WAF
Powerful but painful Web Application Firewalls
WAF
Extending the ModSecurity WAF, with Denial Of Service protection — using HAProxy
Our long time partner Metaswitch, desperately needed to stop brute force login attacks on the enterprise phone system that they supply to large telecom companies...
How-tos
A comprehensive guide to log monitoring with ModSecurity and HAProxy
With numerous options available, choosing and configuring the right tool can be daunting...
Security
Cybersecurity series: Five security attacks WAFs can help you with...
There seems to be a lot of confusion about the role of a Web Application Firewall (WAF) in application security, and what types of threat a WAF can help mitigate in your deployment...
WAF
A beginner's guide to WAF: When and how should you use a Web Application Firewall?
Some network engineers think that Web Application Firewalls (WAFs) are so complicated, they've been known to run away and hide for days when they've encountered one...
WAF
Why you shouldn't lose sleep over the commercial end-of-life of ModSecurity
The ModSecurity web application firewall (WAF) engine is set to go end-of-life (EOL) on 1 July 2024...
Security
Should an load balancer be your first line of defense against Denial of Service (DoS) attacks?
There are two schools of thought on this: ‘yes, it should’ and ‘no, it shouldn't’. Let's look at the arguments both for and against...
Security
OWASP doesn't want you to have crAPI security
Here's what we learned from crAPI about API security, and how a Web Application Firewall (WAF) can help you take things one step further...
WAF
Report back from the OWASP Core Rule Set Community Summit and OWASP Global AppSec 2023: The WAF conundrum
I had the privilege of speaking in Dublin at this year's OWASP Core Rule Set Community Summit before then attending OWASP Global AppSec immediately afterwards...
WAF
Handling large requests with a Web Application Firewall (WAF) while avoiding Denial of Service (DoS) attacks
Sometimes, we need to pass unusually large HTTP requests through our WAF stack...
HAProxy
How to rate limit with HAProxy Stick Tables and the WAF
A while ago I was asked if it would be possible to apply some general rate limiting in HAProxy and the WAF, in order to help prevent DOS-style attacks on a customer's servers...
Open source
ModSecurity DoS vulnerability (CVE-2021-42717)
All WAF vendors and services using ModSecurity are affected by this vulnerability (unless they have the vulnerable piece of code disabled, by chance)...
How-tos
Simplifying web application security with the Core Rule Set v3
A WAF isn't a magic bullet, but, as part of a defense in depth strategy, a properly configured WAF should catch and stop common, everyday attacks...
WAF
Extending ModSecurity: How to add completely custom WAF functionality
In this example, I’m going to add a new transformation function to ModSecurity to calculate the Scrabble score of a variable. This will allow us to block HTTP requests containing query string parameters with a Scrabble score above a chosen threshold...
Open source
ModSecurity and the Case of the Never Decreasing Variables
In the world of web application security, it can be invaluable to consider a user's behaviour across the entire duration of their web app session...
WAF
How to train your Web Application Firewall (WAF)
Let's look at the best way to use the WAF with as little pain as possible!..
WAF
Secure connections: encrypt, inspect and decrypt traffic when using a WAF
We’re often asked how to configure our load balancer to protect both web servers and users...
How-tos
Security through Geography: blocking traffic by country, continent, or IP address using ModSecurity
Imagine you’re running a business and you often see malicious-looking web traffic from the other side of the globe hitting your website...
WAF
Why use a WAF? Because what doesn't kill you makes you stronger
Our helpdesk often encounters confusion about Web Application Firewalls, or WAFs - what they are, how to use them, and what issues they can potentially cause...
WAF
Brute force login: Simple protection techniques with the ModSecurity WAF
The web-based login to your application is a juicy target for hackers. And once they get past the login, they can cause you some serious pain...
WAF
Darktrace: When looks aren't everything
An engineer at a business using Darktrace, confessed that many IT staff ignored the pricey security software because it sent so many false alerts...
Application Management
Load Balancing Web Servers with OWASP Top 10 WAF in Azure
In the Azure Management Portal, select the Virtual Machines option, click on the newly deployed Load Balancer VM, click on Network interfaces and then select the network interface attached to the load balancer, then click IP configurations and ensure that IP forwarding is Enabled...
Security
Load Balancing Apache Web Servers with OWASP Top 10 WAF in Azure
The WAF addresses the OWASP Top 10 vulnerabilities and is very quick and simple to deploy...
Security
Security through obscurity - double login protection made easy...
Security through obscurity is not a great idea when it is your ONLY protection technique. For example moving your SSH port from 22 -> 23 won't fool any hackers for long! However, I've always liked putting a 'double login' in front of important web sites to frustrate simple automated hacking tools...
WAF
Load Balancing Nginx Web Servers with OWASP Top 10 WAF in Azure
SSL offload is handled by STunnel, while HAProxy handles back-end server re-encryption...