Deploying NGINX Proxy Manager With Appsec agent with Checkpoint signatures

Deploying NGINX Proxy Manager With Appsec agent with Checkpoint signatures

Deploy With Docker-Compose#

Prerequisites#

How to Deploy / Update the Advanced Machine Learning Model#

  1. Create a folder for your new open-appsec deployment and switch to that folder, e.g.
Terminal window
mkdir open-appsec-deployment
cd ./open-appsec-deployment

An Advanced Model can be downloaded from open-appsec portal. This is more accurate and recommended for Production use.

Download the advanced machine learning model by going to: User Menu -> Download Advanced ML Model.

  1. Copy the tgz file into the folder.
  2. Map this .tgz file into the appsec container to “/advanced-model/open-appsec-advanced-model.tgz” file inside the container.
Terminal window
version: '3.3'
# docker compose for npm open-appsec integration
services:
appsec-npm:
container_name: npm-attachment
image: 'ghcr.io/openappsec/nginx-proxy-manager-attachment:latest'
ipc: host
restart: unless-stopped
ports:
- '80:80' # Public HTTP Port
- '443:443' # Public HTTPS Port
- '81:81' # Admin Web Port
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
- ./appsec-logs:/ext/appsec-logs
- ./appsec-localconfig:/ext/appsec
appsec-agent:
container_name: appsec-agent
image: 'ghcr.io/openappsec/agent:latest'
network_mode: service:appsec-npm
ipc: host
restart: unless-stopped
environment:
# adjust with your own email below
- user_email=user@email.com
- nginxproxymanager=true
- autoPolicyLoad=true
volumes:
- ./appsec-config:/etc/cp/conf
- ./appsec-data:/etc/cp/data
- ./appsec-logs:/var/log/nano_agent
- ./appsec-localconfig:/ext/appsec
- ./open-appsec-advanced-model/open-appsec-advanced-model.tgz:/advanced-model/open-appsec-advanced-model.tgz:rw
command: /cp-nano-agent --standalone
  1. Validate the use of the Advanced Model
Terminal window
open-appsec-ctl --status
Alternative text description

The model being used by each agent can also be validated using the Agents tab in the web UI:

Alternative text description

Web Application Protection Advanced Settings#

Web Attacks Settings#

Browse to Assets, edit the web application asset object you have created and click on the “Web Attacks” Tab and look at the “Web Attacks” sub-practice configuration

Alternative text description

Configuration Options#

Setting the Mode to As Top Level means inheriting the primary mode of the practice. Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.

  1. Confidence-dependent Prevent Mode

The option Activate when confidence is becomes available if practice or sub-practice are set to Prevent. The value determines the threshold in which open-appsec will block attacks and prevent them, rather than just send a log according to Log Trigger configuration.

Alternative text description
  1. Advanced settings window

When clicking on Advanced additional advanced settings appear:

Alternative text description

For all Size Limits - open-appsec Web Attacks engine will accept traffic that exceeds the limits if set to Detect/Learn mode (and that traffic will bypass inspection), or block traffic that exceeds the limits if set to Prevent mode.

Advanced SettingMeaning
URL Size (Bytes)Determines the URL size limit for inspection
Max Object DepthDetermines the depth limit of a JSON/XML object inspected in the HTTP request. This includes embedded XML in JSON and the opposite.
Body Size (Kilobytes)Determines the HTTP body size limit for inspection
Header Size (Bytes)Determines the HTTP header size limit for inspection
CSRF ProtectionDetermines the mode for the advanced CSRF protection, which blocks CSRF attacks. Important: This protection has a performance impact.
Error DisclosureDetermines the mode for the advanced Error Disclosure protection, which replaces internal error codes in the response and injects a different response instead. Important: This protection has a performance impact.
Open RedirectDetermines the mode for the advanced Open Redirect protection, which prevents client side redirection to other domains (e.g. as used by Phishing attacks). Important: This protection has a performance impact.
Non-Valid HTTP methodsWhen set to No and practice is set to Prevent, non-valid HTTP methods are blocked.

Valid HTTP methods are:
GET, POST, DELETE, PATCH, PUT, CONNECT, OPTIONS, HEAD, TRACE, MKCOL, COPY, MOVE, PROPFIND, PROPPATCH, LOCK, UNLOCK, VERSION-CONTROL, REPORT, INDEX, CHECKOUT, CHECKIN, UNCHECK, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, MKREDIRECTREF, BIND, UNBIND
  1. Intrusion Prevention System (IPS)

In addition to the Contextual Machine-Learning based engine, open-appsec provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures). One specific benefit of these signatures is the ability to see logs that indicate a specific CVE number.

Once the asset edit window opens, select the Web Attacks tab and scroll to the Intrusion Prevention sub-practice.

Alternative text description

Edit the settings of the Intrusion Prevention sub-practice

The settings allow:

When making the first change to the default Web Application/API Best Practice’s configuration such as making changes to the default configuration of the IPS engine settings, you will be prompted to change the name of the Practice to your own custom practice name

Alternative text description

Make sure the Mode of the Intrusion Prevention sub-practice is as desired

Setting the Mode to As Top Level means inheriting the primary mode of the practice.

Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.

You can also set up a specific action per confidence level of the the protection that caught the attack. According to Practice mode means the sub-practice’s mode determines the action. But you can set up Detect/Prevent/Disable specifically for that group of protections per confidence level. For example - the default configuration of the IPS sub-practice configures that Low confidence protections will be set to “Detect” mode, unrelated to the general IPS mode.

License

CC BY-NC-SA 4.0 This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Related Posts