2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
As an enterprise grows, new business forms keep bringing new business risks. Simple point protection is no longer enough; a complete business risk control system helps an enterprise avoid risks effectively and reduce losses.
TH-Nebula (Nebula) is a business risk control system open-sourced by ThreatHunter. At a time when the bar to entry for business security applications is generally high, we hope to lower the threshold for learning and use by going open source, so that a risk control system can be built from scratch at lower cost and the importance of risk control becomes clear through use.
Since the release of TH-Nebula (Nebula), questions have remained about how to deploy it, how to use it, and why a risk control system is needed at all.
This article takes defending against credential stuffing as an example, explains why a "system" is needed to solve business security problems, then walks through how to deploy this system and how to use its risk control rules to block the risk, and provides a simulation test demo.
The project's git address:
https://github.com/threathunterX/nebula
1 How to prevent credential stuffing
1.1 What is credential stuffing?
Credential stuffing (literally "hitting the library" in the original Chinese term) starts with the "social engineering database" (the "social work library"). This database collects people's records from different websites: accounts, passwords, shared photos, credit card records, phone records, text messages, hotel check-in records and so on.
So when an attacker wants to log in to a website or app, they take the credentials from the social engineering database and try them one by one, "bumping" out the accounts whose credentials still work.
1.2 How to prevent credential stuffing?
From the perspective of the enterprise's Web service, you can basically conclude that you are being hit by credential stuffing if you see the following:
a. One account has many password attempts in a short period of time.
b. The same password appears at a very high frequency in a certain period of time.
c. The same IP or the same device attempts to log in many times with different account/password pairs in a short period of time.
In this situation the simplest and crudest way is to add a security policy directly to the login interface, such as:
In case a, limit the number of password errors per day.
In case b, refuse login for passwords with an especially high frequency (or allow login only after verifying an SMS code or security questions).
In case c, impose a threshold on the IP or the unique device id, such as the number of accesses to the login interface in one minute.
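As an added example (not code from this article or from the TH-Nebula project), the detector below applies the three signals a, b and c from the list above to a constructed stream of login attempts; the window size and thresholds are assumed values, and passwords are only ever handled as hashes:

```python
from collections import defaultdict
from hashlib import sha256

# Constructed sample login attempts (not real traffic):
# (timestamp in seconds, client IP, device id, username, password, succeeded?)
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5", "dev-A", "alice", "Passw0rd!", False),
    (5, "203.0.113.5", "dev-A", "bob", "Passw0rd!", False),
    (9, "203.0.113.5", "dev-A", "carol", "Passw0rd!", False),
    (12, "203.0.113.5", "dev-A", "dave", "Passw0rd!", False),
    (20, "198.51.100.7", "dev-B", "erin", "hunter2", False),
    (25, "198.51.100.7", "dev-B", "erin", "hunter3", False),
    (30, "198.51.100.7", "dev-B", "erin", "hunter4", False),
    (35, "198.51.100.7", "dev-B", "erin", "hunter5", False),
    (40, "192.0.2.9", "dev-C", "frank", "correct-pw", True),
]

WINDOW = 60          # seconds; the "short period of time" of the text (assumed)
A_MAX_FAILS = 3      # case a: failed passwords per account within WINDOW (assumed)
B_MIN_ACCOUNTS = 3   # case b: distinct accounts trying one password within WINDOW
C_MAX_HITS = 3       # case c: login attempts per IP or device within WINDOW

def pw_fingerprint(password):
    """Hash so the detector never stores or compares plaintext passwords."""
    return sha256(password.encode("utf8")).hexdigest()[:16]

def detect(attempts, window=WINDOW):
    """Replay attempts in time order; return the set of (rule, key) alerts."""
    fails_by_account = defaultdict(list)   # case a: username -> fail timestamps
    accounts_by_pw = defaultdict(dict)     # case b: fingerprint -> {user: last ts}
    hits_by_source = defaultdict(list)     # case c: ip or device -> timestamps
    alerts = set()
    for ts, ip, device, user, password, ok in sorted(attempts):
        if not ok:  # case a counts only failed attempts on one account
            recent = [t for t in fails_by_account[user] if ts - t <= window] + [ts]
            fails_by_account[user] = recent
            if len(recent) > A_MAX_FAILS:
                alerts.add(("a:account", user))
        seen = accounts_by_pw[pw_fingerprint(password)]  # case b: one password, many accounts
        seen[user] = ts
        if sum(1 for t in seen.values() if ts - t <= window) >= B_MIN_ACCOUNTS:
            alerts.add(("b:password", pw_fingerprint(password)))
        for src in (ip, device):  # case c: same IP or same device hammering /login
            recent = [t for t in hits_by_source[src] if ts - t <= window] + [ts]
            hits_by_source[src] = recent
            if len(recent) > C_MAX_HITS:
                alerts.add(("c:source", src))
    return alerts
```

In production the same counters would live in a shared store keyed per account, password fingerprint and source so that all login nodes see one view.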
cron                              RUNNING   pid 27, uptime 4 days, 22:23:47
java_web                          RUNNING   pid 33, uptime 4 days, 22:23:47
labrador                          RUNNING   pid 10286, uptime 2 days, 21:26:41
nebula:incident_babel_db_writer   RUNNING   pid 19, uptime 4 days, 22:23:47
nebula:nebula_db_query_web        RUNNING   pid 12, uptime 4 days, 22:23:47
nebula:nebula_offline             RUNNING   pid 14, uptime 4 days, 22:23:47
nebula:nebula_online              RUNNING   pid 19720, uptime 0:29:22
nebula:nebula_query_web           RUNNING   pid 15, uptime 4 days, 22:23:47
nebula:nebula_web                 RUNNING   pid 11, uptime 4 days, 22:23:47
nebula:notice_babel_db_writer     RUNNING   pid 13, uptime 4 days, 22:23:47
nginx                             RUNNING   pid 29, uptime 4 days, 22:23:47
2.2 Sniffer Services
To facilitate the later simulation test, it is recommended to start the Sniffer service directly on the simplest bypass (mirrored) traffic with the bro driver, that is, the default configuration on git:
...
      - SOURCES=default
      # default driver
      - DRIVER_INTERFACE=eth0
      - DRIVER_PORT=80,8080,9001
...
Description:
DRIVER_PORT lists the ports whose traffic is monitored. Besides 80 and 8080, port 9001 is also monitored here to make testing easier, because it captures the traffic of the Nebula service's own Web control center; in a real production environment it can be removed.
If the Nebula and Sniffer services started normally, you can open the TH-Nebula interface at http://<IP>:<Sniffer port>, as shown in the figure:
2.3 configure rules to prevent library collisions
After deploying according to the GitHub tutorial, run ./ctrl.sh status to view the running status of the Nebula services. As shown in the figure below, the deployment succeeded. By default, the Web control center of Nebula is accessed through port 9001:
You can also customize a new rule or modify the default rules; refer to the following GitHub document:
https://github.com/threathunterX/nebula_doc/blob/master/chapter3/section3/section3.1.md
3 Simulated credential-stuffing test
After the rules are deployed and configured, the next step is to verify the risk detection logic of the system by simulating a credential-stuffing run.
The simulation script simply issues 1000 login requests in a row to port 9001, which the Sniffer module monitors. (For the convenience of testing, no login interface is implemented on the server side; the accesses are still captured by the risk control system.) The Python code is as follows:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from json import dumps

from requests import get
from requests import put
from requests import post
from requests import delete

port = 9001  # the port the Sniffer module monitors


class NewRequestsData(object):
    """Thin wrapper that issues one HTTP request with the chosen method."""

    def __init__(self, url, data, cookies, method='get'):
        self.data = data
        self.url = url
        self.cookies = cookies
        self.method = method

    def request(self):
        m = dict(
            get=get,
            put=put,
            post=post,
            delete=delete,
        )
        method = m[self.method]
        text = 'default mode'
        code = 'None'
        header = {
            "connection": "close",
            "content-type": 'application/json',
        }
        try:
            if self.method in ['get', 'delete']:
                # query-string parameters for GET/DELETE
                response = method(self.url, params=self.data, cookies=self.cookies, timeout=10,
                                  headers=header)
            elif self.method in ['post', 'put']:
                # JSON body for POST/PUT
                data = dumps(self.data, ensure_ascii=False).encode('utf8')
                response = method(self.url, data=data, timeout=8, headers=header, cookies=self.cookies)
            else:
                raise ValueError
            text = response.text
            code = response.status_code
        except Exception as e:
            # errors (e.g. no login endpoint on the server) are expected; the
            # request still shows up in the Sniffer's captured traffic
            print("error", e)
        finally:
            return (text, code)


def attack_login():
    data = dict(
        username="threathunter@threathunter.cn",
    )
    r = NewRequestsData('http://127.0.0.1:{}/login'.format(port), data, {})
    text, code = r.request()  # request() returns (text, status code)


if __name__ == '__main__':
    i = 0
    for i in range(1000):
        attack_login()
    print('Total visits:', i + 1)  # range() stops at 999, so add one
Screenshot of the captured traffic:
4 Use TH-Nebula to block the risks it discovers
Because TH-Nebula works in bypass (out-of-band) analysis mode, it cannot actively intercept risk events by itself, so it must be integrated with the enterprise's applications to achieve automatic blocking.
For the business system that does the blocking, the system provides the following two ways to obtain risk data:
Active push: TH-Nebula pushes the risks found by analysis to the interceptor node, which blocks them automatically.
Passive call: TH-Nebula exposes the list of risks found by analysis through an interface that the interceptor node queries to judge the risk.
For more information, please refer to the documentation:
https://github.com/threathunterX/nebula_doc/blob/master/chapter3/section5.md
The above is the whole process of configuring a credential-stuffing protection policy by deploying the TH-Nebula open source risk control system.
If you have any questions while using the system, you can give feedback on GitHub:
https://github.com/threathunterX/nebula