This guide describes the installation of the Nemesida WAF components. Install the components in the order in which they appear in the manual.
External resources access
For all Nemesida WAF components to work correctly, every server on which they are installed must be able to reach the following external resources:
- https://nemesida-security.com;
- https://nw-auth-extra.nemesida-security.com;
- http(s)://geoip.nemesida-security.com.
If outbound traffic leaves through a proxy, the same proxy address is later passed to the deploy scripts (the api_proxy, proxy and sys_proxy parameters), so verify reachability through that proxy rather than directly.
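The script below is an added example and is not part of the Nemesida WAF guide or product. Run from a server before installing a component, it checks that every resource listed above answers, optionally through a proxy given in the form the deploy scripts accept (http://proxy.example.com:3128). The host names are the ones listed above; the script name, the `run` argument and the 10-second timeout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Nemesida WAF guide: check that this server can
# reach the external resources listed above, optionally through the proxy that
# will later be passed to the deploy scripts as api_proxy/sys_proxy.
# Usage: sh nwaf-egress-check.sh run [http://proxy.example.com:3128]

# The resources named in the guide; "http(s)://" is expanded to both schemes.
NWAF_RESOURCES="https://nemesida-security.com
https://nw-auth-extra.nemesida-security.com
http(s)://geoip.nemesida-security.com"

# expand_scheme URL: print one URL per line, turning http(s):// into http:// and https://.
expand_scheme() {
    case "$1" in
        'http(s)://'*)
            host=$(printf '%s' "$1" | sed 's|^http(s)://||')
            printf 'http://%s\nhttps://%s\n' "$host" "$host" ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}

# http_status URL [PROXY]: print the HTTP status code, or 000 when DNS, connect,
# TLS or the proxy failed. -o /dev/null discards the body; only reachability matters.
http_status() {
    url=$1; proxy=${2:-}
    if [ -n "$proxy" ]; then
        code=$(curl -sS -o /dev/null --max-time 10 --proxy "$proxy" -w '%{http_code}' "$url" 2>/dev/null) || code=000
    else
        code=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code}' "$url" 2>/dev/null) || code=000
    fi
    printf '%s\n' "$code"
}

# status_ok CODE: true for any real HTTP status. A 403 or 404 still proves the
# host answered; only 000 (no response at all) is a failure for this check.
status_ok() {
    case "$1" in
        [1-5][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_all [PROXY]: test every resource, print a report, fail if any is unreachable.
check_all() {
    proxy=${1:-}; failed=0
    for entry in $NWAF_RESOURCES; do
        for url in $(expand_scheme "$entry"); do
            code=$(http_status "$url" "$proxy")
            if status_ok "$code"; then
                printf 'OK   %s (HTTP %s)\n' "$url" "$code"
            else
                printf 'FAIL %s (no response%s)\n' "$url" "${proxy:+ via $proxy}"
                failed=$((failed + 1))
            fi
        done
    done
    [ "$failed" -eq 0 ]
}

# Only run when invoked with "run", so the functions can be sourced from other scripts.
if [ "${1:-}" = "run" ]; then
    check_all "${2:-}"
fi
```

A non-zero exit means at least one resource did not answer; fix DNS, the firewall egress rules or the proxy before running the deploy script, since the components cannot verify the license or fetch updates without these hosts.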
PostgreSQL
Install the PostgreSQL DBMS using one of the following methods.
Installation using the script:
1. Download the script;
2. Run the installation script with the command:
# /bin/bash ./1-postgresql-deploy.sh 'pg_api_pwd=%Password%' 'pg_cabinet_pwd=%Password%' 'api_srv_ip=%Nemesida WAF API server address%'
where:
- pg_api_pwd – password of the nw_api user, which is created for the waf database;
- pg_cabinet_pwd – password of the nw_cabinet user, which is created for the cabinet database (required for the Nemesida WAF Cabinet component);
- api_srv_ip – IP address of the Nemesida WAF API server, from which the database will be accessed once the component is configured.
Use strong, unique passwords: any host admitted by pg_hba.conf that knows them can read and modify the waf and cabinet databases.
Manual installation (Debian-based systems, apt):
# apt install postgresql
After installing the DBMS:
- Create the databases for the Nemesida WAF API and Nemesida WAF Cabinet components:
- Grant access for connections from the other components by editing the configuration file pg_hba.conf (on Debian-based systems it is located in /etc/postgresql/<version>/main/):
Example:
# IPv4 local connections:
host all all 10.1.1.0/24 md5
The example admits every host in 10.1.1.0/24 to every database; narrow it to the component hosts (/32) and to the waf and cabinet databases where possible. Connections from other hosts also require listen_addresses in postgresql.conf to include the server's address (the default is localhost); restart PostgreSQL after changing it, and reload it after every change to pg_hba.conf.
Manual installation (RHEL-based systems, dnf):
Disable SELinux:
# setenforce 0
then bring the /etc/selinux/config file to the form:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Note that setenforce 0 takes effect immediately, while the change in the file applies from the next boot. Disabling SELinux removes a hardening layer from the database server, so keep pg_hba.conf and the host firewall restricted to the component hosts.
Install and configure the PostgreSQL DBMS:
# dnf update
# dnf install postgresql-devel postgresql-server
# postgresql-setup initdb
# sed -i "s|host all all 127.0.0.1/32 ident|host all all 127.0.0.1/32 md5|" /var/lib/pgsql/data/pg_hba.conf
# sed -i "s|host all all ::1/128 ident|host all all ::1/128 md5|" /var/lib/pgsql/data/pg_hba.conf
# systemctl start postgresql
# systemctl enable postgresql
The two sed commands switch the loopback entries from ident to password authentication. Their patterns match only when the fields are separated by single spaces; the stock pg_hba.conf pads the fields with several spaces, so check the result with grep -E '^host' /var/lib/pgsql/data/pg_hba.conf and edit the two lines by hand if they still read ident.
After installing the DBMS:
- Create the databases for the Nemesida WAF API and Nemesida WAF Cabinet components:
- Grant access for connections from the other components by editing the configuration file pg_hba.conf:
Example:
# IPv4 local connections:
host all all 10.1.1.1/32 md5
Reload PostgreSQL after editing pg_hba.conf so that the new entry takes effect.
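The pg_hba.conf examples on this page grant `all all` access to a whole subnet (10.1.1.0/24, apt-based systems) or to a single host (10.1.1.1/32, dnf-based systems) with md5. The script below is an added example, not part of the guide or product: it audits a pg_hba.conf for the entries a reviewer would flag (trust, any-address networks, `all all` on a non-loopback network, md5) and prints an entry scoped to one database and one role per component host. The database and role names (waf/nw_api, cabinet/nw_cabinet) are the guide's; the sample file, the 10.1.1.10 and 10.1.1.11 addresses and the script name are constructed.

```shell
#!/bin/sh
# Added example, not part of the Nemesida WAF guide: audit the pg_hba.conf
# entries that open PostgreSQL to the network and print a least-privilege entry
# for a component host. It applies to both examples above (10.1.1.0/24 on
# apt-based systems, 10.1.1.1/32 on dnf-based systems).
# Usage: sh pg-hba-audit.sh audit /var/lib/pgsql/data/pg_hba.conf
#        sh pg-hba-audit.sh            (runs against the constructed sample below)

# Constructed sample of a pg_hba.conf after following the guide. The 10.1.1.10
# host and the 0.0.0.0/0 "trust" line are illustrative only.
SAMPLE_HBA='# TYPE  DATABASE  USER    ADDRESS        METHOD
local   all       all                    peer
host    all       all     127.0.0.1/32   md5
host    all       all     ::1/128        md5
# IPv4 local connections:
host    all       all     10.1.1.0/24    md5
host    all       all     0.0.0.0/0      trust
host    waf       nw_api  10.1.1.10/32   scram-sha-256'

# audit_hba: read pg_hba.conf on stdin, print one finding per risky host* line.
# Assumes the CIDR form of ADDRESS (one field), which is what the guide uses.
audit_hba() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 ~ /^host/ {
        db = $2; user = $3; addr = $4; method = $5
        loopback = (addr == "127.0.0.1/32" || addr == "::1/128")
        if (method == "trust")
            printf "CRITICAL line %d: trust lets %s/%s from %s in without a password\n", NR, db, user, addr
        if (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all")
            printf "CRITICAL line %d: entry is reachable from any address (%s)\n", NR, addr
        if (!loopback && db == "all" && user == "all")
            printf "WARN line %d: %s may open every database as any user; restrict to waf/nw_api and cabinet/nw_cabinet\n", NR, addr
        if (method == "md5")
            printf "INFO line %d: md5 in use; scram-sha-256 is preferable where server and clients support it\n", NR
    }'
}

# hba_entry DB USER CIDR: one entry per component host, scoped to its database and role.
hba_entry() {
    printf 'host    %s    %s    %s    scram-sha-256\n' "$1" "$2" "$3"
}

if [ "${1:-}" = "audit" ]; then
    audit_hba < "${2:?pg_hba.conf path required}"
else
    echo "Findings for the constructed sample:"
    printf '%s\n' "$SAMPLE_HBA" | audit_hba
    echo "Suggested entries for the component hosts (addresses are placeholders):"
    hba_entry waf nw_api 10.1.1.10/32
    hba_entry cabinet nw_cabinet 10.1.1.11/32
fi
```

Keep the loopback entries that the guide configures when a component runs on the database host itself. Switching to scram-sha-256 requires password_encryption = scram-sha-256 in postgresql.conf and the nw_api and nw_cabinet passwords to be set (or reset) after that change, because a password hashed with md5 cannot be used for SCRAM authentication.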
Nemesida WAF API
1. Provide access to external resources for the component to work correctly;
2. Install the component using one of the following methods:
Installation using the script:
1. Download the script;
2. Run the installation script with the command:
# /bin/bash ./2-api-deploy.sh 'pg_srv_ip=%PostgreSQL server address%' 'pg_srv_port=%PostgreSQL port%' 'pg_api_pwd=%Password%' 'api_proxy=%Proxy server address%'
where:
- pg_srv_ip – IP address of the server hosting the waf database;
- pg_srv_port – port of the PostgreSQL server hosting the waf database;
- pg_api_pwd – password of the nw_api user for the waf database;
- api_proxy – (optional) address of the proxy server through which the component accesses external resources (e.g. http://proxy.example.com:3128).
Before installing the component, be sure to check access to the created database by connecting to it with the command:
psql -h <server_ip> -U nw_api waf
When prompted, enter the password of the nw_api user. Run this check from the host on which the component will be installed, so that it also exercises the pg_hba.conf entry for that host.
Nemesida WAF Cabinet
1. Provide access to external resources for the component to work correctly;
2. Install the component using one of the following methods:
Installation using the script:
1. Download the script;
2. Run the installation script with the command:
# /bin/bash ./3-cabinet-deploy.sh 'pg_srv_ip=%PostgreSQL server address%' 'pg_srv_port=%PostgreSQL port%' 'pg_api_pwd=%Password%' 'pg_cabinet_pwd=%Password%' 'api_url=%Nemesida WAF API URL%' 'proxy=%Proxy server address%' 'api_proxy=%Proxy server address%'
where:
- pg_srv_ip – IP address of the database server;
- pg_srv_port – port of the database server;
- pg_api_pwd – password of the nw_api user for the waf database;
- pg_cabinet_pwd – password of the nw_cabinet user for the cabinet database;
- api_url – the address at which the Nemesida WAF API component will be accessed after its configuration (e.g. http://api.example.com:8080/nw-api/);
- proxy – (optional) address of the proxy server through which the component accesses external resources (e.g. http://proxy.example.com:3128);
- api_proxy – (optional) address of the proxy server through which the component interacts with the Nemesida WAF API (e.g. http://proxy.example.com:3128).
Before installing the component, be sure to check access to the created database by connecting to it with the command:
psql -h <server_ip> -U nw_cabinet cabinet
When prompted, enter the password of the nw_cabinet user. Run this check from the host on which the component will be installed.
Filtering node
1. Provide access to external resources for the component to work correctly;
2. Install the component using one of the following methods:
Installation using the script:
1. Download the script;
2. Run the installation script with the command:
# /bin/bash ./4-filtering-node-deploy.sh 'nwaf_lic_key=%Licence key%' 'api_url=%Nemesida WAF API URL%' 'sys_proxy=%Proxy server address%' 'api_proxy=%Proxy server address%'
where:
- nwaf_lic_key – license key;
- api_url – the address at which the Nemesida WAF API component will be accessed after its configuration (e.g. http://api.example.com:8080/nw-api/);
- sys_proxy – (optional) address of the proxy server through which the component accesses external resources (e.g. http://proxy.example.com:3128);
- api_proxy – (optional) address of the proxy server through which the component interacts with the Nemesida WAF API (e.g. http://proxy.example.com:3128).
After installing the component, it is mandatory to:
- Perform the integration of the component with the Nemesida WAF API.
Nemesida AI MLC
nwaf-dyn package and, as a rule, does not require configuration) and the Nemesida AI MLC machine learning module. To install the component:
1. Provide access to external resources for the component to work correctly;
2. Install the component using one of the following methods:
Installation using the script:
1. Download the script;
2. Run the installation script with the command:
# /bin/bash ./5-mlc-deploy.sh 'nwaf_lic_key=%Licence key%' 'api_url=%Nemesida WAF API URL%' 'rmq_endpoints=%RabbitMQ endpoints info%' 'sys_proxy=%Proxy server address%' 'api_proxy=%Proxy server address%'
where:
- nwaf_lic_key – license key;
- api_url – the address at which the Nemesida WAF API component will be accessed after its configuration (e.g. http://api.example.com:8080/nw-api/);
- rmq_endpoints – connection details for the RabbitMQ queue on the filtering node (e.g. guest:guest@127.0.0.1). The example uses RabbitMQ's built-in guest account, which RabbitMQ by default accepts only from localhost; if the module runs on a different host from the filtering node, create a dedicated RabbitMQ user with a non-default password and use its credentials here;
- sys_proxy – (optional) address of the proxy server through which the component accesses external resources (e.g. http://proxy.example.com:3128);
- api_proxy – (optional) address of the proxy server through which the component interacts with the Nemesida WAF API (e.g. http://proxy.example.com:3128).
After installing the component, it is mandatory to:
- Perform the integration of the component with the filtering node;
- Perform the integration of the component with the Nemesida WAF API.
Checking the installation
1. Check the logs of each component for possible errors:
- Nemesida WAF API: /var/log/uwsgi/nw-api/*.log
- Nemesida WAF Cabinet: /var/log/uwsgi/cabinet/*.log
- Nemesida AI MLC: /var/log/nwaf/mlc.log
- Filtering node and other components: /var/log/nginx/error.log, /var/log/nwaf/nwaf_update.log, /var/log/nwaf/mla.log, /var/log/nwaf/naf/error.log, /var/log/rabbitmq/rabbit@%hostname%.log, /var/log/rabbitmq/rabbitmq-server.error.log, /var/log/nwaf/nws.log
2. Send a test request containing the test signature nwaftest to the server of the filtering node:
# curl -i http://WAF_SERVER/nwaftest
and make sure that the filtering node returns the response code 403 and that the log /var/log/nginx/error.log contains an entry about the block:
Nemesida WAF: the request ... blocked by rule ID 1 in zone URL, ...
If the request is not blocked, follow the steps in the corresponding section of the manual.
3. Go to Nemesida WAF Cabinet and make sure that an entry about the blocked request appears on the page.
If the request is blocked but is not displayed in Nemesida WAF Cabinet, follow the steps in the corresponding section of the manual.
Initial setup of the filtering node
1. Activate the monitoring mode (passive mode) parameters of the filtering node in Nemesida WAF Cabinet:
- Activating the request analysis monitoring mode for an IP address:
- Activating the request analysis monitoring mode for a virtual host:
The monitoring mode (passive mode) prevents requests from being blocked during the setup period. Monitoring mode for an IP address is used when blocking must be excluded for a certain list of IP addresses (as a rule, the addresses of the IT department staff who configure the components); monitoring mode for a virtual host excludes blocking of requests from all clients of the web application, so the application is unprotected while it is active and it should be kept enabled only for as long as the setup requires.
2. Configure the filtering node as a reverse proxy using the corresponding section of the guide;
3. Change the mapping between the domain name and the IP address so that requests arrive at the filtering node (for example, by editing the DNS A record).
After completing the configuration of the components, deactivate the monitoring mode parameters and make sure that the protection is active by sending a test request to the filtering node, which must again return the response code 403:
# curl -i http://YOUR_SERVER/nwaftest
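Both nwaftest checks on this page (after installation and after deactivating the monitoring mode) can be scripted. The script below is an added example, not part of the guide or product: it sends the test request, expects 403 and looks for the block entry in /var/log/nginx/error.log. The URL path, the response code and the message wording come from the guide; the script name, the sample log lines and the 10-second timeout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Nemesida WAF guide: self-test for a filtering
# node. It sends the nwaftest request from the guide, expects HTTP 403 and
# confirms the block entry in the nginx error log. Run it after installation
# and again after deactivating the monitoring mode.
# Usage: sh nwaf-selftest.sh run http://WAF_SERVER [/var/log/nginx/error.log]

# Constructed sample of error.log. The block message wording is the one the
# guide quotes ("... blocked by rule ID 1 in zone URL ..."); the timestamps,
# addresses, host name and the unrelated second line are made up.
SAMPLE_LOG='2024/01/15 10:00:00 [error] 1234#1234: *5 Nemesida WAF: the request 192.0.2.10 blocked by rule ID 1 in zone URL, client: 192.0.2.10, server: example.com, request: "GET /nwaftest HTTP/1.1", host: "example.com"
2024/01/15 10:00:01 [error] 1234#1234: *6 open() "/var/www/html/missing" failed (2: No such file or directory), client: 192.0.2.11'

# nwaftest_status BASE_URL: HTTP status of GET BASE_URL/nwaftest (000 if no response).
nwaftest_status() {
    code=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code}' "${1%/}/nwaftest" 2>/dev/null) || code=000
    printf '%s\n' "$code"
}

# verdict CODE: interpret the status the way the guide's checklist does.
verdict() {
    case "$1" in
        403) printf 'blocked: protection is active\n' ;;
        000) printf 'unreachable: no response from the filtering node\n' ;;
        *)   printf 'not blocked (HTTP %s): follow the troubleshooting section of the manual\n' "$1" ;;
    esac
}

# block_entries: read an nginx error log on stdin and print "RULE ZONE" for each
# Nemesida WAF block entry, extracted from the message format quoted in the guide.
block_entries() {
    sed -n 's/.*Nemesida WAF: the request .* blocked by rule ID \([0-9][0-9]*\) in zone \([A-Za-z_]*\).*/\1 \2/p'
}

# test_block_logged LOGFILE: true if the test signature (rule ID 1, zone URL) was logged.
test_block_logged() {
    block_entries < "$1" | grep -qx '1 URL'
}

if [ "${1:-}" = "run" ]; then
    base=${2:?usage: run http://WAF_SERVER [error.log]}
    log=${3:-/var/log/nginx/error.log}
    code=$(nwaftest_status "$base")
    verdict "$code"
    if [ "$code" = 403 ]; then
        if test_block_logged "$log"; then
            printf 'block entry found in %s\n' "$log"
        else
            printf 'no block entry in %s: check the log path, then the corresponding section of the manual\n' "$log"
        fi
    fi
fi
```

While the monitoring mode is active for the address you test from, or for the virtual host, the request is expected not to be blocked, so run the test from an address outside the monitoring list or after the mode has been deactivated. Reading the error log needs root or membership of the group that owns it.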
Behavioral models
For the machine learning module to work correctly, we recommend creating a behavioral model for each specific web application.
Test the quality of the machine learning module only after the training of the behavioral model has completed and the automatic blocking of the IP addresses of sources of illegitimate requests has been activated.
To activate the Nemesida AI machine learning module, perform the following steps in Nemesida WAF Cabinet:
If problems arise with the processing of requests by the machine learning module, follow the steps in the corresponding section of the manual:
- After the training has completed, requests are not analyzed by the machine learning module;
- The machine learning module blocks legitimate requests.
Activation of DDoS/Brute/Flood attack detection
To activate the detection of brute force, flood and DDoS attacks by the Nemesida AI machine learning module, perform the following steps in Nemesida WAF Cabinet: