IDS/IPS vs WAP.

n00b_noob · 02-23-2021, 06:45 AM

Hello,
An IDS/IPS like Suricata-IDS can't protect a web server like Apache?

Click image for larger version

Name: WAF.jpg
Views: 30
Size: 173.4 KB
ID: 35696

Is a WAF mandatory to protect a website?

Thank you.

uteck · 02-23-2021, 09:03 AM

Is your website running webapps that can be run in users browsers? Then a WAF can help protect it.
Most websites will not get a lot of benefit from a WAF since they are only doing basic things, like let letting people login and post questions/answers.
If the website is used like a portal to access other servers, then a WAF between the web server and the others will help protect them.

n00b_noob · 02-23-2021, 11:24 AM

Quote:

Originally Posted by uteck

Is your website running webapps that can be run in users browsers? Then a WAF can help protect it.
Most websites will not get a lot of benefit from a WAF since they are only doing basic things, like let letting people login and post questions/answers.
If the website is used like a portal to access other servers, then a WAF between the web server and the others will help protect them.

Yes, it is a WordPress website. When people can login and post, then some attacks like XSS and SQL Injection happen!

uteck · 02-23-2021, 12:26 PM

A WAF sits between the webserver and other application servers or databases, so will not help you much in this case since things are all on the same server. Odds are the attacks are coming from security holes in a plugin you installed.

You need some sort of intrusion detection system. If your server has SELinux, you could try setting it to enforcing mode which may prevent exploitation from the plugin exploits. Or better yet, remove the plugin that is causing the breach.

n00b_noob · 02-23-2021, 01:44 PM

Quote:

A WAF sits between the webserver and other application servers or databases...

Can you show me an example of the application servers?
About SELinux:

Code:

$ ls -Z /var/www/
    system_u:object_r:httpd_sys_content_t:s0 apache_pb.svg.bak
system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
    system_u:object_r:httpd_sys_content_t:s0 html
 system_u:object_r:httpd_sys_rw_content_t:s0 wp
$ ls -Z /var/www/wp/
    system_u:object_r:httpd_sys_rw_content_t:s0 cgi-bin
    system_u:object_r:httpd_sys_rw_content_t:s0 error_log
    system_u:object_r:httpd_sys_rw_content_t:s0 googlee4e6cdb3b56c49dd.html
   system_u:object_r:httpd_sys_script_exec_t:s0 index.php
unconfined_u:object_r:httpd_sys_rw_content_t:s0 license.txt
    system_u:object_r:httpd_sys_rw_content_t:s0 readme.html
    system_u:object_r:httpd_sys_rw_content_t:s0 ssl
   system_u:object_r:httpd_sys_script_exec_t:s0 wordfence-waf.php
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-activate.php
    system_u:object_r:httpd_sys_rw_content_t:s0 wp-admin
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-blog-header.php
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-comments-post.php
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-config.php
unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-config-sample.php
    system_u:object_r:httpd_sys_rw_content_t:s0 wp-content
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-cron.php
    system_u:object_r:httpd_sys_rw_content_t:s0 wp-includes
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-links-opml.php
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-load.php
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-login.php
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-mail.php
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-settings.php
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-signup.php
    system_u:object_r:httpd_sys_rw_content_t:s0 wp-statistics.log
   system_u:object_r:httpd_sys_script_exec_t:s0 wp-trackback.php
   system_u:object_r:httpd_sys_script_exec_t:s0 xmlrpc.php
    system_u:object_r:httpd_sys_rw_content_t:s0 zhupclient_key.1567309333.html
    system_u:object_r:httpd_sys_rw_content_t:s0 zhupclient_key.1567317901.html

Is it OK?

computersavvy · 03-01-2021, 12:26 PM

Hard to answer without knowing what those php scripts do and how selinux attributes are configured on the rest of the system. Also ownership has an affect, which could have been shown by "ls -lZ ..."

The fact that they appear to be executable scripts automatically makes them suspect, but as long as they are restricted to functioning within the bounds of the web server and its user space that should be fine.

n00b_noob · 03-02-2021, 12:42 PM

Quote:

Originally Posted by computersavvy

Hard to answer without knowing what those php scripts do and how selinux attributes are configured on the rest of the system. Also ownership has an affect, which could have been shown by "ls -lZ ..."

The fact that they appear to be executable scripts automatically makes them suspect, but as long as they are restricted to functioning within the bounds of the web server and its user space that should be fine.

Thank you.
The owner of the files and directories is "apache" user.