Installation and setup guide for the Nemesida WAF API module, which receives information about attacks and identified vulnerabilities.
Nemesida WAF API transfers information from the Nemesida WAF modules (blocked requests, detected vulnerabilities, operation status of the machine learning module) to a PostgreSQL database for subsequent integration with other services, such as Nemesida WAF Cabinet, SIEM systems, etc.
To install Nemesida WAF API, you must perform the following steps:
1. Install and configure the PostgreSQL DBMS:
# apt install postgresql
Create a database, user and password to connect the Nemesida WAF API module:
# su - postgres -c "psql -c \"CREATE DATABASE waf;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf to nw_api;\""
# su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""
Create a database, user and password to connect the Nemesida WAF Cabinet module:
# su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet to nw_cabinet;\""
# su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""
# setenforce 0
then bring the file /etc/selinux/config to the form:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
For security it’s recommended to allow requests to Nemesida WAF API from servers with Nemesida WAF, Nemesida AI and Nemesida WAF Scanner only.
If the database is used on a separate server, then it is necessary to provide access to it for the Nemesida WAF API modules, the Nemesida WAF Cabinet and the Nemesida WAF Scanner. To do this, you need to make changes to the PostgreSQL configuration file pg_hba.conf.
Example:
# IPv4 local connections:
host all all 0.0.0.0/0 md5
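The example rule above admits every role to every database from any address. The following check is an added example, not part of the Nemesida WAF documentation: it parses pg_hba.conf text and reports host rules that are not scoped to one database, one role and a known peer. The 192.0.2.x addresses are constructed placeholders for the servers running the Nemesida WAF API and Nemesida WAF Cabinet modules.

```python
import ipaddress

# Constructed sample: line 2 is the rule from the guide, the rest are narrowed
# variants. 192.0.2.x are documentation addresses, not real server addresses.
SAMPLE_PG_HBA = """\
# IPv4 local connections:
host    all      all         0.0.0.0/0                  md5
host    waf      nw_api      192.0.2.10/32              md5
host    cabinet  nw_cabinet  192.0.2.20 255.255.255.255 md5
host    waf      all         192.0.2.0/24               trust
"""

def parse_host_rules(text):
    """Return (lineno, database, user, network, method) for each host* rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("host"):
            continue  # comments, blank lines, local (socket) rules
        db, user, addr = f[1], f[2], f[3]
        if addr in ("all", "samehost", "samenet"):
            net, method = addr, f[4]
        elif "/" in addr:
            net, method = ipaddress.ip_network(addr, strict=False), f[4]
        else:
            try:  # "address netmask" form occupies two columns
                net, method = ipaddress.ip_network(f"{addr}/{f[4]}", strict=False), f[5]
            except (ValueError, IndexError):
                net, method = addr, f[4]  # host name instead of an address
        rules.append((lineno, db, user, net, method))
    return rules

def audit(text):
    """Return {lineno: [findings]} for rules wider than one database, role or peer."""
    report = {}
    for lineno, db, user, net, method in parse_host_rules(text):
        checks = [
            (db == "all", "any database"),
            (user == "all", "any role"),
            (net == "all" or getattr(net, "prefixlen", None) == 0, "any source address"),
            (method in ("trust", "password"), f"weak auth method: {method}"),
        ]
        findings = [msg for hit, msg in checks if hit]
        if findings:
            report[lineno] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_PG_HBA))
```

Lines 3 and 4 of the sample pass the check: each names one database, one role and a single peer address, which is the narrowed form of the rule for a separate database server.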
2. Install the module:
Before installing the module, be sure to check access to the created database by connecting to it with the command psql -h <server_ip> -U nw_api waf. When connecting, enter the password of the nw_api user.
# apt install apt-transport-https gnupg2 curl
# apt install nwaf-api
During the installation of the module, the following PIP packages are additionally installed:
wheel uwsgi flask func-timeout netaddr psycopg2-binary pymemcache python-decouple requests requests validators pyopenssl
3. Allow access:
When deploying the database locally:
– to external servers;
– to the Memcached server 127.0.0.1:11211;
– to the PostgreSQL DBMS server 127.0.0.1:5432.
When deploying the database on a separate server:
– to external servers;
– to the Memcached server 127.0.0.1:11211;
– to the PostgreSQL DBMS server <server_ip>:5432.
4. Create a database structure:
# cat /var/www/nw-api/api.sql | su postgres -c "psql waf"
5. Make the necessary changes to the /var/www/nw-api/settings.py file to connect to the PostgreSQL DBMS.
6. Restart the services and test the module:
# systemctl status nw-api rldscupd
The rldscupd service is designed to get additional data about events (description of anomalies, GeoIP data, etc.).
For security reasons, it is recommended to allow access to the Nemesida WAF API only from the IP addresses of the Nemesida WAF, Nemesida AI and Nemesida WAF Scanner servers.
1. On the server with the Nemesida WAF module installed, edit the configuration file /etc/nginx/nwaf/conf/global/nwaf.conf and set the parameters as follows:
nwaf_sys_proxy http://proxy.example.com:3128;
nwaf_api_proxy http://proxy.example.com:3128;
nwaf_api_conf host=http://nwaf-api.example.com:8080/nw-api/;
where nwaf-api.example.com:8080/nw-api/ is the address and port of the server where the Nemesida WAF API module is installed, and http://proxy.example.com:3128 is the proxy server address for accessing Nemesida WAF API.
2. On the server with the Nemesida AI MLC module installed, edit the configuration file /opt/mlc/mlc.conf and set the parameters as follows:
api_uri = http://nwaf-api.example.com:8080/nw-api/
api_proxy = http://proxy.example.com:3128
3. On the server with the Nemesida WAF Scanner module installed, edit the configuration file /opt/nws/main.conf and set the parameters as follows:
api_host = http://nwaf-api.example.com:8080/nw-api/
api_proxy = http://proxy.example.com:3128
4. After making changes, you must restart the services or restart the server.
Other information
While Nemesida WAF API is running, information about errors is written to the module's run-time logs, /var/log/uwsgi/app/*.log.
Information about events entering the Nemesida WAF API module is placed in the waf database in the attack, ml and scan_report tables.