Website Behind the WAF

by Vince
in Blog

You have a website, you want to protect it from attacks, and you hide it behind a web application firewall (WAF).  If your site was already public before you moved it behind a WAF, bad actors can still find the server it actually runs on.  Depending upon which WAF you're using, your site's actual location could also be discovered regardless of whether it was previously public on another server.  And if you're not locking down access to the site exclusively to the WAF, bad actors can attack your site directly, without the protection of the WAF.

There are "services" that can be used to locate the actual server, so you want to restrict access to your site.  If your site is hosted on Linux, you can restrict access using iptables.  I won't go into too much detail, because if this is completely foreign to you, you should play around with it a bit before you do something to your site that causes you more harm than good.  But if you're familiar with iptables, you can view the existing rules with:

sudo iptables -S

In its default state, you should see:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Configuring our server:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -s 192.168.77.0/24 -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -s 192.168.77.0/24 -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -j DROP
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload

The first line keeps existing connections alive.

The next two lines are for the loopback interface.

Assuming you have SSH open, we're allowing that traffic, but you should restrict it to your IP address.  For the sake of not locking you out, I'm setting this to full access.

The next two lines restrict HTTP and HTTPS to my imaginary WAF subnet.  Restrict these to your WAF's IP address, block, or blocks.  You can add multiple subnets or IPs on the same line.  For example:

sudo iptables -A INPUT -s 192.168.77.0/24,192.168.78.0/24,10.10.5.5/32 -p tcp --dport 80 -j ACCEPT

Prior to issuing the line with the DROP statement, you can recheck your rules to be certain you have what you want.  Once you issue the DROP statement you have your rules, but they won't survive a reboot.  Installing iptables-persistent with apt-get allows you to retain your rules after a reboot.  The next two lines save and reload your rules if you're using Ubuntu 16.  If you're using an earlier version:

sudo /etc/init.d/iptables-persistent save
sudo /etc/init.d/iptables-persistent reload

If possible, reboot your server and run:

sudo iptables -S

Again, we want to check that our rules are as we want them to be.
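To make that check repeatable, here is an added example (my own script, not part of the original post) that audits the output of iptables -S for the two properties the rules above are meant to give you: every ACCEPT for tcp/80 or tcp/443 carries a -s restriction to a WAF network you expect, and the INPUT chain ends in an unconditional DROP.  The sample rule listing and the 192.168.77.0/24 WAF subnet are constructed to match this post.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for the WAF-only policy described above.
# Not the post's own script; the sample listing below is constructed.

# Constructed sample in the shape of `sudo iptables -S` after the post's commands.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT'

# audit_rules RULES_TEXT ALLOWED_CIDRS
#   ALLOWED_CIDRS is a space-separated list of the WAF networks you expect.
#   Prints one finding per line and returns 1 on any finding; prints nothing
#   and returns 0 when the policy holds.
audit_rules() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^-A INPUT / {
            last = $0
            # Only web-port ACCEPT rules are checked for a source restriction.
            if ($0 ~ /--dport (80|443) / && $0 ~ /-j ACCEPT$/) {
                src = ""
                for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
                if (src == "")         { print "web port open to any source: " $0; bad = 1 }
                else if (!(src in ok)) { print "unexpected source " src ": " $0; bad = 1 }
            }
        }
        END {
            # The last INPUT rule must be the catch-all DROP from the post.
            if (last !~ /^-A INPUT -j DROP$/) { print "INPUT chain does not end in DROP"; bad = 1 }
            exit bad
        }'
}

# On the live host: audit_rules "$(sudo iptables -S)" "192.168.77.0/24"
audit_rules "$SAMPLE_RULES" "192.168.77.0/24" && echo "policy OK"
```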

You can check the ports on the server's actual IP address; if they are not open, you can then load your site in a browser, which should render it through the WAF.  I can't speak for all WAFs, but I think most use some sort of caching, so you'll want to clear the cache before testing your site.