
How to use the open source risk control system TH-Nebula (nebula) to prevent credential stuffing?

2025-04-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Credential stuffing ("library collision") is a very common kind of attack run by the underground "black industry". In everyday security protection, security teams usually set security policies on the login interface to deal with such attacks. However, once the attackers change their pattern, the policy stops working.

Under such circumstances, what is needed is not only a surface-level "firewall" but a complete business risk control system, which can effectively avoid risks and reduce losses.

In this article, we introduce how to use the open source risk control system TH-Nebula to prevent credential-stuffing ("library collision") attacks.

The article moves step by step from an introduction to credential stuffing to the use of TH-Nebula, covering how to deploy it, how to use it, and why a risk control system is needed: it explains why a "system" is required to solve business security problems, then shows how to deploy this system and how to use its risk control rules to block risks, and provides a simulated test demo.

TH-Nebula is an open source risk control system developed by Threat Hunter. The source code is currently hosted on GitHub and Gitee; all source code, documentation, and installation packages are fully open source.

Address:

https://github.com/threathunterX/nebula

https://gitee.com/threathunter/nebula

0x00 How to prevent credential stuffing

1. What is credential stuffing ("library collision")?

When it comes to credential stuffing, we have to start with the "social work database", short for social engineering database. Such a database contains all kinds of behavior records of individuals: accounts, passwords, photos shared on different websites, credit card records, phone records, text message records, hotel check-in records, and so on.

Therefore, when an attacker wants to log in to a website or app, they take the credentials in the social engineering database and try them one by one until they "hit" a correct account.

2. How to prevent credential stuffing?

First of all, from the perspective of enterprise web services, if any of the following situations is observed, it can basically be determined to be credential stuffing:

a. One account has multiple password attempts within a short period of time.

b. The same password is tried at a very high frequency within a certain period of time.

c. Multiple login attempts with different account/password pairs from the same IP or device within a short period of time.
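As an added example (not from the article or the TH-Nebula project), the three indicators above written as sliding-window detection rules in Python and run over constructed login-attempt events; the window size, the thresholds and the salt are assumed values, and the password is hashed before being counted so the detector never stores it in clear:

```python
import hashlib
from collections import defaultdict, deque

WINDOW = 60                 # seconds; this and the thresholds are assumed values
MAX_PW_PER_ACCOUNT = 3      # case a: distinct passwords tried on one account
MAX_ACCOUNTS_PER_PW = 3     # case b: distinct accounts tried with one password
MAX_ACCOUNTS_PER_IP = 5     # case c: distinct accounts tried from one IP/device
SALT = b"assumed-deployment-secret"  # assumed value; keep it secret per deployment

def pw_fingerprint(password):
    # Hash the attempted password so the detector never keeps it in clear.
    return hashlib.sha256(SALT + password.encode("utf8")).hexdigest()[:16]

class StuffingDetector:
    def __init__(self):
        self.by_account = defaultdict(deque)   # user -> (ts, password fingerprint)
        self.by_password = defaultdict(deque)  # fingerprint -> (ts, user)
        self.by_ip = defaultdict(deque)        # ip -> (ts, user)

    @staticmethod
    def _distinct_in_window(dq, ts, value):
        dq.append((ts, value))
        while dq and dq[0][0] < ts - WINDOW:   # evict events older than the window
            dq.popleft()
        return len({v for _, v in dq})

    def observe(self, ts, user, password, ip):
        # Feed one login attempt; return the indicators (a, b, c) it triggers.
        fp = pw_fingerprint(password)
        alerts = []
        if self._distinct_in_window(self.by_account[user], ts, fp) > MAX_PW_PER_ACCOUNT:
            alerts.append(("a", user))
        if self._distinct_in_window(self.by_password[fp], ts, user) > MAX_ACCOUNTS_PER_PW:
            alerts.append(("b", fp))
        if self._distinct_in_window(self.by_ip[ip], ts, user) > MAX_ACCOUNTS_PER_IP:
            alerts.append(("c", ip))
        return alerts

def scan(events):
    # Run the detector over (ts, user, password, ip) events, e.g. from a bypass sniffer.
    det = StuffingDetector()
    alerts = []
    for ts, user, password, ip in events:
        alerts.extend(det.observe(ts, user, password, ip))
    return alerts

# Constructed sample events, one short burst per indicator (a, b, c).
SAMPLE_EVENTS = (
    [(100 + i, "alice", "guess%d" % i, "10.0.0.1") for i in range(4)]
    + [(200 + i, "user%d" % i, "123456", "10.0.0.%d" % (10 + i)) for i in range(4)]
    + [(300 + i, "user%d" % i, "p%d" % i, "10.0.0.99") for i in range(6)]
)
```

Running `scan(SAMPLE_EVENTS)` yields exactly one alert per burst, and events older than the window no longer count, so a slow trickle of attempts on one account does not trip rule a.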

In this case, the simplest and crudest way is to add security policies directly to the login interface.

For example,

For case a, limit the number of password errors in a day.

For case b, login is prohibited for passwords with a particularly high frequency (or login is only allowed after SMS or security-question verification).

For case c, threshold restrictions are imposed on the IP or device unique ID, such as limiting the number of accesses to the login interface within 1 minute to

9001/tcp
nebula-aerospike                 /www.example.com asd--foreg...   Up   3000/tcp, 3001/tcp, 3002/tcp, 3003/tcp
nebula-db                        docker-entrypoint.sh mysqld      Up   3306/tcp
nebula-redis                     docker-entrypoint.sh redis ...   Up   0.0.0.0:16379->6379/tcp
cron                               RUNNING   pid 27, uptime 4 days, 22:23:47
java_web                           RUNNING   pid 33, uptime 4 days, 22:23:47
labrador                           RUNNING   pid 10286, uptime 2 days, 21:26:41
nebula:incident_babel_db_writer    RUNNING   pid 19, uptime 4 days, 22:23:47
nebula:nebula_db_query_web         RUNNING   pid 12, uptime 4 days, 22:23:47
nebula:nebula_offline              RUNNING   pid 14, uptime 4 days, 22:23:47
nebula:nebula_online               RUNNING   pid 19720, uptime 0:29:22
nebula:nebula_query_web            RUNNING   pid 15, uptime 4 days, 22:23:47
nebula:nebula_web                  RUNNING   pid 11, uptime 4 days, 22:23:47
nebula:notice_babel_db_writer      RUNNING   pid 13, uptime 4 days, 22:23:47
nginx                              RUNNING   pid 29, uptime 4 days, 22:23:47

2. Sniffer Service

For the convenience of the later simulation tests, it is recommended to start the Sniffer service directly in the simplest bypass traffic mode (the bro driver), i.e. the default configuration on git:

....
- SOURCES=default        # default driver
- DRIVER_INTERFACE=eth0
- DRIVER_PORT=80,8080,9001
....

Description:

DRIVER_PORT specifies the traffic ports to listen on. Besides 80 and 8080, port 9001 is also monitored for ease of testing, so that traffic to the Nebula web control center itself is captured; in a real production environment it can be removed.

After the Nebula and Sniffer services have started normally, you can access the TH-Nebula interface at http://IP:9001, as shown in the figure:

2. Configure anti-credential-stuffing rules

After the Nebula service is deployed, in the policy management tab you can see that the Nebula system has, by default, configured basic anti-credential-stuffing policies under the account risk rules, as shown below:

Users can also customize new rules or modify the default rules; see the following GitHub documentation:

https://github.com/threathunterX/nebula_doc/blob/master/chapter3/section3/section3.1.md

0x02 Simulated credential-stuffing test

After deploying the system and configuring the rules, the next step is to verify its risk detection logic by simulating a credential-stuffing run.

The simulation script continuously sends 1000 login requests to port 9001, which the Sniffer module is listening on (no login interface is implemented on the server side, for convenience of testing; the resulting 404 responses are still captured by the risk control system). The Python code is as follows:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from json import dumps
from requests import get, put, post, delete

port = 9001


class NewRequestsData(object):
    """Thin wrapper that sends one request with the chosen HTTP method."""

    def __init__(self, url, data, cookies, method='get'):
        self.data = data
        self.url = url
        self.cookies = cookies
        self.method = method

    def request(self):
        # Pick the requests function by method name; JSON body for post/put.
        method = dict(get=get, put=put, post=post, delete=delete)[self.method]
        header = {'Content-Type': 'application/json'}
        code, text = None, None
        try:
            if self.method in ['get', 'delete']:
                response = method(self.url, params=self.data, cookies=self.cookies,
                                  timeout=10, headers=header)
            elif self.method in ['post', 'put']:
                data = dumps(self.data, ensure_ascii=False).encode('utf8')
                response = method(self.url, data=data, timeout=8, headers=header,
                                  cookies=self.cookies)
            else:
                raise ValueError('unsupported method: %s' % self.method)
            text = response.text
            code = response.status_code
        except Exception as e:
            print("error ", e)
        finally:
            return code, text


def attack_login():
    # "www.example.com" is what the page shows in place of the test server's
    # address and test username; substitute your own test host and value.
    data = dict(username="www.example.com")
    r = NewRequestsData('http://www.example.com:{}/login'.format(port), data, {})
    code, text = r.request()
    return code, text


if __name__ == '__main__':
    i = 0
    for i in range(1000):
        attack_login()
    print('Total visits:', i)

Screenshot of the captured traffic:

0x03 Risks found by TH-Nebula and blocking

Because TH-Nebula works in bypass analysis mode, it cannot actively intercept risk events itself; it needs to be integrated with the enterprise application to realize automatic blocking.

The system provides the following two ways for business systems to obtain risk data for blocking:

Proactive push: TH-Nebula pushes the risks discovered by its analysis to the interception node, which blocks them automatically.

Passive invocation: TH-Nebula exposes the list of risks discovered by its analysis through an interface that the interception node calls to make a risk decision.

For details, please refer to documentation:

https://github.com/threathunterX/nebula_doc/blob/master/chapter3/section5.md

The above is the whole process of deploying the TH-Nebula open source risk control system and configuring an anti-credential-stuffing policy.

If you have any questions while using the system, you can give feedback on GitHub:

https://github.com/threathunterX/nebula
