The Nemesida WAF Scanner module is designed to detect web vulnerabilities in protected web applications. For correct work of the Nemesida WAF Scanner module, you need to provide access to the web application bypassing the Nemesida WAF.
For security reasons, it is necessary to allow access for the server with the Nemesida WAF Scanner component only to scanned web applications and external resources.
Module installation on the server:
DebianUbuntuRHELDocker
Install the packages:
# apt update && apt upgrade
# apt install apt-transport-https gnupg2 curl
Add the Nemesida WAF repository:
Debian 11
# echo "deb https://nemesida-security.com/repo/nw/debian bullseye non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg
# apt update
Debian 12
# echo "deb https://nemesida-security.com/repo/nw/debian bookworm nwaf" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg
# apt update
Install the packages:
# apt install python3-pip python3-venv python3-dev postgresql-server-dev-all dmidecode
# apt install nwaf-scanner
The following pip packages are additionally installed during module installation:
beautifulsoup4 cdifflib chardet logutils psutil psycopg2-binary pyparsing PyYAML requests soupsieve termcolor url-normalize
Install the packages:
# apt update && apt upgrade
# apt install apt-transport-https gnupg2 curl
Add the Nemesida WAF repository and install packages:
Ubuntu 20.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg
# apt update
# apt install python3.9 python3-pip python3.9-venv python3.9-dev postgresql-server-dev-all
Ubuntu 22.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu jammy non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg
# apt update
# apt install python3 python3-pip python3-venv python3-dev postgresql-server-dev-all
Ubuntu 24.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu noble nwaf" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg
# apt update
# apt install python3 python3-pip python3-venv python3-dev postgresql-server-dev-all
Install the packages:
# apt install nwaf-scanner
The following pip packages are additionally installed during module installation:
beautifulsoup4 cdifflib chardet logutils psutil psycopg2-binary pyparsing PyYAML requests soupsieve termcolor url-normalize
Configure the SELinux policy or deactivate it with the command:
# setenforce 0
then bring the file /etc/selinux/config to the form:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Add the Nemesida WAF repository by bringing the file /etc/yum.repos.d/NemesidaWAF.repo to the form:
[NemesidaWAF]
name=Nemesida WAF Packages for RHEL
baseurl=https://nemesida-security.com/repo/nw/rhel/$releasever/$basearch/
gpgkey=https://nemesida-security.com/repo/nw/gpg.key
enabled=1
gpgcheck=1
Install the packages:
RHEL 8 and derivatives
# dnf update
# dnf install python39 python39-devel python39-setuptools python39-pip gcc postgresql-devel
RHEL 9 and derivatives
# dnf update
# dnf install python3 python3-devel python3-setuptools python3-pip gcc postgresql-devel
Install the packages:
# dnf install nwaf-scanner
The following pip packages are additionally installed during module installation:
beautifulsoup4 cdifflib chardet logutils psutil psycopg2-binary pyparsing PyYAML requests soupsieve termcolor url-normalize
Information about using Nemesida WAF in a Docker container is available in the
corresponding section.
Add the necessary changes to the main configuration file /opt/nws/main.conf to set up the module.
main.conf settings
Parameter for specifying the license key of the Nemesida WAF Scanner module. In case the license key is not detected or is invalid, the module launch will end with the corresponding error.
Configure of the proxy server address for accessing to
nemesida-security.com:443 (checking of the license key).
Example:
sys_proxy = http://proxy.example.com:3128
It is allowed to use authentication parameters when using a proxy server.
Example:
sys_proxy = http://<user>:<password>@proxy.example.com:3128
Configure of the proxy server address for accessing to Nemesida WAF API.
Example:
api_proxy = http://proxy.example.com:3128
It is allowed to use authentication parameters when using a proxy server.
Example:
api_proxy = http://<user>:<password>@proxy.example.com:3128
Configure of API address for sending the scanning results into Nemesida WAF API.
Example:
api_uri = http://api.example.com:8080/nw-api/
The activation/deactivation parameter for displaying debugging information in to console.
Check vulnerabilities using Recheck.
The activation/deactivation parameter.
db_name
db_user
db_pass
db_host
db_port
Parameters of connecting to Nemesida WAF Cabinet database.
For setting scanning parameters in directory /opt/nws/conf/ create file(s) with extension conf. For every web application it is necessary to create individual configuration file.
Configuration file example.conf
Web application address in
schema://domain|ip[:port] format.
Example:
target = http://example.com
target = https://example.com:85
Due to the specifics of the work of the filtering node the port used to access the web application is not stored in the database. This information must be taken into account when filling out the configuration file because when executing the Recheck function, the address from the target parameter of the corresponding configuration file will be used, provided that the value of the target parameter matches the value of the vhost field in the database (it is allowed to use www in the value of the field vhost).
Proxy server address for requests to the web application.
Example:
scan_proxy = http://proxy.example.com:3128
It is allowed to use authentication parameters when using a proxy server.
Example:
scan_proxy = http://<user>:<password>@proxy.example.com:3128
Exclude the module when scanning.
Example:
exclude_modules = ba ca lfi rfi rce sde sqli ssti xss
Available modules:
ba – vulnerability search by «Broken Access Control» module;ca – the cookie verification module, for example, the presence of the httponly flag;lfi – vulnerability search by «Local File Inclusion» module;rfi – vulnerability search by «Remote File Inclusion» module;rce – vulnerability search by «Remote Code Execution» module;sde – vulnerability search by «Sensitive Data Exposure» module;sqli – vulnerability search by «SQL injection» module;ssti – vulnerability search by «Server Side Template Injection» module;xss – vulnerability search by «Cross-Site Scripting» module.
The parameter is set separately for each specific configuration file.
Web application page address for the authorization.
Example:
auth_uri = https://example.com/login
It is allowed to use a server address other than the one used by the target parameter.
Username and password for authorization.
Example:
login = your_login
password = your_password
If the web application uses non-standard names of username/password fields (for example, username and password), then the parameters login and password must be replaced with them.
Example:
username = your_login
password = your_password
Other information
Information about the scanning process by the Nemesida WAF Scanner module is contained in the event log of the module /var/log/nwaf/nws.log, and information about the operation of the module Recheck - in the event log /var/log/nwaf/nws-recheck.log.
Nemesida WAF Scanner Operating Modes:
- Normal scan - standard scan with manual start. To start the scan, run the command
nws in the console;
- Scheduled scanning - periodic scanning of a web application based on
/etc/cron.d/nws;
- Mode
Recheck - checking for vulnerabilities using Nemesida WAF Scanner in a specific parameter based on a blocked request (launch is performed using the functionality of the Nemesida WAF Cabinet).
If the database required for the operation of the Recheck module is used on a separate server, then it is necessary to provide access to it. To do this, make changes to the PostgreSQL configuration file pg_hba.conf.
Example:
# IPv4 local connections:
host all all 0.0.0.0/0 md5
