Separate postanalytics module installation¶

The processing of requests in the Wallarm node is divided into two stages:

Primary processing in the NGINX-Wallarm module. The processing is not memory demanding and can be put on frontend servers without changing the server requirements.
Statistical analysis of the processed requests in the postanalytics module. Postanalytics is memory demanding, which may require changes in the server configuration or installation of postanalytics on a separate server.

Depending on the system architecture, the NGINX-Wallarm and postanalytics modules can be installed on the same server or on different servers.

These instructions provide the steps to install the postanalytics module on a separate server.

Requirements¶

The NGINX-Wallarm module installed with NGINX stable from NGINX repository, NGINX from Debian/CentOS repositories or NGINX Plus
Access to the account with the Administrator or Deploy role and two‑factor authentication disabled in Wallarm Console for the EU Cloud or US Cloud
SELinux disabled or configured upon the instructions
Executing all commands as a superuser (e.g. root)
Access to https://repo.wallarm.com to download packages. Ensure the access is not blocked by a firewall
Access to https://api.wallarm.com:444 if working with EU Wallarm Cloud or to https://us1.api.wallarm.com:444 if working with US Wallarm Cloud. If access can be configured only via the proxy server, then use the instructions
Access to GCP storage addresses to download an actual list of IP addresses registered in allowlisted, denylisted, or graylisted countries, regions or data centers
Installed text editor vim, nano, or any other. In the instruction, vim is used

Installation¶

1. Add Wallarm repositories¶

The postanalytics module, like the other Wallarm modules, is installed and updated from the Wallarm repositories. To add repositories, use the commands for your platform:

Debian 9.x (stretch)Debian 9.x (stretch-backports)Debian 10.x (buster)Debian 11.x (bullseye)Ubuntu 18.04 LTS (bionic)Ubuntu 20.04 LTS (focal)CloudLinux OS 6.xCentOS 7.xAmazon Linux 2.0.2021x and lowerAlmaLinux, Rocky Linux or Oracle Linux 8.x

sudo apt install dirmngr
curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
sh -c "echo 'deb https://repo.wallarm.com/debian/wallarm-node stretch/3.6/' | sudo tee /etc/apt/sources.list.d/wallarm.list"
sudo apt update

sudo apt install dirmngr
curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
sh -c "echo 'deb https://repo.wallarm.com/debian/wallarm-node stretch/3.6/' | sudo tee /etc/apt/sources.list.d/wallarm.list"
sh -c "echo 'deb https://repo.wallarm.com/debian/wallarm-node stretch-backports/3.6/' | sudo tee --append /etc/apt/sources.list.d/wallarm.list"
# for correct Wallarm node operation, uncomment the following line in /etc/apt/sources.list`:
# deb http://deb.debian.org/debian stretch-backports main contrib non-free
sudo apt update

sudo apt install dirmngr
curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
sh -c "echo 'deb https://repo.wallarm.com/debian/wallarm-node buster/3.6/' | sudo tee /etc/apt/sources.list.d/wallarm.list"
sudo apt update

sudo apt install dirmngr
curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
sh -c "echo 'deb https://repo.wallarm.com/debian/wallarm-node bullseye/3.6/' | sudo tee /etc/apt/sources.list.d/wallarm.list"
sudo apt update

curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
sh -c "echo 'deb https://repo.wallarm.com/ubuntu/wallarm-node bionic/3.6/' | sudo tee /etc/apt/sources.list.d/wallarm.list"
sudo apt update

curl -fsSL https://repo.wallarm.com/wallarm.gpg | sudo apt-key add -
sh -c "echo 'deb https://repo.wallarm.com/ubuntu/wallarm-node focal/3.6/' | sudo tee /etc/apt/sources.list.d/wallarm.list"
sudo apt update

sudo yum install -y epel-release
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/6/3.6/x86_64/Packages/wallarm-node-repo-1-6.el6.noarch.rpm

sudo yum install -y epel-release
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/7/3.6/x86_64/Packages/wallarm-node-repo-1-6.el7.noarch.rpm

sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/7/3.6/x86_64/Packages/wallarm-node-repo-1-6.el7.noarch.rpm

sudo yum install -y epel-release
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/8/3.6/x86_64/Packages/wallarm-node-repo-1-6.el8.noarch.rpm

2. Install packages for the postanalytics module¶

Install the wallarm-node-tarantool package from the Wallarm repository for the postanalytics module and Tarantool database:

DebianUbuntuCentOS or Amazon Linux 2.0.2021x and lowerAlmaLinux, Rocky Linux or Oracle Linux 8.x

sudo apt install --no-install-recommends wallarm-node-tarantool

sudo apt install --no-install-recommends wallarm-node-tarantool

sudo yum install wallarm-node-tarantool

sudo yum install wallarm-node-tarantool

3. Connect the postanalytics module to Wallarm Cloud¶

The postanalytics module interacts with the Wallarm Cloud. To connect the postanalytics module to the Cloud, it is required to create a separate Wallarm node for the postanalytics module. Created node will get the security rules from the Cloud and upload attacks data to the Cloud.

To create the filtering node and connect the postanalytics module to the Cloud:

Make sure that your Wallarm account has the Administrator or Deploy role enabled and two-factor authentication disabled in Wallarm Console.

You can check mentioned settings by navigating to the users list in the EU Cloud or US Cloud.

Run the addnode script in a system with the installed postanalytics module packages:

EU CloudUS Cloud

sudo /usr/share/wallarm-common/addnode --no-sync

sudo /usr/share/wallarm-common/addnode -H us1.api.wallarm.com --no-sync

Input the email and password for your account in Wallarm Console.
Input the postanalytics node name or click Enter to use automatically generated name.

The specified name can be changed in Wallarm Console → Nodes later.
Open the Wallarm Console → Nodes section in the EU Cloud or US Cloud and ensure a new node is added to the list.

4. Update postanalytics module configuration¶

The configuration files of the postanalytics module are located in the paths:

/etc/default/wallarm-tarantool for Debian and Ubuntu operating systems
/etc/sysconfig/wallarm-tarantool for CentOS and Amazon Linux 2.0.2021x and lower operating systems

To open the file in the editing mode, please use the command:

DebianUbuntuCentOS or Amazon Linux 2.0.2021x and lowerAlmaLinux, Rocky Linux or Oracle Linux 8.x

sudo vim /etc/default/wallarm-tarantool

sudo vim /etc/default/wallarm-tarantool

sudo vim /etc/sysconfig/wallarm-tarantool

sudo vim /etc/sysconfig/wallarm-tarantool

Memory¶

The postanalytics module uses the in-memory storage Tarantool. For production environments, it is recommended to have larger amount of memory. If testing the Wallarm node or having a small server size, the lower amount can be enough.

The allocated memory size is set in GB via the SLAB_ALLOC_ARENA directive in the /etc/default/wallarm-tarantool or /etc/sysconfig/wallarm-tarantool configuration file. The value can be an integer or a float (a dot . is a decimal separator).

Detailed recommendations about allocating memory for Tarantool are described in these instructions.

Address of the separate postanalytics server¶

To set the address of the separate postanalytics server:

Open the Tarantool file in the editing mode:

DebianUbuntuCentOS or Amazon Linux 2.0.2021x and lowerAlmaLinux, Rocky Linux or Oracle Linux 8.x

sudo vim /etc/default/wallarm-tarantool

sudo vim /etc/default/wallarm-tarantool

sudo vim /etc/sysconfig/wallarm-tarantool

sudo vim /etc/sysconfig/wallarm-tarantool

Uncomment the HOST and PORT variables and set them the following values:
```
# address and port for bind
HOST='0.0.0.0'
PORT=3313
```

If the configuration file of Tarantool is set up to accept connections on the IP addresses different from 0.0.0.0 or 127.0.0.1, then please provide the addresses in /etc/wallarm/node.yaml:

hostname: <name of postanalytics node>
uuid: <UUID of postanalytics node>
secret: <secret key of postanalytics node>
tarantool:
    host: '<IP address of Tarantool>'
    port: 3313

Add the address of the postanalytics module server to the configuration files on the server with the NGINX‑Wallarm package as described in the instructions for proper installation forms:

5. Restart Wallarm services¶

To apply the settings to the postanalytics and the NGINX‑Wallarm modules:

Restart the wallarm-tarantool service on the server with separate postanalytics module:
DebianUbuntuCentOS or Amazon Linux 2.0.2021x and lowerAlmaLinux, Rocky Linux or Oracle Linux 8.x
sudo systemctl restart wallarm-tarantool
sudo systemctl restart wallarm-tarantool
sudo systemctl restart wallarm-tarantool
sudo systemctl restart wallarm-tarantool
Restart the NGINX service on the server with the NGINX‑Wallarm module:
DebianUbuntuCentOS or Amazon Linux 2.0.2021x and lowerAlmaLinux, Rocky Linux or Oracle Linux 8.x
sudo systemctl restart nginx
sudo service nginx restart
sudo systemctl restart nginx
sudo systemctl restart nginx

6. Check the NGINX‑Wallarm and separate postanalytics modules interaction¶

To check the NGINX‑Wallarm and separate postanalytics modules interaction, you can send the request with test attack to the address of the protected application:

curl http://localhost/?id='or+1=1--a-<script>prompt(1)</script>'

If the NGINX‑Wallarm and separate postanalytics modules are configured properly, the attack will be uploaded to the Wallarm Cloud and displayed in the Events section of Wallarm Console:

If the attack was not uploaded to the Cloud, please check that there are no errors in the services operation:

Make sure that the postanalytics service wallarm-tarantool is in the status active
```
sudo systemctl status wallarm-tarantool
```
Analyze the postanalytics module logs
```
sudo cat /var/log/wallarm/tarantool.log
```
If there is the record like SystemError binary: failed to bind: Cannot assign requested address, make sure that the server accepts connection on specified address and port.
On the server with the NGINX‑Wallarm module, analyze the NGINX logs:
```
sudo cat /var/log/nginx/error.log
```
If there is the record like [error] wallarm: <address> connect() failed, make sure that the address of separate postanalytics module is specified correctly in the NGINX‑Wallarm module configuration files and separate postanalytics server accepts connection on specified address and port.
On the server with the NGINX‑Wallarm module, get the statistics on processed requests using the command below and make sure that the value of tnt_errors is 0
```
curl http://127.0.0.8/wallarm-status
```
Description of all parameters returned by the statistics service →

Postanalytics module protection¶

Protect installed postanalytics module

We highly recommend to protect a newly installed Wallarm postanalytics module with a firewall. Otherwise, there is a risk of getting unauthorized access to the service that may result in:

Disclosure of information about processed requests
Possibility of executing arbitrary Lua code and operating system commands

Please note that no such risk exists if you are deploying the postanalytics module alongside with the NGINX-Wallarm module on the same server. This holds true because the postanalytics module will listen to the port 3313.

Here are the firewall settings that should be applied to the separately installed postanalytics module:

Allow the HTTPS traffic to and from the Wallarm API servers, so the postanalytics module can interact with these servers:
- api.wallarm.com:444 is the API server in the EU Wallarm Cloud
- us1.api.wallarm.com:444 is the API server in the US Wallarm Cloud
Restrict the access to the 3313 Tarantool port via TCP and UDP protocols by allowing connections only from the IP addresses of the Wallarm filtering nodes.

Tarantool troubleshooting¶

Tarantool troubleshooting