diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md new file mode 100644 index 000000000..5ad373350 --- /dev/null +++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md @@ -0,0 +1,73 @@ +#### IP-Groups feature as part of Override Rules feature. + +The Override Rules feature allows you to modify original or parent policy settings. + +Rules are defined using specific conditions, which can include an IP group based on the declarative policy JSON schema. + +When triggered, the rule is applied to the _clientIp_ attribute using the _matches_ function. + +'clientIp.matches(ipAddressLists["standalone"])' + +Here is a policy example: + +```json +{ + "policy": { + "name": "ip_group_override_rule", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "caseInsensitive": false, + "enforcementMode": "blocking", + "ip-address-lists": [ + { + "name": "standalone", + "description": "This is my list of IP addresses", + "ipAddresses": [ + { + "ipAddress": "6.5.3.3/32" + }, + { + "ipAddress": "6.5.4.2" + } + ] + } + ], + "override-rules": [ + { + "name": "myFirstRule", + "condition": "clientIp.matches(ipAddressLists['standalone'])", + "actionType": "violation", + "violation": { + "block": true, + "alarm": true, + "attackType": { + "name": "Forceful Browsing" + }, + "description": "Attempt to access from clientIp", + "rating": 4 + } + } + ], + "general": { + "trustXff": true + } + } +} +``` + +The previous example policy contains an IP group with the name "standalone", used for the override rule condition "clientIp.matches(ipAddressLists['standalone'])". +The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone". +The value used for the override condition must exist and exactly match the name in "ip-address-lists". + +#### Possible errors + +| Error text | Input | Explanation | +| -----------| ------------- | ------------ | +| _Invalid field invalidList_ | _clientIp.matches(invalidList['standalone']);_ | An incorrect keyword was used instead of _ipAddressLists_ | +| _Invalid value empty string_ | _clientIp.matches(ipAddressLists['']_ | An empty name was provided | +| _Failed to compile policy - 'ipGroupOverridePolicy'_ | _uri.matches(ipAddressLists['standalone']);_ | Used _ipAddressLists_ without the _clientIP_ attribute | + + + diff --git a/content/includes/nap-waf/config/common/ip-groups-overview.md b/content/includes/nap-waf/config/common/ip-groups-overview.md new file mode 100644 index 000000000..635cd4c67 --- /dev/null +++ b/content/includes/nap-waf/config/common/ip-groups-overview.md @@ -0,0 +1,86 @@ +IP groups is a feature to organize lists of allowed and forbidden IP addresses across several lists with common attributes. + +This allows you to control unique policy settings for incoming requests based on specific IP addresses. + +Each IP Group contains a unique name, enforcement type (_always_, _never_ and _policy-default_), and list of IP addresses. + + +An example of a declarative policy using IP Groups configuration: + +```json +{ + "policy": { + "name": "IpGroups_policy", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "caseInsensitive": false, + "enforcementMode": "blocking", + "ip-address-lists": [ + { + "name": "Standalone", + "description": "Optional Description", + "blockRequests": "policy-default", + "setGeolocation": "IN", + "ipAddresses": [ + { + "ipAddress": "1.2.3.4/32" + }, + { + "ipAddress": "1111:fc00:0:112::2" + } + ] + } + ] + } +} + +``` +The example with IP-Group definition in external file external_ip_groups.json: + +```json +{ + "policy": { + "name": "IpGroups_policy2", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "caseInsensitive": false, + "enforcementMode": "blocking", + "ip-address-lists": [ + { + "name": "external_ip_groups", + "description": "Optional Description", + "blockRequests": "always", + "setGeolocation": "IL", + "ipAddresses": [ + { + "ipAddress": "31.8.194.27" + } + ], + "$ref": "file:///tmp/policy/external_ip_groups.json" + } + ] + } +} +``` +Example of the file external_ip_groups.json + +```json +{ + "name": "External Ip Groups List", + "description": "Optional Description", + "blockRequests": "always", + "setGeolocation": "IR", + "ipAddresses": [ + { + "ipAddress": "66.51.41.21" + }, + { + "ipAddress": "66.52.42.22" + } + ] +} +``` diff --git a/content/includes/nap-waf/config/common/ip-intelligence-conf.md b/content/includes/nap-waf/config/common/ip-intelligence-conf.md new file mode 100644 index 000000000..4af0b9d91 --- /dev/null +++ b/content/includes/nap-waf/config/common/ip-intelligence-conf.md @@ -0,0 +1,118 @@ + + + +As of NAP version 4.15.0 (for NAP V4 deployments), and NAP version 5.7.0 (for NAP V5 deployments), NGINX App Protect WAF includes a new feature named IP Intelligence. This features allows customizing the enforcement based on the source IP of the request to limit access from IP addresses with questionable reputation. Please note that: +- The IP intelligence feature is disabled by default and needs to be explicitly enabled and configured in the policy. +- The package `app-protect-ip-intelligence` needs to be installed (for NAP V4 deployments), or the IP Intelligence image deployed (for NAP V5 deployments), before configuring and using the feature. This package installs the client that downloads and updates the database required for enforcing IP Intelligence. + +After installing the package or image, enable the feature in the following two places in the policy: +1. By enabling the corresponding violation in the violation list: `"name": "VIOL_MALICIOUS_IP"` and assigning the required `block` and `alarm` values to the violation. + +2. By enabling the featue in the corresponding IP Intelligence JSON section: `"ip-intelligence": {"enabled": true}` and define actions for the IP Intelligence categories listed below. + +An example policy where both elements are enabled, and all the IP intelligence categories are configured to `block` and `alarm` can be found here: + +```json +{ + "policy": { + "name": "ip_intelligency_policy", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "caseInsensitive": false, + "enforcementMode": "blocking", + "blocking-settings": { + "violations": [ + { + "name": "VIOL_MALICIOUS_IP", + "alarm": true, + "block": true + } + ] + }, + "ip-intelligence": { + "enabled": true, + "ipIntelligenceCategories": [ + { + "category": "Anonymous Proxy", + "alarm": true, + "block": true + }, + { + "category": "BotNets", + "alarm": true, + "block": true + }, + { + "category": "Cloud-based Services", + "alarm": true, + "block": true + }, + { + "category": "Denial of Service", + "alarm": true, + "block": true + }, + { + "category": "Infected Sources", + "alarm": true, + "block": true + }, + { + "category": "Mobile Threats", + "alarm": true, + "block": true + }, + { + "category": "Phishing Proxies", + "alarm": true, + "block": true + }, + { + "category": "Scanners", + "alarm": true, + "block": true + }, + { + "category": "Spam Sources", + "alarm": true, + "block": true + }, + { + "category": "Tor Proxies", + "alarm": true, + "block": true + }, + { + "category": "Web Attacks", + "alarm": true, + "block": true + }, + { + "category": "Windows Exploits", + "alarm": true, + "block": true + } + ] + } + } +} +``` +This policy will basically block `"block": true` all IP addresses that are part of any threat category and add a log entry `"alarm": true` for the transaction. + +The IP address database is managed by an external provider and is constantly updated (every 1 minute by default). The database also categorizes IP addresses into one or more threat categories. These are the same categories that can be configured individually in the IP intelligence section: +- Anonymous Proxy +- BotNets +- Cloud-based Services +- Denial of Service +- Infected Sources +- Mobile Threats +- Phishing Proxies +- Scanners +- Spam Sources +- Tor Proxies +- Web Attacks +- Windows Exploits + +Note that since the IP address database is constantly updated, IP address enforcement is also expected to change. IP Addresses may be added, removed, or moved from one category to another based on the reported activity of the IP address. diff --git a/content/nap-waf/ip-intelligence.md b/content/nap-waf/ip-intelligence.md new file mode 100644 index 000000000..458f0428d --- /dev/null +++ b/content/nap-waf/ip-intelligence.md @@ -0,0 +1,69 @@ + + +If the deployment intends to use the IP intelligence Feature (avaiable from version 5.7.0), then the IP intelligence container needs to be added to the deployment in the docker compose file. + +Modify the original `docker-compose.yml` file to include the additional IP Intelligence container: + +```yaml +services: + waf-enforcer: + container_name: waf-enforcer + image: private-registry.nginx.com/nap/waf-enforcer:5.7.0 + environment: + - ENFORCER_PORT=50000 + ports: + - "50000:50000" + volumes: + - /opt/app_protect/bd_config:/opt/app_protect/bd_config + - /var/IpRep:/var/IpRep + networks: + - waf_network + restart: always + user: "101:101" + depends_on: + - waf-ip-intelligence + + waf-config-mgr: + container_name: waf-config-mgr + image: private-registry.nginx.com/nap/waf-config-mgr:5.7.0 + volumes: + - /opt/app_protect/bd_config:/opt/app_protect/bd_config + - /opt/app_protect/config:/opt/app_protect/config + - /etc/app_protect/conf:/etc/app_protect/conf + restart: always + user: "101:101" + network_mode: none + depends_on: + waf-enforcer: + condition: service_started + + waf-ip-intelligence: + container_name: waf-ip-intelligence + image: private-registry.nginx.com/nap/waf-ip-intelligence:5.7.0 + volumes: + - /var/IpRep:/var/IpRep + networks: + - waf_network + restart: always + user: "101:101" + +networks: + waf_network: + driver: bridge +``` + +Notes: +- Replace `waf-config-mgr`, `waf-enforcer` and `waf-ip-intelligence` tags with the actual release version tag you are deploying. We are using version 5.7.0 for this example deployment. +- By default, the containers `waf-config-mgr`, `waf-enforcer` and `waf-ip-intelligence` operate with the user and group IDs set to 101:101. Ensure that the folders and files are accessible to these IDs. + +Before you create the deployment in docker compose, create the directories: + +```shell +sudo mkdir -p /opt/app_protect/config /opt/app_protect/bd_config /var/IpRep +``` + +Then set ownership: + +```shell +sudo chown -R 101:101 /opt/app_protect/ /var/IpRep +``` \ No newline at end of file diff --git a/content/nap-waf/v4/admin-guide/install.md b/content/nap-waf/v4/admin-guide/install.md index c3e0575dc..8b3cb0185 100644 --- a/content/nap-waf/v4/admin-guide/install.md +++ b/content/nap-waf/v4/admin-guide/install.md @@ -51,6 +51,8 @@ The NGINX App Protect WAF package has the following dependencies: See the NGINX Plus full list of prerequisites for more details. NGINX App Protect WAF can be installed as a module to an existing NGINX Plus installation or as a complete NGINX Plus with App Protect installation in a clean environment. +Please note that an additional package **app-protect-ip-intelligence** is required if the customer intends to use the IP Intelligence feature. This package does not come as a dependency of App Protect and needs to be installed and maintained separately. This package installs the client that downloads and updates the database required for enforcing IP Intelligence. + ## Storage I/O Performance When deploying App Protect on NGINX Plus take into consideration the performance of storage on which it is going to be installed. @@ -214,6 +216,18 @@ If a user other than **nginx** is to be used, note the following: sudo service nginx start ``` +14. As of version 4.15.0, a new feature feature `IP Intelligence` is available. The feature requires the installation of an additional package to function properly: + + ```shell + sudo apk add app-protect-ip-intelligence + ``` + + After installing the package, run the client: + + ```shell + /opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 & + ``` + --- ## Amazon Linux Installation @@ -328,6 +342,18 @@ If a user other than **nginx** is to be used, note the following: sudo systemctl start nginx ``` +1. As of version 4.15.0, a new feature feature `IP Intelligence` is available. The feature requires the installation of an additional package to function properly: + + ```shell + sudo dnf install app-protect-ip-intelligence + ``` + + After installing the package, run the client: + + ```shell + /opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 & + ``` + ## Debian Installation 1. If you already have NGINX packages in your system, back up your configs and logs: @@ -467,6 +493,18 @@ If a user other than **nginx** is to be used, note the following: sudo systemctl start nginx ``` +16. As of version 4.15.0, a new feature feature `IP Intelligence` is available. The feature requires the installation of an additional package to function properly: + + ```shell + sudo apt install app-protect-ip-intelligence + ``` + + After installing the package, run the client: + + ```shell + /opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 & + ``` + {{< warning >}} Debian enables **AppArmor** by default, but NGINX App Protect WAF will run in unconfined mode after being installed as it is shipped with no AppArmor profile. To benefit from AppArmor access control capabilities for NGINX App Protect WAF, you will have to write your own AppArmor profile for NGINX App Protect WAF executables found in `/opt/app_protect/bin` such that it best suits your environment. {{< /warning >}} @@ -588,6 +626,18 @@ If a user other than **nginx** is to be used, note the following: sudo systemctl start nginx ``` +17. As of version 4.15.0, a new feature feature `IP Intelligence` is available. The feature requires the installation of an additional package to function properly: + + ```shell + sudo dnf install app-protect-ip-intelligence + ``` + + After installing the package, run the client: + + ```shell + /opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 & + ``` + --- ## RHEL 9+ Installation @@ -708,6 +758,18 @@ If a user other than **nginx** is to be used, note the following: sudo systemctl start nginx ``` +1. As of version 4.15.0, a new feature feature `IP Intelligence` is available. The feature requires the installation of an additional package to function properly: + + ```shell + sudo dnf install app-protect-ip-intelligence + ``` + + After installing the package, run the client: + + ```shell + /opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 & + ``` + --- ## Ubuntu Installation @@ -843,6 +905,18 @@ If a user other than **nginx** is to be used, note the following: sudo systemctl start nginx ``` +16. As of version 4.15.0 (not avaiable for the deprecated Ubuntu 20.04), a new feature `IP Intelligence` is available. The feature requires the installation of an additional package to function properly: + + ```shell + sudo apt install app-protect-ip-intelligence + ``` + + After installing the package, run the client: + + ```shell + /opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 & + ``` + {{< note >}} Ubuntu 20.04 / Ubuntu 22.04 / Ubuntu 24.04 activates **AppArmor** by default, but NGINX App Protect WAF will run in unconfined mode after being installed as it is shipped with no AppArmor profile. To benefit from AppArmor access control capabilities for NGINX App Protect WAF, you will have to write your own AppArmor profile for NGINX App Protect WAF executables found in `/opt/app_protect/bin` such that it best suits your environment. {{< /note >}} @@ -933,7 +1007,13 @@ If a user other than **nginx** is to be used, note the following: /bin/su -s /bin/sh -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 307200000 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config 2>&1 >> /var/log/app_protect/bd-socket-plugin.log &" nginx /usr/sbin/nginx -g 'daemon off;' ``` + + If you want to use IP intelligence feature (Available from versions 4.15.0 and above), add this additional line to your `entrypoint.sh` file: + ```shell + /opt/app_protect/bin/iprepd /etc/app_protect/tools/iprepd.cfg > ipi.log 2>&1 & + ``` + 7. Create a Docker image: - For Oracle Linux/Debian/Ubuntu/Alpine/Amazon Linux: @@ -996,6 +1076,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ apk update && apk add app-protect +# Only use if you want to install and use the IP intelligence feature: +RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/apk/cert.key,mode=0644 \ + apk update && apk app-protect-ip-intelligence + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1033,6 +1118,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && dnf clean all \ && rm -rf /var/cache/yum +# Only use if you want to install and use the IP intelligence feature: +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf -y install app-protect-ip-intelligence + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1085,6 +1175,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ apt-get update && apt-get install -y app-protect +# Only use if you want to install and use the IP intelligence feature: +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get install -y app-protect-ip-intelligence + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1125,6 +1220,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && dnf clean all \ && rm -rf /var/cache/dnf +# Only use if you want to install and use the IP intelligence feature: +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf install -y app-protect-ip-intelligence + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1163,6 +1263,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && dnf clean all \ && rm -rf /var/cache/dnf +# Only use if you want to install and use the IP intelligence feature: +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf install -y app-protect-ip-intelligence + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1204,6 +1309,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 && dnf clean all \ && rm -rf /var/cache/dnf +# Only use if you want to install and use the IP intelligence feature: +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + dnf install -y app-protect-ip-intelligence + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1256,6 +1366,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y app-protect +# Only use if you want to install and use the IP intelligence feature: +RUN --mount=type=secret,id=nginx-crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + apt-get install -y app-protect-ip-intelligence + # Forward request logs to Docker log collector: RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log @@ -1628,6 +1743,12 @@ On a host with access to the NGINX App Protect WAF repository: yum install --downloadonly --downloaddir=/etc/packages/ app-protect ``` +Only use if you want to install and use the IP intelligence feature: + + ```shell + yum install --downloadonly --downloaddir=/etc/packages/ app-protect-ip-intelligence + ``` + 3. Download the `epel-release` dependency package: For RHEL 8.1+ / Oracle Linux 8.1+: @@ -1656,6 +1777,12 @@ On an offline host: yum -y install app-protect ``` +Only use if you want to install and use the IP intelligence feature: + + ```shell + yum -y install app-protect-ip-intelligence + ``` + ### Example Deployment for Debian/Ubuntu #### Add the NGINX App Protect WAF Packages to an Internal Repository @@ -1670,6 +1797,12 @@ On a host with access to the NGINX App Protect WAF repository: apt-get update for i in $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances app-protect | grep "^\w" | sort -u); do apt-get download $i 2>>errors.txt; done ``` +Only use if you want to install and use the IP intelligence feature: + + ```shell + cd /etc/packages/ + apt-get download app-protect-ip-intelligence + ``` 2. Add the packages in `/etc/packages` to your local repository. @@ -1685,6 +1818,11 @@ On an offline host: apt-get update apt-get install -y app-protect ``` +Only use if you want to install and use the IP intelligence feature: + + ```shell + apt-get install -y app-protect-ip-intelligence + ``` ## Post-Installation Checks diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 025870d05..e6c50364d 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -38,7 +38,8 @@ When configuring NGINX App Protect WAF, `app_protect_enable` should always be en |[Deny and Allow IP lists](#deny-and-allow-ip-lists) | Manually define denied & allowed IP addresses as well as IP addresses to never log. | |[XFF headers & trust](#xff-headers-and-trust) | Disabled by default. User can enable it and optionally add a list of custom XFF headers. | |[gRPC Protection](#grpc-protection-for-unary-traffic) | gRPC content profile detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection can be on [unary](#grpc-protection-for-unary-traffic) or [bidirectional](#grpc-protection-for-bidirectional-streaming) traffic.| -|[Brute Force Attack Preventions](#brute-force-attack-preventions) | Configure brute-force-attack-preventions parameters to secured areas of a web application from brute force attacks.|} +|[Brute Force Attack Preventions](#brute-force-attack-preventions) | Configure brute-force-attack-preventions parameters to secured areas of a web application from brute force attacks.| +|[IP Groups](#ip-address-lists) | Configure IP Groups feature to organize lists of allowed and forbidden IP addresses across several lists with common attributes.| ### Disallowed File Types {{< include "nap-waf/config/common/disallowed-file-types.md" >}} @@ -240,6 +241,10 @@ http { {{< include "nap-waf/config/common/enforcer-cookie-settings.md" >}} +### IP Intelligence Configuration + +{{< include "nap-waf/config/common/ip-intelligence-conf.md" >}} + ### Additional Configuration Options @@ -478,6 +483,15 @@ For the full reference of Override Rules condition syntax and usage see the NGIN {{< include "nap-waf/config/common/geolocation-override-rules.md" >}} +## IP Groups + +### Overview + +{{< include "nap-waf/config/common/ip-groups-overview.md" >}} + +### IP Groups in Policy Override Rules Conditions + +{{< include "nap-waf/config/common/ip-groups-override-rules.md" >}} ## JSON Web Token Protection @@ -660,12 +674,23 @@ systematic, username/password combinations to discover legitimate authentication To prevent brute force attacks, NGINX App Protect WAF monitors IP addresses, usernames, and the number of failed login attempts beyond a maximum threshold. When brute force patterns are detected, the NGINX App Protect WAF policy either trigger an alarm or block the attack if the failed login attempts reached a maximum threshold for a specific username or coming from a specific IP address. -To enable brute force protection, at least one login page must be created. -The login page entity is created separately and is not included in the brute force configuration block. +In order to create a brute force configuration for a specific URL in Nginx App Protect you must first create a User-Defined URL, then a Login Page and finally define the URL element in the Brute Force configuration section. --- +### The User-Defined URL example + +```json +"urls": [ + { + "method": "*", + "name": "/html_login", + "protocol": "http", + "type": "explicit" + } + ], +``` -### Login page policy example +### Login pages example A login page specifies the login URL that users must pass through to get authenticated. The configuration of a login URL includes the URL itself, the username and passwords parameters and the validation criteria (how we know that a login was successful or failed) ```json @@ -690,18 +715,10 @@ A login page specifies the login URL that users must pass through to get authent {{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< ref "/nap-waf/v4/declarative-policy/policy/#policy/login-pages" >}}). {{< /note >}} --- -### Brute force policy example +### Brute force prevention example Example1: A single brute force configuration is applied universally to all login pages. ```json -{ - "policy": { - "name": "BruteForcePolicy", - "template": { - "name": "POLICY_TEMPLATE_NGINX_BASE" - }, - "applicationLanguage": "utf-8", - "enforcementMode": "blocking", "brute-force-attack-preventions" : [ { "bruteForceProtectionForAllLoginPages" : true, @@ -719,21 +736,11 @@ Example1: A single brute force configuration is applied universally to all login "sourceBasedProtectionDetectionPeriod" : 3600 } ] - } -} ``` Example2: Different brute force configurations can be defined for individual login pages, with each configuration referencing a specific login page. ```json -{ - "policy": { - "name": "BruteForcePolicySpec", - "template": { - "name": "POLICY_TEMPLATE_NGINX_BASE" - }, - "applicationLanguage": "utf-8", - "enforcementMode": "blocking", "brute-force-attack-preventions" : [ { "bruteForceProtectionForAllLoginPages" : false, @@ -753,13 +760,72 @@ Example2: Different brute force configurations can be defined for individual log "method": "*", "name": "/html_login", "protocol": "http" - } + } } ], +``` - } +The following example adds all three of the pieces for a complete example policy. + +```json +{ + "policy": { + "name": "BruteForcePolicy", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "urls": [ + { + "method": "*", + "name": "/html_login", + "protocol": "http", + "type": "explicit" + } + ], + "login-pages": [ + { + "accessValidation": { + "responseContains": "Success" + }, + "authenticationType": "form", + "url": { + "method": "*", + "name": "/html_login", + "protocol": "http", + "type": "explicit" + }, + "usernameParameterName": "username", + "passwordParameterName": "password" + } + ], + "brute-force-attack-preventions": [ + { + "bruteForceProtectionForAllLoginPages": false, + "loginAttemptsFromTheSameIp": { + "action": "alarm", + "enabled": true, + "threshold": 20 + }, + "loginAttemptsFromTheSameUser": { + "action": "alarm", + "enabled": true, + "threshold": 3 + }, + "reEnableLoginAfter": 3600, + "sourceBasedProtectionDetectionPeriod": 3600, + "url": { + "method": "*", + "name": "/html_login", + "protocol": "http" + } + } + ] + } } ``` + {{< note >}} For further configuration details, see NGINX App Protect WAF Declarative Policy Guide [Declarative Policy guide]({{< ref "/nap-waf/v4/declarative-policy/policy/#policy/brute-force-attack-preventions" >}}). {{< /note >}} ## Custom Dimensions Log Entries diff --git a/content/nap-waf/v5/admin-guide/install.md b/content/nap-waf/v5/admin-guide/install.md index 3a125b0a9..301fc387c 100644 --- a/content/nap-waf/v5/admin-guide/install.md +++ b/content/nap-waf/v5/admin-guide/install.md @@ -314,6 +314,10 @@ In some operating systems, security mechanisms like **SELinux** or **AppArmor** curl "localhost/