DEV Community

Lulu
Lulu

Posted on

ModSecurity + SafeLine WAF for Multi-layer Defense (2)

The article is a bit long, so I've posted it in two parts, the other half is here:ModSecurity + SafeLine WAF for Multi-layer Defense (1)

Part 4: System Hardening

1.Allow Ports in iptables

I used iptables as my firewall and needed to allow ports 8080 and 9443. Here are the steps:

  • Check iptables status: iptables -L -n
  • Add a rule to open a port (e.g., for port 80): iptables -I INPUT -p tcp --dport 80 -j ACCEPT
  • Save the configuration: service iptables save or iptables-save > /etc/iptables.rules
  • Restart iptables: service iptables restart
  • Verify the status: service iptables status

2.Block IPs with iptables
To block specific IPs, use the following commands:

iptables -A INPUT -s IP_address -j DROP
service iptables save
systemctl restart iptables
iptables -nvxL --line
Enter fullscreen mode Exit fullscreen mode

Image description

For example, after applying these rules, traffic from IP 45.148.10.174 is blocked.


Part 5: Implementing Defense in Depth

Here, I combine ModSecurity with SafeLine WAF and use iptables to control external port access, achieving stronger security. I use dual WAFs because SafeLine’s detection rates from the automated WAF testing tool show ModSecurity has a high detection rate but too many false positives. ModSecurity lacks a graphical interface, making it challenging for maintenance and traffic auditing. SafeLine, with its low false-positive rate and GUI, provides easier visibility into the attacks.

1.Configure SafeLine Upstream Server Address

Image description

Set the upstream server to 127.0.0.1 (localhost), and block all traffic except from 127.0.0.1.

2.Set Cloud Security Group Rules

Image description

Configure the cloud firewall to allow only traffic from 127.0.0.1 on port 8080.

3.Apply iptables Rules

Image description

As I had previously opened port 8080 to all IPs, I applied the following rules to limit access:

iptables -A INPUT -i lo -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 8080 -j DROP
iptables -D INPUT 2
Enter fullscreen mode Exit fullscreen mode

Explanation of the commands:

  • -A INPUT: Adds a rule to the INPUT chain (for inbound traffic).
  • -i lo: Matches the local loopback interface (lo).
  • -p tcp: Specifies the protocol as TCP.
  • --dport 8080: Specifies port 8080 as the destination.
  • -s 127.0.0.1: Allows only traffic from 127.0.0.1.
  • -j ACCEPT: Accepts the connection.

The second rule drops traffic that does not match 127.0.0.1. The third command removes the previous rule for port 8080.


Part 6: Issues and Solutions

1.nginx: [alert] kill(30127, 1) failed (3: No such process)

Image description

Solution:

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
Enter fullscreen mode Exit fullscreen mode

The path /usr/local/nginx/sbin/nginx points to the Nginx executable, and -c /usr/local/nginx/conf/nginx.conf specifies the configuration file.

2.nginx: [error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)

Image description

Re-run the previous command to generate nginx.pid. If you encounter this error again when running nginx -s reload, check if the PID in the file matches the port’s process ID using:

netstat -ntlp
Enter fullscreen mode Exit fullscreen mode

Update the PID in the nginx.pid file and restart Nginx.

3.Common SafeLine Issues

Image description

You can refer to the official docs for troubleshooting, available at:FAQ

Conclusion

Summarize the benefits of using both SafeLine and ModSecurity in tandem for a robust web security setup. Mention how this dual-layer protection helps tackle complex threats, with SafeLine’s user-friendly interface complementing ModSecurity’s high detection capacity.

Top comments (0)