Amazon offers WAF or Web Application Firewall which hooks directly into a CloudFront setup (Note: CloudFront is a prerequisite to installing WAF). WAF as its name suggests is a really flexible Firewall that isn’t your ordinary Firewall implementation. WAF will replace the Wordfence plugin for security, for your WordPress install. Check out the diagram below, it really highlights some of utility of the solution.
This is the first post in a multipart series in setting up Amazon Web Application Firewall. Click here to follow the second post covering CloudFront installation.
Secure your site with WAF
My WAF install will be protecting a WordPress site. When checking my Google Analytics, I noticed that Russia was surprisingly keen on my blog – which made me suspicious. Coupled with analytics reporting that the language being requested was Secret.google.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump! Weird.
Both things seems suspicious. I assume bots are causing all this traffic, distorting my analytics numbers. The other thing concerning me about my WordPress instance was that in theory someone could brute force guess my password and hack my blog.
I did have Wordfence installed, but to honest it does look cheap and messy. I’d much prefer security concerns to be addressed before hitting my site, so my site can concentrate on doing what it does best – new content.
Wouldn’t it be nicer to only allow certain IPs to connect to WordPress wp-admin folder? Wouldn’t it be nice to remove these fake bots hitting our site from our analytics? Wouldn’t it be nice to make our site harder to hack? Wouldn’t it be nice to stop XSS/SQL Injection attacks?
Quick and Cheap
Before we delve into details, let me first highlight the fact that WAF’s protection can be implemented within a really short period of time and for cheap. Following this guide you should be able to roll out something similar to the diagram above with the click of a button and a few values entered.
Some of the interesting features that are identifiable in the diagram:
Bad Bot and Scraper Protection
A Honeypot can be deployed to attract malicious and nefarious folk into trying to hack the system. Honeypots are designed to look vulnerable and a tempting target. Amazon’s swankery includes the ability to use Amazon’s Lambda to run code to tempt dodgy traffic, log the IP addresses and automatically block them!
SQL Injection Protection and Cross Site Scripting Protection (XSS)
Superficially WordPress has a few attack vectors that can be potentially targeted with SQL or XSS attacks. Anywhere where you see a text box looking for the user to type something in, such as the comments section, is a potential attack point. We wan’t to block anyone trying to do malicious SQL manipulation.
Logs are read to identify suspicious activity such as an abnormal amount of requests or errors.
IP Address Blacklists
WAF has hooks into well maintained IP blacklist authorities.
- TOR exit points are blacklisted (these are people who use the anonymity of TOR to hide their connections.
- Spamhaus – the email blacklist
Don’t Route Or Peer (DROP) list
Extended Drop (EDROP) list
Proofpoint Emerging Threats IP list
You can add any custom IP ranges to the given blacklists.
The next article in the series covers setting up CloudFront, a prerequisite step towards the steps to install WAF on a WordPress instance.