All Products
Search

This Product

    Web Application Firewall:Configure account security

    Document Center

    Web Application Firewall:Configure account security

    Last Updated:Sep 15, 2023

    Web Application Firewall (WAF) supports the account security feature. The feature allows you to monitor user authentication-related endpoints, such as the endpoints used for registration and logon. The feature also allows you to detect account security events that may threaten user credentials. The events include dictionary attacks, brute-force attacks, spam user registration, weak password sniffing, and SMS flood attacks. This topic describes how to configure an account security rule and view account security reports.

    Prerequisites

    • A WAF instance of the Pro edition or higher is purchased.

    • Your website is added to WAF. For more information, see Tutorial.

    Background information

    Before you enable the account security feature, you must obtain the endpoint information that is required for configurations. The information includes the domain name, the URI to which user credentials are submitted, and the parameters that specify the username and password. Each WAF instance allows you to enable the account security feature for a maximum of three endpoints.

    Add an endpoint

    1. Log on to the WAF console.

    2. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

    3. In the left-side navigation pane, choose Scenario-specific Protection > Account Security.

    4. On the Account Security page, click Add Endpoint.

      If this is the first time you go to the Account Security page, skip this step.

      Note

      Each WAF instance allows you to enable the account security feature for a maximum of three endpoints. If three endpoints are added, Add Endpoint is dimmed.

    5. Configure the parameters and click Save.

      Parameter

      Description

      Endpoint to be Detected

      Select the domain name for which you want to enable the account security feature. Then, enter the URI to which user credentials are submitted.

      Do not enter the URI of the logon page. For example, do not enter /login.html. Instead, enter the URI to which the username and password are submitted.

      Note

      If you have enabled the asset discovery feature of WAF and added the selected domain name to WAF, all the URIs that belong to the domain name are automatically listed. Select a URI from the drop-down list. For more information, see Asset Discovery.

      Request Method

      Select the request method for the endpoint. Valid values: POST, GET, PUT, and DELETE.

      Account Parameter Name

      Enter the username.

      Password Parameter Name

      Enter the password. If passwords are not required to access the endpoint, you do not need to configure this parameter.

      Protective Action

      Select the action to manage requests that compromise account security. Valid values:

      • Report

      • Block

      Configuration examples:

      • Example 1: If the URI of the logon page is /login.do and the body of the POST request is username=Jammy&pwd=123456, set the Account Parameter Name parameter to username and the Password Parameter Name parameter to pwd.

      • Example 2: If the parameters that specify user credentials are included in the URI of a GET request, such as /login.do?username=Jammy&pwd=123456, set the Request Method parameter to GET. Keep other settings the same as those in Example 1.

      • Example 3: If passwords are not required to access the endpoint, such as a registration endpoint, configure the Account Parameter Name parameter. You do not need to configure the Password Parameter Name parameter.

      • Example 4: If a mobile number is required to access the endpoint, enter the mobile number for the account parameter. For example, the URI is /sendsms.do?mobile=1381111****. In this example, set the Endpoint to be Detected parameter to /sendsms.do and the Account Parameter Name parameter to mobile. You do not need to configure the Password Parameter Name parameter.

      After you add the endpoint, WAF automatically dispatches detection tasks. If the network traffic of the endpoint meets the account security rule, account security events are reported within a few hours.

      Note

      After you enable the account security feature, all requests that are destined for your website are checked by using the account security rule. You can configure a whitelist to allow the requests that meet the account security rule to bypass the check. For more information, see Configure a whitelist for Data Security.

    View account security reports

    If you want to view account security reports, find the endpoint on the Account Security page, and click View Report in the Actions column. You can also view account security reports on the Security Report page.

    The following procedure describes how to view account security reports on the Security Report page.

    1. Log on to the WAF console.

    2. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

    3. In the left-side navigation pane, choose Security Operations > Security Report.

    4. On the Web Security tab, click Account Security and select the domain name, URI, and time range for which you want to check account security events. You can select Yesterday, Today, 7 Days, or 30 Days for the time range. Account security

      The following table describes the fields in an account security report.

      Field

      Description

      Endpoint

      The URI for which account security events are detected.

      Domain

      The domain name to which the URI belongs.

      Malicious Requests Occurred During

      The time range during which account security events are detected.

      Blocked Requests

      The number of requests that are blocked based on WAF protection rules during the time range displayed in the Malicious Requests Occurred During field.

      The WAF protection rules refer to the effective rules of different protection modules, such as the Protection Rules Engine, custom protection policy (ACL), HTTP flood protection, and region blacklist. The proportion of blocked requests indicates the account security status of the endpoint.

      Total Requests

      The total number of requests that are sent to the endpoint during the time range displayed in the Malicious Requests Occurred During field.

      Alert Triggered By

      The reason why the alert is triggered. The following list describes the possible reasons:

      • A request fits the behavior model of dictionary attacks or brute-force attacks.

      • The traffic baseline of the endpoint is abnormal during the specified time range.

      • A large number of requests that are sent to the endpoint match the rules that are described in the threat intelligence library during the specified time range.

      • Weak passwords are detected in a large number of requests that are sent to the endpoint during the specified time range. In this case, dictionary attacks and brute-force attacks may occur.

    References

    The account security feature only detects account risks. We recommend that you select suitable solutions based on your business requirements to safeguard your business. For more information, see Account security best practices.