This guide covers the installation of the Nemesida WAF components. It is recommended to install the components in the order in which they appear in this manual.

General information

Network access

For all Nemesida WAF components to work correctly on each server where they are installed, access must be granted:

External resources
  • https://nemesida-security.com;
  • https://geoip.nemesida-security.com;
  • https://nw-auth-extra.nemesida-security.com.
Incoming/outgoing calls to services on servers with installed components
Filtering node
Incoming connections: Nginx (for example, port 80).
Outgoing connections: Nemesida WAF API (for example, port 8080).
Nemesida AI MLC
Outgoing connections:
  • RabbitMQ (for example, port 5672);
  • Nemesida WAF API (for example, port 8080).
Nemesida WAF API/Cabinet
Incoming connections:
  • Nemesida WAF Cabinet (for example, port 80);
  • PostgreSQL (for example, port 5432);
  • Nemesida WAF API (for example, port 8080).
Nemesida WAF Scanner
Outgoing connections:
  • The server of the protected web application (for example, port 80);
  • Nemesida WAF API (for example, port 8080);
  • PostgreSQL (for example, port 5432).
PostgreSQL DBMS
Incoming connections: Nemesida WAF API/Cabinet (for example, port 5432).
Outgoing connections: Nemesida WAF API/Cabinet (for example, port 5432).

Access to services on localhost on servers with installed components.


PostgreSQL DBMS
Before you start installing the Nemesida WAF components, you must prepare the PostgreSQL DBMS to work with the components:

Installation options: Automatic installation; Debian, Ubuntu; RHEL; Docker
To deploy a PostgreSQL DBMS, you can use a script for automatic installation and initialization of the database:

1. Download the script.

2. Run the installation script with the command:

# /bin/bash ./1-postgresql-deploy.sh 'pg_api_pwd=%Password%' 'pg_cabinet_pwd=%Password%' 'api_srv_ip=%Nemesida WAF API server address%'

where:

  • pg_api_pwd – password for the nw_api user that is created for the waf database;
  • pg_cabinet_pwd – password for the nw_cabinet user that is created for the cabinet database (required for the operation of the Nemesida WAF Cabinet component);
  • api_srv_ip – IP address of the Nemesida WAF API server from which the component will be accessed after its configuration.

Debian, Ubuntu

# apt install postgresql

After installing the DBMS:

  • Create the databases for the Nemesida WAF API and Nemesida WAF Cabinet components:

    Nemesida WAF API
    # su - postgres -c "psql -c \"CREATE DATABASE waf;\""
    # su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'YOUR_PASSWORD';\""
    # su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf TO nw_api;\""
    # su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""
    # su - postgres -c "psql waf -c \"GRANT ALL ON ALL TABLES IN SCHEMA public TO nw_api;\""
    # su - postgres -c "psql waf -c \"GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO nw_api;\""
    # su - postgres -c "psql waf -c \"GRANT CREATE ON SCHEMA public TO nw_api;\""
    

    YOUR_PASSWORD is an example password and is not recommended for use.

    Nemesida WAF Cabinet
    # su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""
    # su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'YOUR_PASSWORD';\""
    # su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet TO nw_cabinet;\""
    # su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""
    # su - postgres -c "psql cabinet -c \"GRANT ALL ON ALL TABLES IN SCHEMA public TO nw_cabinet;\""
    # su - postgres -c "psql cabinet -c \"GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO nw_cabinet;\""
    # su - postgres -c "psql cabinet -c \"GRANT CREATE ON SCHEMA public TO nw_cabinet;\""
    

    YOUR_PASSWORD is an example password and is not recommended for use.

  • Grant access to external component connections by making changes to the configuration file pg_hba.conf:

    Example:

    # IPv4 local connections:
    host    all             all             10.1.1.0/24            md5
    
RHEL

Configure the SELinux policy or deactivate it with the command:

# setenforce 0

then edit the /etc/selinux/config file so that it reads:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Install and configure the PostgreSQL DBMS:

# dnf update
# dnf install postgresql-devel postgresql-server
# postgresql-setup initdb
# sed -i "s|host    all             all             127.0.0.1/32            ident|host    all             all             127.0.0.1/32            md5|" /var/lib/pgsql/data/pg_hba.conf
# sed -i "s|host    all             all             ::1/128                 ident|host    all             all             ::1/128                 md5|" /var/lib/pgsql/data/pg_hba.conf
# systemctl start postgresql
# systemctl enable postgresql

After installing the DBMS:

  • Create the databases for the Nemesida WAF API and Nemesida WAF Cabinet components:

    Nemesida WAF API
    # su - postgres -c "psql -c \"CREATE DATABASE waf;\""
    # su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'YOUR_PASSWORD';\""
    # su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf TO nw_api;\""
    # su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""
    # su - postgres -c "psql waf -c \"GRANT ALL ON ALL TABLES IN SCHEMA public TO nw_api;\""
    # su - postgres -c "psql waf -c \"GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO nw_api;\""
    # su - postgres -c "psql waf -c \"GRANT CREATE ON SCHEMA public TO nw_api;\""
    

    YOUR_PASSWORD is an example password and is not recommended for use.

    Nemesida WAF Cabinet
    # su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""
    # su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'YOUR_PASSWORD';\""
    # su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet TO nw_cabinet;\""
    # su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""
    # su - postgres -c "psql cabinet -c \"GRANT ALL ON ALL TABLES IN SCHEMA public TO nw_cabinet;\""
    # su - postgres -c "psql cabinet -c \"GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO nw_cabinet;\""
    # su - postgres -c "psql cabinet -c \"GRANT CREATE ON SCHEMA public TO nw_cabinet;\""
    

    YOUR_PASSWORD is an example password and is not recommended for use.

  • Grant access to external component connections by making changes to the configuration file pg_hba.conf:

    Example:

    # IPv4 local connections:
    host    all             all             10.1.1.1/32            md5
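
An added example (not part of the Nemesida WAF documentation): a shell function that lists the pg_hba.conf rules admitting more than the two role/database pairs created above (nw_api on waf, nw_cabinet on cabinet) from a single component server. It applies to both pg_hba.conf examples in this guide (10.1.1.0/24 and 10.1.1.1/32); the function names, finding labels and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Nemesida WAF documentation.
# Lists pg_hba.conf TCP rules that admit more than the two role/database
# pairs created in this guide (nw_api on waf, nw_cabinet on cabinet).
# Output per rule: "<line>: <findings>: <database> <user> <address>"
audit_pg_hba() {
    awk '
    /^[ \t]*(#|$)/ { next }            # comments and blank lines
    $1 !~ /^host/  { next }            # "local" rules carry no address
    {
        db = $2; user = $3; addr = $4; method = $5; mask = ""
        # "address netmask" form: the method moves one column to the right
        if (addr !~ /\// && $5 ~ /^[0-9.]+$|:/) { mask = $5; method = $6 }
        if (addr ~ /^127\./ || addr ~ /^::1(\/|$)/) next   # loopback rules

        out = ""
        if (!((db == "waf" && user == "nw_api") ||
              (db == "cabinet" && user == "nw_cabinet")))
            out = out ",scope"         # not one of the two expected pairs
        if (is_range(addr, mask))
            out = out ",range"         # more than one client address
        if (method == "trust")
            out = out ",trust"         # no password is requested
        if (out != "")
            printf "%d: %s: %s %s %s\n", NR, substr(out, 2), db, user, addr
    }
    function is_range(a, m,    p) {
        if (a == "all" || a == "samenet") return 1
        if (m != "") return (m != "255.255.255.255")
        if (split(a, p, "/") != 2) return 0      # host name or samehost
        return (p[2] + 0 < ((p[1] ~ /:/) ? 128 : 32))
    }' "${1:--}"
}

# Constructed sample; the addresses are the ones used in this guide.
sample_rules() {
    cat <<'EOF'
local   all      all                                  peer
host    all      all         127.0.0.1/32             md5
host    all      all         10.1.1.0/24              md5
host    waf      nw_api      10.1.1.1/32              md5
host    cabinet  nw_cabinet  10.1.1.0  255.255.255.0  md5
host    waf      nw_api      10.1.1.1/32              trust
EOF
}

# Audit the file named in $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then audit_pg_hba "$1"; else sample_rules | audit_pg_hba; fi
```

A rule that prints nothing is already limited to one of the two pairs and a single client address.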
    
Docker

Information about using PostgreSQL in a Docker container is available in the corresponding section.
Nemesida WAF API
The Nemesida WAF API is designed for components to interact with each other, as well as to receive information about incidents and identified vulnerabilities and pass it to the database. To install the component:

1. Provide access to external resources for the component to work correctly;
2. Install the component using one of the following methods:

Installation options: Automatic installation; Installation from the repository; Docker

1. Download the script;

2. Run the installation script with the command:

# /bin/bash ./2-api-deploy.sh 'pg_srv_ip=%PostgreSQL server address%' 'pg_srv_port=%PostgreSQL port%' 'pg_api_pwd=%Password%' 'api_proxy=%Proxy server address%'

where:

  • pg_srv_ip – IP address of the server hosting the waf database;
  • pg_srv_port – port of the server hosting the waf database;
  • pg_api_pwd – password of the nw_api user for the waf database;
  • api_proxy – (Optional) IP address of the proxy server for component access to external resources (e.g. http://proxy.example.com:3128).

Before installing the module, be sure to check access to the created database by connecting to it with the command: psql -h <server_ip> -U nw_api waf. When connecting, enter the password of the nw_api user.

The installation guide for the component is available in the corresponding section.
Information about using the component in a Docker container is available in the corresponding section.
Nemesida WAF Cabinet
The component is designed to visualize and systematize information about attacks and identified vulnerabilities, as well as manage the settings of Nemesida WAF and Nginx web server. To install the component:

1. Provide access to external resources for the component to work correctly;
2. Install the component using one of the following methods:

Installation options: Automatic installation; Installation from the repository; Docker

1. Download the script;

2. Run the installation script with the command:

# /bin/bash ./3-cabinet-deploy.sh 'pg_srv_ip=%PostgreSQL server address%' 'pg_srv_port=%PostgreSQL port%' 'pg_api_pwd=%Password%' 'pg_cabinet_pwd=%Password%' 'api_url=%Nemesida WAF API URL%' 'proxy=%Proxy server address%' 'api_proxy=%Proxy server address%'

where:

  • pg_srv_ip – IP address of the database server;
  • pg_srv_port – database server port;
  • pg_api_pwd – password of the nw_api user for the waf database;
  • pg_cabinet_pwd – password of the nw_cabinet user for the cabinet database;
  • api_url – the address of the server from which the Nemesida WAF API component will be accessed after its configuration (e.g. http://api.example.com:8080/nw-api/);
  • proxy – (Optional) IP address of the proxy server for component access to external resources (e.g. http://proxy.example.com:3128);
  • api_proxy – (Optional) IP address of the proxy server for interacting with the Nemesida WAF API (e.g. http://proxy.example.com:3128).

Before installing the module, be sure to check access to the created database by connecting to it with the command: psql -h <server_ip> -U nw_cabinet cabinet. When connecting, enter the password of the nw_cabinet user.

The installation guide for the component is available in the corresponding section.
Information about using the component in a Docker container is available in the corresponding section.
Filtering node
The filtering node is designed to analyze requests and decide whether to block them in case signs of attacks or other anomalies are detected. To install the component:

1. Provide access to external resources for the component to work correctly;
2. Install the component using one of the following methods:

Installation options: Automatic installation; Installation from the repository; Docker

1. Download the script;

2. Run the installation script with the command:

# /bin/bash ./4-filtering-node-deploy.sh 'nwaf_lic_key=%Licence key%' 'api_url=%Nemesida WAF API URL%' 'sys_proxy=%Proxy server address%' 'api_proxy=%Proxy server address%'

where:

  • nwaf_lic_key – a license key;
  • api_url – the address of the server from which the Nemesida WAF API component will be accessed after its configuration (e.g. http://api.example.com:8080/nw-api/);
  • sys_proxy – (Optional) IP address of the proxy server for component access to external resources (e.g. http://proxy.example.com:3128);
  • api_proxy – (Optional) IP address of the proxy server for interacting with the Nemesida WAF API (e.g. http://proxy.example.com:3128).
The installation guide for the component is available in the corresponding section.

After installing the component, you must:

  • Integrate the component with the Nemesida WAF API.
Information about using the component in a Docker container is available in the corresponding section.
Nemesida AI MLC
The machine learning module consists of the Nemesida AI MLA machine learning agent (included in the nwaf-dyn package and, as a rule, does not require configuration) and the Nemesida AI MLC machine learning module. To install the component:

1. Provide access to external resources for the component to work correctly;
2. Install the component using one of the following methods:

Installation options: Automatic installation; Installation from the repository; Docker

1. Download the script;

2. Run the installation script with the command:

# /bin/bash ./5-mlc-deploy.sh 'nwaf_lic_key=%Licence key%' 'api_url=%Nemesida WAF API URL%' 'rmq_endpoints=%RabbitMQ endpoints info%' 'sys_proxy=%Proxy server address%' 'api_proxy=%Proxy server address%'

where:

  • nwaf_lic_key – a license key;
  • api_url – the address of the server from which the Nemesida WAF API component will be accessed after its configuration (e.g. http://api.example.com:8080/nw-api/);
  • rmq_endpoints – details of connecting to the RabbitMQ queue on filtering node (e.g. guest:guest@127.0.0.1);
  • sys_proxy – (Optional) IP address of the proxy server for component access to external resources (e.g. http://proxy.example.com:3128);
  • api_proxy – (Optional) IP address of the proxy server for interacting with the Nemesida WAF API (e.g. http://proxy.example.com:3128).
The installation guide for the component is available in the corresponding section.

After installing the component, you must:

  • Integrate the component with the Filtering node.
  • Integrate the component with the Nemesida WAF API.
Information about using the component in a Docker container is available in the corresponding section.
Checking the configuration of Nemesida WAF
Before activating web application protection, it is necessary to make sure that all components of Nemesida WAF are active and interact correctly with each other. To do this, follow these steps:

1. Check the logs of each component for possible errors:

Nemesida WAF API:
  • /var/log/nw-api/*.log
Nemesida WAF Cabinet:
  • /var/log/uwsgi/cabinet/*.log
Nemesida AI MLC:
  • /var/log/nwaf/mlc.log
Filtering node:
  • /var/log/nginx/error.log
  • /var/log/nwaf/nwaf_update.log
  • /var/log/nwaf/mla.log
  • /var/log/nwaf/naf/error.log
  • /var/log/rabbitmq/rabbit@%hostname%.log
  • /var/log/rabbitmq/rabbitmq-server.error.log
Nemesida WAF Scanner:
  • /var/log/nwaf/nws.log

2. Send a test request to the server of the filtering node with the test signature nwaftest:

# curl -i http://WAF_SERVER/nwaftest

and make sure that the filtering node returns response code 403 and that the log /var/log/nginx/error.log contains an entry about the block:

Nemesida WAF: the request ... blocked by rule ID 1 in zone URL, ...

If the request is not blocked, follow the steps in the corresponding section.

3. Go to Nemesida WAF Cabinet and make sure that an entry about the blocked request appears on the page.

If the request is blocked but is not displayed on the page, follow the steps in the corresponding section.

Activating Web Application protection
After completing the basic configuration of the filtering node and testing its operation, you can proceed to activate the protection of the web application. As a rule, the web application server and the filtering node are different servers, so incoming requests from clients will not automatically be sent to the filtering node server for analysis. To activate the protection of a web application, you need to configure the filtering node as an intermediate server that will receive and analyze client requests, and then block/redirect them to the server of the protected web application. One of the methods of configuring the interaction between the filtering node and the protected web application is a “reverse proxy”. To do this, follow these steps:

1. Activate the parameters of the monitoring mode (passive mode) of the filtering node in Nemesida WAF Cabinet:

  • Activating the request analysis monitoring mode for an IP address:
  • Activating the request analysis monitoring mode for the virtual host:

The monitoring mode (passive mode) is designed to prevent blocking requests for the setup period. Activation of the monitoring mode for an IP address is used in cases where it is necessary to exclude blocking when accessing from a certain list of IP addresses (as a rule, from IP addresses belonging to the IT department that configure components), and activation of the monitoring mode for a virtual host eliminates blocking requests for all clients of the web application.

2. Configure the filtering node as a reverse proxy using the appropriate section guide;

3. Redefine the correspondence of the IP address and the domain name so that requests arrive at the filtering node (for example, by editing the DNS A record).

After completing the configuration of the components, deactivate the monitoring mode parameters and make sure that the protection is active by sending a test request to the filtering node:

# curl -i http://YOUR_SERVER/nwaftest
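
The nwaftest request from step 2 of the configuration check, and the repeat of it after monitoring mode is deactivated, as an added shell example (not part of the Nemesida WAF documentation). It accepts only a log entry written after the request was sent; the function names, result labels and script file name are assumptions, and the log pattern is the entry text quoted in this guide.

```shell
#!/bin/sh
# Added example, not part of the Nemesida WAF documentation.
# Runs the nwaftest check from this guide and accepts only a log entry
# written after the request, so an entry from an earlier run cannot pass.
NWAF_ENTRY='Nemesida WAF: the request .* blocked by rule ID 1 in zone URL'

# Prints the HTTP status code returned for http://<host>/nwaftest.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' "http://$1/nwaftest"
}

# nwaf_selftest HOST [LOG] prints one of:
#   blocked         403 returned and a new matching entry is in LOG
#   not-blocked     any other response code (for example while monitoring
#                   mode is still active)
#   blocked-no-log  403 returned, but no new matching entry in LOG
nwaf_selftest() {
    log=${2:-/var/log/nginx/error.log}
    before=$(wc -l < "$log")            # entries present before the request
    code=$(fetch_status "$1") || code=000
    if [ "$code" != 403 ]; then
        echo "not-blocked"; return 1
    fi
    # search only the lines appended after the request was sent
    if tail -n "+$((before + 1))" "$log" | grep -q "$NWAF_ENTRY"; then
        echo "blocked"
    else
        echo "blocked-no-log"; return 2
    fi
}

# Usage (hypothetical file name): sh nwaf-selftest.sh WAF_SERVER [error.log]
if [ -n "${1:-}" ]; then nwaf_selftest "$@"; fi
```

Run it on the filtering node itself, where /var/log/nginx/error.log is readable.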
Activation of Nemesida AI

Behavioral models

It is recommended to test the quality of the machine learning module after completing the training of the behavioral model and activating the automatic blocking of IP addresses of sources of illegitimate requests.

To activate the Nemesida AI machine learning module, follow these steps in Nemesida WAF Cabinet:

  • Create a list of virtual hosts for which a behavioral model will be created and applied:

In case of problems related to the processing of requests by the machine learning module, follow the steps in the corresponding section of the manual.

Activation of detection of DDoS/brute-force/flood attacks

To activate the mechanism for detecting brute-force/flood/DDoS attacks by the Nemesida AI machine learning module, follow these steps in Nemesida WAF Cabinet:

  • Activate the parameters for detecting DDoS attacks:

  • Activate the parameters for detecting brute-force/flood attacks:
