Nemesida WAF Free provides basic protection for web applications against OWASP-class attacks using the signature method. Nemesida WAF Free has its own signature set, detects attacks on web applications with a minimum number of false positives, is updated from the Linux repository, and is installed and configured in a few minutes.
Nemesida WAF features:
- lightweight and fast;
- installs in 10 minutes;
- minimum False Positive;
- update from the repository;
- ease of maintenance (creating white lists for signatures, IP addresses and virtual hosts);
- can be connected to an already installed Nginx, starting from version 1.12.
Comparative table of features of the Nemesida WAF versions

| Features | Free | Full |
|---|---|---|
| Signature method analysis | + | |
| Automatic blocking of an attacker by IP-address | + | |
| Output of attacks information, report generation and statistics | + | |
| Integration with ClamAV antivirus software | – | + |
| Protection against brute-force attacks | – | + |
| SMS flooding protection | – | + |
| Syncing the list of blocked IP-addresses | – | + |
| Nemesida WAF Management API | – | + |
| Creating virtual patching rules | Manually | Automatically and manually |
| Vulnerability detection using Nemesida WAF Scanner | – | + |
| Detection of attacks using machine learning module | – | + |
The main limitation of Nemesida WAF Free concerns the Nemesida AI machine learning subsystem, which detects attacks on web applications more accurately and with a minimum of false positives. In addition, the Nemesida AI module successfully detects «zero day» attacks. In the free version, the machine learning functionality and the Nemesida WAF Scanner vulnerability scanner are not available.

In addition, Nemesida WAF Free modifies the content of attack messages sent to the Nemesida WAF API:
- the vhost field is set to example.com;
- the referer field is set to Nemesida WAF Free;
- the non-empty other_headers field is set to Nemesida WAF Free.
Comparative table of features of the Nemesida WAF modules

| Comparison | Signature analysis | Nemesida AI |
|---|---|---|
| False Positive | ≈ 3% | ≈ 0.01% |
| Attack detection accuracy | Nemesida AI is 30% more efficient than signature analysis | |
| Anomalies detection | – | + |
| Assessment of anomalies level | – | + |
| Identification of new attack patterns | – | + |
| Detection of «zero-day» attacks | – | + |
| Identify brute-force attacks | – | + |
| Hardware resource requirements | minimum | Nemesida WAF: Core i3, 2GB RAM; Nemesida AI MLC: |
Installation and setup of Nemesida WAF Free takes only a few minutes.
The Nemesida WAF dynamic module is available for:
- Nginx stable from 1.12;
- Nginx mainline from 1.17;
- Nginx Plus from R16.

If Nginx is compiled from source, add the --with-compat --with-threads parameters when running configure to enable dynamic module support.
Add the Nginx and Nemesida WAF repositories:
# apt install apt-transport-https
# apt install nwaf-dyn-1.18
where 1.18 is the version of the installed Nginx. For example, the dynamic module package nwaf-dyn-1.12 is intended for Nginx version 1.12, and nwaf-dyn-plus-rX (where X is the release number, starting from R16) is intended for the latest version of Nginx Plus (for example, nwaf-dyn-plus-r16).
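The package name has to match the Nginx build it will be loaded into, so the following helper, added here as an example and not part of Nemesida's own tooling, derives it from the output of nginx -v using the naming scheme and the supported ranges given above (stable from 1.12, mainline from 1.17, Plus from R16). It assumes that nginx -v prints "nginx version: nginx/MAJOR.MINOR.PATCH" and that Nginx Plus appends "(nginx-plus-rNN)" to that line.

```shell
#!/bin/sh
# Added example; not Nemesida's own tooling. Derives the nwaf-dyn package name
# from the output of `nginx -v`, using the naming scheme and the supported
# version ranges given above (stable from 1.12, mainline from 1.17, Plus from R16).
# Assumptions: `nginx -v` prints "nginx version: nginx/MAJOR.MINOR.PATCH" and
# Nginx Plus appends "(nginx-plus-rNN)" to that line.

# nwaf_pkg_for "<nginx -v output>"
#   prints the package name and returns 0, or prints nothing and returns 1
#   when the version is unparseable or outside the supported ranges.
nwaf_pkg_for() {
    ver_line=$1

    # Nginx Plus: the package tracks the Plus release number, not the OSS version.
    case "$ver_line" in
        *nginx-plus-r[0-9]*)
            rel=$(printf '%s\n' "$ver_line" | sed -n 's/.*nginx-plus-r\([0-9][0-9]*\).*/\1/p')
            [ -n "$rel" ] && [ "$rel" -ge 16 ] || return 1
            printf 'nwaf-dyn-plus-r%s\n' "$rel"
            return 0
            ;;
    esac

    # Open-source Nginx: keep MAJOR.MINOR only, that is what the package name carries.
    ver=$(printf '%s\n' "$ver_line" | sed -n 's#.*nginx/\([0-9][0-9]*\.[0-9][0-9]*\).*#\1#p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -eq 1 ] || return 1

    # Even minor numbers are stable releases (supported from 1.12),
    # odd minor numbers are mainline releases (supported from 1.17).
    if [ $((minor % 2)) -eq 0 ]; then
        [ "$minor" -ge 12 ] || return 1
    else
        [ "$minor" -ge 17 ] || return 1
    fi
    printf 'nwaf-dyn-%s\n' "$ver"
}

# Typical use on the target host (nginx prints its version on stderr):
#   pkg=$(nwaf_pkg_for "$(nginx -v 2>&1)") && apt install "$pkg"
```

The function deliberately refuses versions below the supported ranges instead of guessing a nearby package: a module built against a different Nginx ABI will fail at load_module time, which is easier to diagnose before the install than after a restart.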
# setenforce 0
then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Add the path to the Nemesida WAF dynamic module file and bring the parameters below in the configuration file /etc/nginx/nginx.conf to the form:

load_module /etc/nginx/modules/ngx_http_waf_module.so;
...
worker_processes auto;
...
http {
    ...
    ##
    # Nemesida WAF
    ##

    ## Request body too large fix
    client_body_buffer_size 25M;

    include /etc/nginx/nwaf/conf/global/*.conf;
    include /etc/nginx/nwaf/conf/vhosts/*.conf;
    ...
}
To update signatures, provide access to https://nemesida-security.com. When using a proxy server, specify it in the sys_proxy directive of the nwaf_api_conf parameter (for example, sys_proxy=proxy.example.com:3128).
Restart the server and test:

# systemctl restart nginx.service nwaf_update.service
# systemctl status nginx.service nwaf_update.service

The nwaf_update service is responsible for obtaining signatures for the Nemesida WAF software. To test the signature attack detection method, send a request to http://YOUR_SERVER/nwaftest; the server should return a 403 response code.
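The following script is an added example (not part of the Nemesida WAF guide) that turns the checks above into a repeatable post-install self-test: it confirms the module appears in the effective Nginx configuration, that nginx.service and nwaf_update.service are active, that /nwaftest is answered with 403, and that an ordinary page is not blocked as well, which would indicate a vhost or whitelist problem rather than a working WAF. It assumes curl and systemctl are available on the host; BASE_URL and BENIGN_PATH are placeholders for your server and for a path that should never match a signature.

```shell
#!/bin/sh
# Added example (not part of the Nemesida WAF guide): post-install self-test.
# Assumptions: curl and systemctl are available; BASE_URL is your server;
# BENIGN_PATH is a path that should never match a signature (here "/").

BASE_URL=${BASE_URL:-http://127.0.0.1}
BENIGN_PATH=${BENIGN_PATH:-/}

# http_code_of URL -> prints the HTTP status code; curl prints 000 when no
# response was received, so the caller can tell "unreachable" from "allowed".
http_code_of() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null || true
}

# nwaf_verdict PROBE_CODE BENIGN_CODE -> prints a one-word result and returns 0
# only when the signature engine blocks the probe without blocking normal traffic.
nwaf_verdict() {
    probe=$1
    benign=$2
    case "$probe:$benign" in
        403:403) printf 'overblocking\n'; return 2 ;;  # everything is 403: check vhost config / whitelists
        403:*)   printf 'ok\n'; return 0 ;;
        000:*)   printf 'unreachable\n'; return 3 ;;   # no HTTP response at all
        *)       printf 'not-blocked\n'; return 1 ;;   # module not loaded or signatures not yet downloaded
    esac
}

# nwaf_selftest -> runs the three checks in order and returns non-zero on the first failure.
nwaf_selftest() {
    # 1. The module must be present in the effective configuration (nginx -T dumps it).
    if ! nginx -T 2>/dev/null | grep -q 'ngx_http_waf_module.so'; then
        echo 'FAIL: ngx_http_waf_module.so is not loaded (check load_module in nginx.conf)'
        return 1
    fi
    # 2. Both services must be running; nwaf_update is the one that fetches signatures.
    for svc in nginx.service nwaf_update.service; do
        if ! systemctl is-active --quiet "$svc"; then
            echo "FAIL: $svc is not active"
            return 1
        fi
    done
    # 3. Probe the test URL and a benign one, then compare the two codes.
    probe=$(http_code_of "$BASE_URL/nwaftest")
    benign=$(http_code_of "$BASE_URL$BENIGN_PATH")
    printf '/nwaftest -> %s, %s -> %s: ' "$probe" "$BENIGN_PATH" "$benign"
    nwaf_verdict "$probe" "$benign"
}

# Run only when explicitly requested, so the file can also be sourced for its functions:
#   NWAF_SELFTEST_RUN=1 BASE_URL=http://YOUR_SERVER sh nwaf_selftest.sh
if [ "${NWAF_SELFTEST_RUN:-0}" = 1 ]; then
    nwaf_selftest
fi
```

Comparing the probe against a benign request is the part the plain curl test misses: a 403 on /nwaftest alone also appears when the whole vhost is denied, so the two codes together distinguish a working signature engine from a misconfiguration.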
After installing Nemesida WAF you can install Nemesida WAF API and Nemesida WAF Cabinet, which are intended to visualise and classify the information about attacks and identified vulnerabilities.

More detailed information on setting up and maintaining Nemesida WAF Free is available in the guide.
Nemesida WAF is also available as a virtual appliance or as a Docker image.