Updated on 2023-12-06 GMT+08:00

Configuring Intrusion Prevention

CFW provides you with basic defense functions, and, with many years of attack defense experience, it detects and defends against a wide range of common network attacks and effectively protects your assets.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention.

    Table 1 Intrusion prevention functions

    Function

    Description

    Protection Mode

    • Observe: Attacks are detected and recorded in logs.
    • Intercept: Attacks and abnormal IP address access are automatically intercepted.
      • Intercept mode - loose: The protection granularity is coarse. In this mode, only attacks with high threat and high certainty are blocked.
      • Intercept mode - moderate: The protection granularity is medium. This mode meets protection requirements in most scenarios.
      • Intercept mode - strict: The protection granularity is fine-grained, and all attack requests are intercepted. You are advised to enable strict mode only after the service has been running for a period of time and you have configured false alarm masking rules.
    NOTE:

    After selecting a protection mode, you can modify a rule in the basic protection rule library. For details, see "Basic Protection Rule Management" in Cloud Firewall User Guide.

    Basic Protection

    Basic protection for your assets. It is enabled by default. Its functions are as follows:

    • Scans for threats and vulnerabilities.
    • Detects whether traffic contains phishing, Trojan horses, worms, hacker tools, spyware, password attacks, vulnerability attacks, SQL injection attacks, XSS attacks, and web attacks.
    • Checks whether traffic contains protocol anomalies, buffer overflows, access control violations, suspicious DNS activities, and other suspicious behaviors.

    Virtual Patching

    Hot patches are provided for IPS at the network layer to intercept high-risk remote attacks in real time and prevent service interruption during vulnerability fixing.

    Advanced

    Sensitive Directory Scan Defense

    Defense against scan attacks on sensitive directories on your servers.

    Action:
    • Observe: If a sensitive directory scanning attack is detected, CFW records it in logs only. For details about how to view attack logs, see Cloud Firewall User Guide > Log Query.
    • Block session: If the firewall detects a sensitive directory scan attack, it blocks the current session.
    • Block IP: If CFW detects a sensitive directory scan attack, it blocks the attack IP address for a period of time.

    Duration: If Action is set to Block IP, you can set the blocking duration. The value range is 60s to 3,600s.

    Threshold: CFW performs the specified action if the scan frequency of a sensitive directory reaches this threshold.

    Reverse Shell Defense

    Defense against reverse shells.

    Action:
    • Observe: If a reverse shell attack is detected, it is only recorded in attack logs. For details about how to view attack logs, see "Querying Logs" in Cloud Firewall User Guide.
    • Block session: If the firewall detects a reverse shell attack, it blocks the current session.
    • Block IP: If CFW detects a reverse shell attack, it blocks the attack IP address for a period of time.

    Duration: If Action is set to Block IP, you can set the blocking duration. The value range is 60s to 3,600s.

    Mode:

    • Conservative: coarse-grained protection. It observes or blocks only frequent attacks, so that no false positives are reported.
    • Sensitive: fine-grained protection. It ensures that attacks can be detected and handled.
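The decisions Table 1 describes can be modelled as a small policy engine: the Observe and Intercept (loose/moderate/strict) protection modes decide per attack request based on threat and certainty, while the advanced defenses (Sensitive Directory Scan Defense, Reverse Shell Defense) apply an Observe / Block session / Block IP action once a per-IP threshold is reached, with Block IP expiring after the configured duration. The following Python is an added example written for this page, not Huawei Cloud CFW code or its API; the sliding window, the sample IP addresses and events, and the mapping of "moderate" mode to medium-or-higher threat and certainty are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Added example (not CFW code): models the Table 1 decisions above.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Event:
    ts: float               # seconds since start of the constructed capture
    src_ip: str
    session: str
    kind: str               # "signature" | "dir_scan" | "reverse_shell"
    threat: str = "low"     # low/medium/high (used for "signature" events)
    certainty: str = "low"


@dataclass
class AdvancedDefense:
    action: str             # "observe" | "block_session" | "block_ip"
    duration: int = 300     # Block IP duration in seconds; table says 60s..3,600s
    threshold: int = 1      # hits inside `window` that trigger the action
    window: int = 60        # assumption: sliding window length in seconds

    def __post_init__(self):
        if not 60 <= self.duration <= 3600:
            raise ValueError("duration must be between 60s and 3,600s")


class PolicyEngine:
    def __init__(self, mode="intercept_moderate", defenses=None):
        self.mode = mode
        self.defenses = defenses or {}
        self.blocked_ips = {}         # ip -> timestamp at which the block expires
        self.blocked_sessions = set()
        self.counters = {}            # (ip, kind) -> deque of hit timestamps
        self.log = []                 # (ts, ip, kind, verdict) attack log entries

    def _mode_intercepts(self, ev):
        t, c = LEVELS[ev.threat], LEVELS[ev.certainty]
        if self.mode == "observe":             # detect and log only
            return False
        if self.mode == "intercept_loose":     # only high threat AND high certainty
            return t == 3 and c == 3
        if self.mode == "intercept_moderate":  # assumption: medium or higher on both
            return t >= 2 and c >= 2
        if self.mode == "intercept_strict":    # every attack request
            return True
        raise ValueError(f"unknown mode {self.mode}")

    def handle(self, ev):
        # A blocked IP is dropped until its block duration has elapsed.
        if ev.src_ip in self.blocked_ips:
            if ev.ts < self.blocked_ips[ev.src_ip]:
                return "dropped_blocked_ip"
            del self.blocked_ips[ev.src_ip]
        if ev.session in self.blocked_sessions:
            return "dropped_blocked_session"
        if ev.kind == "signature":
            verdict = "intercept" if self._mode_intercepts(ev) else "observe"
            self.log.append((ev.ts, ev.src_ip, ev.kind, verdict))
            return verdict
        d = self.defenses.get(ev.kind)
        if d is None:
            return "allow"
        # Count hits per (IP, defense) inside the sliding window.
        q = self.counters.setdefault((ev.src_ip, ev.kind), deque())
        q.append(ev.ts)
        while q and q[0] <= ev.ts - d.window:
            q.popleft()
        if len(q) < d.threshold:
            return "allow"
        self.log.append((ev.ts, ev.src_ip, ev.kind, d.action))
        if d.action == "observe":
            return "observe"
        if d.action == "block_session":
            self.blocked_sessions.add(ev.session)
            return "block_session"
        if d.action == "block_ip":
            self.blocked_ips[ev.src_ip] = ev.ts + d.duration
            return "block_ip"
        raise ValueError(f"unknown action {d.action}")


def demo():
    """Run a constructed event sequence through loose mode plus two defenses."""
    eng = PolicyEngine(mode="intercept_loose", defenses={
        "dir_scan": AdvancedDefense("block_ip", duration=60, threshold=3),
        "reverse_shell": AdvancedDefense("block_session"),
    })
    events = [  # constructed sample events; addresses are documentation ranges
        Event(0, "198.51.100.7", "s1", "signature", "high", "medium"),  # observe
        Event(1, "198.51.100.7", "s1", "signature", "high", "high"),    # intercept
        Event(2, "198.51.100.9", "s2", "dir_scan"),                     # allow (1/3)
        Event(3, "198.51.100.9", "s3", "dir_scan"),                     # allow (2/3)
        Event(4, "198.51.100.9", "s4", "dir_scan"),                     # block_ip
        Event(10, "198.51.100.9", "s5", "signature"),                   # dropped
        Event(70, "198.51.100.9", "s6", "dir_scan"),                    # block expired
        Event(71, "203.0.113.5", "s7", "reverse_shell"),                # block_session
        Event(72, "203.0.113.5", "s7", "signature"),                    # dropped
    ]
    return [eng.handle(e) for e in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The sequence in `demo()` shows the three behaviours a practitioner cares about when tuning these settings: loose mode lets a high-threat but medium-certainty hit through as observe-only, the directory-scan threshold is counted per source IP rather than per session, and a Block IP verdict drops everything from that address until the duration elapses, after which the counter restarts.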