diff --git a/content/includes/nap-waf/config/v5/build-nginx-image-oss/build-alpine.md b/content/includes/nap-waf/config/v5/build-nginx-image-oss/build-alpine.md index 9d857ac9e..a00a92d5c 100644 --- a/content/includes/nap-waf/config/v5/build-nginx-image-oss/build-alpine.md +++ b/content/includes/nap-waf/config/v5/build-nginx-image-oss/build-alpine.md @@ -1,7 +1,7 @@ ```dockerfile # syntax=docker/dockerfile:1 -# Supported OS_VER's are 3.16/3.19 +# Supported OS_VER's are 3.16/3.17/3.19 ARG OS_VER="3.19" # Base image diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md index 393a2275f..904f83400 100644 --- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -20,7 +20,6 @@ When configuring NGINX App Protect WAF, `app_protect_enable` should always be en ## Supported Security Policy Features -{{}} |Protection Mechanism | Description | | ---| --- | |[Attack Signatures](#attack-signatures-overview) | Default policy covers all the OWASP top 10 attack patterns enabling signature sets detailed in a section below. The user can disable any of them or add other sets. | 
@@ -39,8 +38,7 @@ When configuring NGINX App Protect WAF, `app_protect_enable` should always be en |[Deny and Allow IP lists](#deny-and-allow-ip-lists) | Manually define denied & allowed IP addresses as well as IP addresses to never log. | |[XFF headers & trust](#xff-headers-and-trust) | Disabled by default. User can enable it and optionally add a list of custom XFF headers. | |[gRPC Protection](#grpc-protection-for-unary-traffic) | gRPC content profile detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection can be on [unary](#grpc-protection-for-unary-traffic) or [bidirectional](#grpc-protection-for-bidirectional-streaming) traffic.| -{{}} - +|[Brute Force Attack Preventions](#brute-force-attack-preventions) | Configure brute-force-attack-preventions parameters to secured areas of a web application from brute force attacks.|} ### Disallowed File Types {{< include "nap-waf/config/common/disallowed-file-types.md" >}} 
@@ -653,6 +651,116 @@ claims['address'] = "{ \"address\": { .... } }" # JSON structs can be accessed u ### Other References {{< include "nap-waf/config/common/json-web-tokens-other-references.md" >}} +## Brute Force Attack Preventions + +### Overview + +Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, +systematic, username/password combinations to discover legitimate authentication credentials. +To prevent brute force attacks, WAF tracks the number of failed attempts to reach login pages +with enforced brute force protection. When brute force patterns are detected, +the WAF policy considers it to be an attack if the failed logon rate increased significantly or +if failed logins reached a maximum threshold. + +### Brute force policy example + +```json +{ + "policy": { + "name": "BruteForcePolicy", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "brute-force-attack-preventions" : [ + { + "bruteForceProtectionForAllLoginPages" : true, + "detectionCriteria" : { + "action" : "alarm", + "detectDistributedBruteForceAttack" : true, + "failedLoginAttemptsRateReached" : 100 + }, + "loginAttemptsFromTheSameIp" : { + "action" : "alarm", + "enabled" : true, + "threshold" : 20 + }, + "loginAttemptsFromTheSameUser" : { + "action" : "alarm", + "enabled" : true, + "threshold" : 3 + }, + "measurementPeriod" : 900, + "preventionDuration" : "3600", + "reEnableLoginAfter" : 3600, + "sourceBasedProtectionDetectionPeriod" : 3600 + } + ] + } +} + +``` +### brute-force-attack-preventions fields description + + bruteForceProtectionForAllLoginPages: + When enabled, enables Brute Force Protection for all configured login URLs. + When disabled, only brute force configurations for specific login pages are applied in case they exist. + + detectionCriteria: + Specifies configuration for detecting distributed brute force attacks. 
+ action: + Specifies action that is applied when the defined thresholds ( failedLoginAttemptsRateReached) is reached. + - **alarm**: The system will log the login attempt. + + detectDistributedBruteForceAttack: + When enabled, the system detects distributed brute force attacks. + + failedLoginAttemptsRateReached: + After configured threshold (number of failed login attempts within measurementPeriod) defined action will be applied for the next login attempt. + + loginAttemptsFromTheSameIp: + Specifies configuration for detecting brute force attacks from IP Address. + + action: + Specifies action that is applied when defined threshold is reached. + - **alarm**: The system will log the login attempt. + - **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page. + - **alarm-and-drop**: The system will log the login attempt and reset the TCP connection. + + enabled: + When enabled, the system counts failed login attempts from IP Address. + + threshold: + After configured threshold (number of failed login attempts from IP Address) defined action will be applied for the next login attempt. + + loginAttemptsFromTheSameUser: + Specifies configuration for detecting brute force attacks for Username. + + action: + Specifies action that is applied when defined threshold is reached. + - **alarm**: The system will log the login attempt. + + enabled: + When enabled, the system counts failed login attempts for each Username. + + threshold: + After configured threshold (number of failed login attempts for each Username) defined action will be applied for the next login attempt. + + measurementPeriod: + Defines detection period (measured in seconds) for distributed brute force attacks. + + preventionDuration: + Defines prevention period (measured in seconds) for distributed brute force attacks. + + reEnableLoginAfter: + Defines prevention period (measured in seconds) for source-based brute force attacks. 
+ + sourceBasedProtectionDetectionPeriod: + Defines detection period (measured in seconds) for source-based brute force attacks. + + url: + Reference to the URL used in login URL configuration (policy/login-pages). This login URL is protected by Brute Force Protection feature. ## Custom Dimensions Log Entries diff --git a/content/nap-waf/v5/admin-guide/deploy-on-docker.md b/content/nap-waf/v5/admin-guide/deploy-on-docker.md index 41010fa9f..27de0c4cc 100644 --- a/content/nap-waf/v5/admin-guide/deploy-on-docker.md +++ b/content/nap-waf/v5/admin-guide/deploy-on-docker.md @@ -208,7 +208,7 @@ In your nginx configuration: 2. Configure the Enforcer address at the `http` context: ```nginx - app_protect_enforcer_address waf-enforcer:50000; + app_protect_enforcer_address 127.0.0.1:50000; ``` 3. Enable NGINX App Protect WAF on an `http/server/location` context (make sure you only enable NGINX App Protect WAF with `proxy_pass`/`grpc_pass` locations): @@ -522,11 +522,11 @@ You are ready to [Build the image](#build-image-sub) {{< include "nap-waf/setup-docker-registry.md" >}} #### Download Waf-Enforcer and Waf-Config-mgr Images -Pull the `waf-enforcer` and `waf-config-mgr` images. Replace `5.2.0` with the actual release version you are deploying. +Pull the `waf-enforcer` and `waf-config-mgr` images. Replace `5.4.0` with the actual release version you are deploying. ```shell -docker pull private-registry.nginx.com/nap/waf-enforcer:5.2.0 -docker pull private-registry.nginx.com/nap/waf-config-mgr:5.2.0 +docker pull private-registry.nginx.com/nap/waf-enforcer:5.4.0 +docker pull private-registry.nginx.com/nap/waf-config-mgr:5.4.0 ``` #### Saving and Transferring Images 
@@ -539,13 +539,13 @@ docker pull private-registry.nginx.com/nap/waf-config-mgr:5.2.0 2. Save the `waf-enforcer` docker image: ```shell - docker save -o waf-enforcer.tar private-registry.nginx.com/nap/waf-enforcer:5.2.0 + docker save -o waf-enforcer.tar private-registry.nginx.com/nap/waf-enforcer:5.4.0 ``` 3. Save the `waf-config-mgr` docker image: ```shell - docker save -o waf-config-mgr.tar private-registry.nginx.com/nap/waf-config-mgr:5.2.0 + docker save -o waf-config-mgr.tar private-registry.nginx.com/nap/waf-config-mgr:5.4.0 ``` 4. Transfer the tar files from the online machine to the offline/air-gapped machine: @@ -601,7 +601,7 @@ In this guide, we have created the following files under `/conf/` directory on t #### Docker Compose File -Create a `docker-compose.yml` with the following configuration on the offline machine: Replace `5.2.0` with the actual release version you are deploying. +Create a `docker-compose.yml` with the following configuration on the offline machine: Replace `5.4.0` with the actual release version you are deploying. ```yaml services: @@ -621,7 +621,7 @@ services: waf-enforcer: container_name: waf-enforcer - image: "private-registry.nginx.com/nap/waf-enforcer:5.2.0" + image: "private-registry.nginx.com/nap/waf-enforcer:5.4.0" environment: - ENFORCER_PORT=50000 volumes: @@ -632,7 +632,7 @@ services: waf-config-mgr: container_name: waf-config-mgr - image: "private-registry.nginx.com/nap/waf-config-mgr:5.2.0" + image: "private-registry.nginx.com/nap/waf-config-mgr:5.4.0" volumes: - app_protect_bd_config:/opt/app_protect/bd_config - app_protect_config:/opt/app_protect/config
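Review bot: in the `@@ -20,7 +20,6 @@` hunk of configuration.md the opening `{{}}` wrapper above the Supported Security Policy Features table is removed, and its matching close is removed in the next hunk, so the pair stays balanced; please confirm the rendered page still presents `|Protection Mechanism | Description |` as a table with the intended styling once it falls back to plain markdown table rendering.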
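Review bot: the new table row added in the `@@ -39,8 +38,7 @@` hunk ends with a stray `}` after the closing pipe (`... from brute force attacks.|}`), which will render as literal text rather than being part of the table; drop it so the row ends with `|` like the rows above it. The same row should read "to secure areas of a web application from brute force attacks" rather than "to secured areas".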
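Review bot: in the `@@ -653,6 +651,116 @@` hunk the example policy sets `"preventionDuration" : "3600"` as a string while the sibling duration fields (`"measurementPeriod" : 900`, `"reEnableLoginAfter" : 3600`, `"sourceBasedProtectionDetectionPeriod" : 3600`) are integers; unless the schema really accepts both, make it `"preventionDuration" : 3600` so readers do not copy a mixed-type example. A few smaller points in the same hunk: the field descriptions are indented by four spaces, which markdown renders as a preformatted code block rather than as text, so a bullet list with the field name in bold would read better; the `url` field is documented but absent from the example, and since the example sets `bruteForceProtectionForAllLoginPages` to `true` one sentence on how `url` relates to that flag would help; the closing ``` of the JSON block needs a blank line before the `### brute-force-attack-preventions fields description` heading; and "break in to secured areas" should be "break into secured areas", while "when the defined thresholds ( failedLoginAttemptsRateReached) is reached" should be "when the defined threshold (failedLoginAttemptsRateReached) is reached".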
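Review bot: changing `app_protect_enforcer_address` from `waf-enforcer:50000` to `127.0.0.1:50000` in the `@@ -208,7 +208,7 @@` hunk of deploy-on-docker.md only works when NGINX and the enforcer share a network namespace; in the `docker-compose.yml` shown later in this same file, `waf-enforcer` is a separate service with `container_name: waf-enforcer` and `ENFORCER_PORT=50000`, which the NGINX container reaches by service name, not by loopback. Either state which layout the loopback address applies to, or keep `waf-enforcer:50000` for the compose deployment so the two parts of the guide agree.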
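Review bot: the `5.2.0` to `5.4.0` bump is repeated by hand across the pull, save and compose `image:` lines in the `@@ -522`, `@@ -539`, `@@ -601`, `@@ -621` and `@@ -632` hunks, and the old tag survives in the `@@ -539,13 +539,13 @@ docker pull private-registry.nginx.com/nap/waf-config-mgr:5.2.0` context; this is exactly how one occurrence drifts on the next release. Consider a single placeholder such as `<version>` in the commands, with the prose already present ("Replace `5.4.0` with the actual release version you are deploying") doing the explaining, so future bumps touch one line instead of seven.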