This guide covers the installation of Nemesida WAF components. It is recommended to install the components in the order given in the manual.
External resources access
For all Nemesida WAF components to work correctly on each server where they are installed, you must provide access to external resources:
- https://nemesida-security.com;
- https://nw-auth-extra.nemesida-security.com;
- http(s)://geoip.nemesida-security.com.
# apt install postgresql
After installing the DBMS:
- Create a database for Nemesida WAF API components and a Nemesida WAF Cabinet:
- Grant access to external component connections by making changes to the configuration file pg_hba.conf:
Example:
# IPv4 local connections:
host all all 10.1.1.0/24 md5
# setenforce 0
then bring the /etc/selinux/config file to the form:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Install and configure the PostgreSQL DBMS:
# dnf update
# dnf install postgresql-devel postgresql-server
# postgresql-setup initdb
# sed -i "s|host all all 127.0.0.1/32 ident|host all all 127.0.0.1/32 md5|" /var/lib/pgsql/data/pg_hba.conf
# sed -i "s|host all all ::1/128 ident|host all all ::1/128 md5|" /var/lib/pgsql/data/pg_hba.conf
# systemctl start postgresql
# systemctl enable postgresql
After installing the DBMS:
- Create a database for Nemesida WAF API components and a Nemesida WAF Cabinet:
- Grant access to external component connections by making changes to the configuration file pg_hba.conf:
Example:
# IPv4 local connections:
host all all 10.1.1.1/32 md5
1. Upload the script.
2. Run the installation script with the command:
/bin/bash ./1-postgresql-deploy.sh 'pg_api_pwd=xxx' 'pg_cabinet_pwd=xxx' 'api_srv_ip=x.x.x.x'
where:
- pg_api_pwd – password for creating a user nw_api for the database waf;
- pg_cabinet_pwd – password for creating a user nw_cabinet for the database cabinet (required for the operation of the Nemesida WAF Cabinet component);
- api_srv_ip – the IP address of the server from which the component will be accessed after its configuration.
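The pg_hba.conf examples above admit every user to every database, while the deploy script creates the specific pairs nw_api/waf and nw_cabinet/cabinet, so rules can name them. The audit below is an added example, not part of the Nemesida WAF documentation; it flags host rules broader than a single database, user and address. The function name, finding labels and sample file are assumptions, and whether a component needs only its own pair should be confirmed against that component's guide.

```shell
#!/usr/bin/env bash
# Added example: report pg_hba.conf "host" rules that are broader than needed.
# Prints "<line number>: <findings>" for each rule that deserves a second look.
pg_hba_audit() {   # $1 = path to pg_hba.conf
    awk '
    function add(s) { why = why (why == "" ? "" : ",") s }
    NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
    $1 !~ /^host/        { next }        # only network rules (host, hostssl, ...)
    {
        why = ""
        # A separate netmask column shifts the auth method one field right.
        method = ($5 ~ /[.:]/) ? $6 : $5
        split($4, cidr, "/")
        if ($2 == "all" && $3 == "all") { add("all-db-all-user") }
        if ($4 == "all" || $4 ~ /\/0$/ || $5 == "0.0.0.0") {
            add("any-address")
        } else if ($4 ~ /^[0-9.]+\/[0-9]+$/ && cidr[2] + 0 < 32) {
            add("wider-than-host")
        }
        if (method == "trust") { add("trust") }
        if (why != "") { print NR ": " why }
    }' "$1"
}

# Constructed sample: the two rules from this guide, a rule scoped to the
# nw_api/waf pair, and a deliberately open rule for contrast.
sample=$(mktemp)
printf '%s\n' \
    '# IPv4 local connections:' \
    'host all all 10.1.1.0/24 md5' \
    'host waf nw_api 10.1.1.1/32 md5' \
    'host all all 10.1.1.1/32 md5' \
    'host all all 0.0.0.0/0 trust' > "$sample"
pg_hba_audit "$sample"
rm -f "$sample"
```

Only the scoped rule on line 3 of the sample passes without a finding.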
- Provide access to external resources for the component to work correctly;
- Install the component by following the installation guide.
After the configuration is complete, restart the services:
# systemctl restart nw-api rldscupd nginx memcached
# systemctl status nw-api rldscupd nginx memcached
- Provide access to external resources for the component to work correctly;
- Install the component by following the installation guide;
- Perform integration of the component with the Nemesida WAF API.
After the configuration is complete, restart the services:
# systemctl restart nginx cabinet cabinet_ipinfo cabinet_attack_notification cabinet_cleaning_db cabinet_rule_update memcached
# systemctl status nginx cabinet cabinet_ipinfo cabinet_attack_notification cabinet_cleaning_db cabinet_rule_update memcached
- Provide access to external resources for the component to work correctly;
- Install the component by following the installation guide;
- Perform integration of the component with the Nemesida WAF API.
After the configuration is complete, restart the services:
# systemctl restart nginx rabbitmq-server memcached nwaf_update mla_main api_firewall
# systemctl status nginx rabbitmq-server memcached nwaf_update mla_main api_firewall
- Provide access to external resources for the component to work correctly;
- Install the component by following the installation guide;
- Perform integration of the component with the filtering node;
- Perform integration of the component with the Nemesida WAF API.
After the configuration is complete, restart the services:
# systemctl restart mlc_main rabbitmq-server memcached
# systemctl status mlc_main rabbitmq-server memcached
1. Check the logs of each component for possible errors:
Nemesida WAF API: /var/log/uwsgi/nw-api/*.log
/var/log/uwsgi/cabinet/*.log
/var/log/nwaf/mlc.log
/var/log/nginx/error.log
/var/log/nwaf/nwaf_update.log
/var/log/nwaf/mla.log
/var/log/nwaf/naf/error.log
/var/log/rabbitmq/rabbit@%hostname%.log
/var/log/rabbitmq/rabbitmq-server.error.log
/var/log/nwaf/nws.log
2. Send a test request with the test signature nwaftest to the server of the filtering node:
# curl -i http://WAF_SERVER/nwaftest
and make sure that the server of the filtering node returns the response code 403, and that the log /var/log/nginx/error.log contains an entry about the block:
Nemesida WAF: the request ... blocked by rule ID 1 in zone URL, ...
If the request is not blocked, follow the steps in the corresponding section.
3. Go to Nemesida WAF Cabinet and make sure that an entry about the blocked request appears on the page.
If the request is blocked but is not displayed on the page, follow the steps in the corresponding section.
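The check from step 2 as a script, added here as an example that is not part of the Nemesida WAF documentation. It counts only log entries written after the probe, so an entry left by an earlier test does not pass for a fresh block. The function names and verdict strings are assumptions, and the constructed log line fills the guide's elided fields with made-up values.

```shell
#!/usr/bin/env bash
# Added example: evaluate the /nwaftest check (status code + new log entry).

# Entry text as shown in the guide; ".*" covers the fields the guide elides.
NWAF_BLOCK_RE='Nemesida WAF: the request .* blocked by rule ID 1 in zone URL'

# Send the test signature and print only the HTTP status code ("000" on failure).
nwaf_probe() {   # $1 = WAF_SERVER
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "http://$1/nwaftest" || true
}

# Count block entries written after the first $2 lines of log file $1.
nwaf_new_block_entries() {
    [ -r "$1" ] || { echo 0; return 0; }
    tail -n "+$(( ${2:-0} + 1 ))" "$1" | grep -c -E "$NWAF_BLOCK_RE" || true
}

# Turn a status code and the log evidence into one verdict.
nwaf_verdict() {   # $1 = HTTP status, $2 = log file, $3 = lines present before the probe
    local code="$1" hits
    hits=$(nwaf_new_block_entries "$2" "${3:-0}")
    if [ "$code" != "403" ]; then
        echo "NOT_BLOCKED"          # monitoring mode still active, or see troubleshooting
    elif [ "$hits" -eq 0 ]; then
        echo "BLOCKED_NOT_LOGGED"   # 403 returned, but no matching new entry in the log
    else
        echo "BLOCKED_AND_LOGGED"
    fi
}

# Live run on the filtering node: remember the log length, probe, then judge.
nwaf_verify() {    # $1 = WAF_SERVER, $2 = log file (default: nginx error log)
    local log="${2:-/var/log/nginx/error.log}" before=0
    if [ -r "$log" ]; then before=$(wc -l < "$log"); fi
    nwaf_verdict "$(nwaf_probe "$1")" "$log" "$before"
}

# Offline demo on a constructed log line (values replacing "..." are made up).
demo_log=$(mktemp)
echo '2024/05/01 10:00:00 [error] 100#100: *1 Nemesida WAF: the request 0a1b2c blocked by rule ID 1 in zone URL, client: 192.0.2.10' > "$demo_log"
nwaf_verdict 403 "$demo_log" 0
nwaf_verdict 403 "$demo_log" 1
nwaf_verdict 200 "$demo_log" 0
rm -f "$demo_log"
```

On the filtering node, `nwaf_verify WAF_SERVER` runs the live check; the same call fits the re-test after monitoring mode is deactivated.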
1. Activate the parameters of the monitoring mode (passive mode) of the filtering node in Nemesida WAF Cabinet:
- Activating the request analysis monitoring mode for an IP address:
- Activating the request analysis monitoring mode for the virtual host:
The monitoring mode (passive mode) prevents requests from being blocked during the setup period. Activating it for an IP address excludes blocking for requests from a specific list of IP addresses (as a rule, addresses belonging to the IT department that configures the components), while activating it for a virtual host excludes blocking for all clients of the web application.
2. Configure the filtering node as a reverse proxy by following the guide in the corresponding section;
3. Redefine the correspondence of the IP address and the domain name so that requests arrive at the filtering node (for example, by editing the DNS A record).
After completing the configuration of the components, deactivate the monitoring mode parameters and make sure that protection is active by sending a test request to the filtering node:
# curl -i http://YOUR_SERVER/nwaftest
Behavioral models
For the machine learning module to work correctly, we recommend creating a behavioral model for each specific web application.
It is recommended to test the quality of the machine learning module after completing the training of the behavioral model and activating the automatic blocking of IP addresses of sources of illegitimate requests.
To activate the Nemesida AI machine learning module, follow these steps in Nemesida WAF Cabinet:
In case of problems related to the processing of requests by the machine learning module, follow the steps in the corresponding section of the manual:
- After completing the training, there is no request analysis by the machine learning module;
- The machine learning module blocks legitimate requests.
Activation of detection of DDoS/Brute/Flood attacks
To activate the mechanism for detecting brute force/flood/DDoS attacks by the Nemesida AI machine learning module, follow these steps in Nemesida WAF Cabinet: