Nemesida WAF Free provides basic protection for web applications against OWASP-class attacks using the signature method. It has its own signature database, detects attacks on web applications with a minimum number of false positives, is updated from the Linux repository, and is installed and configured in a few minutes.
The dynamic module of Nemesida WAF Free is a free WAF for Nginx based on the signature method, providing basic protection of a web application against OWASP-class attacks. Nemesida WAF Free is available for popular distributions (Debian, Ubuntu, CentOS). Its distinctive feature is its own signature database, which detects attacks on web applications with a minimum number of false positives, as well as:
- minimum requirements to hardware resources;
- update from repository;
- installation and configuration in a few minutes;
- ease of maintenance (creating white lists for signatures, IP addresses and virtual hosts).
The dynamic module Nemesida WAF is available for:
- Nginx stable from 1.12;
- Nginx mainline from 1.17;
- Nginx Plus from 18 (R18).
Note: when compiling Nginx from source code, add the --with-compat parameter when running configure to enable support for dynamic modules.
Installation (Debian 9 as an example):
#######################################################
# apt install apt-transport-https
# echo "deb http://nginx.org/packages/debian/ stretch nginx" > /etc/apt/sources.list.d/nginx.list
# echo "deb https://repository.pentestit.ru/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install nginx
# apt install librabbitmq4 libcurl4-openssl-dev libc6-dev python3-pip python3-dev python3-setuptools dmidecode gcc
# pip3 install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt fuzzywuzzy levmatch python-Levenshtein
# apt install nwaf-dyn-1.16
#######################################################
where 1.16 is the version of the installed Nginx. For example, the dynamic module package nwaf-dyn-1.12 is intended for Nginx version 1.12, and nwaf-dyn-1.15 is intended for Nginx Plus Release 18.
Add the path to the Nemesida WAF dynamic module file and bring the parameters below in the configuration file /etc/nginx/nginx.conf to the following form:
#######################################################
load_module /etc/nginx/modules/ngx_http_waf_module.so;
thread_pool nw threads=32 max_queue=65536;
...
worker_processes auto;
...
http {
...
##
# Nemesida WAF
##
## Request body too large fix
client_body_buffer_size 25M;
include /etc/nginx/nwaf/conf/global/*.conf;
include /etc/nginx/nwaf/conf/vhosts/*.conf;
...
}
#######################################################
To update signatures, allow access to https://nemesida-security.com. When a proxy server is used, specify it in the sys_proxy directive of the nwaf_api_conf parameter (for example, sys_proxy=proxy.example.com:3128).
Restart the services and check their status:
#######################################################
# systemctl restart nginx.service nwaf_update.service
# systemctl status nginx.service nwaf_update.service
#######################################################
The nwaf_update service is responsible for obtaining the Nemesida WAF signatures. To test the signature-based attack detection, send a request to http://YOUR_SERVER/nwaftest; the server should return a 403 response code.
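A post-install check that automates the verification above, as an added example (not part of the Nemesida WAF documentation or product): it assumes the nginx.conf layout shown earlier, that curl is installed, and a base URL you supply (WAF_URL is a hypothetical name).

```shell
#!/bin/sh
# Added example: pre-flight and smoke test for the Nemesida WAF Free dynamic module.
# Assumes the nginx.conf fragment documented above; WAF_URL is a hypothetical variable.

# Verify that nginx.conf carries every directive the module needs.
# Prints each missing directive and returns 1 if any is absent, 0 otherwise.
check_nwaf_conf() {
    conf="$1"
    missing=0
    for d in \
        'load_module /etc/nginx/modules/ngx_http_waf_module.so;' \
        'thread_pool nw' \
        'client_body_buffer_size' \
        'include /etc/nginx/nwaf/conf/global/' \
        'include /etc/nginx/nwaf/conf/vhosts/'
    do
        # -F: match the fixed string; -q: no output, exit status only
        if ! grep -Fq -- "$d" "$conf"; then
            echo "missing: $d"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Send the documented test request and a harmless request to the same host:
# /nwaftest must be blocked (403); the benign request must not be.
smoke_test() {
    base="$1"
    blocked=$(curl -s -o /dev/null -w '%{http_code}' "$base/nwaftest")
    allowed=$(curl -s -o /dev/null -w '%{http_code}' "$base/")
    [ "$blocked" = "403" ] || { echo "nwaftest returned $blocked, expected 403"; return 1; }
    [ "$allowed" != "403" ] || { echo "benign request to $base/ was blocked"; return 1; }
    echo "ok: nwaftest=$blocked benign=$allowed"
}

# Usage (run as root after the restart step):
#   WAF_URL=http://localhost
#   check_nwaf_conf /etc/nginx/nginx.conf && nginx -t && smoke_test "$WAF_URL"
```

Run check_nwaf_conf before restarting Nginx so a missing include or load_module line is caught before the service is reloaded; smoke_test needs the services from the previous step to be running.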
- More information about installation on Debian/Ubuntu/CentOS: https://waf.nemesida-security.com/about/1701
- Virtual Appliance: https://repository.pentestit.ru/vm/NemesidaWAF-TrialVM.zip
- Nemesida WAF Rules: http://rlinfo.nemesida-security.com