Wordpress with WAF



  • Here is a one click install bash script for Ubuntu 1804. This setups up a wordpress instance with nginx and NAXSI WAF. This is so much awesome. Just run the script and you will have Wordpress, Mariadb, NGINX, and a WAF automatically spun up. All you need to do is browse to IP and setup Wordpress 🙂

    Tested on Ubuntu 18.04 LTS.

    You guys need to try it out 🙂

    #***********************************************************
    # Run Updates and install Pre-requisites
    #***********************************************************
    
    
    apt update -y
    #apt upgrade -y
    apt -y install libpcre3-dev libssl-dev unzip build-essential daemon libxml2-dev libxslt1-dev libgd-dev libgeoip-dev zlib1g-dev libpcre3
    
    
    #***********************************************************
    # Download and extract NGINX and NAXSI
    #***********************************************************
    
    mkdir ~/nginx-waf
    wget https://nginx.org/download/nginx-1.16.1.tar.gz -O ~/nginx-waf/nginx.tar.gz
    tar xzf ~/nginx-waf/nginx.tar.gz -C ~/nginx-waf
    wget https://github.com/nbs-system/naxsi/archive/master.zip -O ~/nginx-waf/waf.zip
    unzip ~/nginx-waf/waf.zip -d ~/nginx-waf/
    
    
    #***********************************************************
    # Create script to compile NGINX with NAXSI firewall
    #***********************************************************
    
    cat > ~/nginx-waf/nginx-1.16.1/install.sh <<\EOF
    cd ~/nginx-waf/nginx-1.16.1/
    ./configure --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --user=www-data --group=www-data --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --prefix=/usr
    make
    make install
    EOF
    
    #***********************************************************
    # Compile NGINX and NAXSI
    #***********************************************************
    
    sh ~/nginx-waf/nginx-1.16.1/install.sh
    
    sleep 10s
    
    
    #***********************************************************
    # Configure NGINX to use fastcgi
    #***********************************************************
    
    mkdir -p /var/lib/nginx/{body,fastcgi}
    
    
    #***********************************************************
    # Configure Firewall Rules
    #***********************************************************
    
    cp ~/nginx-waf/naxsi-master/naxsi_config/naxsi_core.rules /etc/nginx/
    
    
    
    cat > /etc/nginx/naxsi.rules <<\EOF
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    ## Check Naxsi rules
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    EOF
    
    
    #***********************************************************
    # Create nginx config file with NAXSI configurations included
    #***********************************************************
    
    
    cat > /etc/nginx/nginx.conf <<\EOF
    #user  nobody;
    worker_processes  1;
    
    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;
    
    #pid        logs/nginx.pid;
    
    
    events {
        worker_connections  1024;
    }
    
    
    http {
        include       mime.types;
        include       /etc/nginx/naxsi_core.rules;
            include     /etc/nginx/conf.d/*.conf;
            include     /etc/nginx/sites-enabled/*;
    
    
        default_type  application/octet-stream;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
    
        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';
    
        #access_log  logs/access.log  main;
    
        sendfile        on;
        #tcp_nopush     on;
    
        #keepalive_timeout  0;
        keepalive_timeout  65;
    
        #gzip  on;
    
        server {
            listen       80;
            server_name  localhost;
            root /;
    
            #charset koi8-r;
    
            #access_log  logs/host.access.log  main;
    
            location / {
                include /etc/nginx/naxsi.rules;
                    root   html;
                    index  index.html index.htm;
            }
    
            #error_page  404              /404.html;
    
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
    
            # proxy the PHP scripts to Apache listening on 127.0.0.1:80
            #
            #location ~ \.php$ {
            #    proxy_pass   http://127.0.0.1;
            #}
    
            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    
            location ~ \.php$ {
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
                fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
                include fastcgi_params;
            }
    
            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #    deny  all;
            #}
        }
    
    
        # another virtual host using mix of IP-, name-, and port-based configuration
        #
        #server {
        #    listen       8000;
        #    listen       somename:8080;
        #    server_name  somename  alias  another.alias;
    
        #    location / {
        #        root   html;
        #        index  index.html index.htm;
        #    }
        #}
    
    
        # HTTPS server
        #
        #server {
        #    listen       443 ssl;
        #    server_name  localhost;
    
        #    ssl_certificate      cert.pem;
        #    ssl_certificate_key  cert.key;
    
        #    ssl_session_cache    shared:SSL:1m;
        #    ssl_session_timeout  5m;
    
        #    ssl_ciphers  HIGH:!aNULL:!MD5;
        #    ssl_prefer_server_ciphers  on;
    
        #    location / {
        #        root   html;
        #        index  index.html index.htm;
        #    }
        #}
    
    }
    
    EOF
    
    sleep 1s
    
    #***********************************************************
    # Create NGINX upstart script
    #***********************************************************
    
    cat > /etc/init.d/nginx <<\EOF
    #! /bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 
     DAEMON=/usr/sbin/nginx 
     NAME=nginx 
     DESC=nginx
     
     test -x $DAEMON || exit 0 
     # Include nginx defaults if available 
     if [ -f /etc/nginx ] ; then 
             . /etc/nginx 
     fi
     
     set -e
     
     case "$1" in 
         start)
             echo -n "Starting $DESC: " 
             start-stop-daemon --start --quiet --pidfile /var/run/nginx.pid \ 
                 --exec $DAEMON -- $DAEMON_OPTS 
             echo "$NAME." 
             ;; 
         stop) 
             echo -n "Stopping $DESC: " 
             start-stop-daemon --stop --quiet --pidfile /var/run/nginx.pid \ 
                 --exec $DAEMON 
             echo "$NAME." 
             ;; 
         restart|force-reload) 
             echo -n "Restarting $DESC: " 
             start-stop-daemon --stop --quiet --pidfile \ 
                 /var/run/nginx.pid --exec $DAEMON 
             sleep 1 start-stop-daemon --start --quiet --pidfile \ 
                 /var/run/nginx.pid --exec $DAEMON -- $DAEMON_OPTS 
             echo "$NAME." 
             ;; 
         reload) 
             echo -n "Reloading $DESC configuration: " 
             start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/nginx.pid \ 
                 --exec $DAEMON 
             echo "$NAME." 
             ;; 
         *) 
             N=/etc/init.d/$NAME 
             echo "Usage: $N {start|stop|restart|force-reload}" >&2 
             exit 1 
             ;; 
     esac
     
     exit 0
    
    EOF
    
    
    systemctl daemon-reload
    
    #***********************************************************
    # Create custom NGINX service file
    #***********************************************************
    
    cat > /lib/systemd/system/nginx.service <<\EOF
    [Unit]
    Description=A high performance web server and a reverse proxy server
    Documentation=man:nginx(8)
    After=syslog.target network.target remote-fs.target nss-lookup.target
    [Service]
    Type=forking
    PIDFile=/run/nginx.pid
    ExecStartPre=/usr/sbin/nginx -t
    ExecStart=/usr/sbin/nginx
    ExecReload=/usr/sbin/nginx -s reload
    ExecStop=/bin/kill -s QUIT $MAINPID
    PrivateTmp=true
    [Install]
    WantedBy=multi-user.target
    EOF
    
    #***********************************************************
    # Install PHP
    #***********************************************************
    
    sudo apt install -y php
    sudo apt install -y php-pear php-fpm php-dev php-zip php-curl php-xmlrpc php-gd php-mysql php-mbstring php-xml libapache2-mod-php
    
    
    
    #***********************************************************
    # Configure PHP for NGINX
    #***********************************************************
    
    
    sudo sh -c "sed -i '/cgi.fix_pathinfo=1/c\cgi.fix_pathinfo=0' /etc/php/7.2/fpm/php.ini" 
    sudo sh -c "echo '' >> /etc/php/7.2/fpm/php.ini"
    sudo sh -c "echo '' >> /etc/php/7.2/fpm/php.ini"
    sudo sh -c "echo ';***********************************************************' >> /etc/php/7.2/fpm/php.ini"
    sudo sh -c "echo '; WordPress Settings ' >> /etc/php/7.2/fpm/php.ini"
    sudo sh -c "echo ';***********************************************************' >> /etc/php/7.2/fpm/php.ini"
    sudo sh -c "echo 'upload_max_filesize = 500M' >> /etc/php/7.2/fpm/php.ini"
    sudo sh -c "echo 'post_max_size = 2000M' >> /etc/php/7.2/fpm/php.ini"
    sudo sh -c "echo 'memory_limit = 2000M' >> /etc/php/7.2/fpm/php.ini"
    sudo sh -c "echo 'max_execution_time = 120' >> /etc/php/7.2/fpm/php.ini"
    
    
    
    #***********************************************************
    # Configure website
    #***********************************************************
    
    
    mkdir /etc/nginx/sites-enabled
    mkdir /etc/nginx/sites-available
    
    sudo sh -c "cat > /etc/nginx/sites-available/mydomain.com <<\EOF
        server {
            listen 80;
    	    root /var/www/html;
    	    index index.php index.html index.htm;
            
    
            #charset koi8-r;
    
            #access_log  logs/host.access.log  main;
    
            location / {
    	    include /etc/nginx/naxsi.rules;
            try_files \$uri \$uri/ /index.php?\$args;
            }
    
        	location ~ \.php$ {
        	fastcgi_split_path_info  ^(.+\.php)(/.+)$;
       	fastcgi_index            index.php;
        	fastcgi_pass             unix:/var/run/php/php7.2-fpm.sock; #Ubuntu 17.10
    #  	# fastcgi_pass             unix:/var/run/php/php7.0-fpm.sock; #Ubuntu 17.04
        	include                  fastcgi_params;
        	fastcgi_param   PATH_INFO       \$fastcgi_path_info;
        	fastcgi_param   SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    	}
    
            #error_page  404              /404.html;
    
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            #
            #location ~ \.php$ {
            #    proxy_pass   http://127.0.0.1;
            #}
    
            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            #location ~ \.php$ {
            #    root           html;
            #    fastcgi_pass   127.0.0.1:9000;
            #    fastcgi_index  index.php;
            #    fastcgi_param  SCRIPT_FILENAME  /scripts\$fastcgi_script_name;
            #    include        fastcgi_params;
            #}
    
            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #    deny  all;
            #}
        }
    
    
    EOF
    "            
    
    sudo sh -c "ln -s /etc/nginx/sites-available/mydomain.com /etc/nginx/sites-enabled/"
    sudo sh -c "rm -f /etc/nginx/sites-available/default"
    sudo sh -c "rm -f /etc/nginx/sites-enabled/default"
    
    
    #***********************************************************
    # Enable and Start NGINX
    #***********************************************************
    
    systemctl stop apache2
    systemctl daemon-reload
    systemctl enable nginx
    systemctl start nginx
    
    
    #***********************************************************
    # Use if experiencing errors
    #***********************************************************
    
    #mkdir /etc/systemd/system/nginx.service.d
    #printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
    #systemctl daemon-reload
    
    
    #***********************************************************
    # Install and Configure Maria DB 
    #***********************************************************
    
    sudo apt install -y mariadb-server 
    sudo systemctl enable mariadb
    sudo systemctl start mariadb
    
    
    
    
    
    #***********************************************************
    # Install Certbot for SSL
    #***********************************************************
    
    #sudo apt install python-certbot-nginx -y
    
    
    
    
    #***********************************************************
    # Install Wordpress
    #***********************************************************
    
    rm -rf /var/www/html/*
    sudo sh -c "wget https://wordpress.org/latest.tar.gz -o /var/www/html/latest.tar.gz"
    sudo sh -c "tar -zxvf latest.tar.gz -C /var/www/html/ --strip-components=1"
    sudo sh -c "rm -rf /var/www/html/latest.tar.gz"
    sudo sh -c "cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php"
    
    
    
    #***********************************************************
    # Set Permissions for /var/www/html
    #***********************************************************
    
    sudo chown -R www-data:www-data /var/www/html/*
    sudo chmod -R 755 /var/www/html/*
    
    
    #***********************************************************
    # Generate and set MYSQL credentials
    #***********************************************************
    
    sudo sh -c "apt-get install -y pwgen > /dev/null 2>&1"
    NEW_MYSQL_ROOT_PASSWORD=`pwgen -c -n -1 20` > /dev/null 2>&1
    MYSQL_WP_PASSWORD=`pwgen -c -n -1 20` > /dev/null 2>&1
    echo "MYSQL ROOT PASSWORD: ${NEW_MYSQL_ROOT_PASSWORD}" >> /root/passwords.txt
    echo "MYSQL WP PASSWORD: ${MYSQL_WP_PASSWORD}" >> /root/passwords.txt
    chmod 600 /root/passwords.txt
    
    #***********************************************************
    # Create MYSQL DB and USER
    #***********************************************************
    
    sudo sh -c "mysql -uroot mysql -e \"CREATE DATABASE wp\""
    sudo sh -c "mysql -uroot mysql -e \"CREATE USER wp\""
    sudo sh -c "mysql -uroot wp -e \"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON wp.* TO 'wp'@'localhost' IDENTIFIED BY '${MYSQL_WP_PASSWORD}'\""
    #sudo sh -c "mysql -uroot mysql -e \"ALTER USER 'root'@'localhost' IDENTIFIED BY '${NEW_MYSQL_ROOT_PASSWORD}'\""
    
    #***********************************************************
    # Add DB User and pw to Wordpress
    #***********************************************************
    
    sed -i 's/database_name_here/wp/' /var/www/html/wp-config.php
    sed -i 's/username_here/wp/' /var/www/html/wp-config.php
    sed -i "s/password_here/"${MYSQL_WP_PASSWORD}"/" /var/www/html/wp-config.php
    
    

    The most current script can be found here

    https://github.com/joelradon/wordpress-with-naxsi-waf


Log in to reply