Iziko lethu lokhuselo lwe-cyber linoxanduva lokhuseleko lweziseko zewebhu zabathengi kwaye ligxotha uhlaselo kwiindawo zabaxumi. Sisebenzisa i-FortiWeb application firewalls (WAF) ukukhusela ekuhlaselweni. Kodwa neyona i-WAF ipholileyo ayikho i-panacea kwaye ayikhuseli ngaphandle kwebhokisi kuhlaselo olujoliswe kuyo.
Ke ngoko, ukongeza kwi-WAF sisebenzisa . Inceda ukuqokelela zonke iziganeko kwindawo enye, iqokelele izibalo, ibonakale kwaye ivumele ukuba sibone ukuhlaselwa okujoliswe kuyo ngexesha.
Namhlanje ndiza kukuxelela ngokubanzi indlela esiwela ngayo "umthi weKrisimesi" kunye ne-WAF kunye nento ephuma kuyo.
Ibali lohlaselo olunye: indlela yonke into esebenze ngayo ngaphambi kokutshintshela kwi-ELK
Umthengi unesicelo esifakwe kwilifu lethu elisemva kwe-WAF yethu. Ukusuka kwi-10 ukuya kwi-000 abasebenzisi abaqhagamshelwe kwisiza ngosuku, inani lonxibelelwano lifikelele kwi-100 yezigidi ngosuku. Kwaba, abasebenzisi be-000-20 babengabahlaseli kwaye bazama ukukrazula indawo.
I-FortiWeb ivale ifom yesiqhelo ye-brute force kwidilesi enye ye-IP ngokulula. Inani lokubethelwa ngomzuzu kwisiza beliphezulu kunelo labasebenzisi abasemthethweni. Simane sibeka imida yokusebenza kwidilesi enye kwaye sirhoxise uhlaselo.
Kunzima kakhulu ukulwa "nohlaselo olucothayo," xa abahlaseli besebenza kancinci kwaye bezenza abathengi abaqhelekileyo. Basebenzisa iidilesi ze-IP ezininzi ezizodwa. Umsebenzi onjalo awukhange ubukeke njengomkhosi omkhulu okhohlakeleyo kwi-WAF; bekunzima ukuwulandela ngokuzenzekelayo. Kwakukho nomngcipheko wokuthintela abasebenzisi abaqhelekileyo. Sijonge ezinye iimpawu zohlaselo kwaye saqwalasela umgaqo-nkqubo ukuvala ngokuzenzekelayo iidilesi ze-IP ngokusekelwe kolu phawu. Ngokomzekelo, iiseshoni ezininzi ezingekho mthethweni zinemihlaba eqhelekileyo kwi-header yesicelo se-HTTP. Le mihlaba yayisoloko kufuneka ikhangelwe ngesandla kwiilog zeminyhadala ye-FortiWeb.
Kwavela ixesha elide kwaye lingakhululekanga. Kumgangatho wokusebenza kwe-FortiWeb, iziganeko zirekhodwa kwisicatshulwa kwii-3 ezigciniweyo ezahlukeneyo: ukuhlaselwa okufunyenweyo, ulwazi lokucela, kunye nemiyalezo yenkqubo malunga nokusebenza kwe-WAF. Uninzi okanye amakhulu eziganeko zohlaselo zinokufika ngomzuzu.
Akunjalo kangako, kodwa kuya kufuneka unyuke ngesandla kwiilog ezininzi kwaye uphindaphinde kwimigca emininzi:
Kwilogi yokuhlaselwa sibona iidilesi zomsebenzisi kunye nohlobo lomsebenzi.
Akwanelanga ukuskena ngokulula itafile yelog. Ukufumana olona lwazi lunomdla kwaye luluncedo malunga nobunjani bohlaselo, kufuneka ujonge ngaphakathi kwesiganeko esithile:
Imimandla ephawulweyo inceda ukufumanisa "uhlaselo olucothayo". Umthombo: umfanekiso wekhusi ukusuka .
Ewe, eyona ngxaki ibalulekileyo kukuba yingcali ye-FortiWeb kuphela enokuyifumana le nto. Ngelixa ngeeyure zomsebenzi sisenako ukubeka iliso kwizenzo ezikrokrisayo ngexesha lokwenyani, uphando kwizehlo zasebusuku zinokuthatha ixesha elide. Xa imigaqo-nkqubo ye-FortiWeb ingasebenzi ngesizathu esithile, iinjineli zokutshintsha ebusuku emsebenzini azikwazanga ukuvavanya imeko ngaphandle kokufikelela kwi-WAF kwaye zivusa ingcali ye-FortiWeb. Sajonga kwiiyure ezininzi zemithi kwaye safumana umzuzu wohlaselo.
Ngoluhlu olunjalo lolwazi, kunzima ukuqonda umfanekiso omkhulu ekuqaleni kwaye wenze ngokukhawuleza. Emva koko sagqiba ekubeni siqokelele idatha kwindawo enye ukuze sihlalutye yonke into kwifom ebonakalayo, fumana ukuqala kokuhlaselwa, ukuchonga ulwalathiso lwayo kunye nendlela yokuvimbela.
Ukhethe ntoni?
Okokuqala, sijonge izisombululo esele zisetyenziswa ukuze singaphindaphindi amaqumrhu ngokungeyomfuneko.
Enye yeenketho zokuqala yaba I-Nagiosesisetyenziselwa ukubeka iliso , , izilumkiso malunga neemeko zonxunguphalo. Oonogada bakwasebenzisa yona ukwazisa amagosa xa kukho izithuthi ezikrokrelayo, kodwa akazi ukuba ziqokelelwa njani iinkuni ezithe saa kwaye ngoko azisafuneki.
Kwakukho ukhetho lokuhlanganisa yonke into esetyenziswayo I-MySQL kunye nePostgreSQL okanye enye idatabase yobudlelwane. Kodwa ukuze ukhuphe idatha, bekufuneka uzenzele esakho isicelo.
Inkampani yethu ikwasebenzisa I-FortiAnalyzer ukusuka eFortinet. Kodwa akuzange kulunge nakule meko. Okokuqala, ilungiselelwe ngakumbi ukusebenza nge-firewall FortiGate. Okwesibini, useto oluninzi lwalulahlekile, kwaye ukusebenzisana nayo kufuna ulwazi olubalaseleyo lwemibuzo yeSQL. Kwaye okwesithathu, ukusetyenziswa kwayo kuya kwandisa iindleko zenkonzo kumthengi.
Le yindlela esize ngayo ukuvula umthombo ngendlela ye I-ELK.
Kutheni ukhetha i-ELK
I-ELK yiseti yeenkqubo zomthombo ovulekileyo:
- Elasticsearch - i-database ye-time series, eyenzelwe ngokukodwa ukusebenza kunye nomthamo omkhulu wombhalo;
- I-Logstash β indlela yokuqokelela idatha enokuguqula iilogi zibe yifomathi efunekayo;
- IKibana -Imboniselo elungileyo, kunye nojongano olunobuhlobo ngokufanelekileyo lokulawula i-Elasticsearch. Ungayisebenzisa ukwenza iigrafu ukuba iinjineli ezisemsebenzini zinokubeka iliso ebusuku.
Umda wokungena kwi-ELK uphantsi. Zonke iimpawu ezisisiseko zisimahla. Yintoni enye efunekayo ukuze wonwabe?
Siyidibanise njani yonke into ibe yinkqubo enye?
Senza izalathisi kwaye sishiye kuphela ulwazi oluyimfuneko. Silayishe zonke iilogi ezintathu ze-FortiWEB kwi-ELK kwaye iziphumo zaziziinkomba. Ezi ziifayile kunye nazo zonke iilogi eziqokelelweyo kwithuba elithile, umzekelo, usuku. Ukuba besinokubona ngoko nangoko, besiya kubona kuphela amandla ohlaselo. Ngeenkcukacha, kufuneka "uwele" kuhlaselo ngalunye kwaye ujonge amasimi athile.
Siye saqaphela ukuba okokuqala kufuneka simise uhlalutyo lolwazi olungacwangciswanga. Sithathe imimandla emide ngohlobo lweentambo, ezinje ngo "Umyalezo" kunye "ne-URL", kwaye sayicalula ukuze sifumane ulwazi oluthe kratya lokwenza izigqibo.
Umzekelo, ngokusebenzisa ukwahlulahlula, sichonge ngokwahlukeneyo indawo yomsebenzisi. Oku kwanceda ukuqaqambisa ngokukhawuleza uhlaselo oluvela phesheya kwiindawo zabasebenzisi baseRussia. Ngokuvala lonke unxibelelwano oluvela kwamanye amazwe, sanciphisa inani lohlaselo ngesiqingatha kwaye sakwazi ukujongana ngokuzolileyo nokuhlaselwa ngaphakathi eRashiya.
Emva kokwahlulahlula, saqala ukukhangela ukuba loluphi ulwazi esinokulugcina kwaye sibe nomfanekiso ngqondweni. Kwakungenakwenzeka ukushiya yonke into kwiphephancwadi: ubungakanani besalathisi esinye sikhulu - i-7 GB. I-ELK ithathe ixesha elide ukucubungula ifayile. Noko ke, yayingeyiyo yonke inkcazelo eyayiluncedo. Kukho into ephindiweyo kwaye yathatha indawo eyongezelelweyo-ifuna ukulungiswa.
Ekuqaleni sasiskena nje isalathiso kwaye sasusa iziganeko ezingeyomfuneko. Oku kuye kwaba yinto engathandekiyo ngakumbi kwaye ixesha elide kunokusebenza ngeelog kwiFortiWeb ngokwayo. Inzuzo kuphela "yomthi weKrisimesi" kweli nqanaba kukuba sakwazi ukubona ngeso lengqondo ixesha elikhulu kwisikrini esinye.
Asizange siphelelwe ithemba, saqhubeka sidla i-cactus, sifunde i-ELK kwaye sikholelwa ukuba siya kukwazi ukukhupha ulwazi oluyimfuneko. Emva kokucoca izalathisi, saqalisa ukuba nomfanekiso-ngqondweni wento esasinayo. Le yindlela esifike ngayo kwiideshibhodi ezinkulu. Sizame ezinye iiwijethi - ngokubonakalayo nangobuhle, iKrisimesi yokwenyani!
Umzuzu wohlaselo wabhalwa. Ngoku kwakufuneka siqonde ukuba ukuqala kohlaselo kubonakala njani kwigrafu. Ukuyifumanisa, sijonge iimpendulo zeseva kumsebenzisi (iikhowudi zokubuyisela). Sinomdla kwiimpendulo zeseva ngezi khowudi zilandelayo (rc):
Ikhowudi (rc)
Isihloko
inkcazelo
0
I-DROP
Isicelo somncedisi sivaliwe
200
Ok
Isicelo siqhutywe ngempumelelo
400
Isicelo esibi
Isicelo esingasebenziyo
403
Nga vunywanga
Ugunyaziso lwaliwe
500
Impazamo yeSeva yangaphakathi
Inkonzo ayifumaneki
Ukuba umntu waqala ukuhlasela indawo, umlinganiselo weekhowudi utshintshile:
- Ukuba kukho izicelo eziphosakeleyo kunye nekhowudi ye-400, kodwa inani elifanayo lezicelo eziqhelekileyo kunye nekhowudi ye-200 yahlala, ithetha ukuba umntu wayezama ukuqhekeza isayithi.
- Ukuba ngexesha elifanayo izicelo ngekhowudi ye-0 nayo yanda, ngoko ke abapolitiki be-FortiWeb nabo "babone" ukuhlaselwa kwaye basebenzise iibhloko kuyo.
- Ukuba inani lemiyalezo enekhowudi ye-500 linyukile, oko kuthetha ukuba indawo ayifumaneki kwezi dilesi ze-IP - kwakhona uhlobo lokuthintela.
Kwinyanga yesithathu, sasisele simisele ideshboard ukuze silandelele loo msebenzi.
Ukuze singabeki esweni yonke into ngesandla, siseta udibaniso kunye neNagios, ephonononge i-ELK ngamaxesha athile. Ukuba ndifumene amaxabiso afikelelekayo kwiikhowudi, ndathumela isaziso kumagosa omsebenzi malunga nomsebenzi okrokrelekayo.
Idityaniswe 4 imizobo kwinkqubo esweni. Ngoku kwakubalulekile ukubona kwiigrafu umzuzu xa uhlaselo lungavalwanga kwaye kufuneka ungenelelo lonjiniyela. Kwiitshati ezi-4 ezahlukeneyo amehlo ethu abe mfiliba. Ke ngoko, sidibanise iitshathi kwaye saqala ukubeka esweni yonke into kwiscreen esinye.
Ngexesha lokubeka iliso, sijonge indlela iigrafu zemibala eyahlukileyo ezitshintshileyo ngayo. I-splash ebomvu ibonise ukuba uhlaselo luqalile, ngelixa iigrafu ze-orange kunye ne-blue zibonisa impendulo ye-FortiWeb:
Yonke into ilungile apha: bekukho utyando lomsebenzi βobomvuβ, kodwa iFortiWeb yahlangabezana nayo kwaye ishedyuli yohlaselo yaba lilize.
Siphinde sazizobela umzekelo wegrafu efuna ungenelelo:
Apha sibona ukuba i-FortiWeb iye yanda umsebenzi, kodwa igrafu yokuhlasela ebomvu ayizange iyancipha. Kufuneka utshintshe useto lwakho lwe-WAF.
Ukuphanda ngeziganeko zasebusuku nako kuye kwaba lula. Igrafu ngokukhawuleza ibonisa umzuzu xa ilixesha lokuza ukukhusela indawo.
Oku kuyenzeka ngamanye amaxesha ebusuku. Igrafu ebomvu - uhlaselo luqalile. Blue - umsebenzi weFortiWeb. Uhlaselo aluzange luthintelwe ngokupheleleyo, ngoko kwafuneka ndingenelele.
Singise phi?
Ngoku siqeqesha abalawuli bomsebenzi ukuba basebenze ne-ELK. Abo basemsebenzini bafunda ukuvavanya imeko kwideshibhodi kwaye benze isigqibo: lixesha lokunyuka kwi-FortiWeb ingcali, okanye imigaqo-nkqubo kwi-WAF yanele ukugxotha ngokuzenzekelayo ukuhlaselwa. Ngale ndlela sinciphisa umthwalo kwiinjineli zokhuseleko lolwazi ebusuku kwaye sahlule iindima zenkxaso kwinqanaba lenkqubo. Ukufikelela kwi-FortiWeb kuhlala kuphela kwiziko lokukhusela i-cyber, kwaye kuphela benza utshintsho kwiisetingi ze-WAF xa kuyimfuneko.
Sikwasebenzela ukunika ingxelo kubathengi. Siceba ukuba idatha kwi-dynamics ye-WAF yokusebenza iya kufumaneka kwi-akhawunti yomthengi. I-ELK iya kwenza imeko ibe sobala ngakumbi ngaphandle kokuqhagamshelana ne-WAF ngokwayo.
Ukuba umthengi ufuna ukubeka esweni ukhuseleko lwabo ngexesha langempela, i-ELK nayo iya kuba luncedo. Asikwazi ukunika ukufikelela kwi-WAF, kuba ukuphazamiseka kwabathengi emsebenzini kunokuchaphazela abanye. Kodwa unokuthatha i-ELK eyahlukileyo kwaye uyinike ukuba "idlale" nayo.
Ezi ziimeko zokusebenzisa "umthi weKrisimesi" esiwuqokelele mva nje. Yabelana ngezimvo zakho ngalo mba kwaye ungalibali ukunqanda ukuvuza kwedatha.
umthombo: www.habr.com