How ELK helps information security engineers fight attacks on websites and sleep peacefully

Our cyber security center is responsible for protecting customer infrastructure and repelling attacks on customer websites. We use FortiWeb web application firewalls (WAF) for protection. But even the coolest WAF is not a panacea and does not protect against targeted attacks out of the box.

That is why, in addition to the WAF, we use ELK. It helps collect all events in one place, accumulate statistics, visualize them, and lets us watch an attack unfold in real time.

Today I will tell you in detail how we crossed the "Christmas tree" with the WAF and what came out of it.


The story of one attack: how it all worked before switching to ELK

Customers have an application deployed in our cloud behind our WAF. Between 10 and 000 users a day connected to the site, and the number of connections reached 100 million a day. Of these, 000-20 users were attackers trying to break into the site.

FortiWeb easily blocked an ordinary brute-force attack from a single IP address: the number of hits on the site per minute was far higher than that of a legitimate user. We simply set a limit on activity from a single address and blocked the attack.

It is much harder to deal with a "slow attack", when attackers act slowly and disguise themselves as ordinary customers. They use many unique IP addresses. To the WAF such activity does not look like mass brute force, and it was harder to track automatically. There was also the risk of blocking normal users. We looked for other signs of an attack and set up a policy to block IP addresses automatically based on that sign. For example, many illegitimate sessions had identical fields in the HTTP request headers. Such fields often had to be searched for manually in the FortiWeb event logs.

This turned out to be long and inconvenient. In FortiWeb's standard functionality, events are recorded in three different logs: detected attacks, request information, and system messages about the WAF's operation. Dozens or even hundreds of attack events can arrive in a single minute.

Not that many, but you have to manually climb through several logs and scroll through many lines:

In the attack log we see the users' addresses and the nature of their activity.
 
Just looking at the log table is not enough. To find the most interesting and useful information about the attack, you have to look inside a specific event:

The highlighted fields help detect a "slow attack". Source: screenshot from the Fortinet website.

Well, the main problem is that only a FortiWeb specialist can figure this out. While during working hours we could still track suspicious activity in real time, investigating night incidents could take a long time. When the FortiWeb policies did not work for some reason, the night-shift duty engineers could not assess the situation without access to the WAF and had to wake up the FortiWeb specialist. We looked through several hours of logs to find the moment of the attack.

With such volumes of information, it is hard to grasp the big picture at a glance and act proactively. So we decided to collect the data in one place in order to analyze everything in a visual form, find the beginning of an attack, and identify its direction and the way to block it.

What did we choose from?

First, we looked at the solutions already in use, so as not to multiply entities unnecessarily.

One of the first options was Nagios, which we use to monitor engineering infrastructure, network infrastructure, and emergency alerts. The security service also uses it to notify the duty staff of suspicious traffic, but it does not know how to collect scattered logs, so it dropped out.

There was the option of aggregating everything using MySQL and PostgreSQL or another relational database. But to extract the data, you would have to write your own application.

Our company also uses FortiAnalyzer from Fortinet. But it did not fit in this case either. First, it is tailored more to working with the FortiGate firewall. Second, many settings were missing, and interacting with it required excellent knowledge of SQL queries. And third, using it would increase the cost of the service for the customer.

That is how we came to open source in the form of ELK.

Why we chose ELK

ELK is a set of open-source programs:

  • Elasticsearch - a time-series database designed specifically for working with large volumes of text;
  • Logstash - a data collection mechanism that can transform logs into the desired format;
  • Kibana - a good visualizer, as well as a fairly friendly interface for managing Elasticsearch. You can use it to build graphs that the duty engineers can monitor at night.

The entry threshold for ELK is low. All the basic features are free. What else do you need to be happy?

How did we put it all together into one system?

We created indexes and kept only what was necessary. We loaded all three FortiWEB logs into ELK, and the output was indexes. These are files with all the logs collected over a period, for example a day. If we had visualized them right away, we would have seen only the dynamics of attacks. For details, you would have to "fall into" each attack and look at specific fields.


We realized that first we needed to set up parsing of unstructured information. We took long string fields, such as "Message" and "URL", and parsed them to get more information for decision-making.

For example, through parsing we extracted the user's location as a separate field. This immediately helped highlight attacks from abroad on sites meant for Russian users. By blocking all connections from other countries, we reduced the number of attacks by a factor of 2 and could calmly deal with attacks from within Russia.

After parsing, we started looking for what information to store and visualize. It was impractical to keep everything in the log: the size of a single index was large, 7 GB. ELK took a long time to process the file. And not all of the information was useful. Some of it was duplicated and took up extra space, so it needed to be optimized.

At first we simply looked through the index and removed unnecessary events. This turned out to be even more inconvenient and time-consuming than working with the logs on FortiWeb itself. The only plus of the "Christmas tree" at this stage was that we could see a long period of time on one screen.

We did not despair; we kept eating the cactus, studying ELK and believing that we could extract the necessary information. After cleaning the indexes, we started visualizing what we had. That is how we came to large dashboards. We tried out widgets: visual and elegant, a real Christmas tree!


The moment of the attack was recorded. Now we needed to understand what the start of an attack looks like on a graph. To detect it, we looked at the server's responses to the user (return codes). We were interested in server responses with the following codes (rc):

Code (rc)   Name                    Description
0           Drop                    Request to the server blocked
200         OK                      Request processed successfully
400         Bad Request             Malformed request
403         Forbidden               Authorization denied
500         Internal Server Error   Service unavailable

If someone started attacking the site, the ratio of these codes changed:

  • If there are many bad requests with code 400, but the number of requests with code 200 stays the same, it means someone is trying to break into the site.
  • If at the same time the number of requests with code 0 increased, then the FortiWeb policies "saw" the attack and applied blocking.
  • If the number of messages with code 500 increases, it means the site is unavailable for these IP addresses, which is also a kind of blocking.

By the third month, we had set up a dashboard to track activity like this.


So that we would not have to watch everything manually, we set up an integration with Nagios, which polled ELK at certain intervals. When it detected that the codes had reached threshold values, it sent the duty staff a notification about suspicious activity.
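The return-code rules above and the threshold check that Nagios polled ELK for, as an added Python example (not the authors' code or anything from FortiWeb or Nagios): the "rc" field name, the per-minute bucketing, the growth and tolerance thresholds and every sample count are assumptions constructed for the illustration.

```python
"""Added example: detect the start of an attack from WAF return-code ratios.
Applies the three rc rules from the text to per-minute counts, as a dashboard or a
Nagios check polling Elasticsearch would. Field names and sample counts are constructed."""
from collections import Counter, defaultdict

def count_by_minute(hits):
    """Aggregate hits ({"@timestamp": ISO-8601 string, "rc": int}) into a
    Counter of return codes per minute bucket (YYYY-MM-DDTHH:MM)."""
    buckets = defaultdict(Counter)
    for hit in hits:
        buckets[hit["@timestamp"][:16]][int(hit["rc"])] += 1
    return dict(buckets)

def classify_window(counts, baseline, growth=3.0, tolerance=0.2):
    """Compare one minute's rc counts with a quiet-period baseline.
    - rc 400 grows while rc 200 stays flat -> someone is probing the site
    - rc 0 (Drop) grows at the same time   -> FortiWeb policy saw it and blocks
    - rc 500 grows                          -> site unavailable for those clients
    """
    def grew(code):
        return counts.get(code, 0) >= growth * max(baseline.get(code, 0), 1)

    base_200 = baseline.get(200, 0)
    flat_200 = abs(counts.get(200, 0) - base_200) <= tolerance * base_200
    findings = []
    if grew(400) and flat_200:
        findings.append("attack_attempt")
        if grew(0):
            findings.append("blocked_by_waf")
    if grew(500):
        findings.append("service_unavailable")
    return findings

def nagios_state(findings):
    """Nagios exit code and label: an attack the WAF is not dropping needs an
    engineer (CRITICAL); anything else noteworthy is WARNING."""
    if "attack_attempt" in findings and "blocked_by_waf" not in findings:
        return 2, "CRITICAL"
    return (1, "WARNING") if findings else (0, "OK")

# Constructed baseline for one quiet minute on the protected site.
BASELINE = Counter({200: 950, 400: 20, 403: 5, 500: 2})

if __name__ == "__main__":
    hits = ([{"@timestamp": "2019-03-05T02:14:00Z", "rc": 400}] * 300
            + [{"@timestamp": "2019-03-05T02:14:30Z", "rc": 200}] * 930)
    for minute, counts in count_by_minute(hits).items():
        found = classify_window(counts, BASELINE)
        print(minute, found, nagios_state(found))  # 2019-03-05T02:14 ['attack_attempt'] (2, 'CRITICAL')
```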

We embedded 4 graphs in the monitoring system. Now it was important to see on the graphs the moment when an attack was not being blocked and an engineer's intervention was needed. Looking at 4 different charts, our eyes glazed over. So we combined the charts and started watching everything on one screen.

While monitoring, we watched how the graphs of different colors changed. A red burst showed that an attack had started, while the orange and blue graphs showed FortiWeb's reaction:

Everything is fine here: there were many "red" events, but FortiWeb handled them and the attack graph came to nothing.

We also drew for ourselves an example of a graph that requires intervention:

Here we see that FortiWeb increased its activity, but the red attack graph did not decrease. The WAF settings need to be changed.

Investigating night incidents has also become easier. The graph immediately shows the moment when it is time to come to the site's defense.

This is what sometimes happens at night. Red graph: the attack has started. Blue: FortiWeb activity. The attack was not completely blocked, so I had to intervene.

Where are we heading?

We are currently training the duty administrators to work with ELK. The duty staff learn to assess the situation on the dashboard and make a decision: whether it is time to escalate to the FortiWeb specialist, or whether the WAF policies will be enough to repel the attack automatically. This way we reduce the night-time load on the information security engineers and split the support roles at the system level. Access to FortiWeb remains only with the cyber security center, and only they make changes to the WAF settings when it is urgently needed.

We are also working on reporting for customers. We plan to make data on the dynamics of the WAF's operation available in the customer's personal account. ELK will make the situation more transparent without having to go to the WAF itself.

If a customer wants to monitor their protection in real time, ELK will come in handy here too. We cannot give access to the WAF, since a customer's interference in its operation could affect others. But we can set up a separate ELK instance and hand it over to "play" with.

These are the scenarios for using the "Christmas tree" that we have accumulated recently. Share your thoughts on this, and don't forget to configure everything correctly to avoid database leaks.

Source: www.habr.com