already seen the init.d script that we have to put in the init.d directory.

05:05.780 --> 05:08.810
Now I have not removed the script from the server.

05:09.080 --> 05:11.480
If you go to init.d

05:13.740 --> 05:15.090
and open nginx,

05:15.540 --> 05:18.030
now, I have not removed this script.

05:18.060 --> 05:24.780
We have already seen how to put this script inside the init folder in the previous lectures.

05:25.480 --> 05:26.170
So.

05:27.670 --> 05:30.430
Let's do a service nginx status.

05:30.730 --> 05:35.800
And essentially it is saying service nginx is running, so let's just restart it.

05:39.480 --> 05:46.380
Okay, so finally we are up and running with nginx, but what we have done till now is

05:47.250 --> 05:55.070
we have just configured, or rather we have just installed, the NAXSI module along with nginx.

05:55.080 --> 06:00.120
So now comes the time for configuring the NAXSI module.

06:04.280 --> 06:07.400
So let's go to /usr/local/src.

06:10.480 --> 06:18.220
And essentially in the naxsi-master directory there is a folder called naxsi_config.

06:18.310 --> 06:20.800
So let's take this particular file.

06:23.550 --> 06:26.100
And inside this there are certain rules.

06:26.100 --> 06:32.960
So if I open the core rules, these are rules related to SQL injection.

06:32.970 --> 06:37.770
We also have rules related to directory traversal, cross-site scripting, etcetera.

06:37.890 --> 06:46.050
Now these rules will be used for checking the HTTP request, to check if the

06:47.130 --> 06:51.060
request that is coming is related to hacking activity or not.

06:51.600 --> 06:58.980
We will be copying this particular rule file inside the /etc/nginx

07:00.310 --> 07:01.150
directory.

07:01.360 --> 07:04.930
So let's go back to the nginx directory.

07:06.320 --> 07:07.340
And.

07:10.230 --> 07:13.710
This is where our rule file is basically stored.

07:15.280 --> 07:23.770
Now we'll have to tell nginx to use the rules when it checks the requests.

07:24.250 --> 07:29.710
So for that, we'll open the nginx configuration and

07:30.950 --> 07:33.470
we'll put an include directive.

07:34.700 --> 07:43.000
I'll say include /etc/nginx/naxsi_core.rules.

07:43.010 --> 07:44.240
I hope the

07:47.910 --> 07:53.670
path is correct and I'm not making any mistakes, so let's verify it once.

07:55.320 --> 07:56.880
And yes, it is correct.

07:57.780 --> 08:05.950
Now, there is one more thing that you will have to do, which is to configure the server section.

08:05.970 --> 08:15.750
Now, we have included the NAXSI rules, but we also have to include things in the server location.

08:15.750 --> 08:20.250
So what I'll do, let's create a sample server block over here.

08:21.540 --> 08:22.380
I'll say server.

08:27.310 --> 08:29.430
Let me put listen

08:29.470 --> 08:29.860
80.

08:33.520 --> 08:36.220
The server name would be example.com.

08:37.390 --> 08:42.340
And for this particular configuration, the location, let's

08:45.530 --> 08:47.660
say the root is

08:47.660 --> 08:48.200
/var/www/html,

08:50.970 --> 08:56.490
and the index is index.html.

08:57.390 --> 09:03.240
So just stay with me on this and we'll look into why we are doing this.

09:03.630 --> 09:12.990
So if I open one more text file, let's just copy this, and I'll call it naxsi.rules.

09:15.320 --> 09:17.180
And I'll paste it over here.

09:18.660 --> 09:25.320
Now what we'll be essentially doing is we'll use an include directive and we'll put this particular

09:25.320 --> 09:27.510
file within the server block.

09:27.660 --> 09:35.310
So what essentially will happen is the server block will have this particular NAXSI rules file, which is

09:35.310 --> 09:38.850
basically telling it, for a particular request

09:38.880 --> 09:48.450
URI, to check that URI and its contents against these particular rules related to SQL injection, directory traversal

09:48.600 --> 09:50.730
or cross-site scripting, etcetera.

09:51.630 --> 09:56.530
One more thing that this particular file is doing is DeniedUrl.

09:56.550 --> 10:05.310
So if these particular rules are matched, then this is the text file that

10:06.450 --> 10:07.870
NAXSI should show.

10:07.900 --> 10:12.550
You can even show a 403 or something like that.

10:12.850 --> 10:20.410
Now, let me save this file and let's go back to the nginx.conf.

10:24.050 --> 10:24.950
And.

10:29.150 --> 10:30.350
Let me go back to.

10:40.140 --> 10:46.740
And I'll say include /etc/nginx/naxsi.rules.

10:49.500 --> 10:50.280
This is it.

10:51.030 --> 10:54.210
Let's do nginx -t, and everything is successful.

10:55.160 --> 10:56.450
Let's do an nginx reload.

10:57.830 --> 10:58.430
Perfect.

10:58.760 --> 11:02.420
So essentially our WAF is configured.

11:02.450 --> 11:05.660
Now, question is, how will we be able to test it?

11:05.960 --> 11:17.360
So if we look in here, basically it says that, for example, these are the things that are not supposed

11:17.360 --> 11:18.220
to be a part of the request.

11:18.710 --> 11:25.670
So what we'll do is we'll put this as a part of the URI and check if NAXSI can actually detect this particular

11:25.670 --> 11:26.450
behavior.

11:26.750 --> 11:29.810
So what we'll do let's go to the log file.

11:29.810 --> 11:31.880
I'll go to /var/log/nginx.

11:32.630 --> 11:35.030
And essentially there are two log files.

11:35.030 --> 11:35.990
Let me do a tail.

11:36.860 --> 11:40.130
Let's tail -f on both of them.

11:40.170 --> 11:41.780
So essentially there is

11:42.690 --> 11:43.830
no log over here.

11:44.430 --> 11:46.980
Now let me go to example.com.

11:48.740 --> 11:52.490
And this will essentially not work because what we have done is.

11:54.250 --> 11:59.470
Let's open the nginx.conf.

12:00.940 --> 12:12.160
What we had done here is we had defined the root, which is /var/www/html, but we have not actually created

12:12.160 --> 12:13.470
this particular directory.

12:13.480 --> 12:16.270
So let me actually create this directory,

12:16.330 --> 12:17.890
/var/www/html.

12:18.580 --> 12:20.380
Let me go over here.

12:21.610 --> 12:26.350
And let's create a sample file index.html and let's say hi.

12:28.090 --> 12:29.080
This is it.

12:29.080 --> 12:37.480
And one more thing that we'll have to do is, essentially, if we go to /etc/nginx and naxsi.rules,

12:38.740 --> 12:43.000
here there is a RequestDenied.txt.

12:43.600 --> 12:52.180
Now essentially we'll have to create this particular text file within /var/www/html because this is our root

12:52.180 --> 12:52.990
location.

12:55.330 --> 12:56.350
So if I,

12:57.070 --> 12:57.820
let's say,

12:59.580 --> 13:01.140
put "Not so fast".

13:03.190 --> 13:06.460
Okay, now let's reload Nginx.

13:07.860 --> 13:08.460
Great.

13:09.830 --> 13:14.390
So let's come back to the nginx log files where we were.

13:14.930 --> 13:17.390
Let's do a tail on both the log files.

13:17.720 --> 13:20.150
So essentially if I open example.com.

13:21.370 --> 13:22.540
It should say hi.

13:23.140 --> 13:27.010
And if we look into the log as well, it is saying hi.

13:27.820 --> 13:33.310
Now let's try to include some characters which a WAF can easily detect.

13:34.490 --> 13:40.580
So let's say I put a=%3C.

13:40.610 --> 13:43.370
%3C is the URI-encoded

13:45.090 --> 13:47.370
equivalent of the opening bracket, <.

13:47.370 --> 13:52.830
And essentially what this should do is this should trigger a related event.

13:52.860 --> 13:58.590
So if I press enter, here you see it is giving the output as well.

13:58.620 --> 14:06.480
But here, if we look into the error log file, NAXSI is telling us that someone

14:06.480 --> 14:11.700
is trying to do an XSS-related activity on your website.

14:11.700 --> 14:16.350
So it is saying what kind of attack a person is trying to do.

14:16.380 --> 14:20.250
It is also showing the IP address from which the request is coming.

14:20.400 --> 14:23.940
It also shows the request URI.

14:24.360 --> 14:29.160
But note that NAXSI has actually not blocked this request.

14:29.580 --> 14:36.480
The reason is that by default NAXSI works in learning mode, so it will not block, but it will

14:36.480 --> 14:42.480
just show you various events which it thinks might be an attack.

14:42.870 --> 14:49.210
Now, if we want to block such kinds of attacks,

14:50.040 --> 14:51.210
it's simple.

14:51.240 --> 14:55.200
Go to naxsi.rules, and here the first directive is LearningMode.

14:55.350 --> 14:59.100
Let's disable this LearningMode and

15:00.240 --> 15:01.850
let's reload nginx.

15:02.110 --> 15:10.830
If I refresh this page, it should essentially say not found, or it can essentially give you the custom

15:10.830 --> 15:11.670
message that

15:12.570 --> 15:14.220
you want to have over there.

15:15.500 --> 15:22.610
So this is it about configuring the basic web application firewall.

15:23.180 --> 15:28.850
I hope this has been informative for you, and I'll also be posting the documentation on how you can

15:28.850 --> 15:30.860
do this in your own server.

15:31.040 --> 15:32.810
This is it about this lecture.

15:32.960 --> 15:34.640
And thank you for watching.
