Web Application Firewall (WAF) supports the account security feature. The feature
allows you to monitor user authentication-related endpoints, such as the endpoints
used for registration and logon. The feature also allows you to detect account security
events that may threaten user credentials. The events include dictionary attacks,
brute-force attacks, spam user registration, weak password sniffing, and SMS flood
attacks. This topic describes how to configure an account security rule and view account
security reports.
Background information
Before you enable the account security feature, you must obtain the endpoint information
that is required for configurations. The information includes the domain name, the
URI to which user credentials are submitted, and the parameters that specify the username
and password. Each WAF instance allows you to enable the account security feature
for a maximum of three endpoints.
Add an endpoint
- Log on to the WAF console.
- In the top navigation bar, select the resource group and the region to which the WAF
instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
- In the left-side navigation pane, choose .
- On the Account Security page, click Add Endpoint.
If this is the first time you go to the
Account Security page, skip this step.
Note Each WAF instance allows you to enable the account security feature for a maximum
of three endpoints. If three endpoints are added, Add Endpoint is dimmed.
- Configure the parameters and click Save.

Parameter |
Description |
Endpoint to be Detected |
Select the domain name for which you want to enable the account security feature.
Then, enter the URI to which user credentials are submitted.
Do not enter the URI of the logon page. For example, do not enter /login.html . Instead, enter the URI to which the username and password are submitted.
Note If you have enabled the asset discovery feature of WAF and added the selected domain
name to WAF, all the URIs that belong to the domain name are automatically listed.
Select a URI from the drop-down list. For more information, see Asset Discovery.
|
Request Method |
Select the request method for the endpoint. Valid values: POST, GET, PUT, and DELETE.
|
Account Parameter Name |
Enter the username. |
Password Parameter Name |
Enter the password. If passwords are not required to access the endpoint, you do not
need to configure this parameter.
|
Protective Action |
Select the action to manage requests that compromise account security. Valid values:
|
Configuration examples:
- Example 1: If the URI of the logon page is
/login.do
and the body of the POST request is username=Jammy&pwd=123456
, set the Account Parameter Name parameter to username
and the Password Parameter Name parameter to pwd
.
- Example 2: If the parameters that specify user credentials are included in the URI
of a GET request, such as
/login.do?username=Jammy&pwd=123456
, set the Request Method parameter to GET. Keep other settings the same as those in Example 1.
- Example 3: If passwords are not required to access the endpoint, such as a registration
endpoint, configure the Account Parameter Name parameter. You do not need to configure the Password Parameter Name parameter.
- Example 4: If a mobile number is required to access the endpoint, enter the mobile
number for the account parameter. For example, the URI is
/sendsms.do?mobile=1381111****
. In this example, set the Endpoint to be Detected parameter to /sendsms.do
and the Account Parameter Name parameter to mobile
. You do not need to configure the Password Parameter Name parameter.
After you add the endpoint, WAF automatically dispatches detection tasks. If the network
traffic of the endpoint meets the account security rule, account security events are
reported within a few hours.
Note After you enable the account security feature, all requests that are destined for
your website are checked by using the account security rule. You can configure a whitelist
to allow the requests that meet the account security rule to bypass the check. For
more information, see
Configure a whitelist for Data Security.
View account security reports
If you want to view account security reports, find the endpoint on the Account Security page, and click View Report in the Actions column. You can also view account security reports on the Security Report page.
The following procedure describes how to view account security reports on the Security Report page.
- Log on to the WAF console.
- In the top navigation bar, select the resource group and the region to which the WAF
instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
- In the left-side navigation pane, choose .
- On the Web Security tab, click Account Security and select the domain name, URI, and time range for which you want to check account
security events. You can select Yesterday, Today, 7 Days, or 30 Days for the time range.

The following table describes the fields in an account security report.
Field |
Description |
Endpoint |
The URI for which account security events are detected. |
Domain |
The domain name to which the URI belongs. |
Malicious Requests Occurred During |
The time range during which account security events are detected. |
Blocked Requests |
The number of requests that are blocked based on WAF protection rules during the time
range displayed in the Malicious Requests Occurred During field.
The WAF protection rules refer to the effective rules of different protection modules,
such as the Protection Rules Engine, custom protection policy (ACL), HTTP flood protection,
and region blacklist. The proportion of blocked requests indicates the account security
status of the endpoint.
|
Total Requests |
The total number of requests that are sent to the endpoint during the time range displayed
in the Malicious Requests Occurred During field.
|
Alert Triggered By |
The reason why the alert is triggered. The following list describes the possible reasons:
- A request fits the behavior model of dictionary attacks or brute-force attacks.
- The traffic baseline of the endpoint is abnormal during the specified time range.
- A large number of requests that are sent to the endpoint match the rules that are
described in the threat intelligence library during the specified time range.
- Weak passwords are detected in a large number of requests that are sent to the endpoint
during the specified time range. In this case, dictionary attacks and brute-force
attacks may occur.
|
References
The account security feature only detects account risks. We recommend that you select
suitable solutions based on your business requirements to safeguard your business.
For more information, see Account security best practices.