Updating Linux WAF packages
These instructions describe the steps to update Linux WAF packages to version 2.16. Linux WAF packages are packages installed in accordance with one of the following instructions:
Update procedure
- If WAF node and postanalytics modules are installed on the same server, follow the instructions below to update all packages.
- If WAF node and postanalytics modules are installed on different servers, first update the postanalytics module following these instructions, then perform the steps below for WAF node modules.
Step 1: Add new Wallarm WAF repository
Delete the previous Wallarm WAF repository address and add a repository with a new WAF node version package. Please use the commands for the appropriate platform.
CentOS and Amazon Linux 2
sudo yum remove wallarm-node-repo
sudo rpm -i https://repo.wallarm.com/centos/wallarm-node/7/2.16/x86_64/Packages/wallarm-node-repo-1-5.el7.noarch.rpm
Debian and Ubuntu
- Open the file with the Wallarm WAF repository address in the installed text editor. In these instructions, vim is used.
sudo vim /etc/apt/sources.list.d/wallarm.list
- Comment out or delete the previous repository address.
- Add a new repository address:
Debian (stretch)
deb http://repo.wallarm.com/debian/wallarm-node stretch/2.16/
Debian (stretch-backports)
deb http://repo.wallarm.com/debian/wallarm-node stretch/2.16/
deb http://repo.wallarm.com/debian/wallarm-node stretch-backports/2.16/
Debian (buster)
deb http://repo.wallarm.com/debian/wallarm-node buster/2.16/
Ubuntu (xenial)
deb http://repo.wallarm.com/ubuntu/wallarm-node xenial/2.16/
Ubuntu (bionic)
deb http://repo.wallarm.com/ubuntu/wallarm-node bionic/2.16/
Step 2: Update Wallarm WAF packages
WAF node and postanalytics on the same server
Debian and Ubuntu
sudo apt update
sudo apt dist-upgrade -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/wallarm.list -o Dir::Etc::sourceparts=""
CentOS and Amazon Linux 2
sudo yum update
WAF node and postanalytics on different servers
Sequence of steps to update the WAF node and postanalytics modules
If the WAF node and postanalytics modules are installed on different servers, then it is required to update the postanalytics packages before updating the WAF node packages.
- Update postanalytics packages following these instructions.
- Update WAF node packages:
Debian and Ubuntu
sudo apt update
sudo apt dist-upgrade -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/wallarm.list -o Dir::Etc::sourceparts=""
CentOS and Amazon Linux 2
sudo yum update
Step 3: Restart NGINX
Use the command for the appropriate platform:
sudo systemctl restart nginx
sudo service nginx restart
Step 4: Test Wallarm WAF operation
- Get the WAF node statistics:
curl http://127.0.0.8/wallarm-status
The request will return statistics about analyzed requests. The response format is provided below. A more detailed description of parameters is available by the link.
{ "requests":0,"attacks":0,"blocked":0,"abnormal":0,"tnt_errors":0,"api_errors":0, "requests_lost":0,"segfaults":0,"memfaults":0,"softmemfaults":0,"time_detect":0,"db_id":46, "lom_id":16767,"proton_instances": { "total":1,"success":1,"fallback":0,"failed":0 }, "stalled_workers_count":0,"stalled_workers":[] }
- Send the request with test SQLI and XSS attacks to the application address:
curl http://localhost/?id='or+1=1--a-<script>prompt(1)</script>'
If the WAF node mode is block, then the request will be blocked with the response 403 Forbidden returned.
- Send the request to wallarm-status and ensure the values of parameters requests and attacks increased:
curl http://127.0.0.8/wallarm-status
- Open the Wallarm Console → Events section in the EU Cloud or US Cloud and ensure attacks are displayed in the list.
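The counter check in the steps above can be scripted so that a failed update is caught immediately. This is an added example, not part of the original Wallarm instructions: the function names and the sample snapshots are assumptions constructed for illustration, while the status address and the test request are the ones given above.

```bash
#!/usr/bin/env bash
# Added example: confirm that "requests" and "attacks" grow after the test request.

# Print one top-level integer counter from a /wallarm-status JSON snapshot.
# Prints nothing when the field is absent.
status_field() {   # usage: status_field <json> <name>
  printf '%s' "$1" | tr -d ' \n' | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Return 0 if both counters increased, 1 if one did not, 2 if one is missing.
counters_increased() {   # usage: counters_increased <before_json> <after_json>
  for _f in requests attacks; do
    _b=$(status_field "$1" "$_f")
    _a=$(status_field "$2" "$_f")
    if [ -z "$_b" ] || [ -z "$_a" ]; then
      echo "missing counter: $_f" >&2; return 2
    fi
    if [ "$_a" -le "$_b" ]; then
      echo "$_f did not increase ($_b -> $_a)" >&2; return 1
    fi
    echo "$_f: $_b -> $_a"
  done
}

# Live check, to be run on the WAF node itself (not called automatically).
verify_waf() {
  _before=$(curl -s http://127.0.0.8/wallarm-status) || return 2
  # Same test request as in the step above; a 403 in block mode is expected.
  curl -s -o /dev/null 'http://localhost/?id=or+1=1--a-<script>prompt(1)</script>'
  _after=$(curl -s http://127.0.0.8/wallarm-status) || return 2
  counters_increased "$_before" "$_after"
}

# Constructed sample snapshots (not real node output) so the comparison runs offline.
SAMPLE_BEFORE='{ "requests":10,"attacks":2,"blocked":2,"requests_lost":0 }'
SAMPLE_AFTER='{ "requests":11,"attacks":3,"blocked":3,"requests_lost":0 }'
counters_increased "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

On the node, call verify_waf after the restart in Step 3; a non-zero exit status means a counter did not move or the status endpoint did not return statistics.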
Settings customization
Wallarm WAF modules are updated to version 2.16. Previous WAF node settings will be applied to the new version automatically. To make additional settings, use the available directives.
Common customization options:
- Adding Wallarm Scanner addresses to the whitelist in the block filtering mode
- Limiting the single request processing time in the directive wallarm_process_time_limit
- Limiting the server reply waiting time in the NGINX directive proxy_read_timeout
- Limiting the maximum request size in the NGINX directive client_max_body_size