This article describes how to build a safe website with Alibaba Cloud security products DDoS Protection, Web Application Firewall (WAF) and Security Center.
DDoS Protection is a service that provides a set of high-defense IP addresses that act as a protective barrier in front of the origin server, and safeguards network servers against high-volume DDoS attacks. Alibaba Cloud offers two DDoS Protection editions: Anti-DDoS Pro and Anti-DDoS Premium.
Web Application Firewall (WAF)
Alibaba Cloud WAF helps you defend against common web attacks such as SQL injection, cross-site scripting (XSS), web shells, Trojans, and unauthorized access, and filters out high-volume HTTP flood requests. It prevents your web resources from being exposed and helps guarantee the security and availability of your website.
Security Center is a service that provides security event detection, vulnerability scanning, and configuration baseline checks.
Limitations on using DDoS Protection and Web Application Firewall in China
According to the Measures for the Administration of Internet Information Services and the Registration Administration Measures for Non-Commercial Internet Information Services, China mandates a filing system for non-commercial Internet information services and a licensing system for commercial Internet information services. Anyone who has not obtained an ICP registration is prohibited from operating Internet information services. Specifically, all websites that provide services to Mainland China must first obtain an ICP registration. If your website is hosted on an instance deployed within Mainland China, or uses security products such as DDoS Protection or Web Application Firewall (WAF) within Mainland China, you can apply for ICP registration through the Alibaba Cloud ICP Filing system. For more information, see ICP Registration.
Before you begin, make sure of the following:
The following figure illustrates the best practice for building a secure website:
To improve the user experience in Mainland China, Alibaba Cloud recommends that you duplicate your website resources in a China region so that performance is not affected by the GFW. You can also use Alibaba Cloud DNS to ensure that all DNS queries are answered quickly by the server in closest geographic proximity. For more information, see Alibaba Cloud DNS.
| Protection Function | Recommended Setting | Description |
|---|---|---|
| Web Application Protection | | When you find that many legitimate requests are intercepted by mistake in Normal mode, we recommend the Loose mode. When you require stricter protection against path traversal, SQL injection, and command execution attacks, we recommend the Strict mode. |
| Malicious IP Penalty | Status: Enable | An IP address is blocked for 6 minutes if 2 threats from that IP address are detected within 1 minute. |
| HTTP Flood Protection | | When you find that many HTTP flood attacks are not blocked in Normal mode, you can switch to Emergency mode. In Emergency mode, WAF applies strong blocking rules against HTTP flood attacks, but it may also cause many false positives. |
| HTTP ACL Policy | | If your website is not open to the public, you can configure the IP field in an HTTP ACL policy to whitelist specific IP addresses. You can also combine up to three conditions in one rule to fit different business scenarios, such as anti-leech protection or allowing only a specific User-Agent. |
| New intelligent protection engine | Status: Enable | The intelligent protection engine mainly protects against SQL injection and other web attack methods, not HTTP flood attacks. If you have high web attack protection requirements, we recommend that you enable the new intelligent protection engine. |
| Sensitive information leak prevention | | You can set rules that block responses with specific HTTP status codes to avoid leaking sensitive server information. For example, you can set the following protection rule to block HTTP 404 status codes. For specific webpage URLs that may display mobile phone numbers, ID card numbers, and other sensitive information, configure the relevant rules to filter this information or to issue warnings. For example, you can set the following protection rule to filter ID card numbers on the webpage. |
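The Malicious IP Penalty row above states the rule in numbers (2 threats from one IP within 1 minute, then a 6-minute block) but not how such a counter behaves over time. The following is an added example, written for this article and not Alibaba Cloud WAF's own implementation, that models the rule as a sliding-window counter and replays a constructed list of threat events through it. The event format, the assumption that the window is the 60 seconds preceding each event, and that counting restarts after a block expires are this example's choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the recommended Malicious IP Penalty setting:
# 2 threats from one IP within 1 minute -> that IP is blocked for 6 minutes.
THREAT_COUNT = 2
WINDOW = timedelta(minutes=1)
BLOCK_DURATION = timedelta(minutes=6)


class MaliciousIpPenalty:
    """Sliding-window model of the penalty rule (example code, not WAF's own logic)."""

    def __init__(self, threshold=THREAT_COUNT, window=WINDOW, block_for=BLOCK_DURATION):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.hits = defaultdict(deque)   # ip -> timestamps of recent threats
        self.blocked_until = {}          # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_threat(self, ip, now):
        """Record one detected threat; return True if it triggers a new block."""
        recent = self.hits[ip]
        recent.append(now)
        # Drop threats that fall outside the 1-minute window (assumed: window ends at 'now').
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()               # assumed: counting restarts after the block
            return True
        return False


# Constructed sample of threat events as a WAF might log them: (time, client IP, rule hit).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.10", "sqli"),
    ("2024-01-01T10:00:10", "198.51.100.7", "sqli"),
    ("2024-01-01T10:00:30", "203.0.113.10", "xss"),    # 2nd threat within 1 min -> block
    ("2024-01-01T10:01:30", "198.51.100.7", "sqli"),   # earlier hit is 80 s old -> no block
    ("2024-01-01T10:02:00", "203.0.113.10", "sqli"),   # arrives while the IP is blocked
    ("2024-01-01T10:07:00", "203.0.113.10", "sqli"),   # block expired at 10:06:30
]


def replay(events, penalty=None):
    """Replay events in time order and return the decision taken for each one."""
    penalty = penalty or MaliciousIpPenalty()
    decisions = []
    for ts, ip, _rule in sorted(events):
        now = datetime.fromisoformat(ts)
        if penalty.is_blocked(ip, now):
            decisions.append((ts, ip, "dropped: IP is blocked"))
        elif penalty.record_threat(ip, now):
            decisions.append((ts, ip, "threat logged, IP blocked for 6 min"))
        else:
            decisions.append((ts, ip, "threat logged"))
    return decisions


if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(*decision)
```

The replay shows the two outcomes worth checking when you tune this setting: a second hit that lands 80 seconds after the first does not trigger a block, and a request that arrives during the 6-minute block is dropped without being counted again.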
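The HTTP ACL Policy row says a rule may combine up to three conditions to cover cases such as an IP whitelist, anti-leech protection, or allowing only a specific User-Agent. The following added example, written for this article rather than taken from WAF, shows how such a first-match policy evaluates: each rule is an action plus one to three AND-ed conditions over request fields. The operator names, the rule names, the placeholder network 203.0.113.0/24, the hostname www.example.com and the User-Agent string PartnerBot/1.0 are all constructed for the example.

```python
import ipaddress


def _match(operator, actual, expected):
    """Evaluate one condition. Operator names are this example's own, not WAF's."""
    if operator == "prefix":
        return actual.startswith(expected)
    if operator == "equals":
        return actual == expected
    if operator == "not_equals":
        return actual != expected
    if operator == "contains":
        return expected in actual
    if operator == "not_contains":
        return expected not in actual
    if operator in ("in_cidr", "not_in_cidr"):
        # A missing client IP is treated as outside every network.
        inside = bool(actual) and ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
        return inside if operator == "in_cidr" else not inside
    raise ValueError(f"unknown operator {operator!r}")


class AclRule:
    """One HTTP ACL rule: an action plus one to three AND-ed conditions."""

    def __init__(self, name, action, conditions):
        if action not in ("allow", "block"):
            raise ValueError("action must be 'allow' or 'block'")
        if not 1 <= len(conditions) <= 3:
            raise ValueError("a rule combines between one and three conditions")
        self.name, self.action, self.conditions = name, action, conditions

    def matches(self, request):
        return all(_match(op, request.get(field, ""), value)
                   for field, op, value in self.conditions)


def evaluate(rules, request):
    """Rules are checked top to bottom; the first match decides. Default is allow."""
    for rule in rules:
        if rule.matches(request):
            return rule.action, rule.name
    return "allow", "default"


# Constructed policy for a site whose admin console should be reachable only
# from an office network (203.0.113.0/24 is documentation space, used as a placeholder).
SAMPLE_RULES = [
    AclRule("admin-office-only", "block", [
        ("path", "prefix", "/admin"),
        ("client_ip", "not_in_cidr", "203.0.113.0/24"),
    ]),
    AclRule("anti-leech-static", "block", [          # hot-linking from other sites
        ("path", "prefix", "/static/"),
        ("referer", "not_equals", ""),               # direct requests carry no Referer
        ("referer", "not_contains", "www.example.com"),
    ]),
    AclRule("partner-api-ua", "block", [             # only the agreed User-Agent may call it
        ("path", "prefix", "/api/partner/"),
        ("user_agent", "not_equals", "PartnerBot/1.0"),
    ]),
]


if __name__ == "__main__":
    request = {"client_ip": "198.51.100.9", "path": "/admin/users",
               "referer": "", "user_agent": "Mozilla/5.0"}
    print(evaluate(SAMPLE_RULES, request))
```

Two caveats carry over to the real product: rule order matters because the first match wins, and a substring test on the Referer (as in the anti-leech rule) is weaker than matching the Referer host exactly, so prefer an exact host condition where the console offers one.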
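The Sensitive information leak prevention row describes two rule types: blocking responses with a given status code (the example given is 404) and filtering ID card and mobile numbers out of specific pages. The following added example, written for this article and not WAF's implementation, shows what such a response filter does to constructed responses. The regular expressions (18-character PRC resident ID numbers whose last character may be X, and 11-digit mainland mobile numbers), the filtered path prefix, and the choice to answer a blocked 404 with a generic 403 page are all assumptions made for the example.

```python
import re

# Constructed patterns for the two kinds of data the table names: 18-character
# PRC resident ID numbers (last character may be X) and 11-digit mainland mobile numbers.
ID_CARD_RE = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")
MOBILE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")

BLOCKED_STATUS = {404}                      # recommended rule: block HTTP 404 responses
FILTERED_PATH_PREFIXES = ("/profile/",)     # assumed: pages that may render personal data
GENERIC_BLOCK_PAGE = "<html><body>Request blocked</body></html>"   # assumed placeholder page


def mask(value, keep_head, keep_tail):
    """Keep the first and last few characters of a value and star out the rest."""
    hidden = len(value) - keep_head - keep_tail
    return value[:keep_head] + "*" * hidden + value[-keep_tail:]


def filter_response(path, status, body):
    """Return (status, body) as forwarded to the client after leak prevention."""
    if status in BLOCKED_STATUS:
        # Replace the origin's 404 page, which may reveal server software or paths.
        # Assumed behaviour: the client receives a generic 403 page instead.
        return 403, GENERIC_BLOCK_PAGE
    if path.startswith(FILTERED_PATH_PREFIXES):
        # Mask ID numbers first so a masked ID can never be re-read as a mobile number.
        body = ID_CARD_RE.sub(lambda m: mask(m.group(0), 6, 4), body)
        body = MOBILE_RE.sub(lambda m: mask(m.group(0), 3, 4), body)
    return status, body


if __name__ == "__main__":
    # Constructed responses: a profile page with personal data and a verbose 404 page.
    print(filter_response("/profile/42", 200, "ID 110101199003071234, phone 13800138000"))
    print(filter_response("/no/such/page", 404, "<h1>404 Not Found</h1><hr>Apache/2.4"))
```

Note that the filter applies only to the listed path prefixes, so the same number on an unfiltered page passes through unchanged; this mirrors the table's advice to configure the rule for the specific URLs that may display sensitive data.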
The supported check items and their recommended settings are listed below:
| Category | Check items | Recommended Setting |
|---|---|---|
| | | If you run NoSQL services on ECS, select the corresponding database security baseline check. |
| | | Depending on the operating system you run, select the corresponding system security baseline check. |
| | | Depending on the operating system you run, select Linux Weak Password or Windows Account Weak Password. If you run additional services on ECS, select the corresponding weak password baseline checks. |
| | | Alibaba Cloud Security Center currently supports only the Tomcat 7 security baseline check. If you run Tomcat 7 on ECS, select the Apache Tomcat 7 Security Baseline check. |