Security Features and basic protection for cloud services
With the growth of the Internet and cloud computing, public cloud servers are becoming more and more widely accepted. The most obvious benefit is cost saving: enterprises no longer have to purchase, install, operate or maintain servers and other devices as they would for a private cloud. On a platform provided by a public cloud service provider, they only need to use or develop their own applications. However, the security exposure of public clouds is just as obvious. Public cloud services are reachable from the Internet, so users anywhere in the world can reach your ECS instances; the data on those VM instances and in the cloud faces more threats, and more complex ones, and is in a less stable state than data on a private cloud. Whether cloud computing is seen as traditional informatization or as a future trend, it faces security risks. From the protection perspective, the security system needs to be built up step by step, and the usual construction sequence is network security, then host security, then data security.
However, many small and medium-sized enterprises do not have many devices, only a few to a few dozen. It is not worthwhile for them to spend a great deal of effort on security, yet doing nothing leaves them uneasy. So what should small and medium-sized enterprises focus on? I personally think that access security should be given priority, that is, whether anyone is illegally accessing your servers, because on a cloud platform anyone with network access can reach your machines. Therefore, I think this information deserves priority, and that logons outside working hours, logons from outside the work location, password guessing, account guessing and similar behaviours should be reported. As far as I know, there are currently no effective open-source or free tools for this. ELK is widely used, but in most cases it is not suitable for small and medium-sized enterprises because the entry threshold is too high. For this reason the company has developed the log analysis software mongorandd. It can analyse exactly the situations listed above, and the cost of deploying and learning it is very low.
First, create a portal:
The following are several types of alarms:
Non-work hours Logon
This alarm rule detects logons to the system during non-working hours. Its main purpose is to catch anyone logging on to the system outside working hours, which is a rather dangerous situation.
Verification process:
First, configure the non-working hours. This setting is built into the system and is found under the security configuration. The default value is to, and the non-working hours are from.
Then use an SSH client such as SecureCRT to log on to the system. A log record is produced at this point.
The log shows that the logon time is 21:32:28, which falls outside the working hours. After logging on, wait two or three minutes and then view the logs and alarms in the web console.
The system records logs and generates alarms.
Non-Work Location Logon
This alarm rule detects logons to the system from a non-work location. Its main purpose is to catch anyone logging on to the system from outside the work location, which is a rather dangerous situation.
Verification process:
First, configure the work locations. These values should be set according to your own work environment; note that 192.168.21.1 is not in the list. Also note that the collector must be restarted after the configuration is complete so that it loads the new parameters.
The verification process is the same as for non-working hours; this time a non-work location alarm is generated. Note that if one event matches several alarm rules, several alarms are generated, but only one log record is written.
From the details of the alarm log, the log is the same as the previous non-work-time logon.
After 192.168.21.1 is added to the work locations, log on again. If no alarm is generated, the rule has taken effect.
Password guessing attack
Password guessing is a very common attack method. Its signature is a run of consecutive logon failure logs within a period of time, from which a password guessing attack can be determined.
Verification process:
Enter the wrong password several times within a short period. The log shows three wrong passwords entered in a short time.
The generated alarms are as follows:
Corresponding event:
Although several failure logs were recorded, only one alarm appears, and it shows a count of 3. This is because the system merges original events: when it finds that several original events are of the same type, it merges them into one event, and the event count of that merged event is the actual number of original events.
Account guessing attack
Account guessing is a very common attack method. In general, an attacker must first determine a valid account on the host before launching further attacks, so attackers usually guess the root account first; renaming the root account or disabling remote logon for root is therefore very effective. The signature of this attack is a run of logon records for accounts that do not exist on the system within a period of time, from which an account guessing attack can be identified. The alarm rules are as follows:
To verify, log on to the system with an account that does not exist on it.
The generated alarms are as follows:
The corresponding log details are as follows:
Password guessing attack successful
A successful password guessing attack is a very serious event: it means the attacker has succeeded and is already inside the system. This situation is very dangerous, and this alarm deserves the most attention. The main feature of the rule is that the user first shows password guessing behaviour and then a successful logon; when these two behaviours are combined, we conclude that the password guessing attack has succeeded.
To verify, first log on to the system several times with a wrong password, then log on with the correct password.
Two alarms are generated: a password guessing attack and a successful password guessing attack.
Looking at the logs recorded in the system, we see five failed logons followed by one successful logon.
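As an added example that is not part of the original article or of mongorandd, the five alarm rules above (non-work hours logon, non-work location logon, password guessing, account guessing, and a successful logon that closes a guessing run) are expressed here over raw sshd log lines, including the merging of same-type events into one counted event. The working hours, the work-location list, the threshold of three failures within a 60-second window and the log lines themselves are all assumptions constructed for the example.

```python
import re
from datetime import datetime, time, timedelta

# Rule parameters; every value here is an assumption made for this example.
WORK_START, WORK_END = time(9, 0), time(18, 0)  # logons outside this span are "non-work hours"
WORK_LOCATIONS = {"10.0.0.5"}                   # 192.168.21.1 is deliberately not listed
THRESHOLD, WINDOW = 3, timedelta(seconds=60)    # failures within WINDOW that count as guessing
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<kind>Accepted|Failed|Invalid)"
    r" (?:password for (?:invalid user )?|user )(?P<user>\S+) from (?P<ip>\S+)")

# Constructed sshd lines (not from the page): 3 wrong passwords, a success at 21:32:28, 3 unknown accounts.
SAMPLE_LOG = """\
Mar 10 21:32:05 ecs sshd[1300]: Failed password for ops from 192.168.21.1 port 50300 ssh2
Mar 10 21:32:09 ecs sshd[1300]: Failed password for ops from 192.168.21.1 port 50300 ssh2
Mar 10 21:32:14 ecs sshd[1300]: Failed password for ops from 192.168.21.1 port 50300 ssh2
Mar 10 21:32:28 ecs sshd[1300]: Accepted password for ops from 192.168.21.1 port 50300 ssh2
Mar 10 22:00:00 ecs sshd[1400]: Invalid user admin from 203.0.113.9 port 40000
Mar 10 22:00:03 ecs sshd[1401]: Invalid user test from 203.0.113.9 port 40001
Mar 10 22:00:07 ecs sshd[1402]: Invalid user oracle from 203.0.113.9 port 40002
"""

def merge(runs, key, ts):
    """Fold one raw event into the merged event for `key` and return its count; a gap > WINDOW starts anew."""
    run = runs.setdefault(key, [ts, 0])                     # [last_seen, count]
    run[:] = [ts, (run[1] if ts - run[0] <= WINDOW else 0) + 1]
    return run[1]

def analyse(log):
    """Return (alarm, user, ip, count) tuples in firing order; one log line may raise several alarms."""
    alarms, failed, invalid = [], {}, {}
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog stamp carries no year
        kind, user, ip = m["kind"], m["user"], m["ip"]
        if kind == "Failed":
            if merge(failed, (user, ip), ts) == THRESHOLD:  # alarm once, as the threshold is reached
                alarms.append(("password guessing attack", user, ip, THRESHOLD))
        elif kind == "Invalid":
            if merge(invalid, ip, ts) == THRESHOLD:
                alarms.append(("account guessing attack", user, ip, THRESHOLD))
        else:                                               # "Accepted"
            if not WORK_START <= ts.time() <= WORK_END:
                alarms.append(("non-work hours logon", user, ip, 1))
            if ip not in WORK_LOCATIONS:
                alarms.append(("non-work location logon", user, ip, 1))
            run = failed.pop((user, ip), None)              # a success that closes a guessing run
            if run and run[1] >= THRESHOLD and ts - run[0] <= WINDOW:
                alarms.append(("password guessing attack successful", user, ip, run[1] + 1))
    return alarms
```

Running `analyse(SAMPLE_LOG)` raises one guessing alarm with a merged count of 3, then three alarms for the single successful logon (hours, location, and successful guessing with count 4), then one account guessing alarm; adding 192.168.21.1 to WORK_LOCATIONS removes the location alarm, as in the verification step above.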
From the above, the tool basically meets the log analysis requirements of small and medium-sized companies.