Nemesida WAF Free | Nemesida WAF

Защита сайта от хакерских атак
Nemesida WAF Free

Nemesida WAF Free provides the base web application security against OWASP class attacks based on the signature method. Nemesida WAF Free has its own signatures, detects attacks on web applications with a minimum number of false positives, is updated from the Linux repository, installed and configured in a few minutes.

Nemesida WAF Free

Nemesida WAF features:

  • quick and easy start;
  • installation and configuration in 10 minutes;
  • minimum false positives;
  • installation and update from the repository;
  • the ability to connect to an already installed Nginx, starting from version 1.12;
  • convenient personal account, the ability to integrate with SIEM systems.

The main limitation of Nemesida WAF Free affects the operation of the Nemesida AI machine learning subsystem, which allows you to detect attacks on web applications more accurately and with a minimum number of false positives. In addition, the Nemesida AI module successfully detects zero-day attacks. In the free version, the functionality of machine learning and the Nemesida WAF Scanner vulnerability scanner is not involved.

In addition, Nemesida WAF Free modifies the content of attack messages sent to the Nemesida WAF API:

  • the vhost field is set to example.com;
  • the referer field is set to Nemesida WAF Free;
  • the non-empty other_headers field is set to Nemesida WAF Free.

Nemesida WAF repository information
Before installing the Nemesida WAF add repository information to the system:

DebianUbuntuCentOSDockerVirtual Appliance
# apt install apt-transport-https gnupg2
Debian 10
# echo "deb https://nemesida-security.com/repo/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
Debian 11
# echo "deb https://nemesida-security.com/repo/nw/debian bullseye non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade

# apt install apt-transport-https gnupg2
Ubuntu 18.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
Ubuntu 20.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
Ubuntu 22.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu jammy non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg 
# apt update && apt upgrade
CentOS 7
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# yum update
# yum install epel-release
CentOS 8 Stream
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-8-1-6.noarch.rpm
# dnf update
# dnf install epel-release
CentOS 9 Stream
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-9-1-6.noarch.rpm
# dnf update
# dnf install epel-release
Information about using Nemesida WAF in a Docker container is available in the corresponding section.
Information about using Nemesida WAF as a Virtual Appliance (virtual disk for KVM/VMware/VirtualBox) and Yandex VM is available in the corresponding section.
RabbitMQ software settings

RabbitMQ is used for sending data to the Nemesida WAF API module.

1. Install the package:

Debian, UbuntuCentOS
# apt install rabbitmq-server
CentOS 7
# yum install rabbitmq-server
CentOS 8 Stream
Add RabbitMQ repository, changing file /etc/yum.repos.d/RabbitMQ.repo:

[rabbitmq_erlang]
name = rabbitmq_erlang
baseurl = https://packagecloud.io/rabbitmq/erlang/el/8/$basearch
repo_gpgcheck = 0
gpgcheck = 0
enabled = 1

[rabbitmq_server]
name = rabbitmq_server
baseurl = https://packagecloud.io/rabbitmq/rabbitmq-server/el/8/$basearch
repo_gpgcheck = 0
gpgcheck = 0
enabled = 1

Install the package:

# dnf update
# dnf install dnf-utils
# dnf install rabbitmq-server
CentOS 9 Stream
# dnf install dnf-utils
# dnf install centos-release-rabbitmq-38
# dnf install rabbitmq-server

2. Check the correctness of the service:

# systemctl enable rabbitmq-server
# service rabbitmq-server restart
# service rabbitmq-server status

Installing Nemesida WAF Free

The dynamic module Nemesida WAF is available for:

  • Nginx stable from 1.12;
  • Nginx mainline from 1.15;
  • Nginx Plus from R16.

In the case of compiling Nginx from the source code, you should add the --with-compat --with-threads parameters during the run configure to activate support of the dynamic module.

DebianUbuntuCentOS

Set the operating system ID:

# rm -f /etc/machine-id
# /bin/systemd-machine-id-setup
Debian 10
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/debian/ buster nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
Debian 11
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/debian/ bullseye nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached

# apt install nwaf-dyn-1.22

where 1.22 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.22 is intended for work with Nginx version 1.22 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Set the operating system ID:

# rm -f /etc/machine-id
# /bin/systemd-machine-id-setup
Ubuntu 18.04
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/ubuntu/ bionic nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
Ubuntu 20.04
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/ubuntu/ focal nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools libcurl3-gnutls librabbitmq4 libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
Ubuntu 22.04
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/ubuntu/ jammy nginx"> /etc/apt/sources.list.d/nginx.list
# curl -s https://nginx.org/packages/keys/nginx_signing.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools libcurl3-gnutls librabbitmq4 libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached

# apt install nwaf-dyn-1.22

where 1.22 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.22 is intended for work with Nginx version 1.22 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Set the operating system ID:

# rm -f /etc/machine-id
# /bin/systemd-machine-id-setup

Configure the SELinux policy or deactivate it with the command:

# setenforce 0

then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
CentOS 7
Enable direct connection to nemesida-security.com:443.

Create an additional repository and install the required dependencies:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# yum update
# yum install epel-release

Add the Nginx repository:

# rpm -Uvh https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

Install the packages:

# yum update
# yum install nginx python36 python36-devel python36-setuptools python36-pip openssl librabbitmq libcurl-devel rabbitmq-server gcc libmaxminddb memcached
# yum install nwaf-dyn-1.22

where 1.22 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.22 is intended for work with Nginx version 1.22 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

CentOS 8 Stream

Add the Nginx repository, changing file /etc/yum.repos.d/nginx.repo:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install the packages:

# dnf update
# dnf install nginx python39 python39-devel python39-setuptools python39-pip openssl librabbitmq libcurl-devel rabbitmq-server gcc libmaxminddb memcached
# dnf install nwaf-dyn-1.22

where 1.22 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.22 is intended for work with Nginx version 1.22 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

CentOS 9 Stream
Install the packages:

# dnf install centos-release-rabbitmq-38
# dnf install rabbitmq-server

Check the correctness of the service:

# systemctl enable rabbitmq-server
# service rabbitmq-server restart
# service rabbitmq-server status

Add the Nginx repository by bringing the file /etc/yum.repos.d/nginx.repo to the form:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install the packages:

# dnf update
# dnf install nginx python3 python3-devel python3-setuptools python3-pip openssl librabbitmq libcurl-devel gcc libmaxminddb memcached
# dnf install nwaf-dyn-1.22

where 1.22 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.22 is intended for work with Nginx version 1.22 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Configuration Nemesida WAF Free
Add the path to the file with the dynamic module Nemesida WAF and bring the parameters below in the configuration file /etc/nginx/nginx.conf to the form:

load_module /etc/nginx/modules/ngx_http_waf_module.so;
...
worker_processes auto;
...
http {
    ...
    ##
    # Nemesida WAF
    ##

    ## Request body is too large fix
    client_body_buffer_size 25M;

    include /etc/nginx/nwaf/conf/global/*.conf;
    ...
}


nginx: [emerg] module "/etc/nginx/modules/ngx_http_waf_module.so" version 1017010 instead of 1022000 in /etc/nginx/nginx.conf:1

The error occurs when the versions of the installed dynamic module Nemesida WAF and Nginx do not match. In this case, 1017010 is the version of Nginx 1.17.10, for which the nwaf-dyn module was compiled, and 1022000 is Nginx 1.22.0 installed on the server. The dynamic module package nwaf-dyn-1.22 is designed to work with Nginx version 1.22, and nwaf-dyn-plus-r22 is designed to work with NGINX Plus R22.

Make the necessary changes to the configuration file /etc/nginx/nwaf/conf/global/nwaf.conf:

nwaf.conf parameters
Default parameter
Description of the parameter
nwaf_license_key

The parameter for installing the Nemesida WAF license key. When using Nemesida WAF Free, use the default parameter value nwaf_license_key none.

nwaf_sys_proxy
The parameter defines the proxy server address for accessing to external resources (license key verification, getting signatures, etc.).

Example:

nwaf_sys_proxy http://proxy.example.com:3128;

For CentOS 7, it is allowed to use a proxy server only according to the HTTP scheme.

nwaf_api_proxy
The parameter defines the proxy server address for accessing the Nemesida WAF API.

Example:

nwaf_api_proxy http://proxy.example.com:3128;

For CentOS 7, it is allowed to use a proxy server only according to the HTTP scheme.

nwaf_api_conf

The address of the Nemesida WAF API server for sending information about detected anomalies.

host – the parameter defines the address of the Nemesida WAF API server for sending information about attacks, the results of the Nemesida WAF Scanner and Nemesida AI. With the host=none option, data will not be transmitted to the Nemesida WAF API.

nwaf_host_enable

Activates the Nemesida WAF request analysis mechanism for the virtual host. With the parameter nwaf_host_enable *;, the analysis will be performed for all virtual hosts.

Example of using a single value:

nwaf_host_enable *;
nwaf_host_enable example.com;
nwaf_host_enable *.example.com;

Example of using multiple values:

nwaf_host_enable example.com, a.example.com;
nwaf_host_enable example.com, *.example.com;
nwaf_limit

Sets the limit of blocked requests. If the allowed number of blocked requests is exceeded, as defined by the rate option, the IP address will be blocked for the time (in seconds) specified in block_time.

Example:

nwaf_limit rate=5r/m block_time=600;

To set the limit of blocked requests for a specific domain, you need to change the parameter to the form: nwaf_limit rate=... block_time=... domain=...;

Example:

nwaf_limit rate=5r/m block_time=600 domain=example.com;

For the domain parameter, strict matching and wildcard values are allowed: *, example.com , .example.com , *.example.com .

nwaf_ip_wl

Deactivation of the request analysis mechanism by Nemesida WAF for a specific IP address or subnet.

Example:

nwaf_ip_wl x.x.x.x;

When using nwaf_ip_wl x.x.x.x domain=example.com ; the analysis mechanism will be deactivated only when accessing from a specific IP address to a specific virtual host.
For the domain option, strict matching and wildcard values are allowed: *, example.com , .example.com , *.example.com .
IPv4/IPv6 addresses are allowed, including the use of CIDR (for example, x.x.x.x/24) and a range of IP addresses.

Example:

nwaf_ip_wl domain=example.com 127.0.0.1, 192.168.61.0/24, 192.168.61.1-192.168.61.255;

To reduce the number of false positives, it is recommended to specify the static IP address of users (administrators, content managers, editors) in the parameter nwaf_ip_wl. Requests that fall under the action of the parameter will not be blocked. Be extremely careful when using the parameter.

nwaf_host_wl

Deactivation of the request analysis mechanism by Nemesida WAF for a virtual host. With the parameter nwaf_host_wl *;, skipping will be performed for all virtual hosts.

Example of using a single value:

nwaf_host_wl *;
nwaf_host_wl example.com;
nwaf_host_wl *.example.com;

Example of using multiple values:

nwaf_host_wl example.com, a.example.com;
nwaf_host_wl example.com, *.example.com;
nwaf_ip_lm

Configuring request processing for a specific IP address or subnet with fixation in the DBMS, but without actual blocking (IDS mode).

Example:

nwaf_ip_lm x.x.x.x;

When using nwaf_ip_lm x.x.x.x domain=example.com ; the pass will be made only when accessing from a specific IP address to a specific domain.
For the domain option, strict matching and wildcard values are allowed: *, example.com , .example.com , *.example.com .
IPv4/IPv6 addresses are allowed, including the use of CIDR (for example, x.x.x.x/24) and a range of IP addresses.

Example:

nwaf_ip_lm domain=example.com 127.0.0.1, 192.168.61.0/24, 192.168.61.1-192.168.61.255;
nwaf_host_lm

Configuring request processing for a specific virtual host with a commit in the DBMS, but without actual blocking (IDS mode). With the parameter nwaf_host_lm *;, skipping will be performed for all virtual hosts.

Example of using a single value:

nwaf_host_lm *;
nwaf_host_lm example.com;
nwaf_host_lm *.example.com;

Example of using multiple values:

nwaf_host_lm example.com, a.example.com;
nwaf_host_lm example.com, *.example.com;
nwaf_put_body_exclude

A parameter that excludes the signature method from analyzing the contents of the BODY zone for PUT requests, as well as sending the contents of the zone to the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful when interacting with ownCloud web applications or similar ones that allow the client to upload a file to the server over the HTTP protocol.

Example of using a single value:

nwaf_put_body_exclude *;
nwaf_put_body_exclude example.com;
nwaf_put_body_exclude *.example.com;

Example of using multiple values:

nwaf_put_body_exclude example.com, a.example.com;
nwaf_put_body_exclude example.com, *.example.com;

nwaf_body_exclude

A parameter that excludes the analysis of the BODY zone by the signature method, as well as sending its contents to the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful if it is not possible to change the value of the client_body_buffer_size parameter in the /etc/nginx/nginx.conf file.

Example:

nwaf_body_exclude *;
nwaf_body_exclude example.com/uploads.php;
nwaf_body_exclude example.com/uploads;

When applying the parameter, the exact match of the path (vhost/path) is taken into account.

For example, with the value: example.com/uploads the BODY zone analysis exception will be applied for requests to example.com/uploads , but for example.com/uploads.php and example.com/uploads/index.php the parameter will not be applied. With the value *, the BODY zone analysis exception will be applied to any address.

nwaf_rmq
Configuring the interaction subsystem with RabbitMQ.
nwaf_log_mr_all
Activation of the parameter for recording information about all occurrences of blocking rules (attack signatures) in the Nginx error log. By default, the parameter is deactivated (commented out). When the parameter is deactivated, only the signature that led to blocking the request or to fixing the signature without subsequent blocking is recorded in the Nginx error log (in the LM mode).

With the parameter nwaf_log_mr_all domain=example.com ; the recorded occurrences will be recorded only for a specific domain.
For the domain option, strict matching and wildcard values are allowed: example.com , .example.com and *.example.com .

nwaf_check_bot_name
This parameter is used to identify search engine robots. Blocked requests that fall under the action of the parameter do not increase the value of the rate counter and cannot lead to blocking of the IP address. The first parameter value is defined in the User-Agent zone. The second parameter value defines the host name obtained by reverse IP address conversion. If the second value is not set, it is considered equal to the first.

Example:

nwaf_check_bot_name "example.com" "example.net";
nwaf_check_bot_name "example.com";
nwaf_check_bot_name "bingbot" "msn.com";
nwaf_check_bot_name "yandex.ru";

Features of LM mode
A request that falls under the nwaf_ip_lm, nwaf_host_lm or LM parameters and has BT 0 (request processing status) is not blocked, but is added to the training sample.

A request that falls under the signature with a score (digital significance indicator) equal to 12, in the LM mode, will be transmitted to the Nemesida WAF API module, as well as to other query analysis subsystems, except for the Nemesida mordule AI MLA. To send a request to the Nemesida AI MLA module, the total score for the request must exceed the value of the mla_score parameter. Signature indicators with score equal to 12 are not summed up.

If a request with a score equal to 12 does not fall under the LM mode, the request will be blocked by signature analysis with transmission to the Nemesida WAF API module.

Restart the server and test:

# systemctl restart nginx.service nwaf_update.service
# systemctl status nginx.service nwaf_update.service

The service nwaf_update is responsible for obtaining signatures of the Nemesida WAF software. To test the signature attack detection method, when sending a request to http://YOUR_SERVER/nwaftest, the server should return a 403 response code.

After Nemesida WAF installation you can install Nemesida WAF API and Nemesida WAF Cabinet, which is intended to visualise and classify the information about attacks and identified vulnerabilities.