How to prevent DOS attacks in AEM ?

-

Prevent Denial of Service (DoS) Attacks : AEM 


A denial of service (DoS) attack is an attempt to make a computer resource unavailable to its intended users.

You can get more information on DDoS prevention in Apache

At the dispatcher level, there are two methods of configuring to prevent DoS attacks:

  • Use the mod_rewrite module (for example, Apache 2.4) to perform URL validations (if the URL pattern rules are not too complex).
  • Prevent the dispatcher from caching URLs with spurious extensions by using filtersFor example, change the caching rules to limit caching to the expected mime types, such as
.html
.jpeg
.gif
.swf
.js
.doc
.pdf
.ppt
.... as per your project requirement.
    An example configuration file is given below,  for this includes restrictions for mime types.

        When configuring Dispatcher you should restrict external access as much as possible. The     following example provides example for the minimal access for external visitors, you can refer the default file. 

    /filter
      {
      # Deny everything first and then allow specific entries
      /0001 { /type "deny" /glob "*" }

       # Enable extensions in non-public content directories, 
       #using a regular expression
      /0041
        {
        /type "allow"
        /extension '(css|gif|ico|js|png|swf|jpe?g)'
        }

      # Enable features # enable personalization
      /0062 { /type "allow" /url "/libs/cq/personalization/*"  }  

      # Deny content grabbing, on all accessible pages, using regular expressions
      /0081
        {
        /type "deny"
        /selectors '((sys|doc)view|query|[0-9-]+)'
        /extension '(json|xml)'
        }
      # Deny content grabbing for /content and its subtree
      /0082
        {
        /type "deny"
        /path "/content/*"
        /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)'
        /extension '(json|xml|html)'
        }

    # allow one-level json requests
#     /0087 { /type "allow" /method "GET" /extension 'json' "*.1.json" } 
}

      To safely enable full functionality on the publish instances, configure filters to prevent access to the following nodes:

      • /etc/
      • /libs/

      Then, configure filters to allow access to the following node paths:

      • /etc/designs/*

      • /etc/clientlibs/*

      • /etc/segmentation.segment.js

      • /libs/cq/personalization/components/clickstreamcloud/content/config.json

      • /libs/wcm/stats/tracker.js

      • /libs/cq/personalization/* (JS, CSS and JSON)

      • /libs/cq/security/userinfo.json (CQ user information)

      • /libs/granite/security/currentuser.json (data must not be cached)

      • /libs/cq/i18n/* (Internalization)

    Once you are done with these configuration, Make sure you have proper logging configured to understand and debug the DDoS attack in your system. 
     
     
     

    Comments

    1. Mary JamesJune 18, 2022 at 5:35 AM

      I read the above article and I got some knowledge from your article. It's actually great and useful data for us. Thanks for share it.Hire A Cell Phone Hacker

      ReplyDelete

    Post a Comment

    Popular Posts

    How to Increase Apache Request Per Second ?

    -
    Image
    How to Increase Apache Request Per Second ? By default, Apache web server is configured to support 160 requests per second. As your website traffic increases, Apache will start dropping additional requests and this will spoil customer experience.  Here’s how to increase Apache requests per second. 1. Install MPM module We need to install MPM Apache module to be able to increase Apache requests per second. You can use mpm_worker or mpm_event module for this, instead of mpm_prefork module which consumes a lot of memory. You can easily install MPM module in Apache with following command For CentOS7/RHEL7 : Adjust /etc/httpd/conf.modules.d/00-mpm.conf Comment the line LoadModule mpm_prefork_module modules/mod_mpm_prefork.so by adding # in front of it. Uncomment the line LoadModule mpm_worker_module modules/mod_mpm_worker.so by removing # in front of it. For Ubuntu/Debian :  Use a2dismod / a2enmod to disable mpm_prefork and enable mpm_worker 2. Increase Max Connections in Apach...
    Read more

    how to clear dispatcher cache in aem ?

    -
    Image
    How to clear dispatcher cache in aem ? As you may know, the Dispatcher cache in Adobe Experience Manager (AEM) is used to improve the performance of your website by caching static resources and pages. However, sometimes you may need to clear the cache to ensure that the latest content and changes are displayed on your website. In this blog post, we'll show you how to clear the Dispatcher cache in AEM.   This method will clear the entire Dispatcher cache, including all cached pages and resources. Keep in mind that clearing the cache may affect the performance of your website, as it may take some time to rebuild the cache. Clear Cache using the Dispatcher Flush Agent You can use the Dispatcher Flush Agent. Follow these steps:   Log in to your AEM instance and navigate to http://localhost:4502/etc/replication/agents.author.html . Click on the "Dispatcher Flush" agent to open the agent's configuration page. Clic...
    Read more

    Configure/Decoding AEM AuditLogs

    -
    Image
    AEM Developers, Infrastructure Engineers / Dev-ops teams working in the financial domain regularly come across a challenge for event auditing in AEM. This helps in identifying most of the activities happening in AEM. Audit logs are a very effective way to debug the content issue & to know what all is happening in your environment and by whom. This article addresses in a simple way on how to enable the audit logs, its different ways, and how to understand the audit logs.  This article covers the following - How can we enable Audit logs in AEM. How can we read and understand the Audit logs/ tools to use it. Audit log on file system in crx-quickstart/logs folder.   Audit logs for User creation / Modification. How can you archive/purge the audit logs. How can we enable Audit logs in AEM?            By Default, the Audit logs are pre-configured in AEM, for a few basic operations of DAM and for all other operations of Pages ...
    Read more

    How to Configure CSP header in AEM , Dispatcher ?

    -
    Image
    How to Configure CSP header in AEM ? Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS) and other code injection attacks by restricting the sources from which a page can load resources. To implement a CSP header in an Apache web server, you can use the Header directive in your Apache configuration. Here are the steps to implement a CSP header in Apache: Determine your CSP policy: First, you need to determine your CSP policy. This policy defines the rules for what types of content can be loaded from which sources. You can use a CSP policy generator like the one available on the Mozilla Developer Network (MDN) website to generate a policy that meets your needs. Add the CSP header to your Apache configuration: Once you have your CSP policy, you can add the CSP header to your Apache configuration. To do this, open your Apache configuration file (usually located at /etc/httpd/conf/httpd.conf or a similar location depending on your setup) and ...
    Read more

    How to protect AEM against CSRF Attack ?

    -
    Image
    How to protect AEM against CSRF Attack ? Adobe Experience Manager (AEM) is a popular content management system that is widely used to develop and manage websites, mobile apps, and other digital experiences. However, like any other web application, AEM is vulnerable to cross-site request forgery (CSRF) attacks. CSRF attacks are malicious attacks where an attacker tricks a user into performing an action they did not intend to perform by exploiting the user's active session on a website. In this blog, we will discuss some measures that can be taken to protect AEM from CSRF attacks.   Implement CSRF protection in AEM:   The first and most important step to protect AEM from CSRF attacks is to implement CSRF protection in the application. AEM provides a built-in CSRF protection mechanism that can be enabled by setting the "sling.filter.methods" property in the OSGi configuration. This property specifies which HTTP methods are allowed to execute without requiring a CSRF ...
    Read more

    How to prevent DDoS in Apache ?

    -
    Image
    Prevent DDoS in Apache & IP Block Automation DDoS (Distributed Denial of Service) attacks are a type of cyberattack that can cause serious damage to your web server. These attacks involve flooding your server with a huge volume of traffic, overwhelming its resources and causing it to crash. In this blog post, we'll discuss how to prevent DDoS attacks in Apache, without using any third part tool/application.     Available Options to Prevent DDoS : You can use various mentioned methods to achieve the same. But using WAF, CDN, etc will cost extra dollars. Which might not be necessary for a small scale application.   Use a Web Application Firewall (WAF): A WAF can help detect and block malicious traffic before it reaches your Apache server. It can also help block common attack vectors, such as SQL injection and cross-site scripting (XSS). Install mod_evasive: mod_evasive is an Apache module that helps detect and block DDoS attac...
    Read more

    Security best Practice in AEM

    -
    Image
     Adobe Experience Manager (AEM) is a popular content management system that is widely used by businesses to manage and publish digital content. With the increasing amount of sensitive data being stored and shared online, it's important for AEM users to be aware of the security features that the platform offers. In this blog, we'll discuss some of the key security features of AEM and provide tips for keeping your AEM instance secure. Authentication and Authorization AEM provides several options for authentication and authorization. Users can log in using their credentials, which can be verified using LDAP or other external identity providers. Once authenticated, users are assigned roles and permissions, which determine what actions they can perform within AEM. To keep your AEM instance secure, it's important to ensure that users only have the permissions they need to perform their jobs. For example, if a user doesn't need to publish content, they should not be given perm...
    Read more

    Difference between Adobe AEM Enterprise vs Adobe AEM as a Cloud Service

    -
    Image
    Difference between Adobe AEM Enterprise VS Adobe AEM as a Cloud Service. ( AEMaaCS) Adobe Manages Services Enterprise (AMS) and AEM as a Cloud Service (AEMaaCS) are two different offering by Adobe for AEM.   While AMS is more of a hosting offers for AEM (similar to on-premise setups but run managed by Adobe), While AEMaaCS is a SaaS offering.    In AMS you can have access of your servers , can login and check the required files by your self & will have a dedicated Customer Success Engineer, while in AEMaaCS is completely SAS and you won’t have any access of servers , for everything you need Cloud manager.   Below are the Major difference between AMS Enterprise and AEMaaCS. Please note these difference are as of March 2023. Post this things may differ.  The following article can be referred for AEMaaCS details  AEM as a Cloud Service
    Read more

    How Does S3 works with AEM ?

    -
    Image
    How Does S3 works with AEM  ? Accommodating a huge amount of assets in any content management platform is challenging. Adobe Experience Manager offers an integration with the Amazon S3 storage solution, allowing binary data for images, documents and videos to be stored in an S3 bucket. Amazon S3 is highly performant and offers nearly infinite storage capacity.   When talking about terabyte storage, performance is everything. The choices made during the planning and architecting phase can literally make or break the performance of a CMS system and the websites running on it.  Adobe Experience Manager offers a number of storage methods, each offering a different way of storing data. Each of these options has its strengths and weaknesses. In AEM storage the mechanisms are called Micro Kernels, or MK for short.  In this article we will look at the AEM with S3 data store. For the detailed steps for S3 configuration you can refer -  https://www.aemrules.com/...
    Read more

    OakAccess0000: Access denied

    -
    Image
    ERROR :-   OakAccess0000: Access denied We often observe while doing the AEM development or in live running environment we get the error code  OakAccess0000 , while running a workflow or any asset upload.  This impact the business as content author are unable to upload any content.  Error stack trace :- Javax.jcr.AccessDeniedException: OakAccess0000: Access denied  at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:232) [org.apache.jackrabbit.oak-api:1.10.6]  at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:213) [org.apache.jackrabbit.oak-api:1.10.6]  at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:669) [org.apache.jackrabbit.oak-jcr:1.10.6]  at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:495) [org.apache.jackrabbit.oak-jcr:1.10.6]  at org.ap...
    Read more