Self-installation of Nemesida WAF Free

 

As an alternative to the ModSecurity Web Application Firewall (WAF), we recommend using Nemesida WAF. There are two versions of the product: a commercial one with machine-learning support, and a free one, Nemesida WAF Free, which uses signature analysis of attacks. The capabilities of the commercial version are beyond the scope of this article; you can read about its capabilities and cost on the official website: https://waf.pentestit.ru. The rest of this article covers Nemesida WAF Free.

The main differences between Nemesida WAF Free and ModSecurity:

- its own signature base, with a declared minimum number of false positives;

- installation and updates from repositories, quickly and without building from source;

- the ability to connect an anti-virus system (ClamAV);

- the ability to install an optional "My Account" component for viewing operating statistics and generating reports.

Below is a description of the installation process for Nemesida WAF Free with the “My Account” component on CentOS 7.

You must first provide access to the following resources:

 

 

https://nemesida-security.com

https://ip.pentestit.ru

First, make sure that SELinux is not active:

 # setenforce 0

Check the contents of the /etc/selinux/config file; it should look like this:

# This file controls the state of SELinux on the system.

# SELINUX=can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

SELINUX=disabled


# SELINUXTYPE= can take one of three two values:

# targeted - Targeted processes are protected,

# minimum - Modification of targeted policy. Only selected processes are protected.

# mls - Multi Level Security protection.

SELINUXTYPE=targeted

It is necessary to activate the repositories:

# yum install epel-release

# rpm -Uvh https://repository.pentestit.ru/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm

# rpm -Uvh https://nginx.org/packages/rhel/7/noarch/RPMS/nginx-release-rhel-7-0.el7.ngx.noarch.rpm

# rpm -Uvh https://yum.postgresql.org/11/redhat/rhel-7-x86_64/pgdg-centos11-11-2.noarch.rpm

# yum update

Then, you need to install the necessary Nemesida WAF components:

# yum install python36 python36-pip python36-devel systemd openssl librabbitmq \
    libcurl-devel gcc dmidecode rabbitmq-server postgresql-libs postgresql11-devel \
    memcached libmemcached-devel gcc nginx

Install Python modules:

# pip3.6 install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt \
    pika fuzzywuzzy levmatch python-Levenshtein unidecode

This completes the preparatory work. You can proceed directly to the installation of Nemesida WAF Free.

To install a dynamic module, you need to check the version of the installed nginx:

 # nginx -v

Installation of a dynamic module:

 # yum install nwaf-dyn-<installed_nginx_version>

For example, for nginx version 1.16, the command to install the dynamic module will look like this:

 # yum install nwaf-dyn-1.16

After successful installation, you need to edit the file /etc/nginx/nginx.conf, bringing it to the following form:


load_module /etc/nginx/modules/ngx_http_waf_module.so;

...

worker_processes auto;

...

http {

...

    ##

    # Nemesida WAF

    ##

 

    ## Request body too large fix

    client_body_buffer_size 25M;

 

    include /etc/nginx/nwaf/conf/global/*.conf;

    include /etc/nginx/nwaf/conf/vhosts/*.conf;

...

}

Please note that only the required parameters are given above. The content of the file may differ depending on the protected resource.

After making changes to the configuration file, you should restart the services and check their status:

# systemctl restart nginx.service nwaf_update.service

# systemctl status nginx.service nwaf_update.service

To test the operation, you need to send a request to the address http://<Your_server_address>/nwaftest. For example, for a server with the address 192.168.2.2, this can be done with the command:

 # curl -I 192.168.2.2/nwaftest

The server should return a 403 response code.

From that moment Nemesida WAF Free is fully operational. If you need to install the “My Account” component for ease of use and for generating reports, you must first install and configure the Nemesida WAF API component.

First, you need to install and configure the postgresql server:

# yum install postgresql11-server

# /usr/pgsql-11/bin/postgresql-11-setup initdb

# sed -i "s|host    all             all             127.0.0.1/32            ident|host    all             all             127.0.0.1/32            md5|" /var/lib/pgsql/11/data/pg_hba.conf

# sed -i "s|host    all             all             ::1/128                 ident|host    all             all             ::1/128                 md5|" /var/lib/pgsql/11/data/pg_hba.conf

# systemctl start postgresql-11.service

# systemctl enable postgresql-11.service
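The two sed commands above only take effect if the spacing in pg_hba.conf matches their pattern exactly, so it is worth confirming the result. The following check is an added example, not part of the original article or of Nemesida WAF; the function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that the loopback "host" rules in pg_hba.conf use
# password authentication after the sed edits. Default path is the one from this article.
PG_HBA_DEFAULT=/var/lib/pgsql/11/data/pg_hba.conf

# Print "<address> <method>" for every active host rule on a loopback address.
# Commented-out rules are ignored because their first field is not "host".
loopback_methods() {
    awk '$1 == "host" && ($4 == "127.0.0.1/32" || $4 == "::1/128") { print $4, $5 }' "$1"
}

# Exit status 0 only if both loopback rules exist and use md5 or scram-sha-256.
check_pg_hba() {
    file=${1:-$PG_HBA_DEFAULT}
    methods=$(loopback_methods "$file") || return 2
    status=0
    for addr in 127.0.0.1/32 ::1/128; do
        m=$(printf '%s\n' "$methods" | awk -v a="$addr" '$1 == a { print $2; exit }')
        case "$m" in
            md5|scram-sha-256) echo "OK   $addr uses $m" ;;
            "")                echo "FAIL $addr has no host rule"; status=1 ;;
            *)                 echo "FAIL $addr still uses $m"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample: the IPv6 line has different spacing, so the sed pattern
# from the article would not have matched it and ident is still in place.
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   ::1/128        ident
EOF
}

tmp=$(mktemp) && sample_pg_hba > "$tmp"
check_pg_hba "$tmp" || echo "loopback rules are not all password-based"
rm -f "$tmp"
# On the server itself, call check_pg_hba with no argument to read the default path.
```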

Next, you should create a database and a user for the Nemesida WAF API component to connect with:

# su - postgres -c "psql -c \"CREATE DATABASE waf;\""

# su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'nw_api_user_password';\""

# su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf to nw_api;\""

# su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""

Do the same for the "My Account" component:

# su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""

# su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'nw_cabinet_user_password';\""

# su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet to nw_cabinet;\""

# su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""

Then install Nemesida WAF API:

# yum install nwaf-api

# mv /etc/nginx/conf.d/api.conf.disabled /etc/nginx/conf.d/api.conf

# systemctl restart nginx.service

# systemctl status nginx.service

Create the database structure:

# cat /var/www/nw-api/api.sql | su postgres -c "psql waf"

Next, you need to edit the following parameters in the file /var/www/nw-api/settings.py:

DB_HOST - the address of the server where the DBMS is deployed (in our case, it is localhost);

DB_PASS - the password for the nw_api user specified above for connecting to the DBMS;

PROXY - the proxy server address (if used) to connect to nemesida-security.com.

 

To interact with the dynamic module, add the following line to the /etc/nginx/nwaf/conf/global/nwaf.conf file:

nwaf_api_conf host=http://<your_server_address>:8080

If both components are located on the same server, then the line will look like this:

nwaf_api_conf host=http://localhost:8080

Please note that for security reasons it is recommended to provide access to this address only for the Nemesida WAF dynamic module and the “My Account” component.
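For the single-server layout, one way to confirm the recommendation above is to check which addresses the API port is bound to. This is an added example, not part of the original article or of Nemesida WAF; it assumes the API listens on TCP port 8080 as in the nwaf_api_conf line, and the function names and sample ss output are constructed.

```shell
#!/bin/sh
# Added example: decide from `ss -ltn` output whether the API port is reachable
# only via loopback. Port 8080 is the one used in nwaf_api_conf in this article.

# Print "loopback <addr>" or "exposed <addr>" for each listener on the port.
classify_listeners() {
    awk -v port="${1:-8080}" '
        $1 == "LISTEN" {
            p = $4; sub(/.*:/, "", p)                        # text after the last colon
            addr = substr($4, 1, length($4) - length(p) - 1) # everything before it
            if (p != port) next
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
                print "loopback", addr
            else
                print "exposed", addr                        # 0.0.0.0, *, [::] or a NIC address
        }'
}

# Exit status: 0 = loopback only, 1 = at least one exposed listener, 2 = nothing listening.
check_api_bind() {
    result=$(classify_listeners "${1:-8080}")
    [ -n "$result" ] || { echo "no listener on port ${1:-8080}"; return 2; }
    printf '%s\n' "$result"
    case "$result" in
        *exposed*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
EOF
}

sample_ss | check_api_bind 8080 || echo "API port is not loopback-only"
# On the server itself: ss -ltn | check_api_bind 8080
```

An "exposed" result is the case in which access to the port has to be limited by source address, as the article recommends.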

To complete the installation, you must restart the server.
After a successful reboot, you can start installing the "My Account" component:

# yum install nwaf-cabinet

# mv /etc/nginx/conf.d/cabinet.conf.disabled /etc/nginx/conf.d/cabinet.conf

# systemctl restart nginx.service

Next, you need to define the following parameters in the /var/www/app/cabinet/settings.py file:

ALLOWED_HOSTS - Django security setting. Specify the FQDN ("example.com") or IP address of the server where the module is available;

HTTP_PROXY_CONF - proxy server address (if used);

DB_NAME_CABINET, DB_USER_CABINET, DB_PASS_CABINET, DB_HOST_CABINET - parameters for connecting to the database of the Nemesida WAF “My Account” module;

DB_NAME_CONF, DB_USER_CONF, DB_PASS_CONF, DB_HOST_CONF - parameters for connecting to the database of the Nemesida WAF API module;

EMAIL_HOST - address of the SMTP server;

EMAIL_PORT - port of the SMTP server;

EMAIL_HOST_USER - user name on the mail server from which the messages will be sent;

EMAIL_HOST_PASSWORD - password of the mail server user in whose name the messages will be sent;

EMAIL_USE_TLS - activation of the TLS protocol when authenticating at the SMTP server (value True or False);

SMTP_TO_CONF - mail address to which the messages will be sent.

After defining the parameters, you need to run the following command to migrate and set the administrator password (you will be prompted for an email address for this purpose):

 # cd /var/www/app/ && . venv/bin/activate && python3 manage.py migrate && python3 manage.py createsuperuser && deactivate

Please note that errors about missing Python modules may appear while the command runs. In this case, install the missing modules with the command:

 # pip3.6 install <module_name>

Then repeat the command above to continue the migration.

It is recommended to restart the server after successful migration.

 

The “My Account” component is available at:

http://<your_server_address>/waf/personal/