
Login Through Web

Overview

Devices provide web services. An administrator can log in to the web management page of a device as an AAA authentication user and configure services. Attackers may attempt to reach the web service on any of the device's IP addresses, or launch slow HTTP attacks against it. You are advised to configure the following security hardening measures to implement web service security:

  • Change the local port that provides the web service.
  • Change the SSL version to a secure one.
  • Replace the default certificate on the local end.
  • Enable bidirectional certificate authentication.
  • Set the maximum number of supported web login users and the timeout period.
  • Enable slow HTTP attack defense.

Impact on the System

After security hardening, the administrator can use only the client onto which a specified certificate is loaded to access the web service of the device through a fixed interface, IP address, and port. The CA certificate that can verify the client certificate must be loaded onto the device.

Procedure

  1. Change the local port that provides the web service.

    system-view
    web-manager enable [ port port-number ]

  2. Change the SSL version to a secure one.

    For versions earlier than V600R007C20: by default, the FW supports the TLS1.1 and TLS1.2 versions. For V600R007C20 and later versions: by default, the FW supports the TLS1.2 version.

    web-manager security version tlsv1.2

  3. Optional: Specify the certificate that the device sends to the client.

    web-manager security server-certificate server-certificate-file

    If no certificate is specified, the server sends the default certificate to the client for authentication when the client attempts to log in to the server through HTTPS. If a certificate is specified, the server sends the specified certificate to the client for authentication. You can obtain the CA certificate from the device's web UI or CA server and import it to the client's browser. The client then uses the imported CA certificate to verify the identity of the device.

    The local certificate needs to be applied for from the CA server. After the CA server generates the requested certificate, download the certificate to the device's storage path and then import it into the memory for the certificate to take effect. For detailed configurations, see Configuration Guide > Object > Certificate > Security Protection > Configuring PKI-CLI.

  4. Optional: Configure bidirectional certificate authentication. Before enabling this function, import the client certificate into the browser and import the matching CA certificate into the server. When logging in to the server using HTTPS, the client sends its certificate to the server, which then uses the CA certificate to verify the client certificate.
    1. Enable bidirectional certificate authentication between the server and client.

      web-manager security verify-ssl-peer

    2. Specify a CA certificate used by the server to verify the client certificate.

      web-manager security ca-certificate ca-certificate

  5. Configure the web service timeout period.

    web-manager timeout minutes

    If no operation is performed on the web UI within the specified timeout period, the current user is automatically logged out.

  6. Configure the maximum number of online web users.

    web-manager max-user-number max-user-number

  7. Set parameters used to check abnormal packets for defense against slow HTTP attacks.

    web-manager slow-attack check [ content-length content-length | payload-length payload-length | packet-number packet-number ] *
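The seven steps above describe one procedure. The following added example (not vendor code and not part of the original page) audits a saved configuration excerpt for the hardening measures listed on this page. It uses the command syntax shown in the steps; the two sample configurations, the certificate file names, and the thresholds (default port 443, timeout of at most 10 minutes) are constructed assumptions for illustration.

```python
"""Audit a firewall configuration excerpt for the web-manager hardening
measures described on this page. Added example, not vendor code: command
syntax comes from the page; sample configurations and thresholds are assumed."""
import re

# Constructed sample: a device left with defaults (only the service enabled).
WEAK_CONFIG = """\
web-manager enable
"""

# Constructed sample: all hardening measures from the procedure applied.
# Certificate file names and numeric values are assumptions.
HARDENED_CONFIG = """\
web-manager enable port 8443
web-manager security version tlsv1.2
web-manager security server-certificate fw_server.cer
web-manager security verify-ssl-peer
web-manager security ca-certificate mgmt_ca.cer
web-manager timeout 5
web-manager max-user-number 3
web-manager slow-attack check content-length 4096 payload-length 1024 packet-number 50
"""

# Assumed audit thresholds (not stated on the page).
DEFAULT_PORT = 443          # port assumed when "port" is omitted
MAX_TIMEOUT_MINUTES = 10    # longest idle timeout the audit accepts


def audit_web_manager(config_text):
    """Return a dict mapping each hardening measure to True (applied) or False."""
    findings = {
        "non_default_port": False,        # step 1
        "tls12_only": False,              # step 2
        "custom_server_certificate": False,  # step 3
        "mutual_tls": False,              # step 4.1
        "client_ca_loaded": False,        # step 4.2
        "timeout_set": False,             # step 5
        "max_users_set": False,           # step 6
        "slow_attack_defense": False,     # step 7
    }
    for raw in config_text.splitlines():
        ln = raw.strip()
        if not ln:
            continue
        m = re.match(r"web-manager enable(?: port (\d+))?$", ln)
        if m:
            port = int(m.group(1)) if m.group(1) else DEFAULT_PORT
            findings["non_default_port"] = port != DEFAULT_PORT
        if ln == "web-manager security version tlsv1.2":
            findings["tls12_only"] = True
        if ln.startswith("web-manager security server-certificate "):
            findings["custom_server_certificate"] = True
        if ln == "web-manager security verify-ssl-peer":
            findings["mutual_tls"] = True
        if ln.startswith("web-manager security ca-certificate "):
            findings["client_ca_loaded"] = True
        m = re.match(r"web-manager timeout (\d+)$", ln)
        if m:
            # A timeout is only counted if it is short enough to matter.
            findings["timeout_set"] = int(m.group(1)) <= MAX_TIMEOUT_MINUTES
        if re.match(r"web-manager max-user-number \d+$", ln):
            findings["max_users_set"] = True
        if ln.startswith("web-manager slow-attack check"):
            findings["slow_attack_defense"] = True
    return findings


def missing_measures(config_text):
    """List the hardening measures not applied, in checklist order."""
    return [name for name, ok in audit_web_manager(config_text).items() if not ok]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "missing:", missing_measures(cfg) or "nothing")
```

Run against the weak sample, the audit reports all eight measures missing; against the hardened sample it reports none. Note that `mutual_tls` and `client_ca_loaded` are tracked separately because step 4 requires both commands: enabling peer verification without loading the matching CA certificate leaves the server unable to validate any client certificate.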

Checking the Security Hardening Result

Run the display web-manager { configurations | users | [ brief ] } command in any view to check information about the web server and web login users.

Copyright © Huawei Technologies Co., Ltd.