2025-02-23 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
A CDN distributes an origin server's content to the edge node closest to each user, which shortens response times and takes load off the enterprise origin. The CDN industry is expected to keep growing rapidly over the next five years, with more than 50% of Internet traffic accelerated through a CDN.
Network security remains an important issue even so. Aliyun Web Application Firewall (WAF) supports the major CDNs (Wangsu, Jiasule, Qiniu, Upyun, Aliyun CDN and others), but it is expensive, and many small and medium-sized enterprises cannot afford it. Is there a free WAF with good functionality and performance? Yes.
hihttps is a free web application firewall. It supports the traditional WAF detection functions (SQL injection, XSS, malicious vulnerability scanning, password cracking, CC and DDoS) and adds unsupervised machine learning and autonomous adversarial rule generation, which it presents as a redefinition of web security. For the underlying principle, search Baidu for "hihttps on the generation of machine learning confrontation rules". This article takes CentOS as the example and walks step by step through using hihttps, for free, to protect the enterprise origin server in a CDN environment.
I. Installation
hihttps can be installed directly on the web origin server, or deployed independently in front of it like a hardware WAF, using reverse proxying to protect the origin.
First download the hihttps.tar.gz package from the official site http://www.hihttps.com/ and extract it into any directory with tar -zxvf hihttps.tar.gz. The core consists of 3 files and 3 directories:
1. hihttps: the executable, built for 64-bit CentOS.
2. hihttps.cfg: the configuration file (ports, reverse-proxy backend IP, and so on).
3. ml.cfg: the machine learning configuration file.
4. rules/: the countermeasure rules, including OWASP rules for SQL injection, XSS, CC, DDoS, password cracking and malicious scanning, plus the rules generated autonomously by machine learning.
5. train/: the directory where unsupervised machine learning samples are collected.
6. log/: the attack alarm logs.
By default hihttps binds port 443 (HTTPS) and port 81 (HTTP) on the front end and proxies both to port 80 on the back end:
https://serverip/ -> http://127.0.0.1/
http://serverip:81/ -> http://127.0.0.1/
Note: serverip stands for the actual IP address or domain name of your server and is not repeated below.
If you are testing in a VMware virtual machine, or the server has no web server yet, install nginx or Apache first, for example with yum install nginx or yum install httpd, start the service, then open http://serverip/ in a browser and confirm that port 80 answers.
II. hihttps configuration
1. Port configuration
For ease of testing, hihttps opens two web ports, 81 and 443. Port 443 must be bound to a certificate in PEM format; a default certificate named server.pem is shipped with it. For production, replace it with the origin server's real certificate (the bundled certificate is not issued for your domain, so browsers will warn until you do). The configuration is as follows:
hihttps.cfg:
frontend web
    mode http
    bind :81
    default_backend s_default
frontend web_ssl
    mode http
    bind :443 ssl crt server.pem    # an absolute path such as /home/xxx/server.pem is recommended
    default_backend s_default
    errorloc302 400 http://www.hihttps.com/    # page that blocked attack requests are redirected to; effective only in DROP blocking mode
# Real backend web server port
backend s_default
    mode http
    server server_default 127.0.0.1:80
2. OWASP rule settings
hihttps is compatible with most ModSecurity rules. The best-known set is the OWASP ModSecurity Core Rule Set (CRS), a free application-protection rule set developed and maintained by the OWASP community; it covers dozens of common web attack methods such as SQL injection, XSS cross-site scripting, malicious scanning, password cracking and DoS.
The following are configured by default in hihttps and cover the usual attack-protection needs:
REQUEST-913-SCANNER-DETECTION.conf
REQUEST-941-APPLICATION-ATTACK-XSS.conf
REQUEST-942-APPLICATION-ATTACK-SQLI.conf
REQUEST-20-APPLICATION-CC-DDOS.conf
REQUEST-20-APPLICATION-Brute-PASS.conf
white_url.data
black_url.data
……
Further rules can be downloaded from the official https://github.com/SpiderLabs/ModSecurity site and saved into the rules directory. Note that this repository holds the ModSecurity engine itself; the CRS rule files are maintained by the OWASP CRS project in a separate repository. Run any newly added rule file in alert mode and review the alarms before relying on it to block.
3. Machine learning configuration
Machine learning normally runs automatically and needs no configuration. You can, however, point it at the directory holding the website files it should learn, which makes learning faster and more accurate. Uncomment the relevant lines in ml.cfg:
ml.cfg:
# www_dir /usr/share/nginx/html/
# The default is alarm mode (ruleAction alert). To switch to blocking mode, enable ruleAction drop.
# ruleAction drop
4. Machine learning confrontation rules
gan.rule in the rules directory holds the adversarial rules generated automatically by machine learning. To make testing easy, a rule for the URL https://serverip/hihttps.html?id=xxx is provided by default.
III. Run the test
Run ./hihttps. If the console prints the OWASP rules and the Machine Learning rules and then shows start ok, hihttps is running normally.
1. OWASP rule test
Kali Linux bundles many web vulnerability scanners, which makes this easy to test; nikto is one example. Scan only a hihttps instance you are authorized to test:
nikto -h 192.168.0.1 -p 80,81 -C all
or, against the HTTPS port:
nikto -host www.baidu.com -C all -port 443 -ssl
(substitute the hostname of your own hihttps instance for www.baidu.com). The hihttps console will print a large number of alarm logs.
2. Machine learning test
Machine learning is the core of hihttps, but collecting the thousands of samples it needs takes time. To make testing easy, a hihttps.html machine learning sample is provided by default.
Once more than 99% of the collected samples for https://serverip/hihttps.html?id=123 have that shape (a single numeric id), hihttps treats requests such as the following as attacks:
Attack test samples:
https://serverip/hihttps.html?id=123' or 1 # 1
https://serverip/hihttps.html?id=alert(1);
https://serverip/hihttps.html?id=1234567890&t=123
https://serverip/hihttps.html?id=abc
If the attack log appears on the console for these requests, the system is running normally and hihttps protection is working.
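The behaviour this test relies on, shown as an added Python example rather than hihttps's own code: an unsupervised, per-parameter profile is learned from a constructed set of normal requests (all of the form /hihttps.html?id=<number>, standing in for the samples the train directory would collect), after which each of the four test URLs above is reported as an anomaly together with the reason. The 99% support threshold, the character classes and the length rule are assumptions chosen for illustration; the actual hihttps model is not documented on this page.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed training data standing in for what the train/ directory would
# accumulate from legitimate traffic: every request carries a single, short,
# purely numeric "id" parameter, as in https://serverip/hihttps.html?id=123.
TRAIN_SAMPLES = [f"/hihttps.html?id={n}" for n in range(100, 700)]


def value_class(value):
    """Coarse character class of a parameter value; the profile learns the dominant class."""
    if re.fullmatch(r"[0-9]+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z]+", value):
        return "alpha"
    if re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return "alnum"
    return "other"


class ParamProfile:
    """Per-path positive security model learned without labels (unsupervised):
    which parameters occur, what character class their values have, and how long
    they get. Anything outside the learned envelope is reported as an anomaly."""

    def __init__(self, min_support=0.99):
        # A class must cover min_support of a parameter's samples to be enforced;
        # a parameter seen in under (1 - min_support) of requests is "unexpected".
        # Both thresholds are assumptions for this example.
        self.min_support = min_support
        self.paths = {}

    def learn(self, url):
        parts = urlsplit(url)
        prof = self.paths.setdefault(
            parts.path,
            {"requests": 0, "params": Counter(), "classes": defaultdict(Counter), "maxlen": {}},
        )
        prof["requests"] += 1
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            prof["params"][name] += 1
            prof["classes"][name][value_class(value)] += 1
            prof["maxlen"][name] = max(prof["maxlen"].get(name, 0), len(value))

    def check(self, url):
        """Return the reasons a request deviates from the profile; an empty list means normal.
        urlsplit drops a '#...' fragment exactly as a browser would, so the comment tail
        of  id=123' or 1 # 1  never reaches the server; the quote and spaces still trip it."""
        parts = urlsplit(url)
        prof = self.paths.get(parts.path)
        if prof is None:
            return ["unknown path"]
        reasons = []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if prof["params"][name] / prof["requests"] < 1 - self.min_support:
                reasons.append(f"unexpected parameter {name!r}")
                continue
            dominant, count = prof["classes"][name].most_common(1)[0]
            if count / prof["params"][name] >= self.min_support and value_class(value) != dominant:
                reasons.append(f"{name}: value is not {dominant}")
            if len(value) > 2 * prof["maxlen"][name]:
                reasons.append(f"{name}: length {len(value)} exceeds learned maximum {prof['maxlen'][name]}")
        return reasons


def build_profile(samples=TRAIN_SAMPLES):
    """Learn a profile from the given sample URLs and return it."""
    profile = ParamProfile()
    for sample in samples:
        profile.learn(sample)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    for url in [
        "/hihttps.html?id=123",               # normal
        "/hihttps.html?id=123' or 1 # 1",     # SQL injection probe
        "/hihttps.html?id=alert(1);",         # XSS probe
        "/hihttps.html?id=1234567890&t=123",  # unknown parameter, over-long value
        "/hihttps.html?id=abc",               # wrong value class
    ]:
        print(f"{url:40} -> {profile.check(url) or 'OK'}")
```

The point the page makes is visible in the output: none of the four probes needs a signature; each is caught only because it differs from what the site's own traffic taught the model, which is why the page insists on collecting enough samples before trusting the alarms.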
Alarm logs are written to the log directory, one file per day, in this format:
2020-02-09 21:14:49 192.168.1.153 hihttps.html 59615 [ALERT] [GET /hihttps.html] STR: "ff" Matched, Machine Learning: Detect an attack,value is not a number...
...
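A small reviewer for these daily logs, as an added Python example (not part of hihttps): it parses lines of the shape shown above and tallies alerts per client, per detection engine and per path, which is what an operator needs for the manual accuracy check the page asks for before switching to blocking mode. The regular expression is modelled on the single line on this page, the meaning of the numeric field after the page name is assumed (it is kept as an opaque identifier), and the sample lines are constructed.

```python
import re
from collections import Counter

# Pattern modelled on the one alert line shown on the page. The numeric field after
# the page name is not explained there, so it is captured as `field5` without
# interpretation (assumption: a per-request identifier).
ALERT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<page>\S+) (?P<field5>\d+) "
    r"\[(?P<level>[A-Z]+)\] \[(?P<method>[A-Z]+) (?P<path>[^\]]+)\] (?P<detail>.*)$"
)

# Constructed sample log in the shape of the page's example line; the detail
# texts of the second and third lines are made up for this example.
SAMPLE_LOG = """\
2020-02-09 21:14:49 192.168.1.153 hihttps.html 59615 [ALERT] [GET /hihttps.html] STR: "ff" Matched, Machine Learning: Detect an attack,value is not a number...
2020-02-09 21:15:02 192.168.1.153 hihttps.html 59616 [ALERT] [GET /hihttps.html] Machine Learning: Detect an attack,unexpected parameter t...
2020-02-09 21:16:10 10.0.0.7 index.html 40001 [ALERT] [GET /index.html] rule matched: REQUEST-942-APPLICATION-ATTACK-SQLI.conf
this line is not an alert and must be counted as unparsed
"""


def parse_alert(line):
    """Parse one alert line into a dict, or return None for lines that do not match."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # The page's ML alerts carry a "Machine Learning:" marker; treat everything else as a rule hit.
    rec["engine"] = "ml" if "Machine Learning:" in rec["detail"] else "owasp"
    return rec


def summarize(log_text):
    """Count alerts per client, per engine and per path, plus lines that did not parse.
    Comparing these counts with what the operator knows is legitimate traffic is the
    manual accuracy check to do before enabling ruleAction drop."""
    summary = {"by_client": Counter(), "by_engine": Counter(), "by_path": Counter(),
               "unparsed": 0, "total": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        summary["total"] += 1
        summary["by_client"][rec["client"]] += 1
        summary["by_engine"][rec["engine"]] += 1
        summary["by_path"][rec["path"]] += 1
    return summary


def drop_mode_ready(total_alerts, false_positives, required_accuracy=0.999):
    """The page's rule of thumb: switch to drop only once verified alarm accuracy exceeds 99.9%."""
    if total_alerts == 0:
        return False
    return (total_alerts - false_positives) / total_alerts > required_accuracy


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} alerts, {s['unparsed']} unparsed line(s)")
    for client, n in s["by_client"].most_common():
        print(f"  {client:16} {n}")
    print("  by engine:", dict(s["by_engine"]))
```

Clients that dominate the per-client count are the first to look at: a scanner such as nikto produces hundreds of alerts from one address, whereas a false positive from the machine learning model usually shows up as a trickle of alerts on one path from many different clients.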
IV. Formal deployment
That is the whole of the free version. For a real deployment, swap the ports: move nginx (or Apache) to a port that is reachable only locally, and bind hihttps to 80 and 443 so that it proxies to the origin on 127.0.0.1. The hihttps.cfg mapping then becomes:
http://serverip/ -> http://127.0.0.1:81/
https://serverip/ -> http://127.0.0.1:81/
Two things to check when this sits behind a CDN: the web server should listen on 127.0.0.1 only, so that the CDN and everyone else can reach the origin solely through hihttps; and because the CDN terminates client connections, hihttps sees the CDN node's address as the client IP, which matters for the CC, DDoS and brute-force rules that count requests per source address. Confirm how the deployment handles the client address forwarded by the CDN before trusting those rules.
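The production layout described above, written out in the same configuration syntax as the page's hihttps.cfg; this is an added example, not a file from the hihttps distribution, and the certificate path and the nginx listen directive are assumptions:

```text
# hihttps.cfg: hihttps owns the public ports, the origin moves to loopback
frontend web
    mode http
    bind :80
    default_backend s_default

frontend web_ssl
    mode http
    bind :443 ssl crt /home/xxx/server.pem    # absolute path to the real PEM certificate
    default_backend s_default
    errorloc302 400 http://www.hihttps.com/   # page shown for blocked requests, DROP mode only

backend s_default
    mode http
    server server_default 127.0.0.1:81        # nginx/apache, loopback only

# nginx.conf, server block of the origin site: listen on loopback only, so that
# nothing can bypass hihttps by connecting to the origin port directly
#   listen 127.0.0.1:81;
```

After changing both files, restart nginx first and then hihttps, and confirm from another host that port 81 is not reachable while http://serverip/ and https://serverip/ still serve the site through hihttps.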
After a few days of machine learning, review the alarms manually; once the verified alarm accuracy is above 99.9%, edit ml.cfg and enable ruleAction drop (blocking mode) without disrupting production.
The paid hihttps Enterprise Edition adds only the source code and a dedicated web management interface; the core protection functions are the same, so small businesses no longer need to buy an expensive WAF.
V. Summary
1. Traditional WAF rules struggle with unknown vulnerabilities and unknown attacks. Letting machines learn, as people do, and gain enough intelligence to counter APT attacks automatically may be the only effective way forward; but attack technology is itself a contest of the best human intelligence, and web security still has a long way to go.
2. Fortunately, free application firewalls such as hihttps make a good start on machine learning and autonomous adversarial defense. In the future, web security is likely to be built on feature engineering and machine learning, and is bound to be dominated by AI.