FortiWeb
jintrah_FTNT
Staff
Article Id 194345

Description

This article describes an example of configuring the Anti-Defacement feature, which examines a website's files for changes at specific time intervals. If it detects a change that could indicate a defacement attack, the FortiWeb appliance can send a notification and react quickly by automatically restoring the website contents to the previous backup.


Scope

FortiWeb 5.2 and later.


Solution

To configure anti-defacement:


1) Go to Web Protection -> Web Anti-Defacement -> Anti Defacement.

2) Select 'Create New'. Alternatively, select an entry to view its contents, then select the Edit button. A dialogue appears.

3) Configure the following:

Web Site Name: Type a name for the website. This name is not used when monitoring the website. It does not need to be the web site's FQDN or virtual hostname.

Description: Enter a comment, up to 63 characters long. This field is optional.

Enable Monitor: Enable to monitor the website's files for changes, and to download backup revisions that can be used to revert the website to its previous revision if the FortiWeb appliance detects a change attempt. Note: While intentionally modifying the website, turn off this option and Restore Changed Files Automatically. Otherwise, the FortiWeb appliance will detect the changes as a defacement attempt and undo them.

Hostname/IP Address: This is used when connecting by SSH or FTP to the website to monitor its contents and download backup revisions. It can therefore be different from the real or virtual web hostname that may appear in the Host: field of HTTP headers.

Connection Type: Select which protocol (FTP, SSH or Windows Share) to use when connecting to the web site in order to monitor its contents and download web site backups.

FTP/SSH Port: Enter the TCP port number on which the website's real server listens.

Folder of Web Site: Type the path to the website's folder, such as public_html, on the real server. The path is relative to the initial location (typically the home/root directory) when logging in with the username that was specified in User Name.

User Name: Enter the user name, such as 'FortiWeb', that the FortiWeb appliance will use to log in to the website's real server.

Password: Enter the password for the user name entered in User Name.

Alert Email Address: Select an existing email policy that contains one or more recipient email addresses (MAIL TO:) to which the FortiWeb appliance will send an email when it detects that the website has changed.

Monitor Interval for Root Folder: Can be left at the default value.

Monitor Interval for Other Folder: Can be left at the default value.

Maximum Depth of Monitored Folders: Can be left at the default value.

Skip Files Larger Than: Files exceeding this size will not be backed up. The default file size limit is 10240 KB. Note: Backing up large files can impact performance.

Skip Files With These Extensions: Enter file extensions (e.g. iso, avi) to exclude from the website backup.

Restore Changed Files Automatically: Enable to automatically restore the web site to the previous revision number when it detects that the web site has been changed.

Acknowledge Changed File Automatically: Enable to automatically accept changes to the website when FortiWeb detects that the website has been changed.
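
The monitoring settings above can be read as a baseline-and-compare loop. The following Python sketch is an added example, not FortiWeb code and not a description of its internals: the function names, the SHA-256 comparison and the constructed sample site are assumptions. It models Skip Files Larger Than, Skip Files With These Extensions and Restore Changed Files Automatically, and shows that in this model a file excluded from the backup is neither reported nor restorable.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def eligible(root, max_kb=10240, skip_ext=("iso", "avi")):
    """Relative paths the model backs up (defaults mirror the page's values)."""
    return [p.relative_to(root).as_posix() for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lstrip(".").lower() not in skip_ext
            and p.stat().st_size <= max_kb * 1024]

def snapshot(root, backup):
    """Back up every eligible file and return the baseline {path: sha256}."""
    baseline = {}
    for rel in eligible(root):
        dst = Path(backup, rel)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(root, rel), dst)
        baseline[rel] = digest(dst)
    return baseline

def check(root, backup, baseline, restore=False):
    """Report changes against the baseline; with restore=True, revert them."""
    changes = {}
    for rel in sorted(set(baseline) | set(eligible(root))):
        live = Path(root, rel)
        if rel not in baseline:
            changes[rel] = "added"
        elif not live.is_file():
            changes[rel] = "deleted"
        elif digest(live) != baseline[rel]:
            changes[rel] = "modified"
    for rel, kind in (changes.items() if restore else ()):
        if kind != "added":  # model only reverts files that have a backup copy
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(backup, rel), Path(root, rel))
    return changes

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample site
        site, backup = Path(tmp, "public_html"), Path(tmp, "backup")
        site.mkdir()
        (site / "index.html").write_text("<h1>Welcome</h1>")
        (site / "intro.avi").write_bytes(b"original video")
        baseline = snapshot(site, backup)
        (site / "index.html").write_text("<h1>changed</h1>")
        (site / "intro.avi").write_bytes(b"changed video")
        found = check(site, backup, baseline, restore=True)
        return found, (site / "index.html").read_text(), (site / "intro.avi").read_bytes()
```

Calling demo() reports only index.html as modified and reverts it, while the changed intro.avi stays as it is because it was never backed up.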


The Monitor icon indicates whether anti-defacement is currently enabled for the website(s).

- Green icon: Anti-defacement is enabled.
- Flashing yellow-to-red icon: Anti-defacement is OFF because the Enable Monitor option is disabled. 
