Introduction

Defacement is a common practice among freedom fighters who want to manifest their statement or gain +10 to respect. In most cases, it's not dangerous, but your PR might suffer.

Example: fbi.com hacked

Since you have installed a FortiWeb to protect your web application, let's use it to protect your web page from defacement attacks and any other file modifications on the server. It will also prevent the attacker from uploading a reverse shell file.

I assume you have basic knowledge of how to work with FortiWeb, so we'll focus on the specific Anti-Defacement features and I'll skip the part in which you create a VIP, server policy, etc.

NOTE: An explanation of each checkbox can be found in the FortiWeb Admin Guide. In my lab, I run FortiWeb v6.2.3, so if you are on a different branch, the configuration might differ slightly.

Configuration description

First of all, you have to understand that Anti-Defacement is configured for each backend (real) server, not for the virtual server. So if you have 3 servers in the load-balancing pool, you have to create 3 Anti-Defacement entries; otherwise, your implementation won't be effective. So let's create the first entry:

Anti-Defacement settings

Let's examine the most important fields:

  • Web Site Name - a local name, can be anything. A good practice is to use the server hostname
  • Enable Monitor - basically the enable / disable switch for monitoring
  • Hostname/IP Address - backend server address
  • FTP/SSH Port - I run an Ubuntu server with OpenSSH, so SSH is the natural choice
  • Folder of Web Site - location of the site on the server. I run a default Apache2, so the website is located under /var/www/html
  • Username and Password - make sure that you use credentials which have RW access to the web site folder
  • Alert Email Policy - not configured in my lab, but I highly recommend it in production. If someone replaces or modifies files, intentionally or by mistake, you want to know about it
  • Monitor Intervals - I adjusted these values for lab purposes; in production you should use larger values to avoid constantly scanning hundreds of files
  • Restore Changed File Automatically - with this enabled, no attack or website update will succeed
  • Acknowledge Changed File Automatically - with this enabled, all new files and changes are automatically "committed"

NOTE: Now you should repeat the above configuration for all servers in the pool. I'll skip that part to keep this article short.

Different scenarios

Based on the above, there are 4 different sets of settings that control how Anti-Defacement will act when changes are detected.

Case #1

  • Enable Monitor - ON
  • Restore Changed File Automatically - OFF
  • Acknowledge Changed File Automatically - OFF

FortiWeb tracks all changes and alerts you. Let's see what happens when I create a file in the monitored directory:

An Event Log entry is created:

v009xxxxdate=2020-03-22 time=16:29:19 log_id=11003601 msg_id=000000004203 device_id=FVVM00UNLICENSED vd="root" timezone="(GMT+1:00)Sarajevo,Skopje,Sofija,Warsaw,Zagreb" timezone_dayst="GMTe-1" type=event subtype="system" pri=warning trigger_policy="" user=daemon ui=daemon action=monitor status=failure msg="Unfamiliar file found on site [1]: [/var/www/html/evilFile.php] . Please confirm or delete it."

So let's review that file and take an action:

Anti-Defacement status

Right now, the file is present on the server and you have to either delete it or accept it:

Acknowledge or Delete

When to use it: it does not protect you from defacement. It can be useful when you run a script that should modify many files and, once it finishes, you want to review that list.

Case #2

  • Enable Monitor - ON
  • Restore Changed File Automatically - ON
  • Acknowledge Changed File Automatically - OFF

As we expect, the file is automatically deleted/reverted and an alert generated; no explicit action is required from the administrator:

v009xxxxdate=2020-03-22 time=16:43:45 log_id=11003601 msg_id=000000004210 device_id=FVVM00UNLICENSED vd="root" timezone="(GMT+1:00)Sarajevo,Skopje,Sofija,Warsaw,Zagreb" timezone_dayst="GMTe-1" type=event subtype="system" pri=warning trigger_policy="" user=daemon ui=daemon action=monitor status=failure msg="Unfamiliar file found on site [1]: [/var/www/html/evilFile.php] . Delete successfully."

NOTE: you still have to acknowledge the fact that the file was added. There won't be an option to remove it, as it's already gone.

When to use it: this is a proper Anti-Defacement solution. It should be your primary working mode.

Case #3

  • Enable Monitor - ON
  • Restore Changed File Automatically - OFF
  • Acknowledge Changed File Automatically - ON

All new/modified files will be automatically acknowledged, no explicit action is required from the administrator.

New file log:

v009xxxxdate=2020-03-22 time=18:55:04 log_id=11003601 msg_id=000000007312 device_id=FVVM00UNLICENSED vd="root" timezone="(GMT+1:00)Sarajevo,Skopje,Sofija,Warsaw,Zagreb" timezone_dayst="GMTe-1" type=event subtype="system" pri=warning trigger_policy="" user=daemon ui=daemon action=monitor status=failure msg="Unfamiliar file found on site [1]: [/var/www/html/file3.txt] . Acknowledge successfully."

Modified file:

v009xxxxdate=2020-03-22 time=18:55:28 log_id=11003601 msg_id=000000007313 device_id=FVVM00UNLICENSED vd="root" timezone="(GMT+1:00)Sarajevo,Skopje,Sofija,Warsaw,Zagreb" timezone_dayst="GMTe-1" type=event subtype="system" pri=warning trigger_policy="" user=daemon ui=daemon action=monitor status=failure msg="File [/var/www/html/file2.txt] on site [1] has been changed. Acknowledge successfully."

When to use it: enable it before a new release deployment, so all changes are automatically picked up by FortiWeb.
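The event-log lines quoted in Cases #1 to #3 are what you would feed a SIEM or a monitoring script. As an added example (my code, not part of the original article or of FortiWeb), the parser below splits such a line into its key=value fields and classifies the monitor event by the message text FortiWeb used above: "Please confirm or delete it" (waiting for the admin), "Delete successfully" (auto-restore) and "Acknowledge successfully" (auto-acknowledge). The sample lines are constructed to follow the v6.2.3 format shown in the article, with some fields dropped for brevity.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines that follow the FortiWeb v6.2.3 event-log format quoted
# in this article (same fields and message texts); not captured from a device.
SAMPLE_LOGS = [
    'date=2020-03-22 time=16:29:19 log_id=11003601 msg_id=000000004203 device_id=FVVM00UNLICENSED '
    'vd="root" action=monitor status=failure msg="Unfamiliar file found on site [1]: [/var/www/html/evilFile.php] . Please confirm or delete it."',
    'date=2020-03-22 time=16:43:45 log_id=11003601 msg_id=000000004210 device_id=FVVM00UNLICENSED '
    'vd="root" action=monitor status=failure msg="Unfamiliar file found on site [1]: [/var/www/html/evilFile.php] . Delete successfully."',
    'date=2020-03-22 time=18:55:28 log_id=11003601 msg_id=000000007313 device_id=FVVM00UNLICENSED '
    'vd="root" action=monitor status=failure msg="File [/var/www/html/file2.txt] on site [1] has been changed. Acknowledge successfully."',
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value may be quoted
PATH_RE = re.compile(r'\[(/[^\]]*)\]')                  # the [/path] inside msg
SITE_RE = re.compile(r'site \[(\d+)\]')                 # the [N] site index inside msg
# Message markers taken from the article's log lines, mapped to what FortiWeb did
OUTCOMES = [('Delete successfully', 'deleted'),             # Case #2: removed by auto-restore
            ('Acknowledge successfully', 'acknowledged'),   # Case #3: auto-committed
            ('Please confirm or delete', 'pending')]        # Case #1: waits for the admin

def parse_fields(line: str) -> Dict[str, str]:
    # key=value pairs; quoted values (msg, vd, timezone) keep their spaces, quotes are stripped
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}

def classify(line: str) -> Optional[Dict[str, str]]:
    # Structured record for an anti-defacement monitor event, None for other log types
    f = parse_fields(line)
    if f.get('action') != 'monitor':
        return None
    msg = f.get('msg', '')
    change = 'new' if msg.startswith('Unfamiliar file') else 'modified' if 'has been changed' in msg else 'unknown'
    outcome = next((o for marker, o in OUTCOMES if marker in msg), 'unknown')
    path, site = PATH_RE.search(msg), SITE_RE.search(msg)
    return {'date': f.get('date', ''), 'time': f.get('time', ''), 'log_id': f.get('log_id', ''),
            'site': site.group(1) if site else '', 'path': path.group(1) if path else '',
            'change': change, 'outcome': outcome}

def pending_paths(lines: List[str]) -> List[str]:
    # Files that still need an explicit accept/delete decision (Case #1 alerts only)
    records = (classify(line) for line in lines)
    return [r['path'] for r in records if r and r['outcome'] == 'pending']
```

Feeding the "pending" records into your Alert Email Policy workflow (or a ticket queue) is the point: in Case #1 nothing happens on the server until someone acts on them.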

Case #4

  • Enable Monitor - OFF

Anti-Defacement is disabled and does not monitor directory changes.

When to use it: when you are actively debugging or developing in the monitored directory. Disable the monitor before you start making a lot of frequent file modifications to avoid unnecessary alerts. While it's disabled, it won't track your changes. You can re-enable the monitor once you are finished and happy with the result.
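To make the four cases above concrete, here is an added model (my code, not FortiWeb's and not from the original article) of one monitor interval: the "baseline" is the last acknowledged copy of every file, the "server" is what is on disk now, and the three checkboxes decide whether a difference is only reported, reverted on the server, or committed into the baseline. The paths and contents are constructed lab data; the model assumes that when both Restore and Acknowledge are ON (a combination the article does not cover) Restore wins.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class MonitorSettings:
    enable_monitor: bool
    restore_automatically: bool      # "Restore Changed File Automatically"
    acknowledge_automatically: bool  # "Acknowledge Changed File Automatically"

Snapshot = Dict[str, bytes]  # path -> content; the baseline holds the last acknowledged copy

def scan(settings: MonitorSettings, baseline: Snapshot, server: Snapshot) -> Tuple[List[dict], Snapshot, Snapshot]:
    # One monitor interval: diff the server against the acknowledged baseline and apply
    # the configured action. Returns (events, new_baseline, new_server_state).
    if not settings.enable_monitor:  # Case #4: nothing is tracked or changed
        return [], dict(baseline), dict(server)
    events = []
    for path in sorted(set(baseline) | set(server)):
        if path not in baseline:
            change = 'new'
        elif path not in server:
            change = 'deleted'
        elif baseline[path] != server[path]:
            change = 'modified'
        else:
            continue  # unchanged, nothing to report
        # Assumption: with both flags ON (not covered in the article) restore takes precedence
        if settings.restore_automatically:          # Case #2
            outcome = 'deleted' if change == 'new' else 'restored'  # matches the "Delete successfully" log
        elif settings.acknowledge_automatically:    # Case #3
            outcome = 'acknowledged'
        else:                                       # Case #1
            outcome = 'pending'  # alert only; the admin must accept or delete
        events.append({'path': path, 'change': change, 'outcome': outcome})
    new_baseline, new_server = dict(baseline), dict(server)
    if events and settings.restore_automatically:
        new_server = dict(baseline)   # the server goes back to the last acknowledged state
    elif events and settings.acknowledge_automatically:
        new_baseline = dict(server)   # the changes become the new baseline
    return events, new_baseline, new_server

# Constructed lab state: index.html untouched, file2.txt edited, evilFile.php dropped in
BASELINE: Snapshot = {'/var/www/html/index.html': b'<h1>hello</h1>', '/var/www/html/file2.txt': b'v1'}
SERVER: Snapshot = {'/var/www/html/index.html': b'<h1>hello</h1>', '/var/www/html/file2.txt': b'v2',
                    '/var/www/html/evilFile.php': b'<?php /* constructed placeholder */ ?>'}
```

Running scan() with each of the four settings combinations on BASELINE and SERVER reproduces the cases: only Case #2 changes the server, only Case #3 changes the baseline, and Case #1 changes neither.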

Pro Tips

Tip #1

All file changes are tracked by FortiWeb. So at any point, you can diff files, revert to a previous version or remove a file from the web server.

List of all monitored files:

files browser - view versions or remove

Let's dive into file2.txt details:

all versions of file2.txt - view, diff or revert to previous

You can compare a file snapshot with a previous revision:

diff

Tip #2

In production, make sure you exclude certain file extensions (like .swp if you edit files with vim) and create a white / black list of files / directories to be monitored. Not everything is worth protecting 😉

Tip #3

Anti-Defacement takes care of file consistency. It's not a backup solution, so make sure you have a proper backup solution in place. Also, it does not protect you from database modification! Protect the database separately. In the Fortinet world, there is FortiDB for that.