
Separate Postanalytics Installation

The processing of requests in the filter node is done in two stages:

  • Processing in NGINX-Wallarm.

  • Postanalytics – statistical analysis of the processed requests.

The first stage is not memory demanding and can run on front-end servers without changing the server requirements.

Postanalytics is memory demanding, which may require changes in the server configuration or installation of postanalytics on a separate server.

Wallarm also has the option of installing postanalytics in a separate server pool.

To install postanalytics, you must:

  1. Add the Wallarm repositories, from which you will download the packages.

  2. Install the Wallarm packages.

  3. Configure postanalytics.

  4. Connect postanalytics to the Wallarm cloud.

  5. Change the Tarantool addresses for postanalytics.

Prerequisites

  • Prior to taking any steps listed below, either disable or configure SELinux if it is installed on the operating system.
  • Make sure that you execute all commands below as superuser (e.g. root).

1. Add the Wallarm Repositories

The installation and updating of the filter node is done from the Wallarm
repositories.

Depending on your operating system, run one of the following sets of commands:

Debian (jessie):

apt-get install dirmngr
apt-key adv --keyserver keys.gnupg.net --recv-keys 72B865FD
sh -c "echo 'deb http://repo.wallarm.com/debian/wallarm-node jessie/2.14/' > /etc/apt/sources.list.d/wallarm.list"
apt-get update

Debian (stretch):

apt-get install dirmngr
apt-key adv --keyserver keys.gnupg.net --recv-keys 72B865FD
sh -c "echo 'deb http://repo.wallarm.com/debian/wallarm-node stretch/2.14/' > /etc/apt/sources.list.d/wallarm.list"
apt-get update

Debian (buster):

apt-get install dirmngr
apt-key adv --keyserver keys.gnupg.net --recv-keys 72B865FD
sh -c "echo 'deb http://repo.wallarm.com/debian/wallarm-node buster/2.14/' > /etc/apt/sources.list.d/wallarm.list"
apt-get update

Ubuntu (trusty):

apt-key adv --keyserver keys.gnupg.net --recv-keys 72B865FD
sh -c "echo 'deb http://repo.wallarm.com/ubuntu/wallarm-node trusty/2.14/' > /etc/apt/sources.list.d/wallarm.list"
apt-get update

Ubuntu (xenial):

apt-key adv --keyserver keys.gnupg.net --recv-keys 72B865FD
sh -c "echo 'deb http://repo.wallarm.com/ubuntu/wallarm-node xenial/2.14/' > /etc/apt/sources.list.d/wallarm.list"
apt-get update

Ubuntu (bionic):

apt-key adv --keyserver keys.gnupg.net --recv-keys 72B865FD
sh -c "echo 'deb http://repo.wallarm.com/ubuntu/wallarm-node bionic/2.14/' > /etc/apt/sources.list.d/wallarm.list"
apt-get update

CentOS 6:

yum install --enablerepo=extras -y epel-release centos-release-SCL
rpm -i https://repo.wallarm.com/centos/wallarm-node/6/2.14/x86_64/Packages/wallarm-node-repo-1-5.el6.noarch.rpm

CentOS 7:

yum install -y epel-release
rpm -i https://repo.wallarm.com/centos/wallarm-node/7/2.14/x86_64/Packages/wallarm-node-repo-1-5.el7.noarch.rpm

Systems that use the CentOS 7 repository with EPEL installed from dl.fedoraproject.org:

yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -i https://repo.wallarm.com/centos/wallarm-node/7/2.14/x86_64/Packages/wallarm-node-repo-1-5.el7.noarch.rpm

Repository access

Your system must have access to https://repo.wallarm.com to download the packages.

Ensure the access is not blocked by a firewall.

Issue with CentOS GPG keys

If you have already added the Wallarm repository and got an error related to invalid CentOS GPG keys, follow these steps:

  1. Remove the added repository using the yum remove wallarm-node-repo command.
  2. Add the repository again using the appropriate command above.

Possible error messages:

  • http://repo.wallarm.com/centos/wallarm-node/7/2.14/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for wallarm-node_2.14
  • One of the configured repositories failed (Wallarm Node for CentOS 7 - 2.14), and yum doesn't have enough cached data to continue.

2. Install the Wallarm Packages

Update OpenSSL

Update the OpenSSL package to the latest version available from the repositories of your operating system. Make sure to do this prior to installing the Wallarm packages.

Install NGINX-Wallarm and the required scripts to interact with the
Wallarm cloud.

On Debian and Ubuntu:

apt-get install --no-install-recommends wallarm-node-tarantool

On systems that use yum:

yum install wallarm-node-tarantool

3. Configure Postanalytics

Allocate the operating memory size for Tarantool

The amount of memory determines the quality of work of the statistical algorithms.

The recommended value is 75% of the total server memory. For example, if the server has 32 GB of memory, the recommended allocation size is 24 GB.

Open the Tarantool configuration file for editing.

On Debian and Ubuntu:

vi /etc/default/wallarm-tarantool

On systems that use yum:

vi /etc/sysconfig/wallarm-tarantool

Set the allocated memory size in the configuration file of Tarantool via the
SLAB_ALLOC_ARENA directive.

For example:

SLAB_ALLOC_ARENA=24

Configure the server addresses of postanalytics

Uncomment the HOST and PORT variables and set them to the following values:

# address and port for bind
HOST='0.0.0.0'
PORT=3313

Restart Tarantool

Depending on your operating system, run one of the commands:

service wallarm-tarantool restart
systemctl restart wallarm-tarantool

Check Tarantool status

To make sure that the postanalytics module has been installed correctly and started successfully, run one of the following commands, depending on your operating system:

systemctl status wallarm-tarantool
service wallarm-tarantool status

The module status should be active.

4. Connect Postanalytics to the Wallarm Cloud

Provide access to the Wallarm cloud so that postanalytics can always update the rules and upload metrics and attack data.

Run one of the following scripts depending on the cloud in use.

EU cloud:

/usr/share/wallarm-common/addnode --no-sync

US cloud:

/usr/share/wallarm-common/addnode -H us1.api.wallarm.com --no-sync

Once started, the script will prompt for the login and password. Provide the login and password that you use to access the Wallarm portal in the EU or US cloud.

Your Wallarm account must have the Administrator role. If you have the Analyst role, the script will error out.

Accounts with 2FA enabled are not supported: the script will error out for such accounts.

API Access

The API choice for your filter node depends on the cloud you are using. Select the API accordingly:

  • If you are using the EU cloud, your node requires access to https://api.wallarm.com:444.
  • If you are using the US cloud, your node requires access to https://us1.api.wallarm.com:444.

Ensure the access is not blocked by a firewall.

5. Change the Tarantool Addresses for Postanalytics

If the Tarantool configuration file is set up to accept connections on an IP
address other than 0.0.0.0 or 127.0.0.1, then you must provide the address
in /etc/wallarm/node.yaml:

hostname: <node hostname>
uuid: <node uuid>
secret: <node secret>
tarantool:
   host: <IP address of Tarantool host>
   port: 3313

The Installation Is Complete

This completes the installation of postanalytics.

Protect Installed Postanalytics Module

We highly recommend protecting a newly installed Wallarm postanalytics module with a firewall. Otherwise, there is a risk of unauthorized access to the service, which may result in:

  • disclosure of information about processed requests, and
  • possibility of executing arbitrary Lua code and operating system commands.

Please note that no such risk exists if you deploy the postanalytics module alongside the other Wallarm module on the same server, because in that case the postanalytics module listens on 127.0.0.1:3313.

Here are the firewall settings that should be applied to the separately installed postanalytics module:

  • Allow the HTTPS traffic to and from the Wallarm API servers, so the postanalytics module can interact with these servers:
    • api.wallarm.com:444 is the API server in the EU Wallarm cloud.
    • us1.api.wallarm.com:444 is the API server in the US Wallarm cloud.
  • Restrict the access to the 3313 Tarantool port via TCP and UDP protocols by allowing connections only from the IP addresses of the Wallarm filter nodes.
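
The firewall settings above can be expressed as iptables rules; the following script is an added example, not part of the Wallarm documentation or tooling, that generates them from a list of filter node addresses and refuses to emit anything if an address is malformed. Assumptions: iptables is the firewall in use, the function names is_ipv4 and postanalytics_fw_rules are hypothetical, the loopback rule is this example's choice, and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for a separately
# installed postanalytics host. Review the output before running it as root.

TARANTOOL_PORT=3313                    # PORT from the Tarantool configuration
API_HOST=${API_HOST:-api.wallarm.com}  # us1.api.wallarm.com for the US cloud

# Succeeds only for a dotted-quad IPv4 address with octets in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints rules that let only the listed filter nodes reach Tarantool over
# TCP and UDP and drop every other source. All addresses are validated
# first, so a typo cannot produce a partially open rule set.
postanalytics_fw_rules() {
    [ "$#" -gt 0 ] || { echo "no filter node addresses given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    for proto in tcp udp; do
        # Assumption of this example: keep access for processes on this host.
        echo "iptables -A INPUT -i lo -p $proto --dport $TARANTOOL_PORT -j ACCEPT"
        for ip in "$@"; do
            echo "iptables -A INPUT -p $proto -s $ip --dport $TARANTOOL_PORT -j ACCEPT"
        done
        echo "iptables -A INPUT -p $proto --dport $TARANTOOL_PORT -j DROP"
    done
    # Only needed when the OUTPUT chain is restrictive.
    echo "iptables -A OUTPUT -p tcp -d $API_HOST --dport 444 -j ACCEPT"
}

# Constructed sample addresses standing in for the filter nodes.
postanalytics_fw_rules 192.0.2.10 192.0.2.11
```

Rule order matters: the ACCEPT rules for the filter nodes must precede the DROP rule for port 3313, which is why the script emits them in this sequence.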