Press "Enter" to skip to content

Use Hihttps WAF to Protect Your Web Application

0

Recently found a interesting WAF Hihttps. Github address is https://github.com/qq4108863/hihttps and website is https://hihttps.com which says it has :

Unsupervised learning autonomous confrontation

himqtt / hihttps is a free web application firewall and IoT MQTT firewall with basic functions. It supports traditional security rule detection (such as SQL injection, XSS, malicious vulnerability scanning, password brute force cracking, CC, DDOS, etc.), and more importantly It is the unsupervised learning of the sample collected by the machine, which automatically generates the confrontation rules. Click to download the free version of CentOS 


Redefining cybersecurity

If more than 99% of the samples are all in the form of https://www.hihttps.com/hihttps.html?id=123, then the following URLs will be considered as attacks:
https://www.hihttps.com/hihttps.html?id=123 ‘or 1 =’ 1
https://www.hihttps.com/hihttps.html?id=1234567890&t=123
https://www.hihttps.com/hihttps.html?id=abc
Machine deep learning is an effective way to defend against unknown attacks and 0DAY vulnerabilities, but it has a long way to go.

It also provides a free version for CentOS to download. I decided to give it a try to see how it is working. Actually free version in CentOS is quite easy to install and it works as well. I have not try other rules such as mod_security’s rules, but based on default settings, it is able to defense some attacks I simulated using Qualys VM scan. 

Download Free Version – Hihttps WAF

It can be downloaded from https://hihttps.gitee.io/down.html. It is a 15MB tar file. File name is hihttps.tar.gz

I am using Firezilla upload it to my CentOS server in Azure cloud.

One uploaded, just using command  “tar –zxvf hihttps.tar.gz”  to extract it to any directory. There are 3 core files and 3 directories:
1. hihttps is an executable file that supports centos 64-bit system.
2. hihttps.cfg is a configuration file, such as port / reverse proxy server IP, etc.
3. ml.cfg is a machine learning configuration file.
4. The rules directory is confrontation rules, including OWASP SQL injection, XSS, CC, DDOS, password cracking, malicious scanning, and machine learning autonomous confrontation rules.
5. The train directory is an unsupervised machine learning sample collection directory.
6. The log directory is to put the alarm log.

Default hihttps Configuration

Default configuration is in the hihttps.cfg file. By default, hihttps configures the front end to bind port 443 (HTTPS) and port 81 (HTTP) by default, and port 80 for reverse proxy connection:

https: // serverip / <==> http://127.0.0.1/
http: // serverip: 81 / <==> http://127.0.0.1/

Note: serverip is the actual IP address or domain name of your server. It will be my CentOS’s public ip and domain.

If you are testing in the lab environment or vmware virtual machine, or there is no web server on the server, please install nginx or apache first although it is not mandatory:
yum install nginx or yum install httpd, open the browser http: // serverip / , confirm that access to port 80 is successful.

My Lab hihttps Configuration

As we explained before,  hihttps opens two web ports, 81 and 443. Note that 443 needs to be bound to a PEM format certificate. By default, a digital certificate called server.pem is provided. If so, please replace it with the source server Certificate of authenticity. The configuration is as follows:

Default https.cfg:

frontend web
mode http
bind: 81
default_backend s_default

frontend web_ssl
mode http
bind: 443 ssl crt server.pem #PEM certificate is recommended to use an absolute path such as /home/xxx/server.pem

default_backend s_default
errorloc302 400 http://www.hihttps.com/ # *** Redirect the webpage, only DROP blocking mode works

#Real back-end WEB server port
backend s_default
mode http
server server_default 127.0.0.1:80

My Configuration : FrontEnd port is 80, and BackEnd port is 81.

[[email protected] hihttps]$ cat hihttps.cfg
global
  pidfile  /var/run/hihttps.pid
        maxconn 5000
        user root
  group root
  tune.ssl.default-dh-param 2048

defaults
        mode http
        timeout connect 120s
        timeout client 120s
        timeout server 120s
        option http-server-close

frontend web
  mode http
        bind    :80
        default_backend s_default

frontend web_ssl
        mode http
        bind :443 ssl crt server.pem     
        default_backend s_default
        errorloc302 400 https://www.51sec.org/           

backend s_default
        mode                    http
        server          server_default 127.0.0.1:81

[[email protected] hihttps]$

Launch Hihttps


[[email protected] ~]$ cd hihttps/
[[email protected] hihttps]$ ls
hihttps  hihttps.cfg  log  logs  ml.cfg  README.txt  rules  server.pem  train
[[email protected] hihttps]$ ./hihttps
++++++++++++++++++++++++++++++++++++++++++++The OWASP ModSecurity Core Rules++++++++++++++++++++++++++++++++++++++++++++
ruleid:20               severity:'CRITICAL'             LOGIN Brute Force Password test
ruleid:20               severity:'CRITICAL'             LOGIN Brute Force Password test
ruleid:22               severity:'CRITICAL'             CC and DDOS test
ruleid:913100           severity:'CRITICAL'             Found User-Agent associated with security scanner
ruleid:913110           severity:'CRITICAL'             Found request header associated with security scanner
ruleid:913120           severity:'CRITICAL'             Found request filename/argument associated with security scanner
ruleid:913101           severity:'CRITICAL'             Found User-Agent associated with scripting/generic HTTP client
ruleid:941100           severity:'CRITICAL'             XSS Attack Detected via libinjection
ruleid:942100           severity:'CRITICAL'             SQL Injection Attack Detected via libinjection
+++++++++++++++++++++++++++++++++++++++++++++++++++end+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
******************************************Machine Learning for Automatic Defence Rules*********************************
1        URL=/hihttps.html
*********************************************************end***********************************************************
hihttps config file is /home/netsec/hihttps/hihttps.cfg ,start ok......

If there is no error or alarm messages showing and it says start ok…., it is running now. 

Checking Ports

[[email protected] hihttps]$ netstat -lntp | grep 80
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
[[email protected] hihttps]$

If you want to put it into background to run, just add & at the end of command.  You also can export output from console to a log file using following command:
./hihttps >> log.txt &





References

Leave a Reply

Your email address will not be published. Required fields are marked *