Isikhungo sethu sokuvikela i-inthanethi sinesibopho sokuphepha kwengqalasizinda yewebhu yeklayenti futhi sixosha ukuhlaselwa kumasayithi amaklayenti. Ukuvikela ekuhlaselweni, sisebenzisa i-FortiWeb Web Application Firewalls (WAFs). Kodwa ngisho ne-WAF ebanda kunazo zonke ayiyona i-panacea futhi ayivikeli "ngaphandle kwebhokisi" ekuhlaselweni okuhlosiwe.
Ngakho-ke, ngaphezu kwe-WAF, sisebenzisa . Kuyasiza ukuqoqa yonke imicimbi endaweni eyodwa, iqongelela izibalo, ibone ngeso lengqondo futhi isivumele ukuthi sibone ukuhlasela okuqondiwe kusenesikhathi.
Namuhla ngizokutshela ngokuningiliziwe ukuthi sawela kanjani isihlahla sikaKhisimusi nge-WAF nokuthi yini eyavela kuso.
Indaba yokuhlasela okukodwa: ukuthi yonke into yasebenza kanjani ngaphambi kokushintshela ku-ELK
Emafini ethu, ikhasimende lifake isicelo ngemuva kwe-WAF yethu. Kusukela ku-10 kuya ku-000 abasebenzisi abaxhumeke kusayithi ngosuku, inani lokuxhumeka lifinyelele ezigidini ezingu-100 ngosuku. Kulaba, abasebenzisi abangu-000-20 babengabangeneleli futhi bazama ukugebenga isayithi.
Ifomu elivamile le-brute force elivela ekhelini elilodwa le-IP livinjwe yi-FortiWeb kalula. Inombolo yamahithi esayithi ngomzuzu ibiphezulu kuneyabasebenzisi abasemthethweni. Simane samisa imikhawulo yomsebenzi kusuka ekhelini elilodwa futhi sahoxisa ukuhlasela.
Kunzima kakhulu ukubhekana "nokuhlasela okuhamba kancane", lapho abahlaseli besebenza kancane futhi bezifihla njengamakhasimende ajwayelekile. Basebenzisa amakheli amaningi e-IP ahlukile. Umsebenzi onjalo awuzange ubukeke njengamandla amakhulu e-WAF, kwakunzima kakhulu ukuwulandela ngokuzenzakalelayo. Futhi bekukhona nengozi yokuvimbela abasebenzisi abajwayelekile. Sibheke ezinye izimpawu zokuhlasela futhi samisa inqubomgomo yokuvimba ngokuzenzakalelayo amakheli e-IP ngokusekelwe kulolu phawu. Isibonelo, amaseshini amaningi angekho emthethweni abe nezinkambu ezivamile kuzihloko zesicelo se-http. Ngokuvamile kwakudingeka ubheke izinkambu ezinjalo ngesandla kulogi lomcimbi we-FortiWeb.
Kwaba isikhathi eside futhi kungakhululekile. Ekusebenzeni okujwayelekile kwe-FortiWeb, izehlakalo zirekhodwa ngombhalo kumalogi angu-3 ahlukene: ukuhlaselwa okutholiwe, ulwazi mayelana nezicelo, nemilayezo yesistimu mayelana nokusebenza kwe-WAF. Amashumi noma amakhulu emicimbi yokuhlasela angafika ngeminithi.
Hhayi kangako, kodwa kufanele ugibele ngesandla ezingodweni ezimbalwa futhi uphindaphinde imigqa eminingi:
Kulogi yokuhlasela, sibona amakheli omsebenzisi kanye nemvelo yomsebenzi.
Akwanele ukumane uskene ithebula lelogi. Ukuze uthole okuthakazelisa kakhulu futhi okuwusizo mayelana nemvelo yokuhlasela, udinga ukubheka ngaphakathi komcimbi othile:
Izinkambu ezigqanyisiwe zisiza ukuthola "ukuhlasela okunensayo". Umthombo: isithombe-skrini esivela ku .
Nokho, inkinga enkulu ukuthi uchwepheshe we-FortiWeb kuphela ongayithola. Uma phakathi namahora ebhizinisi sisengakwazi ukulandelela umsebenzi osolisayo ngesikhathi sangempela, khona-ke ukuphenywa kwezigameko zasebusuku kungase kubambezeleke. Lapho izinqubomgomo ze-FortiWeb zingasebenzi ngesizathu esithile, onjiniyela basebusuku ababesemsebenzini abakwazanga ukuhlola isimo ngaphandle kokufinyelela ku-WAF futhi bavusa uchwepheshe we-FortiWeb. Sabheka izingodo amahora ambalwa futhi sathola isikhathi sokuhlasela.
Ngolwazi oluningi kangaka, kunzima ukuqonda isithombe esikhulu ngokubuka nje kanye nokwenza okuthile. Khona-ke sanquma ukuqoqa idatha endaweni eyodwa ukuze sihlaziye yonke into ngendlela ebonakalayo, thola ukuqala kokuhlasela, ukukhomba isiqondiso sayo nendlela yokuvimbela.
Yini eyakhethwa
Okokuqala, sibheke izixazululo esezisetshenziswa kakade, ukuze singaphindaphindi amabhizinisi ngokungenasidingo.
Enye yezinketho zokuqala kwaba I-Nagiosesiyisebenzisayo ukuqapha , , izexwayiso zesimo esiphuthumayo. Onogada babuye bayisebenzisele ukwazisa abaqaphi uma kwenzeka isiminyaminya esolisayo, kodwa abazi ukuthi baqoqa kanjani izingodo ezihlakazekile ngakho-ke bayanyamalala.
Bekukhona inketho yokuhlanganisa yonke into ngayo I-MySQL ne-PostgreSQL noma enye isizindalwazi esihlobene. Kodwa ukuze ukhiphe idatha, bekudingeka ukubaza uhlelo lwakho lokusebenza.
Njengomqoqi welogi enkampanini yethu nabo bayasebenzisa I-FortiAnalyzer kusuka eFortinet. Kodwa kulokhu, naye akazange alingane. Okokuqala, kubukhali kakhulu ukusebenza nge-firewall I-FortiGate. Okwesibili, izilungiselelo eziningi bezishoda, futhi ukusebenzisana nayo kudinga ulwazi oluhle kakhulu lwemibuzo ye-SQL. Okwesithathu, ukusetshenziswa kwayo kungakhuphula izindleko zesevisi yekhasimende.
Yile ndlela esize ngayo ukuvula umthombo ebusweni Elk.
Kungani ukhetha i-ELK
I-ELK isethi yezinhlelo zomthombo ovulekile:
- Islastiki - i-database yochungechunge lwesikhathi, esanda kwakhiwa ukuze isebenze ngevolumu enkulu yombhalo;
- Logstash - indlela yokuqoqa idatha engaguqula izingodo zibe uhlobo olufunayo;
- Kibana - isibonisi esihle, kanye nesixhumi esibonakalayo esinobungane sokuphatha i-Elasticsearch. Ungayisebenzisa ukuze wakhe amashejuli angagadwa onjiniyela bomsebenzi ebusuku.
Umkhawulo wokungena we-ELK uphansi. Zonke izici eziyisisekelo zimahhala. Yini enye edingekayo ukuze uthole injabulo.
Ukuhlanganise kanjani konke ohlelweni olulodwa?
Wakha izinkomba futhi washiya kuphela ulwazi oludingekayo. Silayishe womathathu amalogi e-FortiWEB ku-ELK - okukhiphayo bekuyizinkomba. Lawa amafayela anawo wonke amalogi aqoqiwe isikhathi esithile, isibonelo, usuku. Uma sizibona ngeso lengqondo zisuka nje, sizobona kuphela amandla okuhlasela. Ukuze uthole imininingwane, udinga "ukuwela" ekuhlaselweni ngakunye futhi ubheke izinkambu ezithile.
Saqaphela ukuthi okokuqala kudingeka simise ukuhlukaniswa kolwazi olungahlelekile. Sithathe izinkambu ezinde njengezintambo, njengokuthi "Umlayezo" kanye "ne-URL", futhi sazihlukanisa ukuze sithole ulwazi olwengeziwe lokuthatha izinqumo.
Isibonelo, sisebenzisa ukuhlukanisa, sikhiphe indawo yomsebenzisi ngokwehlukana. Lokhu kusize ngokushesha ukugqamisa ukuhlasela okuvela phesheya kumasayithi kubasebenzisi baseRussia. Ngokuvimbela konke ukuxhumana okuvela kwamanye amazwe, sehlise inani lokuhlaselwa izikhathi ezi-2 futhi singabhekana kalula nokuhlaselwa ngaphakathi kwe-Russia.
Ngemva kokuhlaziya, baqala ukubheka ukuthi yiluphi ulwazi abangalugcina futhi balubone ngeso lengqondo. Ukushiya yonke into kulogi kwakungalungile: usayizi wenkomba eyodwa wawumkhulu - 7 GB. I-ELK ithathe isikhathi eside ukucubungula ifayela. Nokho, akulona lonke ulwazi olwaluwusizo. Kukhona okuphinde kwaphinda kwathatha isikhala esengeziwe - bekudingeka ukuthi kuthuthukiswe.
Ekuqaleni, sasimane sibheke inkomba futhi sasusa izehlakalo ezingadingekile. Lokhu kubonakale kuphazamisa kakhulu futhi isikhathi eside kunokusebenza ngamalogi ku-FortiWeb ngokwayo. Okuwukuphela kwento evela "esihlahleni sikaKhisimusi" kulesi sigaba ukuthi sikwazile ukubona ngeso lengqondo isikhathi esikhulu esikrinini esisodwa.
Asizange siphelelwe ithemba, saqhubeka sidla i-cactus futhi sifunda i-ELK futhi sikholelwa ukuthi sizokwazi ukukhipha ulwazi oludingekayo. Ngemva kokuhlanza izinkomba, saqala ukubona ngeso lengqondo ukuthi kuyini. Ngakho-ke safika kumadeshibhodi amakhulu. Sihlohle amawijethi - ngokubukeka nangokubukeka, i-ΠLKa yangempela!
Kuthathwe isikhathi sokuhlasela. Manje kwakudingekile ukuqonda ukuthi ukuqala kokuhlasela kubukeka kanjani eshadini. Ukuze siyithole, sibheke izimpendulo zeseva kumsebenzisi (buyisela amakhodi). Sibe nentshisekelo kuzimpendulo zeseva ezinamakhodi anjalo (rc):
Ikhodi (rc)
Isihloko
Incazelo
0
DLULA
Isicelo esiya kuseva sivinjiwe
200
Ok
Isicelo sicutshungulwe ngempumelelo
400
Isicelo esibi
Isicelo esibi
403
Kuso
Ukugunyazwa kunqatshiwe
500
Iphutha Leseva Engaphakathi
Isevisi ayitholakali
Uma othile eqale ukuhlasela isayithi, isilinganiso samakhodi sishintshile:
- Uma bekunezicelo eziyiphutha eziningi ezinekhodi engu-400, kanye nenani elifanayo lezicelo ezijwayelekile ezinekhodi engu-200, khona-ke othile ubezama ukugebenga isayithi.
- Uma, ngesikhathi esifanayo, izicelo ezinekhodi 0 nazo zakhula, khona-ke abezombangazwe be-FortiWeb nabo "babone" ukuhlasela futhi basebenzise amabhulokhi kuwo.
- Uma inani lemilayezo enekhodi 500 lenyuka, khona-ke isayithi alitholakali kulawa makheli e-IP - futhi uhlobo lokuvimbela.
Ngenyanga yesithathu, sase simise ideshibhodi yokulandelela lo msebenzi.
Ukuze singaqapheli yonke into ngesandla, sakha ukuhlanganiswa ne-Nagios, okuxoxwe nge-ELK ngezikhathi ezithile. Uma irekhoda ukuzuzwa kwamanani e-threshold ngamakhodi, ithumele isaziso kubaphathi bomsebenzi mayelana nomsebenzi osolisayo.
Kuhlanganiswe amashadi angu-4 ohlelweni lokuqapha. Manje bekubalulekile ukubona kumagrafu umzuzu lapho ukuhlasela kungavinjiwe futhi ukungenelela konjiniyela kuyadingeka. Emagrafu angu-4 ahlukene, iso lethu lalifiphele. Ngakho-ke, sahlanganisa amashadi futhi saqala ukubuka yonke into esikrinini esisodwa.
Ekuqapheni, sibheke ukuthi amagrafu emibala ehlukene ashintsha kanjani. Ukuqhuma okubomvu kubonise ukuthi ukuhlasela kwase kuqalile, kuyilapho amagrafu awolintshi neluhlaza okwesibhakabhaka abonisa ukusabela kukaFortiWeb:
Konke kuhamba kahle lapha: kube nokwanda komsebenzi "obomvu", kodwa i-FortiWeb yakwazi ukubhekana nesimiso sokuhlasela saphela.
Siphinde sazidwebela isibonelo segrafu edinga ukungenelela:
Lapha singabona ukuthi i-FortiWeb ikhulise umsebenzi, kodwa igrafu yokuhlasela ebomvu ayizange yehle. Udinga ukushintsha izilungiselelo ze-WAF.
Ukuphenya ngezigameko zasebusuku nakho sekulula. Igrafu ikhombisa ngokushesha isikhathi lapho sekuyisikhathi sokuvikela isayithi.
Yilokho ngezinye izikhathi okwenzeka ebusuku. Igrafu ebomvu - ukuhlasela sekuqalile. Okuluhlaza okwesibhakabhaka - Umsebenzi we-FortiWeb. Ukuhlasela akuzange kuvinjwe ngokuphelele, kudingeke ukuthi singenelele.
Siyaphi
Manje sesiqeqesha abaphathi bemisebenzi ukuthi basebenze ne-ELK. Abalindi bafunda ukuhlola isimo kudeshibhodi futhi benze isinqumo: sekuyisikhathi sokudlulela kuchwepheshe we-FortiWeb, noma izinqubomgomo ku-WAF zizokwanela ukuxosha ngokuzenzakalelayo ukuhlasela. Lena yindlela esinciphisa ngayo umthwalo wonjiniyela bezokuphepha ebusuku futhi sabelane ngezindima zokusekela ezingeni lesistimu. Ukufinyelela ku-FortiWeb kuhlala kuphela nesikhungo sokuvikela i-inthanethi, futhi yibona kuphela abenza izinguquko kuzilungiselelo ze-WAF uma zidingeka ngokushesha.
Sisebenzela nokubikela amakhasimende. Sihlela ukuthi idatha ku-dynamics yomsebenzi we-WAF izotholakala ku-akhawunti yomuntu siqu yeklayenti. I-ELK izokwenza isimo sicace ngaphandle kwesidingo sokubhekisela ku-WAF ngokwayo.
Uma ikhasimende lifuna ukuqapha ukuvikela kwalo ngesikhathi sangempela, i-ELK nayo izoba usizo. Asikwazi ukunikeza ukufinyelela ku-WAF, njengoba ukungenelela kwekhasimende emsebenzini kungase kuthinte bonke abanye. Kodwa ungathatha i-ELK ehlukile futhi uyinikeze ukuze "idlale nxazonke".
Lezi yizimo zokusebenzisa isihlahla sikaKhisimusi esisiqongelele kamuva nje. Yabelana ngemicabango yakho ngalokhu futhi ungakhohlwa ukugwema ukuvuza kwesizindalwazi.
Source: www.habr.com