Updating Linux WAF packages¶

These instructions describe the steps to update Linux WAF packages installed according to the instructions below to the version 2.14.

• NGINX stable module

• Module for NGINX from CentOS/Debian repositories

• NGINX Plus module

• Kong module

Update procedure¶

• If WAF node and postanalytics modules are installed on the same server, follow the instrutions below to update all packages.

• If WAF node and postanalytics modules are installed on different servers, first update the postanalytics module following these instructions and perform the steps below for WAF node modules.

Step 1: Add new Wallarm WAF repositories¶

1. Open the file with the Wallarm WAF repository address in the installed text editor. In this instruction, vim is used.

   Debian

   sudo vim /etc/apt/sources.list.d/wallarm.list
   

   Ubuntu

   sudo vim /etc/apt/sources.list.d/wallarm.list
   

   CentOS или Amazon Linux 2

   sudo vim /etc/yum.repos.d/wallarm-node.repo
   

2. Comment out the previous repository address and add an address for Wallarm WAF 2.14:

   Debian 8.x (jessie-backports)

   # deb http://repo.wallarm.com/debian/wallarm-node jessie/
   # deb http://repo.wallarm.com/debian/wallarm-node jessie-backports/
   deb http://repo.wallarm.com/debian/wallarm-node jessie/2.14/
   deb http://repo.wallarm.com/debian/wallarm-node jessie-backports/2.14/
   

   Debian 9.x (stretch)

   # deb http://repo.wallarm.com/debian/wallarm-node stretch/
   deb http://repo.wallarm.com/debian/wallarm-node stretch/2.14/
   

   Debian 9.x (stretch-backports)

   # deb http://repo.wallarm.com/debian/wallarm-node stretch/
   # deb http://repo.wallarm.com/debian/wallarm-node stretch-backports/
   deb http://repo.wallarm.com/debian/wallarm-node stretch/2.14/
   deb http://repo.wallarm.com/debian/wallarm-node stretch-backports/2.14/
   

   Ubuntu 16.04 LTS (xenial)

   # deb http://repo.wallarm.com/ubuntu/wallarm-node xenial/
   deb http://repo.wallarm.com/ubuntu/wallarm-node xenial/2.14/
   

   Ubuntu 18.04 LTS (bionic)

   # deb http://repo.wallarm.com/ubuntu/wallarm-node bionic/
   deb http://repo.wallarm.com/ubuntu/wallarm-node bionic/2.14/
   

   CentOS 6.x

   [wallarm-node]
   # baseurl=http://repo.wallarm.com/centos/wallarm-node/6/$basearch
   baseurl=http://repo.wallarm.com/centos/wallarm-node/6/2.14/$basearch
   

   CentOS 7.x

   [wallarm-node]
   # baseurl=http://repo.wallarm.com/centos/wallarm-node/7/$basearch
   baseurl=http://repo.wallarm.com/centos/wallarm-node/7/2.14/$basearch
   

3. Upload files from the newly added repository:

   Debian

   sudo apt update
   

   Ubuntu

   sudo apt update
   

   CentOS или Amazon Linux 2

   sudo yum update
   

Step 2: Update Wallarm WAF packages¶

WAF node and postanalytics on the same server¶

sudo apt install wallarm-node --no-install-recommends

sudo apt install wallarm-node --no-install-recommends

sudo yum update wallarm-node

WAF node and postanalytics on different servers¶

1. Update postanalytics packages following these instructions.

2. Update WAF node packages:

   Debian

   sudo apt install wallarm-node-nginx --no-install-recommends
   

   Ubuntu

   sudo apt install wallarm-node-nginx --no-install-recommends
   

   CentOS или Amazon Linux 2

   sudo yum update wallarm-node-nginx
   

Step 3: Restart NGINX¶

sudo systemctl restart nginx

sudo service nginx restart

sudo service nginx restart

sudo systemctl restart nginx

Step 4: Test Wallarm WAF operation¶

1. Get the WAF node statistics:

   curl http://127.0.0.8/wallarm-status
   

   The request will return statistics about analyzed requests. Response format is provided below, more detailed description of parameters is available by the link.
   

   { "requests":0,"attacks":0,"blocked":0,"abnormal":0,"tnt_errors":0,"api_errors":0,
   "requests_lost":0,"segfaults":0,"memfaults":0,"softmemfaults":0,"time_detect":0,"db_id":46,
   "lom_id":16767,"proton_instances": { "total":1,"success":1,"fallback":0,"failed":0 },
   "stalled_workers_count":0,"stalled_workers":[] }
   

2. Send the request with test SQLI and XSS attacks to the application address:

   curl http://localhost/?id='or+1=1--a-<script>prompt(1)</script>'
   

   WAF node will block the request and the code 403 Forbidden will be returned in the response to the request.

3. Send the request to wallarm-status and ensure the values of parameters requests and attacks increased:

   curl http://127.0.0.8/wallarm-status
   

4. Open Wallarm Console → Events section in the EU Cloud or US Cloud and ensure attacks are displayed in the list.
   

   

Settings customization¶

Wallarm WAF modules are updated to version 2.14. Previous WAF node settings will be automatically applied to the new version. To make additional settings, use the available directives.

Common customization options:

• Configuration of the filtering mode

• Logging WAF node variables

• Using the balancer of the proxy server behind the WAF node

• Adding Wallarm Scanner addresses to the whitelist in the block filtering mode

• Limiting the single request processing time in the directive wallarm_process_time_limit

• Limiting the server reply waiting time in the NGINX directive proxy_read_timeout

• Limiting the maximum request size in the NGINX directive client_max_body_size