Help Center/ Edge Security/ User Guide/ Security Protection/ Protection Policy/ Configuring Protection Policies/ Configuring Basic Protection Rules to Defend Against Common Web Attacks
Updated on 2024-10-31 GMT+08:00

Configuring Basic Protection Rules to Defend Against Common Web Attacks

After this function is enabled, EdgeSec can defend against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. You can also enable basic web protection, such as web shell detection.

Prerequisites

A protected website has been added. For details, see Adding a Website to EdgeSec.

Constraints

  • Basic web protection has two modes: Block and Log only.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
  • If you select Block for Basic Web Protection, you can configure access control criteria for a known attack source. EdgeSec will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Content Delivery & Edge Computing > CDN and Security.
  3. In the navigation pane on the left, choose Edge Security > Website Settings. The Website Settings page is displayed.
  4. In the Policy column of the row containing the domain name, click the number to go to the Policies page.

    Figure 1 Website list

  5. In the Basic Web Protection configuration area, change Status and Mode as needed by referring to Table 1.

    Figure 2 Basic Web Protection configuration area
    Table 1 Parameter description

    Parameter

    Description

    Status

    Status of Basic Web Protection

    • : enabled.
    • : disabled.

  6. In the Basic Web Protection configuration area, click Advanced Settings.
  7. On the Protection Status tab page, enable protection types you need by referring to Table 3.

    Figure 3 Basic web protection

    If you select Mode for Block on the Protection Status tab, you can select a known attack source rule to let EdgeSec block requests accordingly. For details, see Configuring a Known Attack Source Rule.

    1. Set the protection level.

      In the upper right part of the page, set Protection Level to Low, Medium, or High. The default value is Medium.

      Table 2 Protection levels

      Protection Level

      Description

      Low

      EdgeSec only blocks the requests with obvious attack signatures.

      If a large number of false alarms are reported, Low is recommended.

      Medium

      The default level is Medium, which meets a majority of web protection requirements.

      High

      At this level, EdgeSec provides the finest granular protection and can intercept attacks with complex bypass features, such as Jolokia cyber attacks, common gateway interface (CGI) vulnerability detection, and Druid SQL injection attacks.

      Configure global whitelist rules after the service has been running for a period of time, and then enable the strict mode.

    2. Set the protection type.

      By default, General Check is enabled. You can enable other protection types by referring to Table 3.

    Table 3 Protection types

    Type

    Description

    General Check

    Defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. SQL injection attacks are mainly detected based on semantics.

    NOTE:

    If you enable General Check, EdgeSec checks your websites based on the built-in rules.

    Webshell Detection

    Protects against web shells from upload interface.

    NOTE:

    If you enable Webshell Detection, EdgeSec detects web page Trojan horses inserted through the upload interface.

Example - Blocking SQL Injection Attacks

If domain name www.example.com has been connected to EdgeSec, perform the following steps to verify that EdgeSec can block SQL injection attacks.

  1. Enable General Check in Basic Web Protection and set the protection mode to Block.

    Figure 4 Enabling General Check

  2. Enable EdgeSec basic web protection.

    Figure 5 Enabling EdgeSec basic web protection

  3. Clear the browser cache and enter a simulated SQL injection (for example, http://www.example.com?id=' or 1=1) in the address box.

    The access request is intercepted, as shown in Figure 6.

    Figure 6 Block page

  4. Go to the EdgeSec console. In the navigation pane on the left, choose Events. View the event on the Events page.