NINJA BLOG

Marcell Csendes | 2022.08.08. |
WAF - Managing patterns and testing the BitNinja WAF

BitNinja Security Starting Point – A Short Educational Program

Here at BitNinja we think that cyber security should be simple. So, we’ve designed BitNinja to make your life easier. We’ve built features and capabilities that can greatly simplify your work. 
Here is a short guide to our product with tips and helpful hints. These educational articles should help you properly utilise BitNinja’s features to grow your company while having a clear understanding of how it works!

1. Network Attacks – What are they and how can you filter them with BitNinja?
2. Malware Detection – Set up, schedule, catch and quarantine with BitNinja
3. WAF – Managing patterns and testing the BitNinja WAF
4. IP filtering – Blacklists, whitelists, greylists and the BitNinja logic

In this article you will get to know more about:

  1. What is WAF and what is it for?
  2. Enabling BitNinja WAF
  3. Important note about ports
  4. Creating Patterns
  5. Testing the WAF

What is WAF and what is it for?

The most effective way to block website cyberattacks is at the application layer, using a Web Application Firewall (WAF). It is a good protective shield against common web hacks, like injection flaws (e.g. SQL injection), cross-site scripting (XSS), session hijacking, remote and local file inclusions and other attacks.

Generally speaking, a WAF monitors, filters, and blocks incoming and outgoing traffic over the HTTP protocol.

The BitNinja WAF 2.0 gives users more control than usual. It’s customizable on rule and domain levels: it allows you to set custom level protection for each website on the same server and configure the filter level by domain.

Enabling BitNinja WAF

The BitNinja WAF is not active by default; it needs to be enabled.

The steps are very simple:

  1. Log in to https://console.bitninja.io/
  2. Click the ⚙️ icon of your chosen server.
  3. Switch WAF 2.0 on.

BitNinja WAF 2.0 will be activated within a few minutes.

Important note about ports ❗
IMPORTANT: Please make sure that the ports required by BitNinja are open; otherwise the WAF module will not work properly. You can find them here. Additionally, the web server has to accept connections from 127.0.0.1 to http://:80 and to https://:443 for the WAF module to work.

Our WAF module has more than 180 available rules that you can use to protect your website. You are free to poke around and experiment with them to see what works best for you. Or, if you are more the enable-and-forget type, we have 3 predefined rulesets that will most likely suit your needs.

  • BitNinja – Recommended (default) produces the lowest false positive rate.
  • BitNinja – Medium Risk (false positive rate expected)
  • BitNinja – High Risk (High false positive rate expected)

Each of these rulesets includes a set of Web Application Firewall rules that offer protection against various attacks, such as SQL injection, cross-site scripting and more.
The higher the risk level you set, the more rules are enabled, and the more likely it is that normal interactions get flagged as attacks.

Creating patterns

Out of the box, BitNinja will use a ruleset that is set to the lowest possible false positive rate. Of course you can adjust this to your needs. For example, you can:

  1. Completely disable the WAF on domain patterns.
  2. Put a website in read-only mode by enabling “Lock Down”, which prevents any HTTP POST requests. This can be a useful trick when you see no other way to prevent infections.
  3. You can set your own rulesets with different levels of strictness.

Testing the WAF

Here comes the question: how do you make sure that the WAF is actually doing its job?

How to test the WAF?

This is actually pretty easy. Once you have WAF 2.0 activated, simply visit one of the domains on your server such as http://[domain of any sites]/info.php?file=/etc/passwd

This request triggers the WAF, which prevents the action from being executed, and you should see a page telling you that you have been blocked.

The IP will be put on a greylist and flagged as a possible attack against your server. After a refresh or clicking on the IP/Domain in the header, you can delist the IP address by solving the Captcha.

Of course, in case the attacker IP is blacklisted, this is not possible, as the server will not be reachable.
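To make the per-domain options above (disabling the WAF on a domain pattern, Lock Down, ruleset strictness) and the /etc/passwd test concrete, here is a small simplified model of such a policy engine. It is an added example written for this article, not BitNinja's code or rules; the rule regexes, the DomainPattern fields and the sample hosts under example.test are all constructed for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Hypothetical detection rules: (minimum strictness level at which the rule is
# active, rule name, pattern). Level 1 = recommended, 2 = medium risk, 3 = high
# risk; the level-3 rule is deliberately broad and will produce false positives.
RULES = [
    (1, "path-traversal", re.compile(r"(^|[/\\])\.\.($|[/\\])|/etc/passwd")),
    (1, "sql-injection", re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1)")),
    (2, "xss", re.compile(r"(?i)<script|javascript:")),
    (3, "suspicious-chars", re.compile(r"[<>;]")),
]

@dataclass
class DomainPattern:
    pattern: str             # fnmatch-style host pattern, e.g. "*.example.test"
    enabled: bool = True     # False: WAF completely disabled for matching hosts
    lock_down: bool = False  # True: reject every POST request (read-only site)
    strictness: int = 1      # 1 recommended, 2 medium risk, 3 high risk

# Constructed sample policy: most specific patterns first, wildcard last.
EXAMPLE_PATTERNS = [
    DomainPattern("legacy.example.test", enabled=False),
    DomainPattern("blog.example.test", lock_down=True),
    DomainPattern("*.example.test", strictness=2),
]

def policy_for(host, patterns, default):
    """First matching domain pattern wins; fall back to the server default."""
    for p in patterns:
        if fnmatch.fnmatch(host, p.pattern):
            return p
    return default

def evaluate(method, host, path_and_query, body, patterns, default=DomainPattern("*")):
    """Return 'allow' or 'block:<reason>' for one request."""
    pol = policy_for(host, patterns, default)
    if not pol.enabled:
        return "allow"
    if pol.lock_down and method.upper() == "POST":
        return "block:lock-down"
    # Decode percent-encoding first so "%2Fetc%2Fpasswd" is inspected as "/etc/passwd".
    text = unquote_plus(path_and_query) + "\n" + unquote_plus(body)
    for level, name, rx in RULES:
        if level <= pol.strictness and rx.search(text):
            return f"block:{name}"
    return "allow"

if __name__ == "__main__":
    print(evaluate("GET", "shop.example.test", "/info.php?file=/etc/passwd", "", EXAMPLE_PATTERNS))
```

Running it with the article's test URL against shop.example.test prints `block:path-traversal`, while the same request against the disabled legacy.example.test host is allowed through.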

When the WAF is triggered under the Network Attacks, you will see lines like this:

📌 You can find the technical details and customizations here: Documentation – Web Application Firewall 2.0
