Installation and setup guide for the Nemesida WAF API module, which receives information about attacks and identified vulnerabilities from the other Nemesida WAF components.

Nemesida WAF API installation and setup

Nemesida WAF API transfers information from the Nemesida WAF modules (blocked requests, detected vulnerabilities, operating status of the machine learning module) to a PostgreSQL database for subsequent integration with other services, such as Nemesida WAF Cabinet, SIEM-class systems, etc.

To install Nemesida WAF API, you must perform the following steps:

1. Install and configure the PostgreSQL DBMS:

Debian, Ubuntu
# apt install postgresql

Create a database, a role and a password for the Nemesida WAF API module to connect with (replace YOUR_PASSWORD with a strong, unique password for each role):

# su - postgres -c "psql -c \"CREATE DATABASE waf;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf to nw_api;\""
# su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""

Create a database, user and password to connect the Nemesida WAF Cabinet module:

# su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet to nw_cabinet;\""
# su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""

CentOS

Configure the SELinux policy or deactivate it with the command below. Disabling SELinux removes a system-wide control, so prefer writing a policy for the module where you can. The psql commands above for creating the databases and roles also apply to CentOS once PostgreSQL has been installed and started:

# setenforce 0

then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

CentOS 8 Stream
Install and configure the PostgreSQL DBMS. The sed commands switch the loopback rules in pg_hba.conf from ident to md5 so that the module can authenticate with the role password; on PostgreSQL 10 and later, scram-sha-256 is the stronger method, provided password_encryption is set to scram-sha-256 before the role passwords are created:

# dnf update
# dnf install postgresql-devel postgresql-server
# postgresql-setup initdb
# sed -i "s|host    all             all             127.0.0.1/32            ident|host    all             all             127.0.0.1/32            md5|" /var/lib/pgsql/data/pg_hba.conf
# sed -i "s|host    all             all             ::1/128                 ident|host    all             all             ::1/128                 md5|" /var/lib/pgsql/data/pg_hba.conf
# systemctl start postgresql
# systemctl enable postgresql

CentOS 9 Stream
Install and configure the PostgreSQL DBMS:

# dnf update
# dnf install postgresql-devel postgresql-server
# postgresql-setup initdb
# sed -i "s|host    all             all             127.0.0.1/32            ident|host    all             all             127.0.0.1/32            md5|" /var/lib/pgsql/data/pg_hba.conf
# sed -i "s|host    all             all             ::1/128                 ident|host    all             all             ::1/128                 md5|" /var/lib/pgsql/data/pg_hba.conf
# systemctl start postgresql
# systemctl enable postgresql

For security, allow requests to the Nemesida WAF API only from the servers running Nemesida WAF, Nemesida AI and Nemesida WAF Scanner.

If the database runs on a separate server, the Nemesida WAF API, Nemesida WAF Cabinet and Nemesida WAF Scanner modules must be able to reach it. To allow this, edit the PostgreSQL configuration file pg_hba.conf (and set listen_addresses in postgresql.conf, which by default accepts only local connections).

Example:

# IPv4 local connections:
host    all             all             0.0.0.0/0            md5

This example accepts password logins from any client address. In production, replace 0.0.0.0/0 with the addresses of the servers listed above only (one host line per server), so that a leaked role password cannot be used from an arbitrary host.
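The 0.0.0.0/0 rule above is the kind of entry a review should catch. As an added example (not part of the Nemesida WAF documentation or of PostgreSQL), the Python script below parses pg_hba.conf rules and reports the ones a reviewer would reject: rules that match every client, rules wider than a /24, trust or cleartext password authentication, and remote rules that do not require TLS. The two sample configurations embedded in it are constructed; the 192.0.2.10 and 192.0.2.11 addresses stand for hypothetical API and Cabinet servers, and the /24 threshold is the editor's choice.

```python
"""Audit pg_hba.conf for client rules broader or weaker than a WAF deployment needs.

Added example for this guide, not part of Nemesida WAF or PostgreSQL. The
samples below are constructed; 192.0.2.x addresses stand for hypothetical
API and Cabinet servers, and MAX_HOSTS is the editor's threshold.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
WEAK_METHODS = {"trust", "password"}  # no authentication / cleartext password
MAX_HOSTS = 256                       # assumption: anything wider than a /24 is suspect


@dataclass
class Finding:
    line_no: int
    rule: str
    reason: str


def parse_rule(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one pg_hba.conf line into its columns; None for blank lines and comments."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    f = body.split()
    kind = f[0]
    if kind == "local":                    # local DATABASE USER METHOD [OPTIONS]
        if len(f) < 4:
            raise ValueError(f"malformed rule: {line!r}")
        return {"type": kind, "database": f[1], "user": f[2], "address": None, "method": f[3]}
    if kind not in HOST_TYPES or len(f) < 5:  # TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
        raise ValueError(f"malformed rule: {line!r}")
    address, method = f[3], f[4]
    try:                                   # pg_hba also allows ADDRESS NETMASK as two columns
        ipaddress.ip_address(method)
    except ValueError:
        pass
    else:
        if len(f) < 6:
            raise ValueError(f"malformed rule: {line!r}")
        address = str(ipaddress.ip_network((address, method), strict=False))
        method = f[5]
    return {"type": kind, "database": f[1], "user": f[2], "address": address, "method": method}


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per weakness; an empty list means every rule passed these checks."""
    findings: List[Finding] = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None:
            continue
        text = line.strip()
        if rule["method"] in WEAK_METHODS:
            findings.append(Finding(no, text, f"auth method '{rule['method']}' is weak"))
        addr = rule["address"]
        if addr is None:                   # Unix-socket rule: no client address to check
            continue
        if addr == "all":
            findings.append(Finding(no, text, "keyword 'all' matches every client address"))
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:                 # samehost, samenet or a DNS name: not checked here
            continue
        if net.prefixlen == 0:
            findings.append(Finding(no, text, f"{addr} matches every client address"))
        elif net.num_addresses > MAX_HOSTS:
            findings.append(Finding(no, text, f"{addr} admits {net.num_addresses} hosts"))
        if rule["type"] in ("host", "hostnossl") and not net.is_loopback:
            findings.append(Finding(no, text, "remote rule does not require TLS (use hostssl)"))
    return findings


# Constructed samples: the permissive example from the guide, then a restricted alternative.
SAMPLE_PERMISSIVE = """\
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               md5
"""

SAMPLE_RESTRICTED = """\
host    all             all             127.0.0.1/32            md5
hostssl waf             nw_api          192.0.2.10/32           scram-sha-256
hostssl cabinet         nw_cabinet      192.0.2.11/32           scram-sha-256
"""

if __name__ == "__main__":
    for name, sample in (("permissive", SAMPLE_PERMISSIVE), ("restricted", SAMPLE_RESTRICTED)):
        print(f"== {name}: {len(audit(sample))} finding(s)")
        for fnd in audit(sample):
            print(f"line {fnd.line_no}: {fnd.reason}\n    {fnd.rule}")
```

The restricted sample is what the vendor's example looks like once narrowed to the servers named in this section: one hostssl rule per server, each pinned to its own database and role, and scram-sha-256 instead of md5. hostssl rules only match TLS connections, so they require ssl = on and a certificate in postgresql.conf, and scram-sha-256 authentication requires password_encryption = scram-sha-256 before the role passwords are set.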

2. Install the module:

Before installing the module, check access to the created database by connecting to it with the command: psql -h <server_ip> -U nw_api waf. When prompted, enter the password of the nw_api user.

Debian
# apt install apt-transport-https gnupg2 curl
Debian 10
Connect the repository and install the packages:

# echo "deb https://nemesida-security.com/repo/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install nginx python3-pip python3-dev postgresql-server-dev-all python3-venv memcached
Debian 11
Connect the repository and install the packages. The repository key is fetched over HTTPS and imported directly into the apt keyring; if your policy requires verifying the key first, save it to a file and inspect it with gpg --show-keys before importing:

# echo "deb https://nemesida-security.com/repo/nw/debian bullseye non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg 
# apt update && apt upgrade
# apt install nginx python3-pip python3-dev postgresql-server-dev-all python3-venv memcached
# apt install nwaf-api

During the installation of the module, the following PIP packages are additionally installed:
wheel uwsgi flask func-timeout netaddr psycopg2-binary pymemcache python-decouple requests validators

Ubuntu

# apt install apt-transport-https gnupg2 curl
Ubuntu 20.04
Connect the repository and install the packages:

# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install nginx python3.8 python3-pip python3.8-dev postgresql-server-dev-all python3.8-venv build-essential memcached
Ubuntu 22.04
Connect the repository and install the packages:

# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu jammy non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg 
# apt update && apt upgrade
# apt install nginx python3.10 python3-pip python3.10-dev postgresql-server-dev-all python3.10-venv build-essential memcached 
# apt install nwaf-api

During the installation of the module, the following PIP packages are additionally installed:
wheel uwsgi flask func-timeout netaddr psycopg2-binary pymemcache python-decouple requests validators

CentOS

Configure the SELinux policy or deactivate it with the command:

# setenforce 0

then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
CentOS 8 Stream
Connect the repository and install the packages:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-8-1-6.noarch.rpm
# dnf update
# dnf install nginx python39 python39-pip python39-devel postgresql-devel gcc memcached
# dnf install nwaf-api
CentOS 9 Stream
Connect the repository and install the packages:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-9-1-6.noarch.rpm
# dnf update
# dnf install nginx python3 python3-pip python3-devel postgresql-devel gcc memcached
# dnf install nwaf-api

During the installation of the module, the following PIP packages are additionally installed:
wheel uwsgi flask func-timeout netaddr psycopg2-binary pymemcache python-decouple requests validators

Information about using Nemesida WAF in a Docker container is available in the corresponding section.
Information about using Nemesida WAF as a Virtual Appliance (virtual disk for KVM/VMware/VirtualBox) and Yandex VM is available in the corresponding section.

3. Allow network access from the Nemesida WAF API server:
When the database is deployed locally:
– outbound, to external servers (directly or through the proxy configured in settings.py);
– to the Memcached server 127.0.0.1:11211;
– to the PostgreSQL DBMS server 127.0.0.1:5432.
When the database is deployed on a separate server:
– outbound, to external servers (directly or through the proxy configured in settings.py);
– to the Memcached server 127.0.0.1:11211;
– to the PostgreSQL DBMS server <server_ip>:5432.

4. Create the database structure:

# cat /var/www/nw-api/api.sql | su postgres -c "psql waf"

The schema is created by the postgres superuser. GRANT ALL ON DATABASE (step 1) grants only CONNECT, CREATE and TEMP on the database itself, not privileges on tables, so if the module later reports permission errors, check that the nw_api role can read and write the created tables.

5. Make the necessary changes to the /var/www/nw-api/settings.py file to connect to the PostgreSQL DBMS. Because DB_PASS is stored in clear text, keep settings.py readable only by the account the uwsgi application runs as.

settings.py

Parameter Description
PROXY Proxy address (optional). For example: PROXY = 'http://proxy.example.com:3128'
DB_HOST, DB_PORT, DB_NAME, DB_USER, DB_PASS Parameters for connecting to the database of the Nemesida WAF API module (the waf database and the nw_api role created in step 1).
RO_MODE Read-only mode of interaction with the database. The parameter is activated on one of the servers with the Nemesida WAF API module installed, to increase fault tolerance when another server with the Nemesida WAF API module becomes unavailable. Activating the parameter assumes that PostgreSQL replication between the servers is configured.
MEMCACHED_HOST, MEMCACHED_PORT Parameters for connecting to the Memcached server.

6. Restart the services (systemctl restart nw-api rldscupd) and check that both are active:

# systemctl status nw-api rldscupd

The rldscupd service is designed to get additional data about events (description of anomalies, GeoIP data, etc.).

For security reasons, allow access to the Nemesida WAF API only from the IP addresses of the Nemesida WAF, Nemesida AI and Nemesida WAF Scanner servers, for example with host firewall rules or an allow/deny list in the nginx location that fronts the module.

Nemesida WAF API integration
To integrate the Nemesida WAF API with the Nemesida WAF software, follow these steps:

1. On the server with the Nemesida WAF module installed, edit the configuration file /etc/nginx/nwaf/conf/global/nwaf.conf and set the parameters as follows:

nwaf_sys_proxy http://proxy.example.com:3128;
nwaf_api_proxy http://proxy.example.com:3128;
nwaf_api_conf host=http://nwaf-api.example.com:8080/nw-api/;

where nwaf-api.example.com:8080/nw-api/ is the address and port of the server where the Nemesida WAF API module is installed, and http://proxy.example.com:3128 is the proxy server address for accessing Nemesida WAF API.

2. On the server with the Nemesida AI MLC module installed, edit the configuration file /opt/mlc/mlc.conf and set the parameters as follows:

api_uri = http://nwaf-api.example.com:8080/nw-api/
api_proxy = http://proxy.example.com:3128

3. On the server with the Nemesida WAF Scanner module installed, edit the configuration file /opt/nws/main.conf and set the parameters as follows:

api_host = http://nwaf-api.example.com:8080/nw-api/
api_proxy = http://proxy.example.com:3128

4. After making changes, you must restart the services or restart the server.

Other information

While the Nemesida WAF API is running, errors are written to the module's runtime logs in /var/log/uwsgi/app/*.log.

Nemesida WAF API database structure

Information about events entering the Nemesida WAF API module is placed in the waf database in the attack, ml and scan_report tables.

attack

The attack table stores information on the anomalies detected by the Nemesida WAF and Nemesida AI modules.

Parameter Description
id Record ID.
timestamp Date and time the anomaly was recorded.
vhost Virtual host address.
ip Address of the request source.
rule_id Identifier of the rule that detected the anomaly.
method HTTP request method (GET, POST, etc.).
url Request URL.
lm Flag indicating whether the request is subject to the LM mode.
bot Reserved parameter.
mz Zone in which the anomaly occurred (URL, ARGS, BODY, etc.).
param Request parameters.
other_headers, ua, referer, cookie HTTP request headers (User-Agent, Referer and Cookie in their own columns, the remaining headers in other_headers).
description Description of the anomaly.
bt Numeric ID of the detection method (signature analysis, machine learning, etc.).
request_id Request ID.
waf_id WAF ID.
body Request body.
group_id Identifier of the request group when brute-force and DDoS attacks are blocked.
blocked Blocking status of the request.
possible Flag for the Possible status of brute-force, flood and DDoS attacks.
cc Letter code of the country of the request source.
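Since the stated purpose of this table is integration with SIEM-class systems, here is an added example (not the project's code and not its api.sql) that builds the attack table from the column list above in an in-memory SQLite database, loads a few constructed events, runs two queries a connector would typically issue, and renders a row as a CEF line with the header and extension escaping that keeps a crafted URL from injecting fields. The column types, the vendor/product strings in the CEF header and the severity mapping are assumptions; the SQL uses only the common subset so the same statements run against the PostgreSQL waf database (if blocked and possible are stored as boolean there, compare with true/false and cast blocked to integer inside SUM).

```python
"""SIEM-side queries over the Nemesida WAF API attack table.

Added example for this guide, not part of Nemesida WAF or its api.sql. The column
names follow the documentation; the column types, sample events, CEF vendor strings
and severity mapping are assumptions. SQLite stands in for PostgreSQL so it runs offline.
"""
import sqlite3
from typing import List

# Columns in the documented order; types are assumptions for this example.
ATTACK_DDL = """
CREATE TABLE attack (
    id INTEGER PRIMARY KEY, timestamp INTEGER, vhost TEXT, ip TEXT, rule_id INTEGER,
    method TEXT, url TEXT, lm INTEGER, bot INTEGER, mz TEXT, param TEXT,
    other_headers TEXT, ua TEXT, referer TEXT, cookie TEXT, description TEXT,
    bt INTEGER, request_id TEXT, waf_id TEXT, body TEXT, group_id TEXT,
    blocked INTEGER, possible INTEGER, cc TEXT)"""

# Constructed sample events (not captured traffic), in DDL order without id.
SAMPLE_EVENTS = [
    (1700000000, "shop.example", "198.51.100.7", 1001, "GET", "/search?q=1' OR 1=1--", 0, 0,
     "ARGS", "q", "", "curl/8.0", "", "", "SQL injection", 1, "r1", "waf-1", "", None, 1, 0, "NL"),
    (1700000030, "shop.example", "198.51.100.7", 2002, "POST", "/comment", 0, 0,
     "BODY", "text", "", "curl/8.0", "", "", "Cross-site scripting", 1, "r2", "waf-1",
     "text=<script>1</script>", None, 1, 0, "NL"),
    (1700000060, "shop.example", "203.0.113.9", 3001, "POST", "/login", 0, 0,
     "BODY", "password", "", "Mozilla/5.0", "", "", "Brute force", 2, "r3", "waf-1", "", "g-7", 0, 1, "DE"),
    (1700000065, "shop.example", "203.0.113.9", 3001, "POST", "/login", 0, 0,
     "BODY", "password", "", "Mozilla/5.0", "", "", "Brute force", 2, "r4", "waf-1", "", "g-7", 0, 1, "DE"),
    (1700000090, "shop.example", "192.0.2.55", 1001, "GET", "/a|b?x=1=2", 0, 0,
     "URL", "", "", "", "", "", "SQL injection", 1, "r5", "waf-1", "", None, 1, 0, "US"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the attack table in memory and load the constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(ATTACK_DDL)
    conn.executemany("INSERT INTO attack VALUES (NULL" + ", ?" * 23 + ")", SAMPLE_EVENTS)
    return conn


def top_sources(conn: sqlite3.Connection, since: int, limit: int = 10) -> List[sqlite3.Row]:
    """Sources ranked by event count since `since`: ip, cc, events, blocked, distinct rules."""
    return conn.execute(
        """SELECT ip, cc, COUNT(*) AS events, SUM(blocked) AS blocked,
                  COUNT(DISTINCT rule_id) AS rules
           FROM attack WHERE timestamp >= ?
           GROUP BY ip, cc ORDER BY events DESC, ip LIMIT ?""", (since, limit)).fetchall()


def unblocked_possible(conn: sqlite3.Connection) -> List[sqlite3.Row]:
    """Brute-force/flood/DDoS groups marked Possible but not blocked: the ones to alert on."""
    return conn.execute(
        """SELECT group_id, ip, COUNT(*) AS events, MIN(timestamp), MAX(timestamp)
           FROM attack WHERE possible = 1 AND blocked = 0 AND group_id IS NOT NULL
           GROUP BY group_id, ip ORDER BY events DESC""").fetchall()


def _cef_header(value) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value) -> str:
    """CEF extension values: backslash, equals sign and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(row: sqlite3.Row) -> str:
    """Render one attack row as a CEF:0 line; vendor, product and severity are assumptions."""
    severity = 8 if row["blocked"] else 5
    ext = {"src": row["ip"], "dhost": row["vhost"], "requestMethod": row["method"],
           "request": row["url"], "cs1Label": "zone", "cs1": row["mz"],
           "requestClientApplication": row["ua"], "externalId": row["request_id"]}
    extension = " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items() if v)
    return "CEF:0|Nemesida|WAF API|-|%s|%s|%d|%s" % (
        _cef_header(row["rule_id"]), _cef_header(row["description"]), severity, extension)


if __name__ == "__main__":
    db = build_sample_db()
    for r in top_sources(db, since=1700000000):
        print(tuple(r))
    for r in unblocked_possible(db):
        print(tuple(r))
    for r in db.execute("SELECT * FROM attack WHERE blocked = 1"):
        print(to_cef(r))
```

The escaping in to_cef is the part worth copying into a real connector: url, param, body and the header columns are attacker-controlled, so a payload containing `|` or `=` must not be allowed to open a new CEF field when the event is forwarded.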

ml

The ml table stores the training status of the Nemesida AI module.

Parameter Description
waf_id WAF ID.
ml_learning_progress Training progress of the Nemesida AI module, in percent.
vhost Virtual host.

scan_report

The scan_report table stores the findings reported by the Nemesida WAF Scanner module.

Parameter Description
id Record ID.
scan_date Scan date.
content Criticality level of the detected vulnerability.
domain Virtual host.
method HTTP request method (GET, POST, etc.).
param Request parameters.
payload Content of the request payload.
type Type of vulnerability detected (SQLi, XSS, etc.).
url Request URL.
data Request body (for POST requests).
waf_id WAF ID.