Web Defacement
Contents |
Web Defacement
Synopsis
Web defacement module checks whether the hash of the files on server disk are changed, when requests arrive at SEnginx, so as to recognize the defacement. When defacement occurs, web defacement module can restore the previous web pages.
This module is released with SEnginx. It can also be used in standard nginx release.
Note: This feature is a remedial solution for web defacement. Administrators must take necessary measures, such as SELinux, to effect a permanent cure.
Directives
web_defacement
| Syntax | web_defacement on/off |
| Default | off |
| Context | http/server/location |
Enable web defacement.
Example:
web_defacement on;
web_defacement_original
| Syntax | web_defacement_original /path/to/original/files |
| Default | none |
| Context | http/server/location |
Specify the directory of the files/pages to protect. Generally, it's the root directory of the files in the file system. If a relative path is used, the root of the path will be the 'conf' directory in SEnginx installation directory.
Example:
web_defacement_original /var/www/html;
web_defacement_hash_data
| Syntax | web_defacement_hash_data /path/to/hash/data/file |
| Default | none |
| Context | http/server/location |
Specify the location of the hash file of the page file to be protected. Hash files can be generated with 'web_defacement.pl' released together within SEnginx tar ball. If a relative path is used, the root of the path will be the 'conf' directory in SEnginx installation directory.
Example:
web_defacement_hash_data /usr/local/senginx/hash_data;
Generate hash files:
cd senginx-install-dir ./web_defacement.pl -d /path/to/original/files -o /path/to/hash/file;
Example:
cd /usr/local/senginx ./web_defacement.pl -d /var/www/html -o ./hash_data;
web_defacement_log
| Syntax | web_defacement_log on/off |
| Default | off |
| Context | http/server/location |
Send attack log when defacement detects. Attack logs will be sent as 'error' level and record into error.log. Users can configure the location of error.log.
Example:
web_defacement_log on;
web_defacement_index
| Syntax | web_defacement_index filename |
| Default | none |
| Context | http/server/location |
Specify the default index file. When a request of a path arrives, web defacement module will check the hash value of the default index file.
Example:
location /cn/ {
web_defacement_index index.html;
}
In this example, when a client request '/cn/', web defacement module will look for '/cn/index.html' to do the defacement checking. To note that the path must end up with '/', otherwise it'll be taken as a filename.
web_defacement_whitelist
| Syntax | web_defacement_whitelist ua_var_name=UA whitlist ip_var_name=IP whitelist ip_var_value=value; |
| Default | - |
| Context | HTTP/Server/Location |
| Available Version | Since version 1.5.11 |
This directive quotes the global IP whitelist and User-Agent whitelist. IP whitelist need to be used together with geo module of nginx.
Example:
#Define IP whitelist
geo $ip_wl {
ranges;
default 0;
127.0.0.1-127.0.0.1 1;
3.0.0.1-3.2.1.254 1;
}
#Define UA whitelist
whitelist_ua $ua_wl {
"autotest" ".*\.test\.com";
}
server {
location {
web_defacement_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
}
}
Variables
Web defacement module provides 2 variables for user-defined actions.
- $web_defacement
When the requested page is defaced, this variable is true.
- $web_defacement_file
When the requested page is defaced, this variable is the requested URL, which refers to the defaced file.
Examples
SEnginx working in web server mode
Suppose that all the files of a website is under the /var/www/html directory, and SEnginx is installed under /usr/local/senginx. According to the following steps to configure the web defacement module:
Change to senginx install directory
cd /usr/local/senginx
Run web_defacement.pl to generate hash_data file, which is /usr/local/senginx/hash_data
./web_defacement.pl
Modify nginx.conf, enable web defacement module and specify the location or server to protect:
server {
listen 80;
server_name localhost;
web_defacement on; #enable web defacement module
web_defacement_original /var/www/html; #specify directory of page files
web_defacement_hash_data /usr/local/senginx/hash_data; #specify hash files
location / {
web_defacement_index index.html; #specify default index filename
web_defacement_log on; #enable attack log
if ($web_defacement) { #specify actions when defacement occurs. In this case, the action is return 403.
#do other things here if need
return 403;
}
index index.html;
root /var/www/html;
}
location /other {
web_defacement off; #disable web defacement module in this location
... ...
}
}
Reboot or reload SEnginx
SEnginx working in reverse proxy mode
When SEnginx is working as a reverse proxy, how can it access the page files on the back-end servers? In this example, we use NFS to mount the remote server page directory. Suppose that the backend server IP is 1.1.1.1, and the backend server directory is /var/www/html, which is mounted under the /opt/original of SEnginx server.
The steps of mounting 1.1.1.1:/var/www/html to /opt/original of SEnginx server, and NFS configuration is not included here.
Please generate hash_data according to the above example. Note that the original directory should be /opt/original.
Modify nginx.conf:
server {
listen 80;
server_name localhost;
web_defacement on; #enable web defacement module
web_defacement_original /opt/original; #specify directory of page files
web_defacement_hash_data /usr/local/senginx/hash_data; #specify hash files
location / {
web_defacement_index index.html; #specify default index filename
web_defacement_log on; #enable attack log
if ($web_defacement) { #specify actions when defacement occurs. In this case, the action is return 403.
#do other things here if need
return 403;
}
proxy_pass http://1.1.1.1;
}
location /other {
web_defacement off; #disable web defacement module in this location
... ...
}
}
If not choose NFS, copy the page files manually to the SEnginx reverse server is another choice. The disadvantage is when the website is updated, you need to synchronize the changes.
Restore after defacement occurs
Web defacement module provides variables to show whether the defacement occurs, so you can deal with the subsequent actions after inspection flexibly in nginx configuration files. The following example shows how to restore the original pages when the pages are defaced. First of all, you need to backup the page files. If SEnginx is working in reverse proxy mode, you need to copy the backup files to the SEnginx server. Assume that the page files are backuped under /var/www/recover.
Please follow the above examples to config the reverse proxy or web server, and generate hash_data.
Modify nginx.conf:
server {
listen 80;
server_name localhost;
web_defacement on; #enable web defacement module
web_defacement_original /opt/original; #specify directory of page files
web_defacement_hash_data /usr/local/senginx/hash_data; #specify hash files
location /recover {
web_defacement off;
root /var/www;
}
location / {
web_defacement_index index.html; #specify default index filename
web_defacement_log on; #enable attack log
if ($web_defacement) { #if defacement occurs, redirect to the recover directory and restore from the backup page files.
rewrite ^(.*)$ /recover$1 last;
}
proxy_pass http://1.1.1.1;
}
location /other {
web_defacement off; #disable web defacement module in this location
... ...
}
}
