Guide to using Nemesida WAF as a Virtual Appliance (virtual disk for KVM/VMware/VirtualBox).

All images are based on the Debian 11 distribution. Before using the products, update the components of the virtual machine:

# apt update && apt upgrade -y

Nemesida WAF dynamic module

Virtual Appliance

The image is intended to filter incoming HTTP/HTTPS requests to the server (via Nginx) and contains the following components:

  • Nginx latest version (Stable);
  • Dynamic module Nemesida WAF;
  • Nemesida AI MLA machine learning agent.

To deploy, you need to do the following:
1. Create a virtual machine using the virtual disk image with the Nemesida WAF dynamic module;
2. Perform basic configuration of Nemesida WAF modules:

  • in the file /etc/nginx/nwaf/conf/global/nwaf.conf:
    • nwaf_license_key – Nemesida WAF license key;
    • nwaf_sys_proxy – proxy server address (if used);
    • nwaf_api_proxy – the address of the proxy server (if used) to access the Nemesida WAF API and Nemesida WAF Signtest;
    • nwaf_api_conf – the address of the Nemesida WAF API server for sending information about detected anomalies.
  • in the file /etc/nginx/nwaf/mla.conf:
    • st_enable – activate the transfer of disputed requests to Nemesida WAF Signtest for subsequent processing;
    • st_uri – the address of the Nemesida WAF Signtest server for processing the results of Nemesida AI.

3. After making changes, restart the services:

# systemctl restart nginx mla_main nwaf_update

4. Create a user of the RabbitMQ service for remote connection of the Nemesida AI MLC module:

# rabbitmqctl add_user USER PASSWORD
# rabbitmqctl set_permissions -p / USER ".*" ".*" ".*"

where USER and PASSWORD are the username and password for connecting the Nemesida AI MLC module.
5. Complete the module setup using the cloud web application.

Nemesida AI MLC

The image is intended to build behavioral models and identify other anomalies (DDoS L7, brute force attacks, etc.). It contains the machine learning module Nemesida AI MLC.

To deploy, you need to do the following:
1. Create a virtual machine using the virtual disk image with the Nemesida AI MLC module;
2. Perform the basic configuration of the Nemesida AI MLC module in the file /opt/mlc/mlc.conf:

  • nwaf_license_key – Nemesida WAF license key;
  • api_uri – address of Nemesida WAF API for sending information about the status of training models and information about detected anomalies;
  • rmq_host – connection parameters to the RabbitMQ service on the server with Nemesida WAF. Multiple values separated by a space are allowed;
  • sys_proxy – the address of the proxy server (if used);
  • api_proxy – the address of the proxy server (if used) to access the Nemesida WAF API and Nemesida WAF Signtest;
  • st_enable – activate the transfer of disputed requests to Nemesida WAF Signtest for subsequent processing;
  • st_uri – the address of the Nemesida WAF Signtest server for processing the results of Nemesida AI.

3. After making changes, restart the service:

# systemctl restart mlc_main

4. Complete the module setup using the cloud web application.

Nemesida WAF WEB

The image is intended for configuring the interaction of components with each other, visualizing information about attacks and managing the training of the Nemesida AI module. It contains the following components:

  • Nginx latest version (stable);
  • Nemesida WAF API;
  • Nemesida WAF Cabinet;
  • Nemesida WAF Signtest.

To deploy, you need to do the following:
1. Create a virtual machine using the virtual disk image with the Nemesida WAF API, Nemesida WAF Cabinet and Nemesida WAF Signtest modules;
2. For the security of web applications, run the scripts:

# /opt/scripts/regen_secret.sh
# /opt/scripts/regen_databases_password.sh

3. Create a user for authorization in Nemesida WAF Cabinet:

# /opt/scripts/create_superuser_cabinet.sh

4. Create a user to log in to Nemesida WAF Signtest:

# /opt/scripts/create_superuser_signtest.sh

5. Make changes to the configuration files of Nemesida WAF modules API, Cabinet and Signtest.

The Nemesida WAF Cabinet and Nemesida WAF Signtest modules use default port 80. For the modules to work correctly, you need to configure their virtual host files.

6. Restart the services:

# systemctl restart nw-api cabinet cabinet_ipinfo cabinet_rule_update cabinet_attack_nottification cabinet_vts cabinet_cleaning_db signtest_ipinfo signtest_rlupd signtest_web signtest_api

Yandex VM

Nemesida WAF dynamic module

The image is intended to filter incoming HTTP/HTTPS requests to the server (via Nginx) and contains the following components:

  • Nginx latest version (Stable);
  • Dynamic module Nemesida WAF;
  • Nemesida AI MLA machine learning agent.

To deploy, you need to do the following:
1. Create a VM with the dynamic module Nemesida WAF;
2. Perform basic configuration of Nemesida WAF modules:

  • in the file /etc/nginx/nwaf/conf/global/nwaf.conf:
    • nwaf_license_key – Nemesida WAF license key;
    • nwaf_sys_proxy – proxy server address (if used);
    • nwaf_api_proxy – the address of the proxy server (if used) to access the Nemesida WAF API and Nemesida WAF Signtest;
    • nwaf_api_conf – the address of the Nemesida WAF API server for sending information about detected anomalies;
    • nwaf_rmq – connection parameters to the local RabbitMQ service on the server with Nemesida WAF.
  • in the file /etc/nginx/nwaf/mla.conf:
    • st_enable – activate the transfer of disputed requests to Nemesida WAF Signtest for subsequent processing;
    • st_uri – the address of the Nemesida WAF Signtest server for processing the results of Nemesida AI.

Requests received by the Nemesida WAF dynamic module are sent for storage to the local RabbitMQ service, from where they are collected for subsequent processing by the Nemesida AI MLC module. It is recommended that the Nemesida AI MLC module receive this data over a secure connection.

To do this, make changes to the configuration file /etc/nginx/nginx.conf or /etc/rabbitmq/rabbitmq.conf on each VM with the dynamic module installed.

Configuration example for nginx.conf:

...
stream {
        server {
                listen 5673 ssl;
                proxy_pass 127.0.0.1:5672;
                ssl_certificate /etc/nginx/SSL/crt/example.ru.crt;
                ssl_certificate_key /etc/nginx/SSL/private/example.ru.key;
        }
}
...

where listen 5673 ssl; sets the port that will be used for the secure connection.

For security reasons, it is recommended to allow access to the servers only from the IP addresses of the virtual machines where the Nemesida AI MLC module is installed; the certificates used for the secure connection must be trusted by those machines.

3. After making changes, restart the services:

# systemctl restart nginx mla_main nwaf_update

4. Create a user of the RabbitMQ service for remote connection of the Nemesida AI MLC module:

# rabbitmqctl add_user USER PASSWORD
# rabbitmqctl set_permissions -p / USER ".*" ".*" ".*"

where USER and PASSWORD are the username and password for connecting the Nemesida AI MLC module.
5. Complete the module setup using the cloud web application.

Nemesida AI MLC

The image is intended to build behavioral models and identify other anomalies (DDoS L7, brute force attacks, etc.). It contains the machine learning module Nemesida AI MLC.

To deploy, you need to do the following:
1. Create a VM with the Nemesida AI MLC module;
2. Perform the basic configuration of the Nemesida AI MLC module in the file /opt/mlc/mlc.conf:

  • nwaf_license_key – Nemesida WAF license key;
  • api_uri – address of Nemesida WAF API for sending information about the status of training models and information about detected anomalies;
  • rmq_host – connection parameters to the RabbitMQ service on the server with Nemesida WAF. Multiple values separated by a space are allowed;
  • sys_proxy – the address of the proxy server (if used);
  • api_proxy – the address of the proxy server (if used) to access the Nemesida WAF API and Nemesida WAF Signtest;
  • st_enable – activate the transfer of disputed requests to Nemesida WAF Signtest for subsequent processing;
  • st_uri – the address of the Nemesida WAF Signtest server for processing the results of Nemesida AI.

For the rmq_host parameter, it is recommended to use a secure connection:

rmq_host = ssl://guest:guest@example.ru:5673

To use an arbitrary port, specify it explicitly; otherwise the standard port 5672 will be used.

Before using a secure connection, it must be configured on each server with the Nemesida WAF dynamic module installed.

If a secure connection is not required, the following form can be used:

rmq_host = guest:guest@example.ru

3. After making changes, restart the service:

# systemctl restart mlc_main

4. Complete the module setup using the cloud web application.
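
A check for the rmq_host value from step 2, added here as an example (not Nemesida's code): it parses the space-separated entries and flags plaintext transport, the guest account from the sample value, and ssl:// entries that fall back to port 5672. The finding names, the placeholder host names and the rule that the last uncommented rmq_host line wins are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): audit the rmq_host value of an mlc.conf-style
# file. Prints one line per entry; returns 1 if any entry has a finding.
audit_rmq_host() (
    conf=${1:-/opt/mlc/mlc.conf}
    set -f   # no globbing: passwords may contain * or ?
    # Assumption: the last uncommented "rmq_host = ..." line is the effective one.
    value=$(sed -n 's/^[[:space:]]*rmq_host[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    rc=0
    for entry in $value; do   # multiple values are separated by spaces
        case $entry in
            ssl://*) transport=tls;   rest=${entry#ssl://} ;;
            *)       transport=plain; rest=$entry ;;
        esac
        case $rest in
            *@*) creds=${rest%@*}; user=${creds%%:*}; hostport=${rest##*@} ;;
            *)   user=-; hostport=$rest ;;
        esac
        case $hostport in
            *:*) host=${hostport%:*}; port=${hostport##*:} ;;
            *)   host=$hostport; port=5672 ;;   # no port given: standard port
        esac
        issues=
        [ "$transport" = plain ] && issues="$issues,plaintext"
        [ "$user" = guest ] && issues="$issues,guest-account"
        # In the nginx example above TLS is on 5673; 5672 is the plain listener.
        [ "$transport" = tls ] && [ "$port" = 5672 ] && issues="$issues,tls-on-5672"
        [ -n "$issues" ] && rc=1
        issues=${issues#,}
        # The password is never printed.
        echo "$host:$port $transport user=$user issues=${issues:-none}"
    done
    exit "$rc"
)

# Constructed sample covering both rmq_host forms; names are placeholders.
sample=$(mktemp)
echo 'rmq_host = ssl://mlc_user:S3cret@waf1.example.ru:5673 guest:guest@example.ru' > "$sample"
audit_rmq_host "$sample" || echo "rmq_host needs attention"
rm -f "$sample"
```

Called without an argument, the function reads /opt/mlc/mlc.conf; the non-zero return makes it usable as a pre-restart gate before systemctl restart mlc_main.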

Nemesida WAF WEB

The image is intended for configuring the interaction of components with each other, visualizing information about attacks and managing the training of the Nemesida AI module. It contains the following components:

  • Nginx latest version (stable);
  • Nemesida WAF API;
  • Nemesida WAF Cabinet;
  • Nemesida WAF Signtest.

To deploy, you need to do the following:
1. Create a VM with the Nemesida WAF API, Nemesida WAF Cabinet and Nemesida WAF Signtest modules;
2. Create a user for authorization in Nemesida WAF Cabinet:

# cd /var/www/app/ && . venv/bin/activate && python3 manage.py migrate && python3 manage.py createsuperuser && deactivate

3. Create a user to log in to Nemesida WAF Signtest:

# cd /var/www/signtest/app/ && . venv/bin/activate && python3 manage.py migrate && python3 manage.py createsuperuser && deactivate

4. Make changes to the configuration files of Nemesida WAF modules API, Cabinet and Signtest.

The Nemesida WAF Cabinet and Nemesida WAF Signtest modules use default port 80. For the modules to work correctly, you need to configure their virtual host files.

5. Restart the services:

# systemctl restart nw-api cabinet cabinet_ipinfo cabinet_rule_update cabinet_attack_nottification cabinet_vts cabinet_cleaning_db signtest_ipinfo signtest_rlupd signtest_web signtest_api