How to protect a Rails application from suspicious and abusive requests?

Introduction

Many DevOps teams deal with a constant stream of hostile traffic from around the world: people trying to break into the site, steal data, create accounts with bots, send automated email through contact forms, and probe for URLs that do not exist.

Even when this traffic does not compromise the application, it adds load and wastes resources, so it should be detected and blocked. In this article we discuss how to protect a Ruby on Rails app from suspicious and abusive requests using simple in-application methods that act as a lightweight web application firewall (WAF), without paying for an external security or WAF service. These methods raise the cost of casual abuse and scanning; they do not replace network-level DDoS protection, which has to sit in front of the application.

Rails is a web application framework written in the Ruby programming language and first released in 2004. It is designed to make web programming easier by making assumptions about what every developer needs to get started, so you write less code while accomplishing more than with many other languages and frameworks.

Ruby on Rails is a popular framework built on the Model View Controller (MVC) architecture pattern, with a large developer community that makes it robust and easy to get support for.

Methodology

We will cover three layers, logging, reCAPTCHA and request filtering, that together give a solid baseline of protection for your application.

Logging

To protect your application you have to observe what happens on it and monitor it, but that does not mean watching every log line and every user individually. A few simple rules can alert you to suspicious behaviour on your environment. Logs should be kept for all activity levels, for example web requests, service calls and transactions.

There are many logging add-ons and tools to help with this; here I focus on a simple one, Papertrail. Two things share that name: the hosted Papertrail log aggregation service, which collects your Rails request log, lets you search it and attaches alerts to saved searches, and the paper_trail gem, which records a version history of ActiveRecord model changes inside your own database. The request-level view and the alerts described below come from the hosted service; the gem covers the transaction level, since it tells you who changed which record and when.

Follow the installation instructions for the paper_trail gem at https://github.com/paper-trail-gem/paper_trail#1b-installation, and the Papertrail service's own setup guide for shipping the Rails log. The request logs look like this.

Paper-trail logs

Notice that each activity shows the requested page, the parameters used for it and how the views were rendered.

You can set up alerts, for example on a specific keyword, a failure message or a specific IP address. An alert emails you all activity matching its configuration, so you stay informed without watching the logs yourself.
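The two rules below are an added example, not code from the article: the kind of "probe" and "scanner" rule you would save as an alert in a log service, run here in plain Ruby over a handful of constructed Rails-style request log lines (the IPs are documentation addresses) so that it executes offline.

```ruby
# Added example (not from the article): two alert rules of the kind you would
# save in a log service, run over constructed Rails-style request log lines.

SAMPLE_LOG = <<~LOG   # constructed sample data
  Started GET "/" for 198.51.100.7 at 2019-05-01 10:00:01 +0000
  Completed 200 OK in 35ms (Views: 20.1ms | ActiveRecord: 3.2ms)
  Started GET "/wp-login.php" for 203.0.113.9 at 2019-05-01 10:00:02 +0000
  Completed 404 Not Found in 2ms
  Started GET "/phpmyadmin/index.php" for 203.0.113.9 at 2019-05-01 10:00:03 +0000
  Completed 404 Not Found in 1ms
  Started GET "/.env" for 203.0.113.9 at 2019-05-01 10:00:04 +0000
  Completed 404 Not Found in 1ms
  Started POST "/login" for 198.51.100.7 at 2019-05-01 10:00:05 +0000
  Completed 302 Found in 120ms (ActiveRecord: 8.0ms)
  Started GET "/articles/42" for 198.51.100.7 at 2019-05-01 10:00:06 +0000
  Completed 200 OK in 40ms (Views: 25.0ms | ActiveRecord: 4.0ms)
LOG

STARTED   = /\AStarted (?<method>[A-Z]+) "(?<path>[^"]*)" for (?<ip>\S+) at /
COMPLETED = /\ACompleted (?<status>\d{3})/

# Pairs each "Started" line with the "Completed" line that follows it and
# returns one hash per request: { ip:, method:, path:, status: }.
def parse_requests(log_text)
  requests = []
  current = nil
  log_text.each_line(chomp: true) do |line|
    if (m = STARTED.match(line))
      current = { ip: m[:ip], method: m[:method], path: m[:path], status: nil }
      requests << current
    elsif current && (m = COMPLETED.match(line))
      current[:status] = m[:status].to_i
      current = nil
    end
  end
  requests
end

# Rule 1: paths that only make sense on a PHP/WordPress host, or that try to
# read dotfiles, are scanner probes no matter how rarely they occur.
PROBE_PATH = %r{\.php(\z|[/?])|/wp-(admin|login|content)|phpmyadmin|/\.(env|git)}i

# Rule 2: an IP that collects several 404s in the window is enumerating URLs.
def alerts_for(requests, not_found_limit: 3)
  alerts = []
  requests.each do |r|
    alerts << "probe #{r[:ip]} #{r[:method]} #{r[:path]}" if r[:path] =~ PROBE_PATH
  end
  not_found = requests.select { |r| r[:status] == 404 }.group_by { |r| r[:ip] }
  not_found.each do |ip, reqs|
    alerts << "scanner #{ip} #{reqs.size}x404" if reqs.size >= not_found_limit
  end
  alerts
end

def run_sample
  alerts_for(parse_requests(SAMPLE_LOG))
end

if $PROGRAM_NAME == __FILE__
  run_sample.each { |a| puts a }
end
```

On the sample above the scanner at 203.0.113.9 raises three probe alerts and one scanner alert, while the ordinary visitor at 198.51.100.7 raises none; the same two conditions, a path pattern and a 404 count per IP, are what you would express as a saved search with an alert attached.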

reCAPTCHA

Some abuse comes from web bots: automated sign-ups, form spam, credential stuffing. reCAPTCHA is a free service that protects your website from spam and abuse. It uses a risk analysis engine and adaptive challenges to keep automated software from engaging in abusive activity on your site, while letting legitimate users pass through with ease. Note that a CAPTCHA protects individual forms from automated submission; it does not stop a volumetric denial-of-service attack, because the request reaches your application before the CAPTCHA is checked.

You can set up reCAPTCHA on a Rails app easily with the recaptcha gem (https://github.com/ambethia/recaptcha).

Google reCAPTCHA
  • If you want your development environment to work with reCAPTCHA, add localhost and 127.0.0.1 to the domain list of your site in the Google reCAPTCHA admin console. Choose reCAPTCHA v2; v3 did not work for me as well as v2, but you can give it a try (v3 returns a score instead of showing a challenge, so your code has to decide on a threshold).
  • After registering the site you will have two keys: a Site Key and a Secret Key.
  • Create a recaptcha.rb file in the config/initializers folder with this content:
Recaptcha.configure do |config|
  config.site_key  = ENV['RECAPTCHA_SITE_KEY']
  config.secret_key = ENV['RECAPTCHA_SECRET_KEY']
end
  • Put the keys in a .env file in the Rails app root (loaded by the dotenv-rails gem) and keep that file out of version control; the secret key must never reach the browser or the repository.
  • Then add the widget to your views:
<%= form_for @foo do |f| %>
  # …
  <%= recaptcha_tags %>
  # …
<% end %>
  • If everything is correct, the reCAPTCHA widget appears in the form.
reCAPTCHA
  • Then verify the response server-side in the controller action that receives the form. verify_recaptcha posts the token to Google and returns true or false; passing the model attaches the error to it.
if verify_recaptcha(model: @foo)
  # proceed, e.g. save the record
else
  # reject the submission; the error is on @foo.errors
end
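The block below is an added example, not the recaptcha gem's own code. It shows what verify_recaptcha does underneath: it builds the POST to Google's siteverify endpoint and then judges the JSON that endpoint returns, including the hostname field and, for v3, the score. The constant names, the helper names and the sample response bodies are my own; the network call is isolated in verify_live so the decision logic runs offline on constructed responses.

```ruby
# Added example (not the recaptcha gem's code): the server-side reCAPTCHA check
# that verify_recaptcha performs, split into request building and response
# judgement so the latter can be exercised offline.
require 'json'
require 'net/http'
require 'uri'

SITEVERIFY_URL = URI('https://www.google.com/recaptcha/api/siteverify')

# The request the gem sends: your secret key, the token the widget placed in
# the g-recaptcha-response form field, and the client's IP.
def build_siteverify_request(secret, token, remote_ip)
  req = Net::HTTP::Post.new(SITEVERIFY_URL)
  req.set_form_data('secret' => secret, 'response' => token, 'remoteip' => remote_ip)
  req
end

# Decide whether a siteverify response body is acceptable.
#   expected_hostname: siteverify reports the host the token was solved on in
#     "hostname"; compare it yourself if domain validation is switched off in
#     the reCAPTCHA admin console, otherwise a token solved on an attacker's
#     page would pass.
#   expected_action / min_score: v3 only. v3 returns a score from 0.0 (bot) to
#     1.0 (human) instead of showing a challenge; the threshold is yours.
def recaptcha_acceptable?(body, expected_hostname:, expected_action: nil, min_score: 0.5)
  data = JSON.parse(body)
  return false unless data.is_a?(Hash) && data['success'] == true
  return false unless data['hostname'] == expected_hostname
  if data.key?('score')                       # v3 response
    return false if data['score'].to_f < min_score
    return false if expected_action && data['action'] != expected_action
  end
  true
rescue JSON::ParserError, TypeError
  false
end

# Live check (needs network and a real secret); not exercised by the test.
def verify_live(secret, token, remote_ip, expected_hostname:)
  response = Net::HTTP.start(SITEVERIFY_URL.host, SITEVERIFY_URL.port, use_ssl: true) do |http|
    http.request(build_siteverify_request(secret, token, remote_ip))
  end
  recaptcha_acceptable?(response.body, expected_hostname: expected_hostname)
end

# Constructed siteverify bodies in the documented shape.
V2_OK         = '{"success": true, "challenge_ts": "2019-05-01T10:00:00Z", "hostname": "example.com"}'
V2_REPLAYED   = '{"success": false, "error-codes": ["timeout-or-duplicate"]}'
V2_WRONG_HOST = '{"success": true, "challenge_ts": "2019-05-01T10:00:00Z", "hostname": "evil.example"}'
V3_BOT        = '{"success": true, "score": 0.1, "action": "signup", "hostname": "example.com"}'
V3_HUMAN      = '{"success": true, "score": 0.9, "action": "signup", "hostname": "example.com"}'

if $PROGRAM_NAME == __FILE__
  [V2_OK, V2_REPLAYED, V2_WRONG_HOST, V3_BOT, V3_HUMAN].each do |body|
    puts "#{recaptcha_acceptable?(body, expected_hostname: 'example.com', expected_action: 'signup')}  #{body}"
  end
end
```

The replayed token fails because a token is single-use and expires after a short time, which is why the check must happen on the server at submission time and never be cached; the wrong-host case is the one the gem's hostname option covers.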

Web filtering

The third way to prevent attacks is a Rack middleware that blocks the request before it reaches your controllers, using rules you define. For this I use the rack-attack gem; follow its installation instructions and try it in your development environment first.

Here are some rules that work well, especially since many Rails apps receive scans from attackers who assume the site is a PHP application.

If you have followed the instructions, you should have rack_attack.rb in the initializers folder.

To block a range of IP addresses, give blocklist_ip a CIDR block rather than listing the 256 addresses one by one (it accepts any string IPAddr understands):

# Equivalent to looping over xx.xx.xx.0 through xx.xx.xx.255
Rack::Attack.blocklist_ip("xx.xx.xx.0/24")

To block every request whose path contains .php, use this rule. The original version also required req.get?, which let POST probes to the same paths through; scanners post to PHP paths as often as they fetch them.

Rack::Attack.blocklist('any php request') do |req|
  req.path =~ /\.php/i
end

To return a message to a client caught by the blocking rules, set the blocklisted response. Keep the text generic; it should not reveal which rule matched. The gem's default status is 403; returning 503 instead gives an automated scanner less to go on. In rack-attack 6 this setting is deprecated in favour of blocklisted_responder, whose lambda receives the request instead of the env, but the form below still works.

Rack::Attack.blocklisted_response = lambda do |env|
  [503, { 'Content-Type' => 'text/plain' }, ['You have been blocked for trying to abuse the website.']]
end

To log every match, subscribe to rack-attack's ActiveSupport notification. Write to the Rails logger rather than stdout, so the lines reach the application log in production. Newer rack-attack versions also emit per-type events named blocklist.rack_attack, throttle.rack_attack and so on; subscribing to the pattern /rack_attack/ covers those too.

ActiveSupport::Notifications.subscribe('rack.attack') do |_name, _start, _finish, _request_id, payload|
  req = payload[:request]
  # match_type is :blocklist, :throttle or :track, set by rack-attack on the env
  msg = [req.env['rack.attack.match_type'], req.ip, req.request_method, req.fullpath, "\"#{req.user_agent}\""].join(' ')
  Rails.logger.warn "External abuse or attack: #{msg}"
end

The matches now appear in your application log, where you can configure alert rules as described for Papertrail to be informed directly when someone tries to abuse the site. The log lines look like this.

Attack logs
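The middleware below is an added illustration, not rack-attack's code. It is a minimal Rack-style filter showing how the three pieces discussed in this section, an IP-range blocklist, a path blocklist and a per-IP throttle on the login endpoint, sit in front of the app, which responses each returns, and how every match is recorded for the log. The class name, the addresses (documentation ranges), the limits and the run_filter_demo driver are my own constructions; it needs only the ipaddr standard library.

```ruby
# Added illustration, not rack-attack's code: a minimal Rack-style middleware
# with an IP-range blocklist, a PHP-path blocklist and a per-IP login throttle.
require 'ipaddr'

class AbuseFilter
  BLOCKED_RANGES = [IPAddr.new('203.0.113.0/24')].freeze   # constructed (TEST-NET-3)
  PHP_PROBE = /\.php(\z|[\/?])/i

  # limit/period: at most `limit` POST /login per `period` seconds per IP.
  # clock is injectable so the fixed window can be tested deterministically.
  def initialize(app, limit: 5, period: 60, clock: -> { Time.now.to_i })
    @app, @limit, @period, @clock = app, limit, period, clock
    @counters = Hash.new(0)   # in-memory; rack-attack keeps these in Rails.cache
    @events = []
  end

  attr_reader :events

  def call(env)
    # REMOTE_ADDR is the direct peer. Behind a proxy or load balancer use the
    # proxy-supplied client address (as Rack::Request#ip does), otherwise every
    # visitor shares the proxy's IP and one throttle hits all of them.
    ip, method, path = env['REMOTE_ADDR'], env['REQUEST_METHOD'], env['PATH_INFO']

    return blocked(:blocklist, 'ip_range', ip, method, path) if blocked_ip?(ip)
    return blocked(:blocklist, 'php_probe', ip, method, path) if path =~ PHP_PROBE

    if method == 'POST' && path == '/login'
      key = [ip, @clock.call / @period]        # fixed window per IP
      @counters[key] += 1
      return blocked(:throttle, 'logins/ip', ip, method, path) if @counters[key] > @limit
    end

    @app.call(env)
  end

  private

  def blocked_ip?(ip)
    return false unless ip.is_a?(String)
    addr = IPAddr.new(ip)
    BLOCKED_RANGES.any? { |range| range.include?(addr) }
  rescue IPAddr::InvalidAddressError, ArgumentError
    false
  end

  # Records the match the way the notification subscriber above would log it
  # and returns the response: 429 for a throttle, 403 for a blocklist hit.
  def blocked(type, rule, ip, method, path)
    @events << "#{type} #{rule} #{ip} #{method} #{path}"
    if type == :throttle
      [429, { 'Content-Type' => 'text/plain', 'Retry-After' => @period.to_s }, ['Too many requests']]
    else
      [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
    end
  end
end

# Drives the filter with constructed requests; returns the status codes seen
# and the recorded events.
def run_filter_demo
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  filter = AbuseFilter.new(app, limit: 3, period: 60, clock: -> { 1_000_000 })
  request = lambda do |ip, method, path|
    filter.call('REMOTE_ADDR' => ip, 'REQUEST_METHOD' => method, 'PATH_INFO' => path).first
  end

  statuses = {
    normal:     request.call('198.51.100.7', 'GET', '/'),
    blocked_ip: request.call('203.0.113.9', 'GET', '/'),
    php_probe:  request.call('198.51.100.8', 'POST', '/wp-login.php'),
    logins:     (1..5).map { request.call('198.51.100.7', 'POST', '/login') }
  }
  [statuses, filter.events]
end

if $PROGRAM_NAME == __FILE__
  statuses, events = run_filter_demo
  p statuses
  events.each { |e| puts e }
end
```

With rack-attack itself the throttle part of this is one line in the initializer, `Rack::Attack.throttle('logins/ip', limit: 5, period: 60) { |req| req.ip if req.path == '/login' && req.post? }`, and the counters live in Rails.cache, which must be a store shared by all your application servers or each server enforces the limit separately.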

Others

There are many other ways to protect your application. Use authentication and authorization inside the app to control which resources require the user to be signed in and which the user is allowed to view even after a successful sign-in. With rack-attack already installed, also throttle the login and password-reset endpoints so that a single IP cannot try thousands of passwords; blocking rules alone do not cover that case.

Ruby on Rails has mature gems to kickstart this, built on proven practices and wide community usage.

Conclusion

What gets monitored gets protected and managed

Mohamed Sami

The key to protecting your app is smart monitoring of it. Protecting your business from abusive traffic has become easier: the methods above are simple to implement and deliver results quickly.

I hope you liked the article; please consider liking it and sharing it with your development team.


Also published on Medium.

Publisher: melsatar.blog