How to prevent DOS attacks in AEM ?

-

Prevent Denial of Service (DoS) Attacks : AEM 


A denial of service (DoS) attack is an attempt to make a computer resource unavailable to its intended users.

At the dispatcher level, there are two methods of configuring to prevent DoS attacks:

  • Use the mod_rewrite module (for example, Apache 2.4) to perform URL validations (if the URL pattern rules are not too complex).
  • Prevent the dispatcher from caching URLs with spurious extensions by using filtersFor example, change the caching rules to limit caching to the expected mime types, such as
.html
.jpeg
.gif
.swf
.js
.doc
.pdf
.ppt
.... as per your project requirement.
    An example configuration file is given below,  for this includes restrictions for mime types.

        When configuring Dispatcher you should restrict external access as much as possible. The     following example provides example for the minimal access for external visitors, you can refer the default file. 

    /filter
          {
          # Deny everything first and then allow specific entries
          /0001 { /type "deny" /glob "*" }

           # Enable extensions in non-public content directories, 
           #using a regular expression
          /0041
            {
            /type "allow"
            /extension '(css|gif|ico|js|png|swf|jpe?g)'
            }

          # Enable features # enable personalization
          /0062 { /type "allow" /url "/libs/cq/personalization/*"  }  

          # Deny content grabbing, on all accessible pages, using regular expressions
          /0081
            {
            /type "deny"
            /selectors '((sys|doc)view|query|[0-9-]+)'
            /extension '(json|xml)'
            }
          # Deny content grabbing for /content and its subtree
          /0082
            {
            /type "deny"
            /path "/content/*"
            /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)'
            /extension '(json|xml|html)'
            }

    # allow one-level json requests
    #     /0087 { /type "allow" /method "GET" /extension 'json' "*.1.json" } 
    }

      To safely enable full functionality on the publish instances, configure filters to prevent access to the following nodes:

      • /etc/
      • /libs/

      Then, configure filters to allow access to the following node paths:

      • /etc/designs/*

      • /etc/clientlibs/*

      • /etc/segmentation.segment.js

      • /libs/cq/personalization/components/clickstreamcloud/content/config.json

      • /libs/wcm/stats/tracker.js

      • /libs/cq/personalization/* (JS, CSS and JSON)

      • /libs/cq/security/userinfo.json (CQ user information)

      • /libs/granite/security/currentuser.json (data must not be cached)

      • /libs/cq/i18n/* (Internalization)

    Once you are done with these configuration, Make sure you have proper logging configured to understand and debug the DDoS attack in your system. 


     

    Comments

    Post a Comment

    Popular Posts

    AEM Security Headers

    -
    Image
    Added Security in AEM via Headers:-  In design a robust architecture AEM Architects, Developers, Infrastructure Engineers regularly come across a challenge for adding the additional security in AEM.  In this article, we will understand the key security headers which can be used in webserver and give an additional layer of security for your Publish server and content.  I have used Apache webserver for all the examples.  This article covers -  1 - X-XSS protection  2 - HTTP Strick Transport Security 3 - X-Frame Option  4 - Content Security  1- X-XSS Protection:-  X-XSS-Protection header can prevent some level of XSS (cross-site-scripting ) attacks.  Configure the x-xss-protection header to 1 in your apache httpd.conf file or Vhost file if you have for all domains as applicable.   <IfModule mod_headers.c>   <FilesMatch "\.(htm|html)$">                         #Force XSS (should be on by default in most browsers anyway)                         Header always set X-XSS-
    Read more

    Managing AEM Repository Size Growth ?

    -
    Image
     Managing AEM Repository Size Growth Managing your AEM repository size growth can be challenging for numerous reasons. What’s more, it may suddenly start to grow unexpectedly and fill up space in the assigned drive of your AEM application. In this post, I want to share a few AEM utilities & methods which can help you to not only manage the AEM repository size but also help to improve the AEM application performance. 1: Tar Compaction (also known as Revision Cleanup) By running the regular tar compaction, you can not only control the AEM repository size growth, but it will also help improve the AEM application performance. Tar compaction reclaims the disk space by removing the obsolete/redundant data from your AEM application. You can use both online and offline compaction. You can schedule online Tar compaction during weekdays after business hours & offline compaction on weekends (Non-business hours or during your designated Maintenance Window). 2: Garbage Collection By running
    Read more

    AEM ACL and how they are evaluated

    -
    Image
    ACL's and how they are evaluated ? AEM Developers, Infrastructure Engineers / Dev-ops teams working in any domain regularly come across a challenge for understanding the ACL & its evaluation mechanism.  Adobe Experience Manager is designed to cater for content authoring of multiple sites by multiple content authors. Naturally, this process needs to be controlled by strict Access Control Lists (ACLs) to manage. AEM WCM uses Access Control Lists (ACLs) to organise the permissions being applied to the various pages. This article addresses in a simple way on how to understand the ACL's , its different ways,  This article covers the following - How can we read and understand the ACL.  Evaluation of user permissions.  Concurrent Permission on ACL Access Control Lists are made up of the individual permissions and are used to determine the order in which these permissions are actually applied. The list is formed according to the hierarchy of the pages under consideration. How can w
    Read more

    How to Increase Apache Request Per Second ?

    -
    Image
    How to Increase Apache Request Per Second ? By default, Apache web server is configured to support 160 requests per second. As your website traffic increases, Apache will start dropping additional requests and this will spoil customer experience.  Here’s how to increase Apache requests per second. 1. Install MPM module We need to install MPM Apache module to be able to increase Apache requests per second. You can use mpm_worker or mpm_event module for this, instead of mpm_prefork module which consumes a lot of memory. You can easily install MPM module in Apache with following command For CentOS7/RHEL7 : Adjust /etc/httpd/conf.modules.d/00-mpm.conf Comment the line LoadModule mpm_prefork_module modules/mod_mpm_prefork.so by adding # in front of it. Uncomment the line LoadModule mpm_worker_module modules/mod_mpm_worker.so by removing # in front of it. For Ubuntu/Debian :  Use a2dismod / a2enmod to disable mpm_prefork and enable mpm_worker 2. Increase Max Connections in Apache Open MP
    Read more

    Dispatcher flush from AEM UI

    -
    Image
    How to Delete Dispatcher cache without logging into the Dispatcher servers? Our Authoring team faces day to day challenges while deleting/flush the dispatcher cache. when the changes are not visible on server. They have to be depended on the IT operations/Dev ops teams to do the same. Which some time get very much time consuming for a small work.  In this article we will see it can be configure and used by Author UI itself.  This will allow  AEM authors (or “super authors”) to flush parts of the dispatcher cache manually without the involvement of IT Operations. How to Use 1. Log in to AEM Author 2. Download the ACS commons tool from  ACS Commons Official page 3. Install the downloaded package via aem package manager.   4. Make sure you create the dispatcher flush agents on Author for all Dispatchers. from http://<<host:port>>/miscadmin#/etc/replication/agents.author, check the NOTE's part at the end of page. 5. Navigate to Tools 6. Under the acs-commmons/dispatcher-flu
    Read more

    How Does S3 works with AEM ?

    -
    Image
    How Does S3 works with AEM  ? Accommodating a huge amount of assets in any content management platform is challenging. Adobe Experience Manager offers an integration with the Amazon S3 storage solution, allowing binary data for images, documents and videos to be stored in an S3 bucket. Amazon S3 is highly performant and offers nearly infinite storage capacity.   When talking about terabyte storage, performance is everything. The choices made during the planning and architecting phase can literally make or break the performance of a CMS system and the websites running on it.  Adobe Experience Manager offers a number of storage methods, each offering a different way of storing data. Each of these options has its strengths and weaknesses. In AEM storage the mechanisms are called Micro Kernels, or MK for short.  In this article we will look at the AEM with S3 data store. For the detailed steps for S3 configuration you can refer -  https://www.aemrules.com/2022/05/how-to-configure-s3-in-aem
    Read more

    How to Sync HMAC in AEM ?

    -
    Image
    Crypto Support in AEM (Syncing HMAC among AEM instances) AEM OOTB provides a feature where we can encrypt the secured and confidential data through OOTB AEM Crypto Support and store it in a code repository in the form of OSGi configuration. Crypto Support is based on keys (hmac and master files) which are unique for each AEM instance. Encrypted text generated for the same plain-text string on one AEM instance will be different from another instance. This can raise alarms in cases where we have the same OSGi configuration values shared among Author and Publish instances under the same topology. For e.g. /apps/project/config.prod/com.day.cq.db.dbservice.xml Here DB password for Default DB Service will be same across all Prod AEM instances. So, in order to make sure that the same encrypted value works on all Prod instances, we will have to sync hmac and master files among Prod Author and Publish instances. Vital Points to know before HMAC SYNC  Sync of HMAC/keys will break the AEM SSL and
    Read more

    Build is failing due to CHECKSUM issue.

    -
    Image
     Maven build is failing due to CHECKSUM issue.  AEM Developers, Infrastructure Engineers regularly come across a challenge on building the AEM code & dispatcher module use to get failed while mvn build. The article addresses in a simple way on how to understand the mechanisms of dispatcher module build, and gives a detailed explanation of how it can be resolved.  This is useful for  building the code for a deployment via Pipeline either it is Adobe Cloud manager or Jenkins, you can see this error while your local build itself.  This error is caused, as the dispatcher owner does not not want you to change/modify few of its default files which are marked as immutable in dispatcher server.  You can find full list of immutable files on of dispatcher provided by Adobe.  https://helpx.adobe.com/experience-manager/kb/ams-dispatcher-manual/immutable-files.html Issue :- In AEM while doing the deployment it is being seen , user get the exception , Maven mandatory check failed.  [main] [ERR
    Read more

    How to configure s3 in AEM ?

    -
    Image
    How to Configure S3 in AEM  Configuring s3 data stores in AEM 6 In Adobe Experience Manager (AEM), binary data can be stored independently from the content nodes. The binary data is stored in a data store, whereas content nodes are stored in a node store. Both data stores and node stores can be configured using OSGi configuration. Each OSGi configuration is referenced using a persistent identifier (PID). In this article we learn the detailed steps for configuration S3 data store in AEM.  You can get the architectural level understand of S3 with AEM from article -  https://www.aemrules.com/2021/06/how-does-s3-works-with-aem.html   Amazon S3 Data Store AEM can be configured to store data in Amazon’s Simple Storage Service (S3). It uses the org.apache.jackrabbit.oak.plugins.blob.datastore.S3DataStore.config PID for configuration.   In order to enable the S3 data store functionality, a feature pack containing the S3 Datastore Connector needs to be downloaded and installed.  Go to the Adob
    Read more

    Upgrading the AEM dispatcher module

    -
    Image
    Upgrading the dispatcher module in AEM Often the AEM dev-ops team faces the challenge on Dispatcher upgradation. It is not clear anywhere how to do it and what precautions one should take while doing the same.  In this article we will cover these steps,  Upgrading the Dispatcher Module : Step 1 -  Download the required dispatcher module version from the  Adobe dispatcher download page  ,  Make sure you download the dispatcher version module as per the OS. https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/getting-started/release-notes.html?lang=en Step 2 -  Extract the dispatcher module at some location on server or local machine.                      tar -xvzf <dispatcher-xxxxxxxx.tar.gz> (linux)  Step 3 -  Copy the extracted dispatcher-xxxxxxxxxx.so file to the module folder of the server.                          Module folder location can vary based on OS, Installation Type. hence please make sure you find the correct module folder.  Step 4 - Set the
    Read more