The installation and setup guide for the Nemesida WAF Cabinet module, which visualises and classifies information about attacks and identified vulnerabilities.

The domain name example.com and its subdomains are used in this guide as an example.

Nemesida WAF Cabinet installation and setup guide

Before installing the Nemesida WAF Cabinet module, you must install and configure the Nemesida WAF API module and PostgreSQL.

Below is a brief guide to deploying the local version of Nemesida WAF Cabinet on servers running Linux. To install the module, perform the following steps:

Debian

# apt install apt-transport-https

Debian 9
Connect the repository:

# echo "deb https://nemesida-security.com/repo/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

Connect Nginx repository:

# echo "deb http://nginx.org/packages/debian/ stretch nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
Debian 10
Connect the repository:

# echo "deb https://nemesida-security.com/repo/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

Connect Nginx repository:

# echo "deb http://nginx.org/packages/debian/ buster nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the module:

# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install python3 python3-venv python3-dev python3-pip nginx memcached libmemcached-dev postgresql-server-dev-all
# apt install nwaf-cabinet

Nginx is installed automatically and a virtual host is created in the /etc/nginx/conf.d/ directory. When the installation completes, rename the virtual host configuration file cabinet.conf.disabled to cabinet.conf and restart nginx.

Ubuntu

# apt install apt-transport-https

Ubuntu 16.04
Connect the repository:

# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu xenial non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -

Connect Nginx repository:

# echo "deb http://nginx.org/packages/ubuntu/ xenial nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Connect Python 3.6 repository:

# apt install software-properties-common
# add-apt-repository ppa:deadsnakes/ppa

Install the packages:

# apt update && apt upgrade
# apt install python3.6 python3.6-venv python3.6-dev nginx memcached libmemcached-dev build-essential
# curl https://bootstrap.pypa.io/get-pip.py | python3.6
Ubuntu 18.04
Connect the repository:

# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -

Connect Nginx repository and install the packages:

# echo "deb http://nginx.org/packages/ubuntu/ bionic nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# apt update && apt upgrade
# apt install python3 python3-venv python3-dev python3-pip nginx memcached libmemcached-dev build-essential
Ubuntu 20.04
Connect the repository:

# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -

Connect Nginx repository and install the packages:

# echo "deb http://nginx.org/packages/ubuntu/ focal nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# apt update && apt upgrade
# apt install python3.8 python3.8-venv python3.8-dev python3-pip nginx memcached libmemcached-dev build-essential python3-reportbug libpq-dev

Install the module:

# apt install nwaf-cabinet

Nginx is installed automatically and a virtual host is created in the /etc/nginx/conf.d/ directory. When the installation completes, rename the virtual host configuration file cabinet.conf.disabled to cabinet.conf and restart nginx.

CentOS

Configure the SELinux policy for the module or, failing that, disable SELinux. Disabling it removes a mandatory access control layer from the whole host, so writing a policy is preferable. To disable it on the running system:

# setenforce 0

then, so that the change persists across reboots, bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
CentOS 7
1. Connect additional repositories and install the module:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# rpm -Uvh https://yum.postgresql.org/11/redhat/rhel-7-x86_64/pgdg-centos11-11-2.noarch.rpm
# rpm -Uvh https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# yum install python36 python36-pip python36-devel nginx memcached libmemcached-devel postgresql-libs gcc
# yum install nwaf-cabinet
CentOS 8
1. Connect additional repositories and install the module:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-8-1-6.noarch.rpm
# dnf update
# dnf install python3 python3-pip python3-devel postgresql-devel gcc nginx memcached 
# dnf install nwaf-cabinet

Nginx is installed automatically and a virtual host is created in the /etc/nginx/conf.d/ directory. When the installation completes, rename the virtual host configuration file cabinet.conf.disabled to cabinet.conf and restart nginx.

2. Make the necessary changes to the /var/www/app/cabinet/settings.py file.

settings.py parameters
Parameter
Description
ALLOWED_HOSTS
A Django security setting. Specify the FQDN («example.com») or the IP address on which the module is served; Django rejects requests whose Host header does not match one of the listed values.

HTTP_PROXY_CONF
Proxy address (optional).

DB_NAME_CABINET
DB_USER_CABINET
DB_PASS_CABINET
DB_HOST_CABINET
DB_PORT_CABINET
Parameters for connecting to the database of the Nemesida WAF Cabinet module.

DB_NAME_CONF
DB_USER_CONF
DB_PASS_CONF
DB_HOST_CONF
DB_PORT_CONF
Parameters for connecting to the database of the Nemesida WAF API module.

SEND_EMAIL
EMAIL_HOST
EMAIL_PORT
EMAIL_HOST_USER
EMAIL_HOST_PASSWORD
EMAIL_USE_TLS
SMTP_TO_CONF
EMAIL_DETAILS
Settings for connecting to the mail server used to send event notifications by email (optional), where:
SEND_EMAIL – sending messages about attacks; if the parameter is False, messages about attacks are not sent by email;
EMAIL_HOST – address of the SMTP server;
EMAIL_PORT – port of the SMTP server;
EMAIL_HOST_USER – user name of the mail server account on behalf of which messages are sent;
EMAIL_HOST_PASSWORD – password of that account;
EMAIL_USE_TLS – use TLS (STARTTLS) for the connection to the SMTP server (True or False);
SMTP_TO_CONF – email address to which messages are sent;
EMAIL_DETAILS – send extended information about attacks by email (True or False).
SKIP_BT1
SKIP_BT2
SKIP_BT3
SKIP_BT4
SKIP_BT5
SKIP_BT7
SKIP_BT8
SKIP_BT9
SKIP_BT10
If the parameter is absent or False, messages with the corresponding blocking identifier (BT) are sent to the email address. If the parameter is True, messages with that BT are not sent.

For example, with SKIP_BT7 = False, messages with BT 7 are sent to the email.


VTS_SERVERS
VTS_URL
Parameters for collecting information from the VTS module (optional), where:
VTS_SERVERS – the list of servers from which the module takes data.
Example: VTS_SERVERS = ['w1.example.com', 'w2.example.com'];

VTS_URL – the address of the page on which the VTS module's information is available.

The servers are accessed over HTTP/HTTPS. After setting the parameters, enable and restart the service:

# systemctl enable cabinet_vts
# systemctl restart cabinet_vts

3. Allow network access from the Cabinet server:
– to the server https://nemesida-security.com;
– to the server Memcached 127.0.0.1:11211;
– to the server with PostgreSQL;
– to servers from the VTS_SERVERS list via HTTP or HTTPS protocols.

4. In the firewall, allow requests to port 80 (the port set by default in the file /etc/nginx/conf.d/cabinet.conf).

5. Run the migrations and create the administrator account (createsuperuser prompts for its credentials):

# cd /var/www/app/ && . venv/bin/activate && python3 manage.py migrate && python3 manage.py createsuperuser && deactivate

6. Restart the services listed below and check their status:

# systemctl status cabinet cabinet_ipinfo cabinet_attack_notification cabinet_vts

For security reasons, restrict access to the web interface of the Nemesida WAF Cabinet module to a list of allowed IP addresses (for example with allow/deny directives in the nginx virtual host), so that unauthorized users cannot manage the Nemesida WAF work processes.
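As an added example (not the shipped cabinet.conf, whose contents this page does not show), the allow-list fragment that implements the recommendation above. The networks and addresses are assumptions; replace them with your management addresses:

```nginx
# Added example, not the Nemesida WAF Cabinet's own configuration.
# Put these directives inside the Cabinet's server block in
# /etc/nginx/conf.d/cabinet.conf, above its location blocks, so they apply
# to every path of the interface. Addresses below are assumptions.
allow 10.0.0.0/24;     # assumed management network
allow 192.0.2.10;      # assumed administrator workstation
deny  all;             # every other client receives 403 before reaching the application
```

After editing, validate with nginx -t and reload nginx. This network-level restriction complements the per-user Access restricted by IP field described in the admin panel section, which is only evaluated at login.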

Nemesida WAF Cabinet user guide

The Nemesida WAF Cabinet, available at YOUR_SERVER/waf/personal/, contains information on the work of the main Nemesida WAF modules (Nemesida WAF, Nemesida WAF Scanner, Nemesida WAF AI) and the auxiliary ones.

Attack tables and charts

The Summary page contains all summary information about anomalous requests to the protected web application: attacks related to attempts to search or exploit vulnerabilities, brute-force attacks, and attempts to transmit malicious code (depending on the mode of operation of the Nemesida WAF modules).

The All attacks table shows the number of anomalous requests for a given period of time, broken down by category.

The Attacks intensity chart shows the intensity and dynamics of attacks for the given period and the selected categories.

The Attacks by type charts show extended information about anomalous requests for specific periods (today, last 24 h, last week, last month).

The Statistic by target and Statistic by IP charts show the Top-10 attacked domains and the Top-10 IP addresses from which anomalous requests came.

Information on quantitative indicators, intensity and dynamics of anomalous requests arriving in a specific period

Extended information on anomalous requests for specific periods

On the Attacks page, the following icons indicate how behavioral models were involved:

  • the icon is displayed when the machine learning module is not the reason for blocking the request (BT 2, 6, 7);
  • the icon is displayed when the behavioral models are being retrained;
  • the icon is displayed when the machine learning module is the reason for blocking the request (BT 3, 8).

More information about the reasons of the request blocking by Nemesida WAF module is available in corresponding section.

When you click on the icon a list of events is displayed.

Regular attack list information

The search area and the period selector are at the top of the page. On the Summary and Attacks pages you can search both in normal mode (without special parameters) and in advanced mode using the following directives:

Advanced search filters
  • h – virtual host, domain name;
  • t – type of attack (SQLi, XSS, LFI, MLA, ClamAV, BF, DDoS, MLC, etc);
  • ip – IP address of the attacker;
  • bt – blocking identifier (BT);
  • waf_id – WAF ID;
  • group_id – ID of the group of requests identified by Nemesida AI MLC as brute-force or DDoS attack;
  • recheck – the status of the recheck operation (processed, confirmed, not confirmed);
  • rule – signature ID;
  • body – request body;
  • mz – anomaly detection zone (URL, ARGS, BODY, HEADERS, Cookie, etc);
  • url – request URL address;
  • possible – The filter is used without parameters and is intended to display possible attacks BT 7 (brute force attacks), BT 9 (flood) and BT 10 (DDoS), that are not reliably identified as attacks. The use of the logical operator “!” is supported to exclude the output of information about potential attacks. Example: !possible

To narrow the results, the logical operators «!» (exclusion) and «and» (association) are available in the search field.

Examples of possible requests

The request will display information on attacks that have the confirmed status when using the recheck function

recheck:confirmed

The request will display information on attacks of the brute-force type

t:bf

The request will display information on attacks of the DDoS attack type

t:ddos

The request will display information on attacks with blocking identifier BT 1

bt:1

The request will display information on requests with the ID dd8636c32d177c0c74416c19429a8c4d

waf_id:dd8636c32d177c0c74416c19429a8c4d

The request will display information on attacks with the specified Request ID

group_id:dd8636c32d177c0c74416c19429a8c4d

The request will display information on attacks with the rule number 1022

rule:1022

The request will display information on attacks containing test in the Body field

body:test

The request will display information on attacks detected in the Cookie zone

mz:cookie

The request will display information on attacks whose URL contains index.php

url:index.php

The request will display information about potential attacks on the domain example.com

h:example.com and possible

The request will display information on attacks on the example.com domain from IP address 1.2.3.4

h:example.com and ip:1.2.3.4

The request will display information on attacks on the 1.example.com and 2.example.com domains, except for attacks identified by signature analysis as SQL injection

h:1.example.com and h:2.example.com t:!SQLi

The request will display information on attacks identified by signature analysis as SQL injection to the example.com domain from IP addresses 1.2.3.4 and 4.3.2.1

h:example.com t:SQLi ip:1.2.3.4 and ip:4.3.2.1

For requests blocked by the signature method, the Rule ID field is available. Clicking it opens a pop-up window with the following information:

  • the information about the signature structure;
  • the exception rule (WL) for adding in Nemesida WAF configuration file.

Blocked requests with BT 1 and BT 2 that have the same Request ID are grouped. If the requests were blocked by different signatures before grouping, the signatures are listed in the Rule ID field separated by commas, and the description of the vulnerability (for example SQLi, XSS, LFI) is replaced by Multiple rule after grouping.

Grouping requests

More information about signatures and exception rules is available in the relevant section of the guide.

Signature Information

Brute-force attacks Information

Recheck functionality

In addition to its main functionality, Nemesida WAF Scanner can re-send the content of a blocked request, and variations of it, to the protected web application. Users in the «Administrators» group can start this check with the Recheck button, which becomes available for detected attacks of the XSS, SQLi, LFI and RFI types with BT 1 or 2 when grouping is switched off. The verification status is displayed in place of the button. If a vulnerability is confirmed, the information is available in the «Scanner» section of the Cabinet. The administrator can exclude the request by clicking the corresponding icon; the information about it is then available in the «Scanner» tab of the admin panel. To use the Recheck functionality, configure the [recheck] section in the file /opt/nws/main.conf.

Recheck replays attacker-supplied request content against the live web application, so it can lead to the execution of arbitrary code from the request on the web application side. Use the functionality only if you are completely confident in your actions.

Possible meanings:

  • Processed — check is processing;
  • Confirmed — vulnerability is detected;
  • Not confirmed — vulnerability is not detected.

Additional vulnerability check information

Unlock Request functionality

A Nemesida WAF Cabinet user who considers the blocking of a request to be erroneous can send an unlock application to the administrator by pressing the corresponding button. An email with a description of the application is sent to the administrator. The list of all applications is in the corresponding tab of the admin panel. The request can be unlocked or left blocked. To unlock the request, the administrator needs to create an appropriate rule for Nemesida WAF, after which the user receives a notification.

Unlock Request Form

List of requests in the admin panel

Vulnerability Scanner Results

Information on the operation of the Nemesida WAF Scanner module is available in the corresponding tab. The administrator can exclude a request by clicking the corresponding icon; the information about it is then available in the «Scanner» tab of the admin panel, and similar requests are no longer displayed on this tab.

Vulnerability Scanner Statistics

You can search for events both in normal mode (without specifying special parameters) and in advanced mode, using the following directives:

Advanced search filters
  • h – virtual host, domain name;
  • t – type of attack (SQLi, XSS, LFI, etc);
  • ip – IP address of the attacker;
  • u – tested URL;
  • p – vulnerable parameter.

To narrow the results, the logical operators «!» (exclusion) and «and» (association) are available in the search field.

Examples of possible requests

The request will display information about vulnerabilities found for the domain example.com

h:example.com

The request will display information about vulnerabilities of type SQLi

t:SQLi

The request will display information about the vulnerabilities found for the tested URL /search.php

u:/search.php

The request will display information about vulnerabilities found in the id parameter

p:id

The request will display information about vulnerabilities of the SQL injection type for the domain example.com

h:example.com and t:SQLi
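As an added example of the filter semantics used in this section and in the attack search section above (not code from Nemesida WAF Cabinet, whose implementation is not shown on this page), the following Python filter applies the documented directives to constructed sample data. It assumes, from the page's examples, that repeated directives are alternatives (h:1.example.com and h:2.example.com), different directives must all hold, «and» is only a separator, «!» negates a value (t:!SQLi, !possible), and body and url match as substrings; a bare word (normal-mode search) is rejected rather than modelled.

```python
from typing import Dict, List, Set

# Constructed sample attack events (not real Cabinet data), carrying the fields the directives refer to.
ATTACK_EVENTS = [
    {"id": 1, "h": "example.com",   "t": "SQLi", "ip": "1.2.3.4", "bt": 1,  "rule": 1022, "mz": "ARGS",   "url": "/index.php",  "body": "",     "recheck": "confirmed",     "possible": False},
    {"id": 2, "h": "example.com",   "t": "XSS",  "ip": "4.3.2.1", "bt": 1,  "rule": 2005, "mz": "Cookie", "url": "/login",      "body": "test", "recheck": "not confirmed", "possible": False},
    {"id": 3, "h": "example.com",   "t": "BF",   "ip": "5.6.7.8", "bt": 7,  "rule": None, "mz": "",       "url": "/login",      "body": "",     "recheck": "",              "possible": True},
    {"id": 4, "h": "1.example.com", "t": "SQLi", "ip": "1.2.3.4", "bt": 2,  "rule": 1022, "mz": "BODY",   "url": "/search.php", "body": "test", "recheck": "",              "possible": False},
    {"id": 5, "h": "2.example.com", "t": "LFI",  "ip": "9.9.9.9", "bt": 1,  "rule": 3001, "mz": "URL",    "url": "/index.php",  "body": "",     "recheck": "",              "possible": False},
    {"id": 6, "h": "2.example.com", "t": "DDoS", "ip": "9.9.9.9", "bt": 10, "rule": None, "mz": "",       "url": "/",           "body": "",     "recheck": "",              "possible": True},
]

# Constructed scanner findings for the vulnerability scanner directives (h, t, ip, u, p).
SCANNER_FINDINGS = [
    {"id": 101, "h": "example.com",   "t": "SQLi", "ip": "1.2.3.4", "u": "/search.php", "p": "id"},
    {"id": 102, "h": "example.com",   "t": "XSS",  "ip": "4.3.2.1", "u": "/index.php",  "p": "q"},
    {"id": 103, "h": "1.example.com", "t": "SQLi", "ip": "1.2.3.4", "u": "/search.php", "p": "page"},
]

# Directives whose value is matched as a substring (the page says "containing"); all others match whole.
SUBSTRING_KEYS = {"body", "url"}


def parse_query(query: str):
    """Split a query into (positive, negative, possible).
    positive/negative map a directive to the set of values it must / must not take;
    possible is True for 'possible', False for '!possible', None when absent."""
    positive: Dict[str, Set[str]] = {}
    negative: Dict[str, Set[str]] = {}
    possible = None
    for token in query.split():
        if token.lower() == "and":
            continue  # 'and' only separates terms; grouping by directive decides OR vs AND
        if token in ("possible", "!possible"):
            possible = not token.startswith("!")
            continue
        negated = token.startswith("!")
        key, sep, value = token.lstrip("!").partition(":")
        if not sep or not value:
            raise ValueError(f"unsupported search term: {token!r}")
        if value.startswith("!"):  # the page also writes the negation after the colon: t:!SQLi
            negated, value = True, value[1:]
        bucket = negative if negated else positive
        bucket.setdefault(key.lower(), set()).add(value.lower())
    return positive, negative, possible


def field_matches(event: dict, key: str, values: Set[str]) -> bool:
    """Case-insensitive comparison of one event field against the values of one directive."""
    actual = "" if event.get(key) is None else str(event[key]).lower()
    if key in SUBSTRING_KEYS:
        return any(v in actual for v in values)
    return actual in values


def event_matches(event: dict, query: str) -> bool:
    """Values of the same directive are alternatives (OR); different directives must all hold (AND)."""
    positive, negative, possible = parse_query(query)
    if possible is not None and bool(event.get("possible", False)) != possible:
        return False
    if any(not field_matches(event, k, v) for k, v in positive.items()):
        return False
    if any(field_matches(event, k, v) for k, v in negative.items()):
        return False
    return True


def search(events: List[dict], query: str) -> List[int]:
    """Return the ids of the events matched by the query, in their original order."""
    return [e["id"] for e in events if event_matches(e, query)]


if __name__ == "__main__":
    for q in ("t:bf", "h:1.example.com and h:2.example.com t:!SQLi", "h:example.com and possible"):
        print(f"{q!r:50} -> {search(ATTACK_EVENTS, q)}")
    print(f"{'h:example.com and t:SQLi':50} -> {search(SCANNER_FINDINGS, 'h:example.com and t:SQLi')}")
```

The same search function serves both pages because the scanner directives (u, p) are just further exact-match fields; only the data differs. Exporting events from the Cabinet and re-running a saved query with this filter is a quick way to confirm what a given search expression will and will not return before relying on it in a report.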

Statistics of the module «Nginx virtual host traffic status»

The tab contains information about traffic exchanged with the Nginx upstream servers, the number of 5xx errors, the response time, and the inbound and outbound speed, presented for three periods (now, week, month).

VTS module statistics

Formation of a detailed report in PDF and CSV formats

Going to the tab generates a detailed report on the work of Nemesida WAF and its components. The report can be generated in PDF and CSV formats.

Admin panel

Users who are members of the «Administrators» group have access, via the tab, to a special section where they can manage other users and their parameters and process incoming applications.

List of the users

The tab contains the list of all users. Clicking the delete icon deletes the user; clicking the edit icon opens the user editing window.

Admin panel

Vulnerability Scanner

In the admin panel, the tab displays the requests that the administrator has excluded from the list of vulnerabilities.

Vulnerabilities information

List of all applications for unlocking requests

The tab displays the list of applications for unlocking requests. Clicking the delete icon deletes the application.

Information about applications for unlocking requests

The administrator can edit the application by clicking the edit icon.

The edit form of the application for unlocking request

Add new user

The tab contains window for adding a new user.

Add new user

To add a new user, fill in the following fields:

Field
Description
E-mail

E-mail address

WAF ID

Module ID of Nemesida WAF. You can set multiple WAF IDs separated by commas. The «*» value means all possible WAF IDs.

To group license keys into a single WAF ID, send a request to support@nemesida-security.com

Password

Password

Confirmation

Confirm password

Role

User role: User or Administrator (with rights to create and edit other users).

Status

User status: enabled (Active) or disabled (Inactive).

WAF domains

Filtering attacks by domain. You can set multiple domains separated by comma. The «*» value means that all domains will be used.

If you set a specific domain, the user will only see the attacks that came to this domain in their personal account.

In this field you can use wildcard values similar to Nginx's server_name. For example, the domain name .example.com includes the main domain and its subdomains, while *.example.com includes the subdomains but not the main domain example.com.

Access restricted by IP

The IP addresses from which the user can log in to the personal account or the admin panel. You can set multiple addresses separated by commas.
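As an added example (not Nemesida WAF Cabinet's own code, whose matching logic is not shown on this page), a Python implementation of the WAF domains wildcard rules and of the comma-separated Access restricted by IP field described above. The acceptance of CIDR networks in ip_allowed is an assumption beyond what the page states; everything else follows the field descriptions.

```python
import ipaddress


def domain_matches(pattern: str, host: str) -> bool:
    """One WAF domains entry against one host name, following the Nginx-like rules
    described above: '*' covers everything, '.example.com' covers example.com and
    its subdomains, '*.example.com' covers only the subdomains, anything else is exact."""
    pattern = pattern.strip().lower()
    host = host.strip().lower().rstrip(".")  # tolerate a trailing dot in the host
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # keep the leading dot of the suffix: 'api.example.com' matches, bare 'example.com' does not
        return host.endswith(pattern[1:])
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def user_sees_host(waf_domains: str, host: str) -> bool:
    """The comma-separated WAF domains field: a user sees an attack if any entry covers its host."""
    return any(domain_matches(p, host) for p in waf_domains.split(",") if p.strip())


def ip_allowed(restricted_ips: str, client_ip: str) -> bool:
    """The comma-separated Access restricted by IP field; an empty field places no restriction.
    Entries are parsed with ipaddress so that a typo in the list fails loudly instead of
    silently never matching. Assumption: CIDR networks are accepted as well as plain addresses."""
    entries = [e.strip() for e in restricted_ips.split(",") if e.strip()]
    if not entries:
        return True
    client = ipaddress.ip_address(client_ip)
    # an address of the other IP version is simply not contained, so mixed lists are safe
    return any(client in ipaddress.ip_network(e, strict=False) for e in entries)


if __name__ == "__main__":
    for pattern, host in ((".example.com", "example.com"), ("*.example.com", "example.com"),
                          ("*.example.com", "api.example.com"), ("example.com", "api.example.com")):
        print(f"{pattern:16} {host:18} -> {domain_matches(pattern, host)}")
    print(ip_allowed("198.51.100.4, 10.0.0.0/24", "10.0.0.9"))
```

The subtle case is the leading-dot check: matching on the suffix 'example.com' without the dot would also admit 'notexample.com', so the suffix kept for comparison always starts with the dot and the bare main domain is handled as a separate equality test.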

Output of additional information about the module operation

If there is a problem with the module, edit the file /var/www/app/cabinet/settings_extra.py so that the LOGGING block sets the logging level as follows:

...
LOGGING = {
...
   'level': 'INFO'
...
   'level': 'INFO'
...

and restart the service:

# service cabinet restart

During Nemesida WAF Cabinet operation, errors are written to the module's runtime logs /var/log/uwsgi/cabinet/*.log and diagnostic information to /var/log/uwsgi/cabinet/debug.log.