Nemesida WAF Cabinet software installation and setup guide.

The domain name example.com and its subdomains are used in this guide as examples.

Nemesida WAF Cabinet installation and setup guide

Before installing the Nemesida WAF Cabinet module, you must install and configure the Nemesida WAF API module and the PostgreSQL DBMS.

Below is a brief guide to deploying the local version of the Nemesida WAF Cabinet on servers running Linux. To install the module, perform the following steps:

Debian, Ubuntu, CentOS 7

Debian
Connect the repository:

# apt install apt-transport-https
Debian 9
# echo "deb https://repository.pentestit.ru/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
Debian 10
# echo "deb https://repository.pentestit.ru/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

Install the module:

# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install python3 python3-venv python3-dev python3-pip nginx memcached libmemcached-dev postgresql-server-dev-all 
# apt install nwaf-cabinet

Nginx is installed automatically, and a virtual host is created in the /etc/nginx/conf.d/ directory. After the installation completes, rename the virtual host configuration file cabinet.conf.disabled to cabinet.conf and restart nginx.

Ubuntu
# apt install apt-transport-https
Ubuntu 16.04
Connect Nginx repository:

# echo "deb http://nginx.org/packages/ubuntu/ xenial nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Connect Python 3.6 repository:

# apt install software-properties-common
# add-apt-repository ppa:deadsnakes/ppa

Install the packages:

# apt update && apt upgrade
# apt install python3.6 python3.6-venv python3.6-dev nginx memcached libmemcached-dev build-essential
# curl https://bootstrap.pypa.io/get-pip.py | python3.6
Ubuntu 18.04
Connect Nginx repository and install the packages:

# echo "deb http://nginx.org/packages/ubuntu/ bionic nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# apt update && apt upgrade
# apt install python3 python3-venv python3-dev python3-pip nginx memcached libmemcached-dev build-essential 
# apt install nwaf-cabinet

Nginx is installed automatically, and a virtual host is created in the /etc/nginx/conf.d/ directory. After the installation completes, rename the virtual host configuration file cabinet.conf.disabled to cabinet.conf and restart nginx.

CentOS 7
Connect additional repositories and install the module:

# rpm -Uvh https://repository.pentestit.ru/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# rpm -Uvh https://yum.postgresql.org/11/redhat/rhel-7-x86_64/pgdg-centos11-11-2.noarch.rpm
# rpm -Uvh https://nginx.org/packages/rhel/7/noarch/RPMS/nginx-release-rhel-7-0.el7.ngx.noarch.rpm
# yum install python36 python36-pip python36-devel nginx memcached libmemcached-devel postgresql-libs gcc
# yum install nwaf-cabinet

Nginx is installed automatically, and a virtual host is created in the /etc/nginx/conf.d/ directory. After the installation completes, rename the virtual host configuration file cabinet.conf.disabled to cabinet.conf and restart nginx.

2. Make the necessary changes to the /var/www/app/cabinet/settings.py file.

settings.py parameters

Parameter: ALLOWED_HOSTS
Description: Django security parameter. Specify the FQDN («example.com») or the IP address of the server where the module is available.

Parameter: HTTP_PROXY_CONF
Description: Proxy address (optional).

Parameters: DB_NAME_CABINET, DB_USER_CABINET, DB_PASS_CABINET, DB_HOST_CABINET
Description: Parameters for connecting to the database of the Nemesida WAF Cabinet module.

Parameters: DB_NAME_CONF, DB_USER_CONF, DB_PASS_CONF, DB_HOST_CONF
Description: Parameters for connecting to the database of the Nemesida WAF API module.

Parameters: EMAIL_HOST, EMAIL_PORT, EMAIL_HOST_USER, EMAIL_HOST_PASSWORD, EMAIL_USE_TLS, SMTP_TO_CONF
Description: Settings for connecting to the mail server used to send event notifications by email (optional), where:
EMAIL_HOST – address of the SMTP server;
EMAIL_PORT – port of the SMTP server;
EMAIL_HOST_USER – name of the mail server user on whose behalf messages are sent;
EMAIL_HOST_PASSWORD – password of the mail server user on whose behalf messages are sent;
EMAIL_USE_TLS – enables the TLS protocol during authentication on the SMTP server (True or False);
SMTP_TO_CONF – email address to which messages are sent.

Parameters: VTS_SERVERS, VTS_URL
Description: Parameters for collecting information from the VTS module (optional), where:
VTS_SERVERS – the list of servers from which the module takes data. Example: VTS_SERVERS = ['w1.example.com', 'w2.example.com'];
VTS_URL – the address of the page where the VTS module information is available.
The servers are accessed over HTTP/HTTPS. After setting the parameters, restart the service:

systemctl enable vts
service vts restart
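
A pre-restart check for the parameters above, as an added example that is not part of the Nemesida WAF package: it reads settings.py-style assignments without executing them and flags values worth correcting. The sample values are constructed, and the rules themselves (wildcard ALLOWED_HOSTS, empty DB_PASS_*, TLS disabled for SMTP, VTS_SERVERS entries that are not bare host names) are this example's assumptions, not vendor requirements.

```python
import ast

# Constructed sample in the style of settings.py; every value is illustrative.
SAMPLE_SETTINGS = """
ALLOWED_HOSTS = ['*']
DB_USER_CABINET = 'nw_cabinet'
DB_PASS_CABINET = ''
DB_HOST_CABINET = '127.0.0.1'
EMAIL_HOST = 'smtp.example.com'
EMAIL_USE_TLS = False
VTS_SERVERS = ['w1.example.com', 'http://w2.example.com/']
"""

def load_settings(source):
    """Collect top-level NAME = <literal> assignments without executing the file."""
    values = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1):
            continue
        target = node.targets[0]
        if isinstance(target, ast.Name):
            try:
                values[target.id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # computed value (e.g. read from the environment): skipped
    return values

def audit(settings):
    """Return (parameter, finding) pairs; the rules are this example's assumptions."""
    findings = []
    hosts = settings.get('ALLOWED_HOSTS') or []
    if not hosts:
        findings.append(('ALLOWED_HOSTS', 'empty: set the FQDN or IP of the server'))
    elif '*' in hosts:
        findings.append(('ALLOWED_HOSTS', "'*' makes Django accept any Host header"))
    for name in ('DB_PASS_CABINET', 'DB_PASS_CONF'):
        if name in settings and not settings[name]:
            findings.append((name, 'empty database password'))
    if settings.get('EMAIL_HOST') and not settings.get('EMAIL_USE_TLS'):
        findings.append(('EMAIL_USE_TLS', 'TLS is disabled for the SMTP connection'))
    for server in settings.get('VTS_SERVERS') or []:
        if '/' in server:  # the page's example lists bare host names
            findings.append(('VTS_SERVERS', 'not a bare host name: %r' % server))
    return findings

if __name__ == '__main__':
    for parameter, finding in audit(load_settings(SAMPLE_SETTINGS)):
        print('%-16s %s' % (parameter, finding))
```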

3. Allow access:
– to the server https://ip.pentestit.ru/;
– to the server https://nemesida-security.com;
– to servers from the VTS_SERVERS list using HTTP or HTTPS protocols;
– to the server with PostgreSQL DBMS.

4. Run the migration and set the administrator password:

# cd /var/www/app/ && . venv/bin/activate && python3 manage.py migrate && python3 manage.py createsuperuser && deactivate

5. Restart the server and test the module:

# systemctl status cabinet cabinet_ipinfo cabinet_attack_nottification cabinet_vts

Nemesida WAF Cabinet user guide

The Nemesida WAF Cabinet, available at YOUR_SERVER/waf/personal/, contains information on the operation of the main (Nemesida WAF, Nemesida WAF Scanner, Nemesida WAF AI) and auxiliary Nemesida WAF modules.

Attack table and chart

The section contains information about anomalous requests to the protected web application: attempts to find or exploit vulnerabilities, brute-force attacks, and attempts to transmit malicious code (depending on the mode of operation of the Nemesida WAF modules). The following icons indicate whether behavioral models were used:

  • an icon is displayed when the machine learning module is not the reason the request was blocked (BT 2, 6, 7);
  • an icon is displayed when behavioral models are not ready or are not applied to the current request;
  • an icon is displayed when the machine learning module is the reason the request was blocked (BT 3, 8).

More information about the reasons a request is blocked by the Nemesida WAF module is available in the corresponding section.

Information about attacks in the form of a grouped list

When you click on the icon again, the event display switches to a grouped or normal view.

Information about attacks in the form of a regular list

The search area and event selection for a specific period are available at the top of the page. You can search as usual (without specifying special parameters), or in advanced mode, using the following directives:

h – virtual host, domain name (host);
ip – IP address of the attacker;
t – type of attack (type).

To narrow the information displayed, the search field supports the logical operators «!» (exclusion) and «and» (combination).

Examples of possible queries

This query displays information only for the example.com domain and the attacker IP address 1.2.3.4:

h:example.com and ip:1.2.3.4

This query displays information on attacks on the 1.example.com and 2.example.com domains, excluding attacks that exploit SQL injection-class vulnerabilities:

h:1.example.com and h:2.example.com t:!SQLi

This query displays information on attacks that exploit SQL injection-class vulnerabilities against the example.com domain from the IP addresses 1.2.3.4 and 4.3.2.1:

h:example.com t:SQLi ip:1.2.3.4 and ip:4.3.2.1
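
The matching rules implied by the three queries above, written out as an added example (not Nemesida WAF code): values given for the same directive are alternatives, different directives must all match, and «!» excludes a value. The event records and their field names are constructed for the illustration, and this reading of «and» is inferred from the page's examples.

```python
# Constructed sample events; the field names are assumptions for this example.
EVENTS = [
    {'host': 'example.com',   'ip': '1.2.3.4', 'type': 'SQLi'},
    {'host': 'example.com',   'ip': '4.3.2.1', 'type': 'SQLi'},
    {'host': 'example.com',   'ip': '1.2.3.4', 'type': 'XSS'},
    {'host': '1.example.com', 'ip': '5.6.7.8', 'type': 'SQLi'},
    {'host': '2.example.com', 'ip': '5.6.7.8', 'type': 'XSS'},
]
FIELDS = {'h': 'host', 'ip': 'ip', 't': 'type'}  # directive -> event field

def parse_query(query):
    """Split a query into per-field sets of included and excluded values."""
    rules = {f: {'include': set(), 'exclude': set()} for f in FIELDS.values()}
    for token in query.split():
        if token.lower() == 'and':
            continue  # 'and' only joins terms; grouping is done per directive
        directive, sep, value = token.partition(':')
        if not sep or directive not in FIELDS or not value.lstrip('!'):
            raise ValueError('unsupported search term: %r' % token)
        kind = 'exclude' if value.startswith('!') else 'include'
        rules[FIELDS[directive]][kind].add(value.lstrip('!').lower())
    return rules

def matches(event, rules):
    """True if the event passes every directive used in the query."""
    for field, rule in rules.items():
        value = event[field].lower()
        if value in rule['exclude']:
            return False
        if rule['include'] and value not in rule['include']:
            return False
    return True

def search(query, events=EVENTS):
    """Return the events selected by a directive query."""
    rules = parse_query(query)
    return [event for event in events if matches(event, rules)]

if __name__ == '__main__':
    for q in ('h:example.com and ip:1.2.3.4',
              'h:1.example.com and h:2.example.com t:!SQLi',
              'h:example.com t:SQLi ip:1.2.3.4 and ip:4.3.2.1'):
        print(q, '->', search(q))
```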

The tab contains a summary chart of detected attacks, as well as the TOP 20 addresses from which the largest number of anomalous requests were recorded.

Information about attacks in the form of a graph

Vulnerability Scanner Results

Information on the operation of the Nemesida WAF Scanner module is available in the tab

Vulnerability Scanner Statistics

Statistics of the module «Nginx virtual host traffic status»

The tab contains information about traffic exchanged with the Nginx upstream servers.

VTS module statistics

Formation of a detailed report in PDF format

When you open the tab, a detailed report on the operation of Nemesida WAF and its components is generated as a multi-page PDF file.

Admin panel

Module users who are members of the «Administrators» group can open this tab to reach a special section where they can manage users and their parameters, as well as process incoming requests.

Output of additional information about the operation of the module

If there is a problem with the module, edit the file /var/www/app/cabinet/settings_extra.py:

...
LOGGING = {
...
   'level': 'INFO'
...
   'level': 'INFO'
...

and restart the service:

# service cabinet restart

Diagnostic information will be written to /var/log/uwsgi/cabinet/debug.log.