Our Ninja Lab is always full of fantastic ideas and improvements. Sometimes it’s an easy ride to develop a terrific feature, sometimes it takes longer to find the right recipe. Yes, you guessed well, we are talking about the web application firewall module.
But thanks to our enthusiastic users’ contribution in development and to our ’never givin’ up’ kind of tech ninjas, WAF Beta is available now for BitNinja 1.8.
Generally speaking, web application firewalls monitor, filter and block incoming and outgoing traffic on HTTP protocol. Through analysis it is a good protection shield against common web hacks, like injection flaws (eg. SQL injection), cross site scripting (XSS), session hijacking and DDoS attacks.
Let us tell how it works for BitNinja, in a nutshell.
We created a network-based application layer firewall, that is also known as proxy-based firewall. For the first release, it will be turned off by default. You can easily acivate it on the dashboard. You’ll find the details below.
At the moment, BitNinja WAF beta only scans incoming traffic real-time. With the built-in HTTP proxy solution (redirecting traffic from port 80 to port 60042, according to iptables rules), we are able to analyze traffic. We created some filter pattern, mainly containing strings and RegExps. If BitNinja finds any suspicious, connection will be banned and the IP’s getting to our greylist.
If you have any tips about further patterns, that you think would be worth to examine, don’t keep it. Just drop us an email! This way, we’ll distribute it among all users, but only for logging. After that we’ll analyze its false positive rate, and if it’s fine, roll it out.
/Sneak peak: We’re planning to extend this feature, so as every user can set different patterns to their servers. And also plan to build some general detecting mechanism for SQL injection, XSS and malware infections. /
BitNinja WAF has currently a maximum of 1000 simultanous connection limit. If your server manages more than this amout, please send us a mail to get information about how to fine tune the module.
BitNinja WAF forks a new process for every request to spray the load between multiple CPU-s. Every process has currently about 7 KB memory footprint, so it is very resource friendly.
1. Make sure you have the right bitninja version installed (1.8+)
2. Make sure your web server can handle proxy requests from BitNinja WAF.
Apache: you can use mod_rpaf for this, or similar apache modules (like mod_extract_forwarded, mod_remoteip)
Example mod_rpaf configuration:
RPAFenable On
# When enabled, take the incoming X-Host header and
# update the virtualhost settings accordingly:
RPAFsethostname On
# Define which IP's are your frontend proxies that sends
# the correct X-Forwarded-For headers:
RPAFproxy_ips 127.0.0.1
# Change the header name to parse from the default
# X-Forwarded-For to something of your choice:
# RPAFheader X-Real-IP
3. Go to the BitNinja dashboard, select the server, click on the Details button and select Summary. Then scroll down, and the last record is WAF. Click on ’Enable’. Wait 10 seconds, and voilá, BitNinja WAF is active on your server!
You can find detailed logs about incidents on your server in /var/log/bitninja/mod.waf.log file.
Happy Hacker Hunting!
UPDATE:
You can find the detailed installation instructions at our documentation site.
The easiest way to disable BitNinja is from the admin panel by clicking on the ’Disable’ button. If there is connection problem between BitNinja central and your server, you can disable the WAF module by restarting bitninja with
# service bitninja stop
// wait 10 seconds
# service bitninja start
If you need any help to enable BitNinja WAF, please feel free to contact us!
During the WAF beta period, our free users get the chance to restart their 7-day trial period. This way they can also test the BitNinja WAF without any liabilities.
Contact us for the details!
