Do you use any firewall or WAF to protect your billing system and client sites?… | Read the rest of https://www.webhostingtalk.com/showthread.php?t=1845838&goto=newpost
I’m aware of Cloudflare, Comodo cWatch and others which are more c… | Read the rest of https://www.webhostingtalk.com/showthread.php?t=1845448&goto=newpost
I have to implement AWS WAFv2 on my CloudFront applications. I have been looking into the AWS managed/free rulesets, and I want to understand what kind of custom rulesets I should implement or are generally used as best practice (e.g. an 8 KB ruleset and blocking request methods like OPTIONS, DELETE, PUT).
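An added example (not from the thread) of the two custom rules the post mentions, written as AWS WAFv2 rule JSON in the shape the console's JSON rule editor accepts; the rule and metric names are assumed, and the 8 KB threshold is the post's figure expressed in bytes.

```json
{
  "Rules": [
    {
      "Name": "block-unused-methods",
      "Priority": 0,
      "Action": { "Block": {} },
      "Statement": {
        "OrStatement": {
          "Statements": [
            { "ByteMatchStatement": { "FieldToMatch": { "Method": {} }, "PositionalConstraint": "EXACTLY",
                "SearchString": "OPTIONS", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } },
            { "ByteMatchStatement": { "FieldToMatch": { "Method": {} }, "PositionalConstraint": "EXACTLY",
                "SearchString": "DELETE", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } },
            { "ByteMatchStatement": { "FieldToMatch": { "Method": {} }, "PositionalConstraint": "EXACTLY",
                "SearchString": "PUT", "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ] } }
          ]
        }
      },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "blockUnusedMethods" }
    },
    {
      "Name": "block-bodies-over-8kb",
      "Priority": 1,
      "Action": { "Block": {} },
      "Statement": {
        "SizeConstraintStatement": {
          "FieldToMatch": { "Body": {} },
          "ComparisonOperator": "GT",
          "Size": 8192,
          "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
        }
      },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "blockBodiesOver8kb" }
    }
  ]
}
```

Roll both rules out with `"Count": {}` in place of `"Block": {}` first and review the sampled requests, because blocking OPTIONS breaks CORS preflight for any cross-origin clients. The size rule only evaluates the part of the body WAF inspects, which for CloudFront distributions is the first 16 KB by default.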
Yes. A firewall appliance (or a firewall application) will be able to distinguish between HTTP and HTTPS requests and, in the case of HTTP requests, will be able to view all the data being transmitted (not just the domain and IP). It can then block or modify any data going through.
You can also do this with HTTPS requests if you have a firewall that supports TLS interception, but then you’ll need to install the firewall appliance’s root certificate into your browser for it to trust it.
At the moment, our application servers are directly accessible on the internet, as the following picture shows.
one server who takes it all
With this in mind, it would be awful if a server crashes (hardware failure) or stops doing its work somehow.
To prevent this, I would like to split my application server and put a load balancer in front of it, as the next picture shows. A separate server for the database appears here; this is not part of the question, just a note that the database will be moved out of the APS, too.
load balancer and more AP-servers
While the WAF (ModSecurity for Apache) runs on the application servers at the moment, would you put the WAF on the load balancer in the new configuration? I thought about using NGINX as a proxy/load balancer for it. Or should I leave it on the APS? I am also not sure whether it makes any difference if TLS termination is done by the APSs or on the load balancer.
Our concerns are most about security, availability and of course performance.
Thank you 🙂
I have Layer 3 DDoS protection, but I want to upgrade it to Layer 7 DDoS protection. But when I read about Layer 7 DDoS attacks, I see that they are usually HTTP/HTTPS-based attacks. I have two questions:
While doing web application pen-testing, I found a Boolean SQL injection vulnerability and confirmed it via:
?id=22 AND 1=1 --+ ?id=22 AND 1=11 --+
But when I try to extract database names, I find that the WAF blocks my request whenever I put () in the request.
So is there anything I can do to bypass this WAF?
I am considering increasing security on my website and want to know if anyone has experience with Comodo cWatch o… | Read the rest of https://www.webhostingtalk.com/showthread.php?t=1831769&goto=newpost
I am searching for evaluated WAF rules that check the OWASP Top 10 and more, to have decent protection for a web infrastructure.