BitNinja WAF Beta

Boglarka Angalet

Our Ninja Lab is always full of fantastic ideas and improvements. Sometimes it’s an easy ride to develop a terrific feature, sometimes it takes longer to find the right recipe. Yes, you guessed well, we are talking about the web application firewall module.

But thanks to our enthusiastic users’ contribution in development and to our ’never givin’ up’ kind of tech ninjas, WAF Beta is available now for BitNinja 1.8.

 

Web Application Firewall: a holy grail feature

Generally speaking, web application firewalls monitor, filter and block incoming and outgoing traffic on HTTP protocol. Through analysis it is a good protection shield against common web hacks, like injection flaws (eg. SQL injection), cross site scripting (XSS), session hijacking and DDoS attacks.

 

BitNinja WAF

Let us tell how it works for BitNinja, in a nutshell.

We created a network-based application layer firewall, that is also known as proxy-based firewall. For the first release, it will be turned off by default. You can easily acivate it on the dashboard. You’ll find the details below.

 

Please keep in mind that it is a beta version. Our internal tests had very nice results, but it doesn’t mean that it has no hidden bugs. You can try it at your own risk, so please exercise caution while testing.

 

At the moment, BitNinja WAF beta only scans incoming traffic real-time. With the built-in HTTP proxy solution (redirecting traffic from port 80 to port 60042, according to iptables rules), we are able to analyze traffic. We created some filter pattern, mainly containing strings and RegExps. If BitNinja finds any suspicious, connection will be banned and the IP’s getting to our greylist.

If you have any tips about further patterns, that you think would be worth to examine, don’t keep it. Just drop us an email! This way, we’ll distribute it among all users, but only for logging. After that we’ll analyze its false positive rate, and if it’s fine, roll it out.

/Sneak peak: We’re planning to extend this feature, so as every user can set different patterns to their servers. And also plan to build some general detecting mechanism for SQL injection, XSS and malware infections. /

 

Limitations:

BitNinja WAF has currently a maximum of 1000 simultanous connection limit. If your server manages more than this amout, please send us a mail to get information about how to fine tune the module.

BitNinja WAF forks a new process for every request to spray the load between multiple CPU-s. Every process has currently about 7 KB memory footprint, so it is very resource friendly.

 

What do you have to do to enable BitNinja WAF?

1. Make sure you have the right bitninja version installed (1.8+)
2. Make sure your web server can handle proxy requests from BitNinja WAF.

 

Apache: you can use mod_rpaf for this, or similar apache modules (like mod_extract_forwarded, mod_remoteip)

 

Example mod_rpaf configuration:


    RPAFenable On

    # When enabled, take the incoming X-Host header and
    # update the virtualhost settings accordingly:
    RPAFsethostname On

    # Define which IP's are your frontend proxies that sends
    # the correct X-Forwarded-For headers:
    RPAFproxy_ips 127.0.0.1 

    # Change the header name to parse from the default
    # X-Forwarded-For to something of your choice:
    #   RPAFheader X-Real-IP

 

3. Go to the BitNinja dashboard, select the server, click on the Details button and select Summary. Then scroll down, and the last record is WAF. Click on ’Enable’. Wait 10 seconds, and voilá, BitNinja WAF is active on your server!


You can find detailed logs about incidents on your server in /var/log/bitninja/mod.waf.log file.

 

Happy Hacker Hunting!

UPDATE:

You can find the detailed installation instructions at our documentation site.

Something is wrong with BitNinja WAF. How can I disable it?

The easiest way to disable BitNinja is from the admin panel by clicking on the ’Disable’ button. If there is connection problem between BitNinja central and your server, you can disable the WAF module by restarting bitninja with

 

 # service bitninja stop
 // wait 10 seconds
 # service bitninja start

 

If you need any help to enable BitNinja WAF, please feel free to contact us!

A little surprise for our free users

During the WAF beta period, our free users get the chance to restart their 7-day trial period. This way they can also test the BitNinja WAF without any liabilities.

Contact us for the details!


Share your ideas with us about this article

Previous posts

Abdullkarem attack – a hack against sysadmins’ bad practice
Mystery is on the horizon, ladies and gentlemen! And we always get excited about unappreciated server attacks. Just like in case of this ‘abdulkarrem’ one. Come, put on the role of Sherlock Holmes with us. Recently, there is a very frequent attack type. More and more sysadmin experience and complain about malicious request like these: GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem&GET /wp-includes/css/log.php?php4&root&upl&wphp4&abdullkarem&45GET /wp-admin/includes/iindex.php?php4&root&upl&wphp4&abdullkarem&450799&wp&GET /wp-includes/iindex.php?php4&root&upl&...
The story of BitNinja WAF from backstage
BitNinja has two very efficient detection modules. Log analysis and DoS detection does a great job in filtering attacks, but they are lack of one very important thing. Log analysis can only work on requests already reached your server. There are attacks like login brute force attacks, where it is not a problem as there is a very low chance the right user/pass combination will work within a few trials. Unfortunately, there are attacks when one good targeted request is enough to hack a web application and inject infected code or alter files and gain access. Since we started BitNinja,...