A lot of #WAF / #WAAP users fear false positives 😱 They are not a product of chance, but come from very logical and sometimes complex rules. To help you get to the bottom of this kind of issue, we made a top 5 of the most common false positives on #BunkerWeb 🛡️ and most importantly how to fix them properly: → Rate Limiting → ModSecurity / OWASP CRS Rules → Bad Behavior → Allowed HTTP Methods → Error Code Interception Tired of fixing lots of false positives? Check the article on how to fix them and try the Easy Resolve plugin in BunkerWeb PRO! 👉 Read the full article by Alexandre AGASSEAU: https://lnkd.in/d9Ew8BD5 #opensource #cybersecurity #opensecurity
Bunkerity
Computer and Network Security
Agen, Nouvelle-Aquitaine 3,964 followers
Make your company secure like a Bunker.
About us
At Bunkerity, we design open, transparent, and high-performance cybersecurity solutions that empower you to defend yourself effectively while keeping full control. Our flagship project, BunkerWeb, is an open-source, sovereign, cloud-native Web Application Firewall (WAF). It provides robust protection against common threats, such as those listed in the OWASP Top 10, while blocking malicious bots and mitigating DDoS attacks. No longer remain in the shadows, step into the light.
- Website: https://www.bunkerity.com
- Industry: Computer and Network Security
- Company size: 2-10 employees
- Headquarters: Agen, Nouvelle-Aquitaine
- Type: Privately Held
- Founded: 2021
- Specialties: Open source and WAF
Products
BunkerWeb
Web Application Firewalls (WAF)
Fool attackers and protect your web services with BunkerWeb, the open-source, cloud-native and sovereign Web Application Firewall (WAF).
Locations
Primary
156, Avenue Jean Jaurès
Campus Numérique 47 - Incubateur
Agen, Nouvelle-Aquitaine 47000, FR
Updates
-
Bunkerity reposted this
🔒 Just Published: Complete BunkerWeb Setup & Security Guide I'm excited to share my latest technical deep-dive on BunkerWeb – the open-source Web Application Firewall (Bunkerity) that sits in front of your services and blocks attacks before they reach your applications. 📖 What's Inside the Guide ✅ Complete Docker Deployment – Get BunkerWeb running in minutes on any Linux host ✅ First-Time Setup Walkthrough – From admin user creation to dashboard tour ✅ Real Attack Demonstrations – Watch SQL Injection, XSS, and Path Traversal get blocked in real-time (with code-level comments!) ✅ ModSecurity + OWASP CRS Deep Dive – See exactly how rules 942100, 941100, and 930120 trigger ✅ Troubleshooting Common Issues – Port conflicts, IP access, and Docker pull problems 🛡️ Why BunkerWeb? In today's threat landscape, you can't afford to expose raw applications to the internet. BunkerWeb provides: OWASP Top 10 protection out of the box Automatic SSL/TLS with Let's Encrypt Rate limiting, DDoS mitigation, and CrowdSec integration Enterprise-grade security for free 💡 Key Takeaway from the Guide After deploying on Ubuntu 26.04 (Resolute) and running live attack simulations, BunkerWeb's ModSecurity engine with OWASP CRS successfully blocked every single attack – returning clean 403/404 responses while logging everything to audit logs. 🔗 Read the Full Guide 👉 https://lnkd.in/gia5mXVb #BunkerWeb #CyberSecurity #WAF #DevSecOps #OpenSource #WebSecurity #ModSecurity #OWASP #Docker
-
Bunkerity reposted this
Today I committed Bunkerity (Bunkerweb) to the FreeBSD Ports Collection. BunkerWeb is an open-source web application firewall (WAF) and security platform with a web-based management interface. https://lnkd.in/dGDSGkw8 What I initially expected to be a relatively straightforward port turned into a project that took about six weeks from start to finish. As is often the case, the challenge wasn't just creating the port itself. A significant amount of work went into adapting the software to FreeBSD, integrating it cleanly into the Ports Collection, fixing platform-specific issues, and testing the various components to ensure they work reliably on FreeBSD systems. The result is now available in the official FreeBSD Ports Collection as: https://lnkd.in/dv23yXsn I've tested the port extensively during development, but I'm looking forward to feedback from the wider FreeBSD community. Real-world usage is often the best way to discover edge cases and opportunities for improvement. A big thank you to the BunkerWeb developers for their support and responsiveness throughout the porting process. #FreeBSD #OpenSource #CyberSecurity #WAF #PortsCollection
-
Bunkerity reposted this
It's been too long since I last managed to contribute code to an active open source project but with the new bunkerweb release from Bunkerity comes a very small personal contribution from myself. I really do need to find a bit more time to give back to open source. It's an enjoyable feeling. Particularly because these types of open source projects are bringing critical tools to the masses at a time when sovereignty has never been more important. Having the option to self host means your data stays yours and all with robust publicly audited code.
-
Bunkerity reposted this
From Pipeline to Post: Security and Observability on my new blog with Ghost CMS + BunkerWeb 🛡️🤖 As a DevSecOps and MLSecOps professional, I believe that "in the blacksmith's house, the skewer is made of iron". When launching my new blog on Ghost CMS, the priority was to design an architecture that was not just functional, but resilient and data-driven. The solution? A containerized stack protected by BunkerWeb (WAF) acting as the first line of defense. What this approach brings to the table: ✅ Automated Hardening: BunkerWeb manages network hardening and protection against common exploits (OWASP Top 10) declaratively, integrating seamlessly into the infrastructure as code (IaC) workflow. ✅ ML-Ready Logging: The configuration was designed to export structured logs. The goal? To feed, in the future, an anomaly detection pipeline in which ML models can identify patterns of brute-force attacks or "LLM scraping" that WAFs based only on signatures may miss. ✅ Secure Interface for LLMs: In the context of LLMSecOps, ensuring that the CMS API is protected against prompt injection or unauthorized data extraction is the first step toward future integrations with AI agents. Why Ghost + BunkerWeb? For the flexibility. Ghost gives me a clean API, and BunkerWeb gives me the granular control needed to adjust security rules without breaking the user experience (or my own, when publishing via the API). The next step is to close the MLOps loop: automating the retraining of blocking rules based on real traffic logs. 🔄 Security is not a product, it is a continuous process of monitoring and adjustment. Who else is integrating layers of intelligence into the protection of web infrastructure? #DevSecOps #MLSecOps #LLMSecOps #BunkerWeb #GhostCMS #CyberSecurity #DataScience #SecurityAsCode
-
Did you know you can easily add #SSO authentication to your web services using #BunkerWeb? 🛡️ We’re seeing several recurring use cases across our clients: ✅ Protecting legacy applications without modern authentication ✅ Centralizing SSO configuration and management ✅ Securing applications in hybrid environments (on-premise and cloud) BunkerWeb goes beyond a traditional #WAF / #WAAP: it unifies security, identity, and access control into a single strategic layer. A new article, written by Alexandre AGASSEAU, is now live on our blog. It walks through how to implement #OpenID Connect authentication with #Keycloak. 👉 Read the full article here: https://lnkd.in/dkH4Ejmc #OpenSource #Cybersecurity #OpenSecurity
-
Bunkerity reposted this
Web application security shouldn't be an afterthought. For those running Ubuntu 22.04 LTS, I’ve just published a comprehensive A-to-Z guide on deploying BunkerWeb WAF to protect your edge. In this write-up, I break down: 🔹 Choosing between the Easy Installation Script and manual package management. 🔹 Integrating CrowdSec for real-time intrusion prevention and virtual patching. 🔹 Configuring the BunkerWeb Scheduler for seamless configuration reloads without downtime. 🔹 Leveraging the Web UI Setup Wizard for a professional, guided deployment. Whether you’re securing a single service or a high-availability cluster, this guide covers the hardening steps necessary for modern web infrastructure. #BunkerWeb #WAF #CyberSecurity #Ubuntu #DevOps #InfoSec #OpenSource
-
A good cloud-native security solution 🛡️ should do more than protect. It should: - integrate with your platform, - scale with your workloads, - fit your automation model, - and reduce operational complexity. 👉 That is why BunkerWeb being listed in the Cloud Native Computing Foundation (CNCF) landscape matters: https://landscape.cncf.io/ It is a strong reminder that, when evaluating a security solution today, cloud-native ☁️ readiness is not optional. It is a core buying criterion. Protection is expected. Operational fit is what makes adoption sustainable. #WAF #WAAP #CloudNative #Cybersecurity #OpenSource
-
Securing the management plane is never optional 🛡️ Xen Orchestra is a powerful interface for managing virtualized infrastructure. That also makes it a high-value target: if the admin interface is exposed without the right protections, the risk is significant. We recently published a new article showing how to protect the Xen Orchestra administration interface from Vates Virtualization Management Stack (XCP-ng / Xen Orchestra) with BunkerWeb: 👉 https://lnkd.in/e27QruX6 We also released an open-source BunkerWeb template to make deployment easier. What makes this especially meaningful is the shared DNA between Bunkerity and Vates Virtualization Management Stack (XCP-ng / Xen Orchestra) : ✔️ Open-source by design ✔️ Sovereign by conviction ✔️ Built to give organizations more control over their infrastructure and security Protecting critical administration interfaces like Xen Orchestra is a key part of a strong security posture. And doing it with open, sovereign technologies matters more than ever. #XenOrchestra #XCPNG #CyberSecurity #WAF #WAAP #OpenSource
-
Bunkerity reposted this
Your web application is exposed on the Internet. What filters the traffic before it reaches your backend? SQL injections, XSS, Nikto scans, brute force on login pages… that is the daily reality of any exposed application. And in many teams, there is still no real filter in front. BunkerWeb is an open-source WAF based on NGINX that sits as a reverse proxy in front of an existing application. It notably ships ModSecurity + OWASP CRS v4, rate limiting, automatic banning, and community blacklists. In practice, a docker compose up is enough to get a usable first level of protection. I have published a complete guide to go further: - real architecture: instance, Scheduler, internal API, Web UI - difference between lab and production - minimal deployment with Docker Compose - protections enabled by default - attack tests with the real blocking logs - configuring the real client IP - HTTPS: self-signed for the lab, Let’s Encrypt for production - administration Web UI with screenshots - native BunkerNet vs external CrowdSec - tuning: false positives, paranoia level, anomaly scoring - Free vs PRO comparison by capability The classic trap: without USE_REAL_IP, BunkerWeb mostly sees the internal IP of the proxy or of the Docker network. As a result, rate limiting, logs and bans become misleading. It is an architectural detail, but in practice it changes everything. The guide: https://lnkd.in/ezakSJkU #BunkerWeb #WAF #Docker #SecOps #ModSecurity #OpenSource #CyberSecurity Florian Pitance
-