Hello world protected by a WAF
Prerequisites
To run this onboarding tutorial, you first need:
- a k8saas cluster deployed (to request and set up your own cluster, see the Getting Started section);
- the following file downloaded:
Tutorial
This tutorial deploys a simple web application and simulates an attack against it to show the WAF blocking the request.
Get your credentials
az aks get-credentials --name "$K8SAAS_RESOURCE_NAME" --resource-group "$K8SAAS_RESOURCE_NAME"
The cluster name and the resource group name are the same within k8saas, so the same variable is used for both.
Deploy the application
Deploy the application, composed of:
- a Kubernetes Deployment object, which spins up the application pod (container) and keeps it running at all times;
- a Kubernetes Service object, which exposes the pod inside the cluster;
- a Kubernetes Ingress object, which exposes the service to the internet through the ingress-nginx controller (where the WAF runs).
Using the following commands:
# this starts the hello world pod and its service
kubectl apply -f aks-helloworld-one.yaml --namespace dev
# this exposes the service to the internet through the ingress
kubectl apply -f hello-world-ingress.yaml --namespace dev
The application is now available online at:
curl -k https://hello-world-ingress.demo.kaas.thalesdigital.io
Simulate an attack
Now, to simulate an attack, send a request carrying the user agent of the Nikto scanner, which the OWASP Core Rule Set flags as a known scanner:
curl -H "User-Agent: Nikto" -k https://hello-world-ingress.demo.kaas.thalesdigital.io
You should get a 403 response from the ingress controller:
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
Then, check the logs.
If this is the first time you access Log Analytics, follow the onboarding doc first.
Run the following query:
ingress_CL
| where kubernetes_labels_app_kubernetes_io_name_s contains "ingress-nginx"
| where log_s contains "ModSecurity"
| project TimeGenerated, log_s
You should see a message like this one (the OWASP CRS rule 949110 fires when the inbound anomaly score reaches the blocking threshold, here 5):
2021-02-11T01:15:07.52754143Z stderr F 2021/02/11 01:15:07 [error] 855#855: *666244 [client 192.168.0.35] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.0.10"] [uri "/"] [unique_id "161300610710.914637"] [ref ""], client: 192.168.0.35, server: hello-world-ingress.demo.kaas.thalesdigital.io, request: "GET / HTTP/2.0", host: "hello-world-ingress.demo.kaas.thalesdigital.io"
The WAF successfully detected the malicious user-agent and blocked it.
Using "SecRuleEngine DetectionOnly" does not generate any log.
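When triaging these events from Log Analytics it helps to split the long log_s line into its fields (rule id, anomaly score and threshold, severity, client, host, request). The parser below is an added example, not part of the tutorial or of k8saas; it uses the exact log line shown above as its sample input and assumes only the ingress-nginx/ModSecurity error-log format that line exhibits (bracketed `[key "value"]` sections followed by nginx's `client:`, `request:` and `host:` fields).

```python
import re

# Sample input: the ModSecurity line shown in the tutorial, as Log Analytics
# returns it in the log_s column (one long line, split here for readability).
SAMPLE_LOG = (
    '2021-02-11T01:15:07.52754143Z stderr F 2021/02/11 01:15:07 [error] 855#855: '
    '*666244 [client 192.168.0.35] ModSecurity: Access denied with code 403 (phase 2). '
    'Matched "Operator `Ge\' with parameter `5\' against variable `TX:ANOMALY_SCORE\' '
    '(Value: `5\' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] '
    '[tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] '
    '[hostname "192.168.0.10"] [uri "/"] [unique_id "161300610710.914637"] [ref ""], '
    'client: 192.168.0.35, server: hello-world-ingress.demo.kaas.thalesdigital.io, '
    'request: "GET / HTTP/2.0", host: "hello-world-ingress.demo.kaas.thalesdigital.io"'
)

# Bracketed key/value sections such as [id "949110"]; "tag" repeats, so tags are collected in a list.
_SECTION = re.compile(r'\[(\w+) "([^"]*)"\]')
# Present only when the engine actually blocked (SecRuleEngine On), with the HTTP status used.
_DENIED = re.compile(r'ModSecurity: Access denied with code (\d{3})')
# The anomaly-score comparison: Operator `Ge' with parameter `5' ... (Value: `5' )
_SCORE = re.compile(
    r"Operator `(\w+)' with parameter `(\d+)' against variable `TX:ANOMALY_SCORE' \(Value: `(\d+)'"
)
# Trailing nginx fields appended after the ModSecurity message.
_CLIENT = re.compile(r'client: ([0-9a-fA-F.:]+),')
_REQUEST = re.compile(r'request: "([^"]*)"')
_HOST = re.compile(r'host: "([^"]*)"')


def parse_modsecurity_line(line):
    """Turn one ingress-nginx/ModSecurity error-log line into a dict of triage fields.

    Returns None for lines that are not ModSecurity events (e.g. plain access-log lines).
    """
    if 'ModSecurity:' not in line:
        return None
    event = {'tags': []}
    for key, value in _SECTION.findall(line):
        if key == 'tag':
            event['tags'].append(value)
        else:
            event[key] = value
    denied = _DENIED.search(line)
    event['blocked'] = denied is not None
    event['status'] = int(denied.group(1)) if denied else None
    score = _SCORE.search(line)
    if score:
        event['operator'] = score.group(1)
        event['threshold'] = int(score.group(2))
        event['anomaly_score'] = int(score.group(3))
    for name, rx in (('client', _CLIENT), ('request', _REQUEST), ('host', _HOST)):
        m = rx.search(line)
        event[name] = m.group(1) if m else None
    return event


def summarize_blocked(lines):
    """Count blocked requests per (host, client) across many log lines, which is the
    first thing to look at when deciding whether a source is a scanner or a false positive."""
    counts = {}
    for line in lines:
        event = parse_modsecurity_line(line)
        if event and event['blocked']:
            key = (event['host'], event['client'])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    parsed = parse_modsecurity_line(SAMPLE_LOG)
    for field in ('id', 'msg', 'severity', 'anomaly_score', 'threshold', 'status', 'client', 'host', 'request'):
        print(f'{field:>14}: {parsed[field]}')
    print(summarize_blocked([SAMPLE_LOG]))
```

The `blocked` flag is derived from the "Access denied" text, so the same parser can be pointed at a Log Analytics export and will separate real blocks from any other ModSecurity lines; the `summarize_blocked` counts by host and client are a quick way to see whether a block is an isolated false positive on a legitimate client or repeated hits from a scanner.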
Next steps
To disable rules or add custom ones, follow this documentation.
Remove your test
$ kubectl delete -f aks-helloworld-one.yaml --namespace dev
$ kubectl delete -f hello-world-ingress.yaml --namespace dev