Installation and configuration Nemesida WAF Free

Installation and setup of Nemesida WAF Free takes only a few minutes.

The dynamic module Nemesida WAF is available for:

Nginx stable from 1.12 ;

; Nginx mainline from 1.17 ;

; Nginx Plus.

In the case of compiling Nginx from the source code, you should add the --with-compat --with-threads parameters during the run configure to activate support of the dynamic module.

Debian Ubuntu CentOS Add the Nginx and Nemesida WAF repositories: Debian 9 # echo "deb http://nginx.org/packages/debian/ stretch nginx" > /etc/apt/sources.list.d/nginx.list # wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add - # echo "deb https://repository.pentestit.ru/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list # wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add - Make the installation of the packages: # apt update && apt upgrade # apt install nginx # apt install python3-pip python3-dev python3-setuptools librabbitmq4 libcurl4-openssl-dev libc6-dev dmidecode gcc rabbitmq-server # python3.5 -m pip install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout # apt install nwaf-dyn-1.18 where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16). Debian 10 # echo "deb http://nginx.org/packages/debian/ buster nginx" > /etc/apt/sources.list.d/nginx.list # wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add - # echo "deb https://repository.pentestit.ru/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list # wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add - Make the installation of the packages: # apt update && apt upgrade # apt install nginx # apt install python3-pip python3-dev python3-setuptools librabbitmq4 libcurl4-openssl-dev libc6-dev dmidecode gcc rabbitmq-server # python3.7 -m pip install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout # apt install nwaf-dyn-1.18 where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16). # apt install apt-transport-https 16.04 # echo "deb http://nginx.org/packages/ubuntu/ xenial nginx"> /etc/apt/sources.list.d/nginx.list # wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add - # echo "deb [arch=amd64] https://repository.pentestit.ru/nw/ubuntu xenial non-free" > /etc/apt/sources.list.d/NemesidaWAF.list # wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add - Add the Nginx and Nemesida WAF repositories: Add the Python 3.6 repository: # apt install software-properties-common # add-apt-repository ppa:deadsnakes/ppa Install the packages: # apt update && apt upgrade # apt install python3.6 python3.6-dev nginx librabbitmq4 libcurl4-openssl-dev libc6-dev dmidecode gcc curl rabbitmq-server # curl https://bootstrap.pypa.io/get-pip.py | python3.6 # python3.6 -m pip install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout 18.04 # echo "deb http://nginx.org/packages/ubuntu/ bionic nginx"> /etc/apt/sources.list.d/nginx.list # wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add - # echo "deb [arch=amd64] https://repository.pentestit.ru/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list # wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add - # apt update && apt upgrade # apt install python3-pip python3-dev python3-setuptools nginx librabbitmq4 libcurl4-openssl-dev libc6-dev dmidecode gcc rabbitmq-server # python3.6 -m pip install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout Add the Nginx and Nemesida WAF repositories, install the packages: 20.04 # echo "deb http://nginx.org/packages/ubuntu/ focal nginx"> /etc/apt/sources.list.d/nginx.list # wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add - # echo "deb [arch=amd64] https://repository.pentestit.ru/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list # wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add - # apt update && apt upgrade # apt install python3.8 python3-pip python3.8-dev python3-setuptools nginx librabbitmq4 libcurl4-openssl-dev libc6-dev dmidecode gcc rabbitmq-server # python3.8 -m pip install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout Add the Nginx and Nemesida WAF repositories, install the packages: # apt install nwaf-dyn-1.18 where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16). # setenforce 0 Configure the SELinux policy or deactivate it with the command: then bring the file /etc/selinux/config to the form: # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted CentOS 7 # rpm -Uvh https://repository.pentestit.ru/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm # yum update # yum install epel-release Create an additional repository and install the required dependencies: Add the Nginx repository and install the packages: # rpm -Uvh https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm # yum update # yum install nginx # yum install python36-pip python36-devel systemd openssl librabbitmq libcurl-devel gcc dmidecode rabbitmq-server # python3.6 -m pip install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout # yum install nwaf-dyn-1.18 where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

CentOS 8 # dnf install dnf-utils Install the package: Add the Nginx repository, changing file /etc/yum.repos.d/nginx.repo : [nginx-stable] name=nginx stable repo baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ gpgcheck=1 enabled=1 gpgkey=https://nginx.org/keys/nginx_signing.key module_hotfixes=true Install the packages: # dnf update # dnf install nginx # dnf install python3-pip python3-devel openssl rabbitmq-server librabbitmq libcurl-devel gcc dmidecode systemd # python3.6 -m pip install --no-cache-dir pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout # dnf install nwaf-dyn-1.18 where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).



Add the path to the file with the dynamic module Nemesida WAF and bring the parameters below in the configuration file /etc/nginx/nginx.conf to the form:

load_module /etc/nginx/modules/ngx_http_waf_module.so; ... worker_processes auto; ... http { ... ## # Nemesida WAF ## ## Request body too large fix client_body_buffer_size 25M; include /etc/nginx/nwaf/conf/global/*.conf; include /etc/nginx/nwaf/conf/vhosts/*.conf; ... }

To update signatures, provide access to https://nemesida-security.com . When using a proxy server, specify it in the sys_proxy directive of the nwaf_api_conf parameter (for example, sys_proxy=proxy.example.com:3128 ).

Restart the server and test :

# systemctl restart nginx.service nwaf_update.service # systemctl status nginx.service nwaf_update.service

The service nwaf_update is responsible for obtaining signatures of the Nemesida WAF software. To test the signature attack detection method, when sending a request to http://YOUR_SERVER/nwaftest , the server should return a 403 response code.

After Nemesida WAF installation you can install Nemesida WAF API and Nemesida WAF Cabinet, which is intended to visualise and classify the information about attacks and identified vulnerabilities:

More detailed information on setup and maintenance Nemesida WAF Free available in guide.

Nemesida WAF is also available as a virtual appliance or as a Docker image.