Web Application Firewall Server: Shadow Daemon
Web Application Firewall Server: Shadow Daemon is a collection of tools to detect, record and preventattacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability.
This is the main component that handles the analysis and storage of requests.
Shadow Daemon is easy to install and can be managed with a clear and structured web interface. The interface lets you examine attacks in great detail. If you just want to protect your site, but otherwise do not care about attacks you can forget about the web interface once Shadow Daemon is installed and configured.The interface also comes with shell scripts that can be used to send weekly reports via e-mail, rotate the logs and the like.
Web Application Firewall Server
High coverage
Shadow Daemon uses small connectors on application level to intercept requests. This guarantees that the analyzed data is exactly the same as the input data of the web application, a task many firewalls fail to do properly. The installation of the connectors is easy and does not require coding abilities.
At the moment the following programming languages, libs and frameworks are supported:
- PHP
- Perl
- CGI
- Mojolicious
- Mojolicious::Lite
- Python
- CGI
- Django
- Werkzeug
- Flask
Additional connectors are planned by developer and will be released at some point in the future.
Accurate detection
Shadow Daemon combines blacklisting, whitelisting and integrity checking to accurately detect malicious requests. The blacklist makes use of sophisticated regular expressions to search for known attack patterns in the user input. The whitelist on the other hand searches for irregularities in the user input based on strict rules that define how the input should look like. The integrity check compares cryptographically secure checksums of the executed scripts against predefined values.
Together they can detect almost any attack on a web application and still have a very low false-positive rate.
Shadow Daemon is able to detect common attacks like:
- SQL injections
- XML injections
- Code injections
- Command injections
- Cross-site scripting
- Local/remote file inclusions
- Backdoor access
- And more …
Discreet protection
Unlike many other web application firewalls Shadow Daemon does not completely block malicious requests if possible. Instead it only filters out the dangerous parts of a request and lets it proceed afterwards. This makes attacks impossible, but does not unnecessary frustrate visitors in the case of false-positives.
Secure architecture
Shadow Daemon is closer to the application than most other web application firewalls. It receives exactlythe same input that the web application receives and thus it is almost impossible to bypass the detection by obfuscating the attack. However, the most complex parts of Shadow Daemon are separated from the web application to guarantee a certain standard of security.
Who should use Shadow Daemon?
- Shadow Daemon is for people who want to run their own dynamic website without constantly having to worry about attacks and vulnerabilities.
- Shadow Daemon is for people who want to know if and how their website is attacked.
- Shadow Daemon is for people who do not want to blindly place their trust in closed-source software that does its work in secret and costs a fortune.
Installation
Preparation
Use cmake to configure and prepare the project. It is a good idea to create a separate directory for this. A typical installation might look like this.
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_BUILD_TYPE=Release ..
Compilation
If cmake is successful it creates a makefile. Use it to compile and install the project.
make shadowd
make install
Database
Install and configure a database server. At the moment shadowd officially supports PostgreSQL and MySQL. Afterwards create a new user and database for shadowd and import the correct layout.
If you are using PostgreSQL you can use
psql to import the layout.psql -Ushadowd shadowd < /usr/share/shadowd/pgsql_layout.sql
If you are using MySQL you can use
mysql to import the layout. The user requires the CREATE ROUTINEprivilege.mysql -ushadowd -p shadowd < /usr/share/shadowd/mysql_layout.sql
Configuration
The installer copies the configuration file to /etc/shadowd/shadowd.ini. The file is annotated and should be self-explanatory.
![[WAF-FLE] Web application firewall: fast log and event console](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNUiNj5SjQeu8VhkRyfVjV4mP1bHFkRLpos0NqOznjOFmrqXmnTaqDd-0btKDqtpn3Ay_K8B6Vy75b8yyJyCeSZrUY7NJPG0GRBfEbdmFs1A7fpWMRKQa5jzzm8JOrTc3zAC7GIumQmTk/s72-c/waf-fle.png "[WAF-FLE] Web application firewall: fast log and event console")
0 comments: