Go to the web interface and log in with your admin user. By default you can reach it at port 8080, for example http://127.0.0.1:8080 if it is running on localhost.
Navigate to Management, Profiles, and click the Add button at the bottom of the page. Use the form to add a new profile. The default values should be reasonable for most new installations. The only required values that are not added by default are the name and the key.
- You can set the IP address of the connector to only allow connections to
shadowdfrom this source.
- Important: If you use
shadowdctlkeep the default value
*(allow all) because
shadowdis started in a virtual network and does not receive the real addresses of its clients by default.
- You have to add a name for the profile.
- You have to add a secure and unique key to authorize requests from connectors.
- The key has to be added to the configuration file of the connector later on.
- You should set the mode to passive for now until you are sure that the system works correctly.
- In passive mode
shadowdwill never tell a connector to modify or stop a request.
- You should disable the whitelist and integrity checks for now because they need well-fitting rules to work.
- You can enable the blacklist and flooding checks, because they are instantly ready for use.
- The blacklist checks user input for malicious patterns and compares their total impact to the threshold.
- The flooding protection limits the amount of attacks that are stored and analyzed by Shadow Daemon. It does not count non-malicious requests.
What is a good blacklist threshold?
If the threshold of the blacklist is too low there will be lots of false-positives. If the threshold is too high it might miss some attacks. Normally a good (secure) threshold lies between 5 and 10. You should start with a low global value and only increase it over time if there are way too many false-positives. If there are only single exceptions it is best to add blacklist rules that allow you to increase the threshold for very specific input.