Correctly configuring the ECS security group or the SLB whitelist of your source site (origin server) prevents attackers from bypassing WAF and attacking the source site IP address directly. This topic describes how to configure source site protection.
Background information
Source site protection is optional. Leaving it unconfigured does not affect service forwarding, but if the source site IP address is exposed, attackers can bypass the Web application firewall and attack the source site directly.
How do I confirm source leaks?
From a host outside Alibaba Cloud, use the Telnet tool to connect to the service port on the public IP address of the source site and check whether the connection succeeds. If it does, the source site is exposed: once attackers obtain its public IP address, they can bypass WAF and access the source site directly. If the connection fails, there is no source site leakage risk.
For example, test whether port 80 and port 800 on a source site IP address that is already protected by WAF can be connected. If the test shows that the port is reachable, the source IP address leakage risk exists.
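The Telnet check described above, done programmatically so it can be repeated for every service port and after each configuration change. This is an added example, not code from the original page or from Alibaba Cloud; `ORIGIN_IP` and `PORTS` are constructed placeholders for your own source site's public address and the ports WAF forwards to, and the `connect` parameter is an injection point so the check can be dry-run without a network.

```python
import socket

# Constructed placeholders: replace with your own source site's public IP and
# the ports that WAF forwards to.  Run from a host outside Alibaba Cloud so the
# connection does not arrive from an address range you have whitelisted.
ORIGIN_IP = "192.0.2.10"
PORTS = (80, 443)


def port_reachable(host, port, timeout=3.0, connect=socket.create_connection):
    """Return True if a TCP handshake to host:port completes within timeout.

    `connect` defaults to the real socket.create_connection and is injectable
    so the check can be exercised offline (see simulated_connector).
    """
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:
        # refused, timed out or unreachable: not directly reachable
        return False
    sock.close()
    return True


def check_origin_exposure(host, ports, **kwargs):
    """Map each port to True (directly reachable, source site exposed) or False."""
    return {port: port_reachable(host, port, **kwargs) for port in ports}


def exposed_ports(results):
    """Sorted list of the ports from check_origin_exposure() that bypass WAF."""
    return sorted(port for port, reachable in results.items() if reachable)


def simulated_connector(open_ports):
    """Stand-in for socket.create_connection for offline dry runs and tests:
    ports in `open_ports` accept the connection, everything else is refused."""
    class _ClosedSocket:
        def close(self):
            pass

    def _connect(address, timeout=None):
        host, port = address
        if port in open_ports:
            return _ClosedSocket()
        raise ConnectionRefusedError(f"simulated refusal for {host}:{port}")

    return _connect


if __name__ == "__main__":
    results = check_origin_exposure(ORIGIN_IP, PORTS)
    leaked = exposed_ports(results)
    if leaked:
        print(f"{ORIGIN_IP} accepts direct connections on {leaked}: source site exposed")
    else:
        print(f"{ORIGIN_IP} refused direct connections on {list(PORTS)}: no leak found")
```

Run it before configuring protection (expect the ports to be reachable) and again afterwards (expect them all refused while the website still works through WAF).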
Caution: Configuring a security group carries risk. Note the following before configuring source site protection:
- Ensure that every domain name hosted on the ECS or SLB instance has been added to the Web application firewall.
- When the WAF cluster is faulty, requests for a domain name may be routed directly to the source site to keep the website accessible. If the source site has security group protection configured, it will then be unreachable from the public network.
- When a new back-to-source network segment is added to the WAF cluster, a source site with security group protection configured may return frequent 5XX errors until the new segment is whitelisted.
Steps
1. Log in to the Cloud Shield Web Application Firewall console.
2. Go to the Administration > Site Configuration page and select the region where the WAF instance is located.
3. Click the WAF source IP address segment list to view all the back-to-source IP address segments of the Web application firewall.
   Note: The WAF source IP address segments are updated periodically. Watch for change notifications and add any new segments to the corresponding security group rules promptly; otherwise back-to-source requests from the new segments will be blocked.
4. In the WAF Source IP Address Segment dialog box, click Copy IP address segment to copy all the source IP address segments.
5. Configure the source site so that only the WAF back-to-source IP addresses are allowed, following the procedure below for your source site type:
- The source site is an ECS instance
  1. Go to the ECS instance list, locate the instance for which you want to configure a security group, and click Manage in the Actions column.
  2. Switch to the Security Groups page of the instance.
  3. Select the target security group and click Configure Rules in the Actions column.
  4. Click Add Security Group Rule and configure the following rule. An authorization object is an IP address segment in CIDR format, such as 10.x.x.x/32; multiple authorization objects can be added to one rule, separated by commas (,), up to a maximum of 10 per rule.
     - NIC type: Intranet
       Note: If the ECS instance is of the classic network type, set the NIC type to Public.
     - Rule direction: Inbound
     - Authorization policy: Permit
     - Protocol type: TCP
     - Authorization type: Address segment access
     - Port range: 80/443
     - Authorization object: paste all the WAF source IP address segments copied in Step 4 of the main procedure
     - Priority: 1
  5. After adding security group rules for all the WAF source IP address segments, add the following rule, at priority 100, to deny access from all IP addresses in the inbound direction of the public network:
     - NIC type: Intranet
       Note: If the ECS instance is of the classic network type, set the NIC type to Public.
     - Rule direction: Inbound
     - Authorization policy: Reject
     - Protocol type: TCP
     - Port range: 80/443
     - Authorization type: Address segment access
     - Authorization object: 0.0.0.0/0
     - Priority: 100
     Note: If the server protected by this security group also communicates with other IP addresses or applications, whitelist those IP addresses and ports in the security group as well, or add a lowest-priority rule that permits all ports at the end of the security group.
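The security group rule set from the ECS procedure above, modelled offline so you can see how the priority-1 Permit rules and the priority-100 Reject rule combine before applying them in the console. This is an added example, not Alibaba Cloud's code or API: the WAF segments in `WAF_BACK_TO_SOURCE` are constructed RFC 5737 test networks standing in for the list copied from the WAF console, the ten-objects-per-rule chunking follows the limit stated above, and the tie-break that a Reject rule beats a Permit rule of equal priority is an assumption of the model. Note that the security group's port range syntax is `start/end`, so the page's `80/443` covers every port from 80 through 443; use `80/80` and `443/443` if you want exactly those two ports.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_OBJECTS_PER_RULE = 10  # per-rule limit on authorization objects stated above

# Constructed placeholder segments (RFC 5737 test networks), NOT real WAF
# back-to-source addresses: paste the list copied from the WAF console here.
WAF_BACK_TO_SOURCE = (
    [str(n) for n in ipaddress.ip_network("192.0.2.0/24").subnets(new_prefix=28)]
    + ["203.0.113.0/25", "203.0.113.128/25"]
)


@dataclass
class Rule:
    policy: str               # "Permit" or "Reject"
    port_range: tuple         # (low, high), inclusive
    priority: int             # 1 is evaluated first, 100 last
    objects: list = field(default_factory=list)  # authorization objects as ip_network


def parse_port_range(text):
    """Parse the security group's 'start/end' port syntax, e.g. '80/443'.
    In this syntax '80/443' means ports 80 through 443 inclusive, not just
    the two ports; use '80/80' and '443/443' for exactly those two."""
    low, high = (int(p) for p in text.split("/"))
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"bad port range {text!r}")
    return low, high


def build_rules(waf_cidrs, port_ranges=("80/443",)):
    """Permit rules at priority 1 for the WAF segments, at most ten objects per
    rule, followed by a priority-100 Reject of 0.0.0.0/0 on the same ports."""
    nets = [ipaddress.ip_network(c, strict=False) for c in waf_cidrs]
    rules = []
    for text in port_ranges:
        ports = parse_port_range(text)
        for i in range(0, len(nets), MAX_OBJECTS_PER_RULE):
            rules.append(Rule("Permit", ports, 1, nets[i:i + MAX_OBJECTS_PER_RULE]))
        rules.append(Rule("Reject", ports, 100, [ipaddress.ip_network("0.0.0.0/0")]))
    return rules


def evaluate(rules, src_ip, port):
    """Policy applied to traffic from src_ip to port, or None if no rule matches.
    Lower priority number wins; on equal priority a Reject rule is assumed to
    take precedence over a Permit rule (model assumption)."""
    addr = ipaddress.ip_address(src_ip)
    matches = [r for r in rules
               if r.port_range[0] <= port <= r.port_range[1]
               and any(addr in net for net in r.objects)]
    if not matches:
        return None
    winner = min(matches, key=lambda r: (r.priority, 0 if r.policy == "Reject" else 1))
    return winner.policy


def permit_interacting_host(rules, cidr, port_range, priority=1):
    """The note above: a host that must still reach the source site directly
    (constructed example: a backup server on port 22) needs its own Permit
    rule ahead of the catch-all Reject."""
    rules.append(Rule("Permit", parse_port_range(port_range), priority,
                      [ipaddress.ip_network(cidr, strict=False)]))
    return rules


if __name__ == "__main__":
    rules = build_rules(WAF_BACK_TO_SOURCE)
    for r in rules:
        print(f"priority {r.priority:3d} {r.policy:6s} ports {r.port_range} "
              f"objects {', '.join(str(n) for n in r.objects)}")
    for ip, port in [("192.0.2.200", 80), ("198.51.100.9", 443), ("198.51.100.9", 22)]:
        print(f"{ip}:{port} -> {evaluate(rules, ip, port)}")
```

The evaluator returning None for port 22 shows why the closing note matters: the Reject rule only covers the listed port range, so what happens to other ports and other peers is decided by the rest of the security group, which is where the interacting hosts must be whitelisted.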
- The source site is an SLB instance
  Add the WAF source IP address segments to the whitelist of the corresponding Server Load Balancer instance in a similar way. For details, see Setting Whitelist Access Control for Server Load Balancer.
  1. Log in to the Server Load Balancer console, go to the Access Control page, and click Create Access Control Policy Group.
  2. Enter a policy group name, add the WAF source IP address segments, and click OK.
  3. On the Instances page, select the load balancing instance.
  4. On the Listeners tab, select the port listener record and click More > Set Access Control.
  5. Enable access control, set the access control mode to Whitelist, select the access control policy group created for the WAF source IP address segments, and click OK.
Subsequent steps
After source site protection is configured, verify that it has taken effect by testing whether port 80 and port 8080 of the WAF-protected source site can still be connected directly. If the ports cannot be connected directly but the website's services are still accessible, source site protection has been configured successfully.