WAF- Managing patterns and testing the BitNinja WAF
BitNinja Security Starting Point - A Short Educational Program
Here at BitNinja we think that cyber security should be simple. So, we’ve designed BitNinja to make your life easier. We’ve built features and capabilities that can greatly simplify your work. Here is a short guide to our product with tips and helpful hints. These educational articles should help you properly utilise BitNinja's features to grow your company while having a clear understanding of how it works!
Generally speaking, a WAF monitors, filters, and blocks incoming and outgoing traffic over the HTTP protocol.
The BitNinja WAF 2.0 gives users more control than usual. It’s customizable on rule and domain levels: it allows you to set custom level protection for each website on the same server and configure the filter level by domain.
Enabling BitNinja WAF
The BitNinja WAF is not active by default; it needs to be enabled.
The steps are very simple:
Log in to https://console.bitninja.io/
Click on the ⚙️ icon of your chosen server.
Switch WAF 2.0 on.
BitNinja WAF 2.0 will be activated within a few minutes.
❗ Important note about ports ❗ Please make sure that the ports required by BitNinja are open, otherwise the WAF module will not work properly. You can find them here. Additionally, the web server has to accept connections from 127.0.0.1 to http://:80 and to https://:443 in order for the WAF module to work.
Our WAF Module has more than 180 available rules that you can use to protect your website. You are free to poke around and experiment with them to see what works best for you. Or if you are more the enable and forget type, we do have 3 predefined rulesets that will most definitely suit your needs.
BitNinja - Recommended (default) produces the lowest false positive rate.
BitNinja - Medium Risk (false positive rate expected)
BitNinja - High Risk (High false positive rate expected)
Each of these rulesets includes a set of rules for the Web Application Firewall that offer protection against various attacks, such as SQL Injection, Cross-Site Scripting and more. The higher the risk level you set, the more rules are enabled, and the more likely it is that normal interactions get flagged as attacks.
Out of the box, BitNinja will use a ruleset that is set to the lowest possible false positive rate. Of course you can adjust this to your needs. For example, you can:
Completely disable the WAF on domain patterns.
Put a website in read-only mode by enabling “Lock Down” so that you can prevent any POST HTTP requests. This can be a useful trick when you see no other way to prevent infections.
Set your own rulesets with different levels of strictness.
Testing the WAF
Here comes the question: how do you make sure that the WAF is actually doing its job?
How to test the WAF?
This is actually pretty easy. Once you have WAF 2.0 activated, simply visit one of the domains on your server such as http://[domain of any sites]/info.php?file=/etc/passwd
The WAF should stop the request before it is executed, and you should see a page telling you that you have been blocked.
The IP will be put on a greylist and flagged as a possible attack against your server. After a refresh or clicking on the IP/Domain in the header, you can delist the IP address by solving the Captcha.
Of course, in case the attacker IP is blacklisted, this is not possible, as the server will not be reachable.
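The check described above can be scripted so you can repeat it after every ruleset change. The following is an added example, not BitNinja's own tooling: it sends the article's test URL to one of your own domains and classifies the response. The block-page markers and the status codes treated as "blocked" are assumptions; adjust them once you have seen your server's actual block page.

```python
import urllib.error
import urllib.request

# Probe path taken from the article's own WAF test.
PROBE_PATH = "/info.php?file=/etc/passwd"

# Assumption: the block page is recognised by one of these status codes or by
# these words in the body. Adjust after inspecting your own block page.
BLOCK_STATUSES = (403, 406, 429, 503)
BLOCK_MARKERS = ("blocked", "captcha", "bitninja")


def build_probe_url(domain: str, scheme: str = "http") -> str:
    """Return the article's test URL for the given domain."""
    return f"{scheme}://{domain}{PROBE_PATH}"


def classify_response(status: int, body: str) -> str:
    """Decide whether a response to the probe shows the WAF intervening."""
    lowered = body.lower()
    if status in BLOCK_STATUSES or any(m in lowered for m in BLOCK_MARKERS):
        return "blocked"
    if status == 404:
        # The request reached the web server and was not filtered.
        return "not-blocked (page missing, request reached the web server)"
    return "not-blocked"


def fetch(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """Perform the request, returning (status, body) even for HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-selfcheck/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")


def check_waf(domain: str) -> dict:
    """Send the probe to one of your own domains and report the verdict."""
    url = build_probe_url(domain)
    status, body = fetch(url)
    return {"url": url, "status": status, "verdict": classify_response(status, body)}


if __name__ == "__main__":
    import sys
    # "example.com" is a placeholder; pass one of your own domains instead.
    print(check_waf(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it from a machine whose IP you can delist afterwards, since, as noted above, the source IP of a triggered request is greylisted.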
When the WAF is triggered under the Network Attacks, you will see lines like this: