Protecting infrastructure from automated vulnerability scanners and exploit attempts is basic security hygiene for any public-facing resource. BunkerWeb makes it possible to quickly deploy a layered defence against many of the most common threats on the internet. This open-source security platform detects and blocks brute-force attempts, aggressive scraping and exploitation of known CVEs, keeping the servers behind it from being compromised or overloaded.
Another classic technique in modern pentests is AS-REP roasting. It targets accounts for which Kerberos pre-authentication was switched off, usually years ago to accommodate some legacy system; in Active Directory this shows up as the DONT_REQ_PREAUTH flag in the account's userAccountControl attribute.
The attacker needs no existing foothold on the network. They simply send the KDC an AS-REQ for such an account without any pre-authentication data, and because pre-authentication is not required, the KDC answers with an AS-REP. Part of that reply is encrypted with a key derived from the user's password (for RC4-HMAC that key is the NT hash itself), so the attacker extracts the encrypted blob, feeds it to Hashcat (mode 18200 for the RC4 variant) and waits for the cracking job to finish.
This is most commonly done with the Impacket toolkit, specifically GetNPUsers.py, which can also walk a user list to find which accounts have pre-authentication disabled.
What does the Impacket fingerprint look like in network traffic? It is fairly easy to recognise: the AS-REQ carries the kdc-options FORWARDABLE, PROXIABLE and RENEWABLE together and asks for the weak RC4-HMAC encryption type (etype 23). In hex, this shows up as a consistent byte sequence:
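The exchange above leaves a trace on the domain controller as well as on the wire: a TGT issued with Pre-Authentication Type 0 in Security event 4768 is exactly the "no pre-auth" AS-REP described, and Ticket Encryption Type 0x17 is the RC4-HMAC type Impacket requests by default. The following is an added example (not part of the original article or of Impacket) that hunts for such events; the field names are the real 4768 EventData names, while the tab-separated export format and the events themselves are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: host-side detection of AS-REP roasting from Security event 4768.
# A TGT obtained with PreAuthType 0 means the KDC handed out an AS-REP without
# pre-authentication; RC4 (0x17) is what GetNPUsers.py asks for unless told otherwise.

# asrep_candidates <tsv-file>: for every source IP that obtained at least one TGT
# without pre-authentication, print "<ip> <distinct users> <etypes seen> <users>".
asrep_candidates() {
    awk -F'\t' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }        # header -> column map
    $(col["EventID"]) == 4768 && $(col["Status"]) == "0x0" && $(col["PreAuthType"]) == 0 {
        src = $(col["IpAddress"]); sub(/^::ffff:/, "", src)        # strip IPv4-mapped prefix
        user = tolower($(col["TargetUserName"]))
        et = tolower($(col["TicketEncryptionType"]))
        if (!((src, user) in seen)) {                              # count each account once per source
            seen[src, user] = 1; n[src]++
            users[src] = users[src] (users[src] == "" ? "" : ",") user
        }
        if (!((src, et) in seen_et)) {
            seen_et[src, et] = 1
            etypes[src] = etypes[src] (etypes[src] == "" ? "" : ",") et
        }
    }
    END { for (s in n) print s, n[s], etypes[s], users[s] }' "$1"
}

# sample_events <path>: constructed 4768/4769 records (not real telemetry).
# 10.0.0.21 is the legacy service's usual host, 10.0.0.99 runs GetNPUsers.py.
sample_events() {
    {
        printf 'EventID\tTargetUserName\tIpAddress\tPreAuthType\tTicketEncryptionType\tStatus\n'
        printf '4768\talice\t::ffff:10.0.0.21\t2\t0x12\t0x0\n'       # normal logon, AES, PA-ENC-TIMESTAMP
        printf '4768\tbob\t::ffff:10.0.0.22\t2\t0x12\t0x0\n'
        printf '4768\tsvc_legacy\t::ffff:10.0.0.99\t0\t0x17\t0x0\n'  # no pre-auth, RC4: roastable
        printf '4768\tbackup_old\t::ffff:10.0.0.99\t0\t0x17\t0x0\n'  # second account, same second
        printf '4768\teve\t::ffff:10.0.0.99\t2\t0x12\t0x0\n'         # attacker host, but a normal logon
        printf '4768\tnosuchuser\t::ffff:10.0.0.99\t0\t0x17\t0x6\n'  # unknown principal, not issued
        printf '4768\tsvc_legacy\t::ffff:10.0.0.21\t0\t0x12\t0x0\n'  # the legacy app itself, AES
        printf '4769\talice\t::ffff:10.0.0.21\t-\t0x12\t0x0\n'       # TGS request, irrelevant here
    } > "$1"
}

ev=$(mktemp)
sample_events "$ev"
asrep_candidates "$ev"
rm -f "$ev"
```

Read the output by source: one known legacy account from its usual host with an AES ticket is the baseline noise you expect for a DONT_REQ_PREAUTH account, whereas several distinct accounts obtaining RC4 tickets from one source within seconds is the roasting run. Failed lookups (Status 0x6) are deliberately excluded from the count, but a burst of them from the same source is the user-list enumeration and is worth a separate alert.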
In essence, BunkerWeb is built on NGINX, one of the most widely deployed web servers in the world, customised for security. Rather than writing a proxy server from scratch, the Bunkerity team took a mature platform, combined it with established open-source security components, added a sane way of managing its configuration, and released the result under an open-source licence (AGPLv3).
The tool runs as a reverse proxy in front of a web application, back end or API. From the moment it starts, it filters incoming traffic and blocks a large share of the common threat types: basic attacks, automated vulnerability scanning (such as that performed by Acunetix, Nessus or OpenVAS), password-guessing attempts, and exploit attempts against previously published CVEs. The main benefit is that administrators do not have to write every individual security rule themselves.
A review of the official GitHub repository and documentation reveals an impressive set of capabilities available immediately after installation. Below is a breakdown of the core mechanisms that power BunkerWeb’s security model.
The days of manual certificate renewal, or of fragile cron jobs running Certbot, are numbered. BunkerWeb integrates the free Let's Encrypt service transparently.
You only need to declare the domain name in the configuration. BunkerWeb then obtains the TLS certificate, configures current TLS protocol versions and cipher suites, handles automatic renewal, and sets up the 301 redirect from HTTP to HTTPS. The usual Let's Encrypt constraints still apply: the domain's DNS must already point at the instance, and port 80 must be reachable for the HTTP-01 challenge.
Once configured, all of this runs without further intervention.
At the core of BunkerWeb's security features is ModSecurity, shipped with a pre-tuned OWASP Core Rule Set (CRS).
Immediately upon deployment, the CRS therefore protects a site against a number of common attack classes:
– SQL Injection (SQLi) – Blocks attempts to alter database query logic with injected payloads (e.g. the classic "' OR 1=1 --").
– Cross-Site Scripting (XSS) – Blocks attempts to inject malicious client-side JavaScript that would run in an unsuspecting visitor's browser.
– Local File Inclusion (LFI) and Remote Code Execution (RCE) – Blocks attempts to read sensitive server files (for example /etc/passwd) through path traversal or file inclusion, and payloads aimed at executing arbitrary commands on the server.
A key point is that the shipped CRS tuning aims to minimise false positives, which are frustrating when they stop legitimate users from using an application normally. CRS strictness remains a trade-off (its paranoia level and per-rule exclusions are tunable), so an application with unusual request patterns should be exercised behind the WAF before its blocking decisions are relied upon.
Content scraping by competitors, brute-forcing of admin panels, and spam flooding comment sections all create needless load on infrastructure. BunkerWeb detects suspicious activity and presents automated clients with challenges.
Multiple protection levels are available:
– Silent verification through a cookie-based check.
– A JavaScript computational challenge, which filters out most basic scripts (Python/Requests and similar tools) that lack a full browser engine; a headless browser passes it, so it raises the attacker's cost rather than stopping a determined one.
– Interactive CAPTCHAs, from a classic image CAPTCHA to modern services such as hCaptcha and Google reCAPTCHA.
Independently of attack signatures, BunkerWeb also watches the HTTP response codes returned by the backend it protects.
If one IP address starts generating a large number of 404 (Not Found) or 403 (Forbidden) responses, which is typical of directory-discovery tools (DirBuster, gobuster and the like) probing for hidden directories, admin panels or backup files, that client is banned for a configurable period.
Additionally, the WAF consults well-known DNS-based blocklists (DNSBL) of malicious IP addresses and rejects traffic from listed hosts.
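The response-code heuristic is simple enough to be worth re-implementing once, if only to choose a threshold and window that fit your own traffic before enabling the feature. The script below is an added example and not BunkerWeb's code: it slides a time window over an NGINX combined-format access log and reports each client at the moment it crosses the threshold. The three knobs mirror the settings BunkerWeb documents as BAD_BEHAVIOR_STATUS_CODES, BAD_BEHAVIOR_THRESHOLD and BAD_BEHAVIOR_COUNT_TIME (names and defaults as I understand them from the docs; verify them for your version), and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example: the "bad behaviour" heuristic over an NGINX access log.
BAD_STATUS="400 401 403 404 405 429 444"   # responses that count as suspicious
THRESHOLD=10                                # this many of them ...
WINDOW=60                                   # ... inside this many seconds => ban

# bad_clients <access-log>: prints "<ip> <count> <epoch>" once per client, at the
# moment it reaches THRESHOLD offending responses within a WINDOW-second span.
bad_clients() {
    awk -v bad="$BAD_STATUS" -v thr="$THRESHOLD" -v win="$WINDOW" '
    # days since 1970-01-01 for a civil date (POSIX awk has no mktime)
    function days(y, m, d) {
        if (m <= 2) { y--; m += 12 }
        return 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3)+2)/5) + d - 719469
    }
    BEGIN {
        n = split(bad, a, " "); for (i = 1; i <= n; i++) isbad[a[i]] = 1
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", a, " ")
        for (i = 1; i <= n; i++) mon[a[i]] = i
    }
    {
        ip = $1
        split(substr($4, 2), t, "[/:]")   # "[dd/Mon/yyyy:HH:MM:SS" -> dd Mon yyyy HH MM SS
        now = days(t[3]+0, mon[t[2]], t[1]+0)*86400 + t[4]*3600 + t[5]*60 + t[6]
        # the status code is the field right after the closing quote of the request line
        status = ""
        for (i = 6; i <= NF; i++) if ($i ~ /"$/) { status = $(i+1); break }
        if (!(status in isbad)) next
        cnt[ip]++; at[ip, cnt[ip]] = now
        while (now - at[ip, head[ip]+1] > win) head[ip]++          # expire old events
        live = cnt[ip] - head[ip]
        if (live >= thr && !(ip in banned)) { banned[ip] = 1; print ip, live, now }
    }' "$1"
}

# sample_log <path>: constructed lines (not real traffic): one browsing user who
# hits a few stale links, and one gobuster run hammering non-existent paths.
sample_log() {
    cat > "$1" <<'EOF'
198.51.100.5 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2024:12:00:09 +0000] "GET /old-post HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2024:12:03:40 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2024:12:03:41 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2024:12:07:02 +0000] "GET /contact HTTP/1.1" 403 153 "-" "Mozilla/5.0"
EOF
    i=0
    for p in admin/ backup.zip .git/HEAD config.php phpmyadmin/ .env uploads/ old/ test/ debug/ api/v1/ wp-login.php; do
        i=$((i + 2))   # twelve 404s, two seconds apart
        printf '203.0.113.7 - - [10/Mar/2024:12:05:%02d +0000] "GET /%s HTTP/1.1" 404 153 "-" "gobuster/3.6"\n' "$i" "$p" >> "$1"
    done
}

log=$(mktemp)
sample_log "$log"
bad_clients "$log"   # prints: 203.0.113.7 10 <epoch of its tenth 404>
rm -f "$log"
```

The browsing user never comes close to the threshold because their stale links are minutes apart; the scanner is flagged on its tenth miss, twenty seconds into the run. If a legitimate crawler or a single-page app with many 404-ing asset probes shows up in this output, raise the threshold or narrow the status list rather than switching the feature off.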
Volumetric layer 3/4 DDoS attacks reaching hundreds of gigabits per second still need specialised upstream providers such as Cloudflare or AWS Shield to absorb them. Layer 7 DoS attacks that hit a backend with expensive requests, however, are something BunkerWeb mitigates well.
Connection and request limits can be configured per client. In addition, the platform applies the following hardening automatically:
– Adds security headers such as Strict-Transport-Security, X-Content-Type-Options and Content-Security-Policy
– Hides software version information, so the attack surface that reconnaissance can map is smaller
Together, these measures noticeably strengthen the defensive posture of any publicly reachable web service.
One of the main indicators of quality for any modern DevOps tool is how easily it integrates into an existing technology stack. If deploying a WAF requires spinning up a separate virtual machine, compiling kernels, and resolving dependency conflicts, the tool quickly becomes more trouble than it’s worth. With BunkerWeb, however, the deployment process is carefully designed and streamlined.
The platform officially supports a wide range of environments:
Classic Linux (Bare Metal) – For those who prefer running services directly on physical infrastructure without relying on containerization.
Docker – Ready-to-use optimized images are available on Docker Hub for multiple architectures, including x64, x86, armv7, and arm64. Most configuration is handled through standard environment variables.
Docker Autoconf (Dynamic Configuration) – One of the most powerful features of the project. In traditional setups, changing security settings usually requires restarting the WAF container, which drops in-flight connections and causes brief downtime. BunkerWeb solves this elegantly: a dedicated autoconf helper container listens to Docker daemon events, and instead of editing the WAF configuration directly, administrators attach labels to their application containers (for example bunkerweb.USE_ANTIBOT=captcha). The autoconf service picks up these changes and applies the new security rules to the relevant application without restarting the main server.
Docker Swarm and Kubernetes – Designed for enterprise-scale deployments. In Kubernetes environments, BunkerWeb operates as a full Ingress controller. It can automatically read Ingress resources and ConfigMaps, dynamically adjusting its rules whenever cluster configuration changes. An official Helm chart is available for easier deployment.
Microsoft Azure – For organizations using Microsoft’s cloud ecosystem, a ready-to-deploy ARM template is provided.
The developers clearly understand the realities of modern hosting environments, where a single powerful server often serves several completely different web projects. By default, the WAF is configured to protect a single application, which simplifies setup for beginners. However, when multiple resources need protection, Multisite mode comes into play.
Technically, this is an implementation of the classic virtual host (vhost) concept. It allows completely independent security policies to be applied to each domain passing through the proxy.
Let’s look at a practical example.
Project A (Corporate WordPress Blog) Because WordPress is a popular CMS and a frequent target, its configuration may include aggressive static caching, strict ModSecurity rules against SQL injection, and mandatory CAPTCHA protection on the login page (/wp-login.php, to which /wp-admin redirects) to stop brute-force attempts.
Project B (Python Backend API) A CAPTCHA would break the client mobile applications, so it must be disabled. Instead, strict rate limiting is essential, together with GeoIP-based restrictions that allow access only from Ukrainian IP addresses (bearing in mind that GeoIP filtering is coarse: it blocks legitimate users who are travelling and is bypassed with any VPN, so it reduces noise rather than serving as access control).
Project C (Static Landing Page) This project requires only minimal protection — basic XSS filtering and proper security headers — without consuming additional server resources for complex traffic analysis.
All three projects, each with very different and sometimes conflicting security requirements, can operate smoothly behind a single BunkerWeb instance running in Multisite mode, with each application protected according to its own policy.
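Expressed as configuration, the three policies above fit in one Multisite settings file: global defaults at the top, then per-site overrides written as <server_name>_<SETTING>. The block below is an added example, not BunkerWeb's own code or documentation. It assumes the setting names BunkerWeb documents (MULTISITE, SERVER_NAME, AUTO_LETS_ENCRYPT from the certificate section, USE_ANTIBOT, USE_BAD_BEHAVIOR, USE_LIMIT_REQ with LIMIT_REQ_URL and LIMIT_REQ_RATE from the DoS section, WHITELIST_COUNTRY, and so on), which you should check against the settings reference for your version; hostnames, upstream addresses and rate values are placeholders. On a Linux install the file is /etc/bunkerweb/variables.env; in Docker the same lines go into the container environment, and in autoconf mode each one becomes a bunkerweb.<SETTING> label on the application container. The helper at the end shows how a per-site value overrides the global default, which is the whole point of Multisite.

```shell
#!/bin/sh
# Added example: a three-project Multisite policy and a resolver that mimics
# BunkerWeb's "site-specific value, else global value" lookup.
# Setting names are assumed to match the BunkerWeb documentation; verify them
# for your version. Hostnames, upstreams and rates are placeholders.

write_multisite_env() {   # write_multisite_env <path>
    cat > "$1" <<'EOF'
# ---- global defaults, inherited by every vhost unless overridden ----
MULTISITE=yes
SERVER_NAME=blog.example.com api.example.com www.example.com
AUTO_LETS_ENCRYPT=yes
USE_REVERSE_PROXY=yes
REVERSE_PROXY_URL=/
USE_MODSECURITY=yes
USE_MODSECURITY_CRS=yes
USE_BAD_BEHAVIOR=yes
USE_ANTIBOT=no
USE_LIMIT_REQ=no

# ---- Project A: WordPress blog, a brute-force magnet ----
# The challenge applies to the whole vhost; the per-URL rate limit on the
# login page is the brake that specifically hurts password guessing.
blog.example.com_REVERSE_PROXY_HOST=http://wordpress:80
blog.example.com_USE_ANTIBOT=captcha
blog.example.com_USE_LIMIT_REQ=yes
blog.example.com_LIMIT_REQ_URL=/wp-login.php
blog.example.com_LIMIT_REQ_RATE=1r/s

# ---- Project B: Python API used by mobile apps ----
# No challenge (it would break the apps); strict rate limit; Ukraine only.
api.example.com_REVERSE_PROXY_HOST=http://api:8000
api.example.com_USE_ANTIBOT=no
api.example.com_USE_LIMIT_REQ=yes
api.example.com_LIMIT_REQ_URL=/
api.example.com_LIMIT_REQ_RATE=10r/s
api.example.com_WHITELIST_COUNTRY=UA

# ---- Project C: static landing page, keep it cheap ----
# Keeps the CRS filtering and headers it inherits, drops the per-client tracking.
www.example.com_REVERSE_PROXY_HOST=http://landing:80
www.example.com_USE_BAD_BEHAVIOR=no
EOF
}

# site_setting <env-file> <server_name> <SETTING>: the value that vhost ends up
# with, i.e. its own <server_name>_<SETTING> line if present, else the global one.
site_setting() {
    awk -F'=' -v site="$2" -v key="$3" '
        $1 == (site "_" key) { v = substr($0, length($1) + 2); has = 1 }
        $1 == key            { g = substr($0, length($1) + 2) }
        END { print (has ? v : g) }' "$1"
}

# Demo: write the policy to a temporary file and show what each vhost resolves to.
env_file=$(mktemp)
write_multisite_env "$env_file"
for site in blog.example.com api.example.com www.example.com; do
    printf '%-17s antibot=%-8s limit_req=%-3s bad_behavior=%-3s country=%s\n' "$site" \
        "$(site_setting "$env_file" "$site" USE_ANTIBOT)" \
        "$(site_setting "$env_file" "$site" USE_LIMIT_REQ)" \
        "$(site_setting "$env_file" "$site" USE_BAD_BEHAVIOR)" \
        "$(site_setting "$env_file" "$site" WHITELIST_COUNTRY)"
done
rm -f "$env_file"
```

Two things the resolved table makes visible: the landing page still gets ModSecurity and the CRS because it never overrides them, and the API keeps its CAPTCHA off even if someone later flips the global USE_ANTIBOT default, because the site-level line wins. Whatever tool you use to generate this file, keep that override table under review the same way you would a firewall policy.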
While terminal commands will continue to be used to manage infrastructure for a long time, a modern, well-structured Graphical User Interface (GUI) can greatly increase your ability to quickly respond to threats. BunkerWeb provides a complete, modern web-based UI dashboard. The dashboard is completely optional, but can make your life easier when performing routine monitoring.
BunkerWeb’s dashboard allows you to view the current state of each instance you protect in real-time, view logs of blocked attacks, view traffic and load graphs, instantly block suspicious IP addresses, and easily modify security options. All of these functions can be performed without needing to connect via SSH or manually edit YAML configuration files.
To provide additional assistance to new users wishing to learn how to use the Web UI, the developers provide a publicly accessible “read-only” demo version of their Web UI.
There are multiple methods of obtaining funding for open source software projects to allow them to be maintained at a high level of quality. As with many other prominent players in the industry (e.g., GitLab, pfSense, Proxmox), BunkerWeb has followed a dual-distribution model of providing a free community (open source) version and a commercially available PRO version.
Unlike many projects where free versions are severely crippled and therefore useless in most real-world production environments (“freemium” models with artificial limits), BunkerWeb uses a vastly different model. The open source version already contains all the primary protection methods described above. For approximately 95% of all real-world projects (from simple personal blogs and portfolios to mid-size e-commerce sites and news portals), the open source version is perfectly suitable.
The PRO version is intended for Enterprise and large organization environments. The major benefits of the PRO version include:
Exclusive Plugins – custom protection rules for specific platforms, custom API validation based on OpenAPI specifications, and more comprehensive integration with Enterprise-level Authentication systems.
Enhanced Monitoring & Analytics – Professional Dashboards for displaying a detailed breakdown of attacks, including logging to export to SIEM platforms.
Technical Support SLA (Service Level Agreement) – Direct access to the BunkerWeb Development Team for resolving urgent issues and configuring infrastructure.
For users who wish to try out some of the premium features, BunkerWeb also offers one free month of access to the PRO version using the promotional code “freetrial”.
Additionally, there is BunkerWeb Cloud, a fully managed SaaS (Software as a Service) offering, which may suit companies without an internal security team or dedicated system administrators. To use it, a company points its DNS A records at BunkerWeb's cloud infrastructure, and BunkerWeb Cloud handles threat filtering from there. As with any DNS-fronted WAF, the origin server must then accept traffic only from the provider's addresses; otherwise an attacker who learns the origin IP simply bypasses the filtering.
With every new internet-facing project facing an endless stream of automated scanning, DDoS and exploitation attempts from its first day online, a dependable WAF is no longer a luxury but a requirement.
The BunkerWeb application plays an essential role in making cybersecurity accessible to everyone; there is no longer the need to spend weeks reading NGINX configuration documentation, nor to scour online forums looking for the ultimate configuration to set up your own web application firewall. Instead, deploy a container, configure a few environment variables, and you will be utilizing a multi-layered security system that can block a large number of the most common attack vectors automatically.
For more information about the platform, visit the official GitHub page, review the source code, give the developers a star if you like what you see, and test-drive the WAF. Even sceptical engineers may be pleasantly surprised at how much automated protection it offers.