Web Application Firewall (WAF) supports the account security feature. The feature allows you to monitor user authentication-related endpoints, such as the endpoints used for registration and logon. The feature also allows you to detect account security events that may threaten user credentials. The events include dictionary attacks, brute-force attacks, spam user registration, weak password sniffing, and SMS flood attacks. This topic describes how to configure an account security rule and view account security reports.

Prerequisites

  • A WAF instance of the Pro edition or higher is purchased. For more information, see Purchase a WAF instance.
  • Your website is added to WAF. For more information, see Add a website.

Background information

Before you enable the account security feature, you must obtain the endpoint information that is required for configurations. The information includes the domain name, the URI to which user credentials are submitted, and the parameters that specify the username and password. Each WAF instance allows you to enable the account security feature for a maximum of three endpoints.

Add an endpoint

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Protection Lab > Account Security.
  4. On the Account Security page, click Add Endpoint.
    If this is the first time you go to the Account Security page, skip this step.
    Note Each WAF instance allows you to enable the account security feature for a maximum of three endpoints. If three endpoints are added, Add Endpoint is dimmed.
  5. Configure the parameters and click Save. Add an endpoint
    Parameter Description
    Endpoint to be Detected Select the domain name for which you want to enable the account security feature. Then, enter the URI to which user credentials are submitted.

    Do not enter the URI of the logon page. For example, do not enter /login.html. Instead, enter the URI to which the username and password are submitted.

    Note If you have enabled the asset discovery feature of WAF and added the selected domain name to WAF, all the URIs that belong to the domain name are automatically listed. Select a URI from the drop-down list. For more information, see Asset discovery.
    Request Method Select the request method for the endpoint. Valid values: POST, GET, PUT, and DELETE.
    Account Parameter Name Enter the username.
    Password Parameter Name Enter the password. If passwords are not required to access the endpoint, you do not need to configure this parameter.
    Protective Action Select the action to manage requests that compromise account security. Valid values:
    • Report
    • Block
    Configuration examples:
    • Example 1: If the URI of the logon page is /login.do and the body of the POST request is username=Jammy&pwd=123456, set the Account Parameter Name parameter to username and the Password Parameter Name parameter to pwd.
    • Example 2: If the parameters that specify user credentials are included in the URI of a GET request, such as /login.do?username=Jammy&pwd=123456, set the Request Method parameter to GET. Keep other settings the same as those in Example 1.
    • Example 3: If passwords are not required to access the endpoint, such as a registration endpoint, configure the Account Parameter Name parameter. You do not need to configure the Password Parameter Name parameter.
    • Example 4: If a mobile number is required to access the endpoint, enter the mobile number for the account parameter. For example, the URI is /sendsms.do?mobile=1381111****. In this example, set the Endpoint to be Detected parameter to /sendsms.do and the Account Parameter Name parameter to mobile. You do not need to configure the Password Parameter Name parameter.
    After you add the endpoint, WAF automatically dispatches detection tasks. If the network traffic of the endpoint meets the account security rule, account security events are reported within a few hours.
    Note After you enable the account security feature, all requests that are destined for your website are checked by using the account security rule. You can configure a whitelist to allow the requests that meet the account security rule to bypass the check. For more information, see Configure a whitelist for Data Security.

View account security reports

If you want to view account security reports, find the endpoint on the Account Security page, and click View Report in the Actions column. You can also view account security reports on the Security Report page.

The following procedure describes how to view account security reports on the Security Report page.

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, click Security Report.
  4. On the Web Security tab, click Account Security and select the domain name, URI, and time range for which you want to check account security events. You can select Yesterday, Today, 7 Days, or 30 Days for the time range. Account security

    The following table describes the fields in an account security report.

    Field Description
    Endpoint The URI for which account security events are detected.
    Domain The domain name to which the URI belongs.
    Malicious Requests Occurred During The time range during which account security events are detected.
    Blocked Requests The number of requests that are blocked based on WAF protection rules during the time range displayed in the Malicious Requests Occurred During field.

    The WAF protection rules refer to the effective rules of different protection modules, such as the Protection Rules Engine, custom protection policy (ACL), HTTP flood protection, and region blacklist. The proportion of blocked requests indicates the account security status of the endpoint.

    Total Requests The total number of requests that are sent to the endpoint during the time range displayed in the Malicious Requests Occurred During field.
    Alert Triggered By The reason why the alert is triggered. The following list describes the possible reasons:
    • A request fits the behavior model of dictionary attacks or brute-force attacks.
    • The traffic baseline of the endpoint is abnormal during the specified time range.
    • A large number of requests that are sent to the endpoint match the rules that are described in the threat intelligence library during the specified time range.
    • Weak passwords are detected in a large number of requests that are sent to the endpoint during the specified time range. In this case, dictionary attacks and brute-force attacks may occur.

References

The account security feature only detects account risks. We recommend that you select suitable solutions based on your business requirements to safeguard your business. For more information, see Account security best practices.