OPNSense - Web Application Firewall (WAF) configuration using NAXSI

Hey all and welcome to my channel! In this video I am going to show you how to configure your OPNSense firewall as a Web Application Firewall (WAF). We will discuss the main benefits of a WAF and how it can be used to help protect your web app from common injection-type attacks. OPNSense has many great plugins to enhance its abilities, and in this case we are going to use the NGINX plugin to benefit from the NGINX Anti XSS & SQL Injection module, also known as NAXSI.
So what are you waiting for? Jump straight into the video and in less than 20 minutes you can have a fully functional WAF using your favorite OPNSense firewall.
P.S. - Also, please don't forget to like and subscribe!
Links used in video:
www.w3schools.com/sql/sql_inj...
docs.opnsense.org/manual/how-...
github.com/digininja/DVWA
github.com/nbs-system/naxsi
owasp.org/
NOTE: I am not sponsored by or affiliated with any of the products or services mentioned in this video; all opinions are my own, based on personal experience.
DISCLAIMER: All information, techniques and tools showcased in these videos are for educational and ethical penetration testing purposes ONLY. NEVER attempt to use this information to gain unauthorized access to systems without the EXPLICIT consent of their owners. This is an offence punishable by law in most countries.
Background Music Provided by:
Is That You or Are You You by Chris Zabriskie is licensed under a Creative Commons Attribution 4.0 license. creativecommons.org/licenses/...
Source: chriszabriskie.com/reappear/
Artist: chriszabriskie.com/
CGI Snake by Chris Zabriskie is licensed under a Creative Commons Attribution 4.0 license. creativecommons.org/licenses/...
Source: chriszabriskie.com/divider/
Artist: chriszabriskie.com/
#opnsense #waf #naxsi #nginx

Comments: 30

  • @jacksoncremean1664
    @jacksoncremean1664 1 year ago

    I thought NAXSI was a whitelist based WAF, why would you need to download rules if it just blocks every request by default?

  • @ls111cyberEd

    @ls111cyberEd 1 year ago

    Hi Jackson, thanks for this good question. You are correct, NAXSI is described by its creators as a whitelist-based WAF. The core rules that are downloaded must however not be mistaken for signatures like we see in other WAF solutions that follow a blacklist approach. A signature-based WAF compares each request and response against the available signature list, and if a match is detected it blocks the connection. Pros of this approach are little-to-no false positives; cons are that these lists are large and need to be updated regularly, and if a new attack is used and it's not included in the signature list, it will bypass the WAF. NAXSI, on the other hand, was created to avoid signatures altogether. It uses a rule-based detection approach and kind of works like an inference engine seen in AI, where it uses the small set of logical core rules that we download to attempt to "intelligently" deduce if an attack pattern is present by looking for common keywords or characters used in attacks. Each one of these carries a score value which gets added to a total score, and based on the final total score, NAXSI makes its decision how to deal with the situation. Rough logic example: *IF "

  • @frescom06
    @frescom06 1 year ago

    Useful demo: will test it quite soon. Thx for sharing your knowledge ;)

  • @Felix-ve9hs
    @Felix-ve9hs 1 year ago

    Now I understand what a WAF is and how it works :)

  • @Kaltenbrunner2
    @Kaltenbrunner2 4 months ago

    Please do an update video where you also install this from scratch on a reverse proxy.

  • @JasonsLabVideos
    @JasonsLabVideos 1 year ago

    First, and watching this 100% ..

  • @uwuwaifu101
    @uwuwaifu101 1 year ago

    Thank you!

  • @gurulee73
    @gurulee73 7 months ago

    What does the NAT Port Forward rule look like? Currently my webapp requires a NAT port forward rule with redirect IP and then that auto-creates a WAN interface rule to allow ingress to internal IP of webapp server. Specifically, what would I change on my NAT Port Forward rule for the Redirect IP when incorporating the nginx WAF protections. I changed the destination to 'this firewall', but for the redirect IP I do not have a 'this firewall' value and I'd like to verify if this should be the internal IP of the webapp or the WAN int IP address for nginx to pickup?

  • @ghosthacker49
    @ghosthacker49 6 months ago

    Hello, thank you for this recording. My question is: is it possible, with the NAXSI WAF on the OPNsense web GUI, to easily configure it to analyse a web server's HTTPS/SSL/TLS traffic behind OPNsense with man in the middle?

  • @ChrisDePasqualeNJ
    @ChrisDePasqualeNJ 11 days ago

    Me again. I'm trying to re-set up Crowdsec and was referred by you, in your other video, to this video. Said I need to set up WAF. But I'm already using Zenarmor. Can I continue with your Crowdsec video even though I have Zenarmor set up? I love OPNsense and all its stuff. I run it as a VM on Proxmox. I have 3 NICs, one onboard and two USB 2.5 gig NICs. I use Cloudflare Alias and DNS to access management. The LAN is connected to my OpenWRT router configured with a BR-LAN with 3 diff SSIDs, all with different VLANs, with DHCP coming from my OPNsense. Next I would like to set up Captive Portal and maybe a good use for WireGuard. Thanks again. Sorry for rambling, but can I proceed with your video on setting up Crowdsec without messing up my OPNsense?

  • @DigiDoc101
    @DigiDoc101 1 year ago

    Very interesting. Since you're running this on 80/443 ports, how would you use this alongside internal reverse proxy to serve public domains?

  • @ls111cyberEd

    @ls111cyberEd 1 year ago

    Hi, thanks for watching! In this scenario OPNSense is fulfilling those reverse proxy responsibilities by using the NGINX plugin, so you would not need anything else. To serve public domains, you will need to point your DNS records to the public IP of your OPNSense firewall and set up the rest as per the video. The only thing I did not cover in detail was the use of certificates, which you will most likely want to set up in addition to this.

  • @TwinTailTerror

    @TwinTailTerror 1 year ago

    @@ls111cyberEd This was really good, cool to see. I see a lot of firewall stuff, not much on OPNsense, and I like it better than pfSense, mostly as it's a bit more user friendly IMO. Does the same stuff however. So if I run this outside, can I also run this inside? Example: my WAF will run, but inside, in Docker, I have NGINX PROXY MANAGER, that way any traffic from any website not carrying my sec keys is just bounced off right away. But I plan to host several games (7 Days to Die, DST, Minecraft x 5, ARK if I can figure it out). I also have Plex and want to make Jellyfin open via web to family, but want to bounce the baddies off. I'm not good with certs and it's my first actual server; I could use a bit of advice / help. I tried a lot of Discords, I get nothing much in terms of actual help, just insults.

  • @primenetwork27
    @primenetwork27 6 months ago

    Hi, can you create a video for opnwaf?

  • @hna3981
    @hna3981 1 year ago

    How did you do that from the same machine? I didn't get the point. I tried this but set up OPNsense in one VM and then ran another VM as an attacker, and I'm stuck here: I opened the vulnerable web app by the first VM's IP address, which I wrote in the upstream server, I enabled the rules, but still it didn't prevent the attack like this!

  • @ls111cyberEd

    @ls111cyberEd 1 year ago

    Thanks for watching, you are correct, both OPNSense and the attacker machine should be running in their own VMs. As far as the DVWA is concerned, I ran that in a Docker container attached to the LAN interface of the OPNSense VM. Your upstream settings will need to point to the Docker container's IP address. I then used my attacker machine both to configure OPNSense, by allowing port 8443 in on the WAN interface (like I configured at 3:55 in the video), and to attack the DVWA. By default all incoming connections on the WAN will be dropped, and it's generally not advised to expose your firewall login dashboard on this interface; however, to make this video easier to record, I allowed this so I could use one machine for everything. Hopefully this makes sense now.

  • @miamarquez4074
    @miamarquez4074 9 months ago

    Hi friend, I found your channel and I am fascinated, but I have a problem. I am doing a test laboratory like yours. I downloaded the DVWA ISO from VulnDB, connected it to my VMware via DMZ, performed the same steps as you did in the video, but NAXSI does not detect attempted SQLi attacks. What could be wrong? Could you make a video explaining how to configure DVWA to integrate it with NAXSI?

  • @ls111cyberEd

    @ls111cyberEd 9 months ago

    Hi, thanks for watching! I set up DVWA in a Docker container, placed it on the LAN network behind the firewall and exposed the HTTP ports, nothing more than that. Be sure that when you perform the attack you are attacking from the outside or WAN network; if you don't, NAXSI won't intercept the connection. Hopefully this helps.

  • @primenetwork27

    @primenetwork27 6 months ago

    Hi, can you also create a video for the business edition and openwaf? @@ls111cyberEd

  • @ltonchis1245
    @ltonchis1245 5 months ago

    I wonder if this is still needed if setting up zenarmor ?

  • @Kaltenbrunner2

    @Kaltenbrunner2 4 months ago

    Wonder too.

  • @ghostedragon964
    @ghostedragon964 19 days ago

    If you have the UniFi controller in OPNsense, please do not set it to 8443 and give yourself a panic. If you already did so, just restart your OPNsense and set it to another port.

  • @enderst81
    @enderst81 7 months ago

    Works great except the server behind the waf is only logging the waf IP and not the actual IPs.

  • @ls111cyberEd

    @ls111cyberEd 7 months ago

    Thanks for watching. I think this would be expected behavior since the WAF is now acting as a proxy; you will probably need to check the WAF/NGINX logs to see the incoming IP addresses if you need that info.

  • @theressasaliba3239
    @theressasaliba3239 1 year ago

    promosm

  • @user-kh1qr3fh5u
    @user-kh1qr3fh5u 10 months ago

    I have a question.

  • @user-kh1qr3fh5u

    @user-kh1qr3fh5u 10 months ago

    I have created a VMware lab environment with individual VMs to check the WAF. Here my OPNsense WAN: 192.168.1.100, LAN: 172.16.1.100, DVWA-ubuntu (172.16.1.101). DVWA gateway is 172.16.1.100, so 192.168.1.100, 172.16.1.100 & 172.16.1.101 are all reachable from one another. Despite diligently following your instructional video, I have encountered an issue wherein the WAF does not appear to be operational. Specifically, I am able to establish a connection from the attacker machine (192.168.1.101) to the DVWA instance at 172.16.1.101. Moreover, I have observed an absence of logs within Services > Nginx > Logs / HTTP Error. This leads me to suspect that network traffic might not be traversing through the WAN as expected, resulting in an inadequacy of WAF protection for the DVWA instance. Could you kindly provide guidance on resolving this matter?

  • @ls111cyberEd

    @ls111cyberEd 10 months ago

    Thanks for watching. Based on the information provided, it looks like your network topology is correct, and if you are able to access DVWA from the outside WAN network on your attacker machine this indicates that the nginx reverse proxy is functioning. I would start troubleshooting from the point where we set up the NAXSI WAF module: make sure all core rules have been downloaded correctly, make sure that you select "enable security rules" and that the custom security policies have been applied to the HTTP location configuration seen from 8:30 onward. Make sure you save and apply all the changes once done, and try again. Hopefully this helps in some way.

  • @Aq.37
    @Aq.37 1 year ago

    How do I install DVWA on the Nginx server?

  • @ls111cyberEd

    @ls111cyberEd 11 months ago

    Thanks for watching! NGINX is what we use as the reverse proxy and WAF on OPNSense and we don't install DVWA on this server. To install DVWA I used a docker container on a different server that is behind the OPNSense firewall. There is a link in the description.