Nemesida WAF Free provides basic web application protection against OWASP-class attacks using signature analysis. Nemesida WAF Free has its own signatures, detects attacks on web applications with a minimum number of false positives, is updated from the Linux repository, and is installed and configured in a few minutes.

Nemesida WAF Free

Nemesida WAF features:

  • lightweight and fast;
  • installs in 10 minutes;
  • minimal false positives;
  • updates from the repository;
  • ease of maintenance (creating white lists for signatures, IP addresses and virtual hosts);
  • can be connected to an already installed Nginx, starting from ver. 1.12.

Comparative table of features of the Nemesida WAF versions

Features Free Full
Signature method analysis +
Automatic blocking of an attacker by IP-address +
Output of attacks information, report generation and statistics +
Integration with ClamAV antivirus software +
Protection against brute-force attacks +
Malicious bots protection +
DDoS layer 7 protection +
Syncing the list of blocked IP-addresses +
Creating virtual patching rules Manually Automatically and manually
Detection of attacks using machine learning module +*
Vulnerability detection using Nemesida WAF Scanner +**

*Option available only for Business and Enterprise plans.
**Option available only for Enterprise plan.

The main limitation of Nemesida WAF Free concerns the machine learning subsystem Nemesida AI, which detects attacks on web applications more accurately and with a minimum number of false positives. In addition, the Nemesida AI module successfully detects «zero-day» attacks. In the free version, the machine learning functionality and the Nemesida WAF Scanner vulnerability scanner are not used.

In addition, Nemesida WAF Free modifies the content of attack messages sent to the Nemesida WAF API:

  • the vhost field is set to example.com;
  • the referer field is set to Nemesida WAF Free;
  • the non-empty other_headers field is set to Nemesida WAF Free.

Comparative table of features of the Nemesida WAF modules
Comparison Signature analysis Nemesida AI
False Positive ≈ 3% ≈ 0.01%
Attack detection accuracy Nemesida AI is 30% more efficient than signature analysis
Anomalies detection +
Assessment of anomalies level +
Identification of new attack’s pattern +
Detection of «zero-day» attacks +
Identify brute-force attacks +

Nemesida WAF repository information
Before installing Nemesida WAF, add the repository information to the system:

Debian

# apt install apt-transport-https gnupg2
Debian 9
# echo "deb https://nemesida-security.com/repo/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
Debian 10
# echo "deb https://nemesida-security.com/repo/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
Debian 11
# echo "deb https://nemesida-security.com/repo/nw/debian bullseye non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade

Ubuntu

# apt install apt-transport-https gnupg2
Ubuntu 18.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
Ubuntu 20.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
Ubuntu 22.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu jammy non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg 
# apt update && apt upgrade

CentOS

CentOS 7
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# yum update
# yum install epel-release
CentOS 8 Stream
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-8-1-6.noarch.rpm
# dnf update
# dnf install epel-release
CentOS 9 Stream
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-9-1-6.noarch.rpm
# dnf update
# dnf install epel-release

Docker

Information about using Nemesida WAF in a Docker container is available in the corresponding section.

Virtual Appliance

Information about using Nemesida WAF as a Virtual Appliance (virtual disk for KVM/VMware/VirtualBox) and Yandex VM is available in the corresponding section.

RabbitMQ software settings

RabbitMQ is used for sending data to the Nemesida WAF API module.

1. Install the package:

Debian, Ubuntu
# apt install rabbitmq-server
CentOS 7
# yum install rabbitmq-server
CentOS 8 Stream
Add the RabbitMQ repository by bringing the file /etc/yum.repos.d/RabbitMQ.repo to the form:

[rabbitmq_erlang]
name = rabbitmq_erlang
baseurl = https://packagecloud.io/rabbitmq/erlang/el/8/$basearch
repo_gpgcheck = 0
gpgcheck = 0
enabled = 1

[rabbitmq_server]
name = rabbitmq_server
baseurl = https://packagecloud.io/rabbitmq/rabbitmq-server/el/8/$basearch
repo_gpgcheck = 0
gpgcheck = 0
enabled = 1

Install the package:

# dnf update
# dnf install rabbitmq-server
CentOS 9 Stream
# dnf install dnf-utils
# dnf install centos-release-rabbitmq-38
# dnf install rabbitmq-server

2. Check that the service is running:

# systemctl enable rabbitmq-server
# service rabbitmq-server restart
# service rabbitmq-server status
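
The RabbitMQ repository definitions above set gpgcheck = 0 and repo_gpgcheck = 0, so dnf installs those packages without verifying package or metadata signatures. The following audit is an added example, not part of the Nemesida WAF documentation; the function names are hypothetical, and the sample combines one RabbitMQ stanza with the nginx-stable stanza used later on this page.

```shell
#!/bin/sh
# audit_repo FILE...: report repo sections that turn off signature
# verification or fetch over plain HTTP. Only explicit "0" settings are
# reported; values inherited from the [main] defaults are not resolved.
audit_repo() {
    awk -F= '
        function report() {
            if (sec == "") return
            if (gpg == "0")  print sec ": gpgcheck=0 (package signatures not verified)"
            if (rgpg == "0") print sec ": repo_gpgcheck=0 (repo metadata not verified)"
            if (url ~ /^http:/) print sec ": baseurl uses plain http"
        }
        { gsub(/[ \t\r]/, "") }                 # "key = value" -> "key=value"
        /^\[.*\]$/ { report(); sec = substr($0, 2, length($0) - 2)
                     gpg = rgpg = url = ""; next }
        $1 == "gpgcheck"      { gpg = $2 }
        $1 == "repo_gpgcheck" { rgpg = $2 }
        $1 == "baseurl"       { url = $2 }
        END { report() }
    ' "$@"
}

# Constructed sample: stanzas copied from this page into one file.
sample_repos() {
cat <<'EOF'
[rabbitmq_server]
name = rabbitmq_server
baseurl = https://packagecloud.io/rabbitmq/rabbitmq-server/el/8/$basearch
repo_gpgcheck = 0
gpgcheck = 0
enabled = 1

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF
}

tmp=$(mktemp)
sample_repos > "$tmp"
audit_repo "$tmp"
rm -f "$tmp"
```

On a real host, run it as audit_repo /etc/yum.repos.d/*.repo after adding the repositories.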

Installation and configuration of Nemesida WAF Free

The dynamic module Nemesida WAF is available for:

  • Nginx stable from 1.12;
  • Nginx mainline from 1.15;
  • Nginx Plus from R16.

When compiling Nginx from source, add the --with-compat --with-threads parameters when running configure to enable support for the dynamic module.

Debian

Set the operating system ID:

# rm -f /etc/machine-id
# /bin/systemd-machine-id-setup
Debian 9
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/debian/ stretch nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
Debian 10
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/debian/ buster nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
Debian 11
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/debian/ bullseye nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
# apt install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, the dynamic module package nwaf-dyn-1.12 is intended for Nginx version 1.12, and nwaf-dyn-plus-rX (where X is the release number, starting with R16) is intended for the latest version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Ubuntu

Set the operating system ID:

# rm -f /etc/machine-id
# /bin/systemd-machine-id-setup
Ubuntu 18.04
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/ubuntu/ bionic nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
Ubuntu 20.04
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/ubuntu/ focal nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools libcurl3-gnutls librabbitmq4 libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
Ubuntu 22.04
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/ubuntu/ jammy nginx"> /etc/apt/sources.list.d/nginx.list
# curl -s https://nginx.org/packages/keys/nginx_signing.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools libcurl3-gnutls librabbitmq4 libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
# apt install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, the dynamic module package nwaf-dyn-1.12 is intended for Nginx version 1.12, and nwaf-dyn-plus-rX (where X is the release number, starting with R16) is intended for the latest version of Nginx Plus (for example: nwaf-dyn-plus-r16).

CentOS

Set the operating system ID:

# rm -f /etc/machine-id
# /bin/systemd-machine-id-setup

Configure the SELinux policy or deactivate it with the command:

# setenforce 0

then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
CentOS 7
Enable direct connection to nemesida-security.com:443.

Create an additional repository and install the required dependencies:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# yum update
# yum install epel-release

Add the Nginx repository:

# rpm -Uvh https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

Install the packages:

# yum update
# yum install nginx python36 python36-devel python36-setuptools python36-pip openssl librabbitmq libcurl-devel rabbitmq-server gcc libmaxminddb memcached
# yum install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, the dynamic module package nwaf-dyn-1.12 is intended for Nginx version 1.12, and nwaf-dyn-plus-rX (where X is the release number, starting with R16) is intended for the latest version of Nginx Plus (for example: nwaf-dyn-plus-r16).

CentOS 8 Stream
Install the package:

# dnf install dnf-utils

Add the Nginx repository by bringing the file /etc/yum.repos.d/nginx.repo to the form:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install the packages:

# dnf update
# dnf install python39 python39-devel python39-setuptools python39-pip openssl librabbitmq libcurl-devel rabbitmq-server gcc libmaxminddb memcached
# dnf install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, the dynamic module package nwaf-dyn-1.12 is intended for Nginx version 1.12, and nwaf-dyn-plus-rX (where X is the release number, starting with R16) is intended for the latest version of Nginx Plus (for example: nwaf-dyn-plus-r16).

CentOS 9 Stream
Install the packages:

# dnf install dnf-utils
# dnf install centos-release-rabbitmq-38
# dnf install rabbitmq-server

Check that the service is running:

# systemctl enable rabbitmq-server
# service rabbitmq-server restart
# service rabbitmq-server status

Add the Nginx repository by bringing the file /etc/yum.repos.d/nginx.repo to the form:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install the packages:

# dnf update
# dnf install nginx python3 python3-devel python3-setuptools python3-pip openssl librabbitmq libcurl-devel gcc libmaxminddb memcached
# dnf install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, the dynamic module package nwaf-dyn-1.12 is intended for Nginx version 1.12, and nwaf-dyn-plus-rX (where X is the release number, starting with R16) is intended for the latest version of Nginx Plus (for example: nwaf-dyn-plus-r16).

In the configuration file /etc/nginx/nginx.conf, add the path to the Nemesida WAF dynamic module file and bring the parameters below to the form:

load_module /etc/nginx/modules/ngx_http_waf_module.so;
...
worker_processes auto;
...
http {
    ...
    ##
    # Nemesida WAF
    ##

    ## Request body is too large fix
    client_body_buffer_size 25M;

    include /etc/nginx/nwaf/conf/global/*.conf;
    ...
}

nginx: [emerg] module "/etc/nginx/modules/ngx_http_waf_module.so" version 1017010 instead of 1018000 in /etc/nginx/nginx.conf:1

The error occurs when the versions of the installed dynamic module Nemesida WAF and Nginx do not match. In this case, 1017010 is the version of Nginx 1.17.10, for which the nwaf-dyn module was compiled, and 1018000 is Nginx 1.18.0 installed on the server. The dynamic module package nwaf-dyn-1.18 is designed to work with Nginx version 1.18, and nwaf-dyn-plus-r22 is designed to work with NGINX Plus R22.
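
The version numbers in this error can be decoded mechanically: Nginx encodes its version as major*1000000 + minor*1000 + patch. The script below is an added example, not part of the Nemesida WAF documentation; the function names are hypothetical, and the Nginx Plus banner format handled in package_for_banner is an assumption.

```shell
#!/bin/sh
# Error line quoted on this page, used as sample input.
SAMPLE_ERROR='nginx: [emerg] module "/etc/nginx/modules/ngx_http_waf_module.so" version 1017010 instead of 1018000 in /etc/nginx/nginx.conf:1'

# decode_nginx_version N: 1018000 -> 1.18.0
decode_nginx_version() {
    n=$1
    echo "$((n / 1000000)).$((n / 1000 % 1000)).$((n % 1000))"
}

# explain_mismatch LINE: print the version the module was built for, the
# version the server runs, and the nwaf-dyn package matching the server.
explain_mismatch() {
    nums=$(printf '%s\n' "$1" |
        sed -n 's/.* version \([0-9][0-9]*\) instead of \([0-9][0-9]*\) .*/\1 \2/p')
    [ -n "$nums" ] || { echo "not a module version mismatch" >&2; return 1; }
    built=$(decode_nginx_version "${nums% *}")
    running=$(decode_nginx_version "${nums#* }")
    echo "module built for nginx $built, server runs nginx $running"
    echo "matching package: nwaf-dyn-${running%.*}"
}

# package_for_banner BANNER: map the output of `nginx -v` to a package name.
# Assumed banner forms: "nginx version: nginx/1.18.0" and, for Nginx Plus,
# "nginx version: nginx/1.19.5 (nginx-plus-r23)".
package_for_banner() {
    case $1 in
        *nginx-plus-r*) r=${1##*nginx-plus-r}
                        echo "nwaf-dyn-plus-r${r%%[!0-9]*}" ;;
        *nginx/*)       v=${1##*nginx/}; v=${v%%[!0-9.]*}
                        echo "nwaf-dyn-${v%.*}" ;;
        *)              return 1 ;;
    esac
}

explain_mismatch "$SAMPLE_ERROR"
# On a live host (nginx -v writes to stderr):
#   package_for_banner "$(nginx -v 2>&1)"
```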

To update signatures, provide access to https://nemesida-security.com. When using a proxy server, specify it in the nwaf_sys_proxy parameter. For example:

nwaf_sys_proxy http://proxy.example.com:3128;

Restart the server and test:

# systemctl restart nginx.service nwaf_update.service
# systemctl status nginx.service nwaf_update.service

The nwaf_update service is responsible for obtaining the signatures of the Nemesida WAF software. To test the signature attack detection method, send a request to http://YOUR_SERVER/nwaftest; the server should return a 403 response code.

After installing Nemesida WAF, you can install Nemesida WAF API and Nemesida WAF Cabinet, which is intended to visualise and classify the information about attacks and identified vulnerabilities.