{"id":55100,"date":"2016-03-31T12:57:13","date_gmt":"2016-03-31T10:57:13","guid":{"rendered":"https:\/\/blog.wedos.cz\/?p=55100"},"modified":"2021-01-13T12:58:08","modified_gmt":"2021-01-13T11:58:08","slug":"nova-ids-ips-ochrana-u-wedos","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/nova-ids-ips-ochrana-u-wedos","title":{"rendered":"Nov\u00e1 IDS\/IPS ochrana u WEDOS"},"content":{"rendered":"\n<p>N\u011bkolik m\u011bs\u00edc\u016f jsme pro v\u00e1s p\u0159ipravovali IDS\/IPS ochranu. V b\u0159eznu jsme j\u00ed spustili do ostr\u00e9ho provozu. Dnes v\u00e1m j\u00ed p\u0159edstav\u00edme.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p><em>\u00davodem bychom se cht\u011bli omluvit za komplikace v posledn\u00edch t\u00fddnech, kter\u00e9 jsme mohli n\u011bkter\u00fdm klient\u016fm zp\u016fsobit. Jako vysv\u011btlen\u00ed pos\u00edl\u00e1me n\u00e1sleduj\u00edc\u00ed \u010dl\u00e1nek.&nbsp;<\/em><\/p>\n\n\n\n<p>Kdy\u017e jsme byli v druh\u00e9 polovin\u011b roku 2014 c\u00edlem siln\u00fdch DDoS \u00fatok\u016f (v des\u00edtk\u00e1ch Gbps), bylo jedin\u00fdm \u0159e\u0161en\u00edm vybudovat vlastn\u00ed ochranu anebo se spolehnout na na\u0161e dodavatele konektivity. Nikdo z dodavatel\u016f nem\u011bl zku\u0161enosti s tak siln\u00fdmi \u00fatoky a tak jsme m\u011bli pouze mo\u017enost ud\u011blat v\u0161e vlastn\u00edmi silami. Rozhodli jsme zmobilizovat na\u0161e s\u00edly, investovat miliony do p\u0159estavby s\u00ed\u0165ov\u00e9 infrastruktury a zakoupen\u00ed nov\u00fdch prvk\u016f. Za\u010d\u00e1tkem roku 2015 u\u017e jsme v\u011bd\u011bli, \u017ee jsme ud\u011blali dob\u0159e.<\/p>\n\n\n\n<p>Tis\u00edce hodin pr\u00e1ce a milionov\u00e9 investice se vyplatily. I kdy\u017e DDoS \u00fatoky zes\u00edlily do takov\u00e9 m\u00edry, \u017ee na\u0161i dodavatel\u00e9 konektivity by u\u017e n\u00e1m nepomohli, na\u0161e ochrana dok\u00e1\u017ee v\u0161e zastavit. Samoz\u0159ejm\u011b trvalo je\u0161t\u011b dlouh\u00e9 m\u011bs\u00edce, ne\u017e jsme j\u00ed odladili do stavu jako je dnes. Jin\u00fdmi slovy \u00fatoky pod 10 Gbps u\u017e bedliv\u011b nesledujeme na monitoringu, jen se pod\u00edv\u00e1me na z\u00e1znam v logu. Ve v\u011bt\u0161in\u011b p\u0159\u00edpad\u016f se toti\u017e \u017e\u00e1dn\u00fd neobvykl\u00fd provoz nedostane k na\u0161im server\u016fm a nijak neohroz\u00ed slu\u017eby.<\/p>\n\n\n\n<p>Jen pro p\u0159edstavu uvedeme to, \u017ee jsme od konce \u0159\u00edjna 2014 m\u011bli ji\u017e p\u0159es 210.000 DDoS \u00fatok\u016f. To je za 17 m\u011bs\u00edc\u016f pr\u016fm\u011brn\u011b p\u0159es 12.000 \u00fatok\u016f m\u011bs\u00ed\u010dn\u011b, co\u017e je pr\u016fm\u011br p\u0159es 400 za den. Ka\u017ed\u00fd t\u00fdden tam nejdeme \u00fatoky p\u0159esahuj\u00edc\u00ed 10 Gbps a prakticky ka\u017ed\u00fd den \u00fatoky nad 5 Gbps.<\/p>\n\n\n\n<p>N\u00e1\u0161 obchodn\u00ed \u00fasp\u011bch a r\u016fst za\u010dal zaj\u00edmat (krom\u011b \u00fato\u010dn\u00edk\u016f) i r\u016fzn\u00e9 dodavatele. Vzhledem k mno\u017estv\u00ed hostovan\u00fdch webov\u00fdch str\u00e1nek jsme velmi zaj\u00edmav\u00fdm z\u00e1kazn\u00edkem i pro bezpe\u010dnostn\u00ed firmy z cel\u00e9ho sv\u011bta, kter\u00e9 n\u00e1s za\u010daly oslovovat s nab\u00eddkou r\u016fzn\u00e9 spolupr\u00e1ce. N\u011bkomu jde o sb\u011br dat, n\u011bkomu jde o prodej vlastn\u00edho \u0159e\u0161en\u00ed a n\u011bkomu o oboj\u00ed. P\u0159estavba a zdokonalen\u00ed s\u00ed\u0165ov\u00e9 infrastruktury, testov\u00e1n\u00ed exkluzivn\u00edho software i hardware n\u00e1m otev\u0159ely nov\u00e9 mo\u017enosti. Uv\u011bdomili jsme si, \u017ee v dne\u0161n\u00ed dob\u011b m\u016f\u017eeme nab\u00eddnout na\u0161im z\u00e1kazn\u00edk\u016fm daleko v\u00edce. Tu nejmodern\u011bj\u0161\u00ed ochranu jakou lze nab\u00eddnout \u2013 IDS\/IPS.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Co je IDS\/IPS ochrana<\/h2>\n\n\n\n<p>IPS (Intrusion Prevention Systems) a IDS (Intrusion Detection Systems) je ochrana, kter\u00e1 hl\u00edd\u00e1 naprosto v\u0161echen provoz mezi serverem a klientem. V re\u00e1ln\u00e9m \u010dase jej dok\u00e1\u017ee monitorovat, kompletn\u011b vyhodnocovat a v p\u0159\u00edpad\u011b pot\u0159eby i cokoliv online blokovat. Samoz\u0159ejm\u011b obousm\u011brn\u011b. Dok\u00e1\u017ee tak \u00fatoky zjistit, zabr\u00e1nit jim, ale funguje i jako prevence. Rozsah a mo\u017enosti IDS\/IPS jsou velice obs\u00e1hl\u00e9. Um\u00ed nap\u0159\u00edklad smazat zavirovan\u00fd email, zablokovat p\u0159et\u011b\u017eov\u00e1n\u00ed va\u0161eho webu, ale tak\u00e9 zastavit pokus o zneu\u017eit\u00ed zranitelnosti nult\u00e9ho dne (zero-day exploit) a to dokonce pokud je\u0161t\u011b ani nebyla nik\u00fdm nahl\u00e1\u0161ena. Hled\u00e1 toti\u017e specifick\u00e9 \u0159et\u011bzce pro r\u016fzn\u00e9 typy \u00fatok\u016f, kter\u00e9 se v norm\u00e1ln\u00edm provozu nevyskytuj\u00ed. Pokud je detekuje, tak okam\u017eit\u011b jedn\u00e1.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pro\u010d j\u00ed v\u0161ichni pot\u0159ebujeme<\/h2>\n\n\n\n<p>V dne\u0161n\u00ed dob\u011b v\u00fdrazn\u011b narostl po\u010det open source redak\u010dn\u00edch syst\u00e9m\u016f a eshop\u016f. Sta\u010d\u00ed vyu\u017e\u00edt n\u00e1\u0161 instal\u00e1tor aplikac\u00ed a na dv\u011b kliknut\u00ed m\u00e1te vlastn\u00ed magaz\u00edn, diskuzn\u00ed f\u00f3rum anebo eshop. Nemus\u00edte m\u00edt \u017e\u00e1dn\u00e9 znalosti program\u00e1tora. Nepot\u0159ebujete ani webmastera, kter\u00fd by se v\u00e1m o v\u0161echno staral. A tady nast\u00e1v\u00e1 probl\u00e9m. V\u0161echny tyto open source \u0159e\u0161en\u00ed pot\u0159ebuj\u00ed pravidelnou \u00fadr\u017ebu, zvl\u00e1\u0161t\u011b aktualizaci. \u00dato\u010dn\u00edci toti\u017e hledaj\u00ed jakoukoliv skulinku, aby dostali \u0161kodliv\u00fd k\u00f3d na va\u0161e str\u00e1nky. Ned\u011blaj\u00ed to lid\u00e9, ale jejich roboti, kte\u0159\u00ed zvl\u00e1daj\u00ed proj\u00edt stovky str\u00e1nek za vte\u0159inu.<\/p>\n\n\n\n<p>V ka\u017ed\u00e9m open source \u0159e\u0161en\u00ed se nav\u00edc jednou za \u010das objev\u00ed z\u00e1va\u017en\u00e1 chyba. Na aktualizaci \u010dasto m\u00e1te jen jeden den v hor\u0161\u00edm p\u0159\u00edpad\u011b n\u011bkolik hodin. Pokud to nestihnete v\u010das, v\u00e1\u0161 web nav\u0161t\u00edv\u00ed robot, kter\u00fd bezpe\u010dnostn\u00ed d\u00edru zneu\u017eije a nahraje v\u00e1m n\u011bkam nen\u00e1padn\u00fd backdoor, p\u0159es kter\u00fd m\u016f\u017ee \u00fato\u010dn\u00edk web ovl\u00e1dat. Ani po aktualizaci pak u\u017e nejste v bezpe\u010d\u00ed.<\/p>\n\n\n\n<p>Sta\u010d\u00ed tedy odjet n\u011bkam na dovolenou na p\u00e1r dn\u016f a m\u016f\u017eete m\u00edt napaden\u00fd web. Takov\u00e9 p\u0159\u00edpady \u0159e\u0161\u00edme pravideln\u011b.<\/p>\n\n\n\n<p>Nemus\u00ed se v\u0161ak jednat jen o open source \u0159e\u0161en\u00ed. S neo\u0161et\u0159en\u00fdmi vstupy se mus\u00ed vypo\u0159\u00e1dat ka\u017ed\u00fd program\u00e1tor. Ohl\u00eddat si v\u0161e nen\u00ed nic jednoduch\u00e9ho.<\/p>\n\n\n\n<p>Na\u0161e nov\u00e1 IDS\/IPS ochrana m\u00e1 za \u00fakol ochr\u00e1nit v\u00e1s v\u0161echny. Neum\u00ed v\u0161e, ale v\u011bt\u0161inu zn\u00e1m\u00fdch bezpe\u010dnostn\u00edch chyb \u0159e\u0161\u00ed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Co na\u0161e IDS\/IPS ochrana zat\u00edm um\u00ed<\/h2>\n\n\n\n<p>V sou\u010dasn\u00e9 dob\u011b IDS\/IPS ochranu lad\u00edme. Nen\u00ed to nic snadn\u00e9ho, ale v\u011b\u0159\u00edme \u017ee velk\u00e1 (finan\u010dn\u00ed a \u010dasov\u00e1) investice se vyplat\u00ed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Moment\u00e1ln\u011b chr\u00e1n\u00ed va\u0161e slu\u017eby p\u0159ed:<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>P\u0159irozen\u011b vypadaj\u00edc\u00edmi DoS, kter\u00e9 na\u0161e DDoS ochrana nem\u016f\u017ee detekovat (nap\u0159\u00edklad zneu\u017eit\u00ed XML-RPC).<\/li><li>SQLi \u00fatoky<\/li><li>Brute force \u00fatoky na p\u0159ihla\u0161ovac\u00ed formul\u00e1\u0159e.<\/li><li>Roboty, kte\u0159\u00ed schv\u00e1ln\u011b p\u0159et\u011b\u017euj\u00ed va\u0161e str\u00e1nky.<\/li><li>Roboty, kte\u0159\u00ed vkl\u00e1daj\u00ed do koment\u00e1\u0159\u016f \u0161kodliv\u00fd k\u00f3d (XSS)<\/li><li>Viry v emailech a i b\u011b\u017en\u00e9m HTML (FTP) provozu (ale zat\u00edm lad\u00edme vhodn\u00fd model provozu).<\/li><li>Zranitelnostmi ve zn\u00e1m\u00fdch open source CMS a eshopech.<\/li><li>\u00datoky zneu\u017e\u00edvaj\u00edc\u00ed zero-day exploit (zn\u00e1m\u00e9 i potenci\u00e1ln\u00ed).<\/li><li>R\u016fzn\u00fdm skenov\u00e1n\u00edm aplikac\u00ed.<\/li><\/ul>\n\n\n\n<p>Z\u00e1rove\u0148 jsou na\u0161e servery chr\u00e1n\u011bn\u00e9 p\u0159ed zneu\u017eit\u00edm r\u016fzn\u00fdch chyb v redak\u010dn\u00edch syst\u00e9mech, kter\u00e9 mohou m\u00edt za n\u00e1sledek p\u0159et\u00ed\u017een\u00ed serveru nebo nap\u0159\u00edklad vy\u010derp\u00e1n\u00ed RAM anebo v\u00fdkonu CPU.<\/p>\n\n\n\n<p>Mimo p\u0159\u00edchoz\u00edch \u00fatok\u016f monitoruje a blokuje i odchoz\u00ed. Dok\u00e1\u017eeme tak v p\u0159\u00edpad\u011b napaden\u00ed webu, zablokovat odchoz\u00ed \u00fatoky a minimalizovat p\u0159\u00edpadn\u00e9 \u0161kody. V\u011bt\u0161inou k tomu dojde automaticky tak, \u017ee IDS\/IPS ochrana spojen\u00ed mezi \u00fato\u010dn\u00edkem a c\u00edlem automaticky blokuje (resetuje prob\u00edhaj\u00edc\u00ed spojen\u00ed).<\/p>\n\n\n\n<p>M\u00e1me tak\u00e9 detailn\u011bj\u0161\u00ed p\u0159ehled o tom, co se v s\u00edti d\u011bje, co\u017e n\u00e1m do budoucna otev\u00edr\u00e1 cestu ke zlep\u0161en\u00ed na\u0161ich slu\u017eeb. Nap\u0159\u00edklad monitoring slu\u017eeb pro v\u00e1s, nad \u00farovn\u00ed serveru.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IDS\/IPS ochrana je pro klienty zdarma a nic pro jej\u00ed aktivaci nemus\u00edte d\u011blat<\/h2>\n\n\n\n<p>Veden\u00ed WEDOS Internet, a.s. prozat\u00edm rozhodlo, \u017ee nov\u00e1 ochrana IDS\/IPS je pro v\u0161echny na\u0161e z\u00e1kazn\u00edky se slu\u017ebou webhosting NoLimit zdarma. Je aktivovan\u00e1 automaticky nad \u00farovn\u00ed fyzick\u00e9ho serveru, tak\u017ee se o nic nemus\u00edte starat. V\u011b\u0159\u00edme, \u017ee poslou\u017e\u00ed ke zlep\u0161en\u00ed na\u0161ich slu\u017eeb a hlavn\u011b v\u00e1m u\u0161et\u0159\u00ed spousty starost\u00ed. Neust\u00e1le pracujeme na zlep\u0161ov\u00e1n\u00ed na\u0161ich slu\u017eeb a v\u011b\u0159\u00edme, \u017ee IDS\/IPS ochrana je dal\u0161\u00edm velk\u00fdm krokem kup\u0159edu.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IDS\/IPS ochrana u WEDOS<\/h2>\n\n\n\n<p>Aktu\u00e1ln\u011b m\u00e1me nastaven\u00e9 a pou\u017eit\u00e9 komer\u010dn\u00ed \u0159e\u0161en\u00ed, kter\u00e9 chceme doplnit o open source. Celkov\u00e9 n\u00e1klady na nasazen\u00ed odhadujeme na n\u011bkolik jednotek milion\u016f korun.<\/p>\n\n\n\n<p>Proces testov\u00e1n\u00ed prob\u00edhal od konce l\u00e9ta 2015. P\u0159\u00edpravy pro nasazen\u00ed jsme pr\u016fb\u011b\u017en\u011b d\u011blali ledna a\u017e b\u0159ezna leto\u0161n\u00edho roku. Nebylo to nic jednoduch\u00e9ho a obn\u00e1\u0161elo to hodn\u011b \u00faprav v topologii na\u0161\u00ed s\u00edt\u011b. Je\u0161t\u011b n\u011bjak\u00e9 \u00fapravy ud\u011bl\u00e1me v dubnu (a n\u011bkter\u00e9 z\u0159ejm\u011b dokon\u010d\u00edme a\u017e v kv\u011btnu). Do ostr\u00e9ho provozu jsme v\u0161e spustili v b\u0159eznu. O tom v\u0161em, co jsme museli \u0159e\u0161it p\u0159i implementaci, nap\u00ed\u0161eme p\u0159\u00ed\u0161t\u011b.<\/p>\n\n\n\n<p>V dal\u0161\u00edm \u010dl\u00e1nku uvedeme jak u n\u00e1s nasazen\u00ed IDS\/IPS prob\u00edhalo. Nebylo to jednoduch\u00e9 ani snadn\u00e9. V n\u011bkter\u00fdch p\u0159\u00edpadech to p\u0159ineslo i men\u0161\u00ed komplikace na\u0161im klient\u016fm. Za tyto komplikace se je\u0161t\u011b jednou omlouv\u00e1me, ale v\u011b\u0159\u00edme, \u017ee p\u0159\u00ednos IDS\/IPS ochrany bude tak velk\u00fd, \u017ee se to vyplat\u00ed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">N\u011bkolik z\u00e1kladn\u00edch \u010d\u00edsel<\/h2>\n\n\n\n<p>V na\u0161\u00ed s\u00edti hostuje nejv\u00edce web\u016f v \u010cesk\u00e9 republice. Z\u00e1rove\u0148 hostujeme nejv\u00edce virtu\u00e1ln\u00edch server\u016f a to v\u0161e p\u0159in\u00e1\u0161\u00ed n\u00e1por na bezpe\u010dnost na\u0161\u00ed s\u00edt\u011b a aplikac\u00ed v na\u0161\u00ed s\u00edti. Kdy\u017e jsme za\u010dali s IDS\/IPS \u201ekoketovat\u201c a za\u010dali jsem prvn\u00ed testy, tak jsme zjistili a\u017e neuv\u011b\u0159iteln\u00e9 skute\u010dnosti.<\/p>\n\n\n\n<p>Do na\u0161\u00ed s\u00edt\u011b sm\u011brovalo&nbsp;<strong>ka\u017edou hodinu<\/strong>&nbsp;nap\u0159\u00edklad:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>pr\u016fm\u011brn\u011b p\u0159es 37.000 \u00fatok\u016f na prolomen\u00ed hesla ve WordPressu, co\u017e je p\u0159es 10 pokus\u016f za sekundu<\/li><li>zhruba stejn\u00fd po\u010det pokus\u016f byl o prolomen\u00ed dal\u0161\u00edch hesel (maily nebo jin\u00e9 redak\u010dn\u00ed syst\u00e9my)<\/li><li>pr\u016fm\u011brn\u011b p\u0159es 1.000.000 r\u016fzn\u00fdch bezpe\u010dnostn\u00edch probl\u00e9m\u016f, co\u017e je p\u0159es 279 pokus\u016f za sekundu<\/li><li>z toho p\u0159es 183.000 m\u011blo kritickou \u00farove\u0148, tj. ne\u0161lo o varov\u00e1n\u00ed nebo n\u00edzkou \u00farove\u0148, co\u017e je cca 51 pokus\u016f za sekundu, kter\u00e9 jsou nebezpe\u010dn\u00e9 pro klienty<\/li><li>ze zhruba 100 IP rozsah\u016f z cel\u00e9ho sv\u011bta p\u0159ich\u00e1zelo cca 73% z\u00e1vadn\u00e9ho provozu a tak po omezen\u00ed a zp\u0159\u00edsn\u011bn\u00ed kontroly v\u016f\u010di t\u011bmto rozsah\u016fm jsme po\u010dty \u00fatok\u016f sn\u00ed\u017eili na zhruba \u010dtvrtinu<\/li><\/ul>\n\n\n\n<p>Dal\u0161\u00ed \u010d\u00edsla uvedeme p\u0159\u00ed\u0161t\u011b.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pro zaj\u00edmavost ze z\u00e1kulis\u00ed<\/h2>\n\n\n\n<p>N\u011bkter\u00e9 na\u0161e webservery byly pod neust\u00e1l\u00fdm (nebo \u010dasto se opakuj\u00edc\u00edm) \u00fatokem, jeho\u017e c\u00edlem bylo p\u0159et\u00ed\u017eit konkr\u00e9tn\u00ed webserver. Jak takov\u00fd \u00fatok prob\u00edhal? Z r\u016fzn\u00fdch IP adres byly na konkr\u00e9tn\u00edch serverech vol\u00e1ny postupn\u011b v\u0161echny mo\u017en\u00e9 dom\u00e9ny hostovan\u00e9 na konkr\u00e9tn\u00edm serveru (podle c\u00edlov\u00e9 IP) a na nich byly vol\u00e1ny ur\u010dit\u00e9 necachovan\u00e9 URL zn\u00e1m\u00fdch redak\u010dn\u00edch syst\u00e9m\u016f (r\u016fzn\u00e9 administrace, xmrpc2 apod.).<\/p>\n\n\n\n<p>\u00datok prob\u00edhal z r\u016fzn\u00fdch IP adres a rozsah\u016f, p\u0159i\u010dem\u017e z ka\u017ed\u00e9 IP adresy tak, aby nebyl po\u010det p\u0159\u00edstup\u016f z jedn\u00e9 IP (nebo jednoho rozsahu) n\u011bjak n\u00e1padn\u00fd. Nav\u00edc se nejednalo o p\u0159\u00edstupy na jednu dom\u00e9nu, ale na r\u016fzn\u00e9 dom\u00e9ny. Tak\u017ee v\u0161e bylo rozlo\u017een\u00e9 v \u010dase a z r\u016fzn\u00fdch zdroj\u016f a na r\u016fzn\u00e9 c\u00edle tak, \u017ee to nevzbuzovalo \u017e\u00e1dnou pozornost. V\u00fdsledkem bylo to, \u017ee na n\u011bkter\u00fdch webov\u00fdch serverech jsme m\u011bli i p\u0159es 50 p\u0159\u00edstup\u016f za sekundu, kter\u00e9 byly na necachovan\u00e9 str\u00e1nky a m\u011bly p\u0159\u00edstup (a z\u00e1pis) do datab\u00e1ze.<\/p>\n\n\n\n<p>Nejednalo se tedy o klasick\u00fd DDoS \u00fatok, ale o nov\u011bj\u0161\u00ed a m\u00e9n\u011b n\u00e1padnou a h\u016f\u0159e zachytitelnou formu \u00fatok\u016f, kdy tato zbyte\u010dn\u00e1 z\u00e1t\u011b\u017e zp\u016fsobovala komplikace na serverech a zpomalen\u00ed b\u011bhu n\u011bkter\u00fdch web\u016f. IDS\/IPS ochrana pomohla tuto (pro n\u00e1s novou) formu \u00fatok\u016f odhalit a filtrovat.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Co d\u00e1le s IDS\/IPS<\/h2>\n\n\n\n<p>Aktu\u00e1ln\u011b m\u00e1me IDS\/IPS ochranu nasazenou na v\u0161echny webhostingy. Chceme ji roz\u0161\u00ed\u0159it o dal\u0161\u00ed vylep\u0161en\u00ed a n\u011bkter\u00e9 v\u00fdstupy (statistiky) chceme p\u0159idat do z\u00e1kaznick\u00e9 administrace. Tohle v\u0161ak z\u0159ejm\u011b budou slu\u017eby za p\u0159\u00edplatek. Jedn\u00e1 se toti\u017e o logov\u00e1n\u00ed velk\u00e9ho mno\u017estv\u00ed dat.<\/p>\n\n\n\n<p>Pokud IDS\/IPS ochranu ochranu zkombinujeme s DDoS ochranou, tak budou va\u0161e weby i weby va\u0161ich klient\u016f u n\u00e1s velmi dob\u0159e chr\u00e1n\u011bn\u00e9.<\/p>\n\n\n\n<p>O nasazen\u00ed IDS\/IPS u VPS teprve diskutujeme a nev\u00edme, zda ji budeme nab\u00edzet nebo ne a pokud ano, tak za jak\u00fdch podm\u00ednek. U VPS je to tak, \u017ee \u010d\u00e1st klient\u016f o tuto ochranu nem\u00e1 z\u00e1jem a \u010d\u00e1st naopak ano. Uvid\u00edme jak to vymysl\u00edme technicky a obchodn\u011b. M\u016f\u017eete n\u00e1m napsat v\u00e1\u0161 n\u00e1zor do diskuze pod t\u00edmto \u010dl\u00e1nkem. Budeme jen r\u00e1di.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A na co se m\u016f\u017eete t\u011b\u0161it p\u0159\u00ed\u0161t\u011b?<\/h2>\n\n\n\n<p>P\u0159\u00ed\u0161t\u011b nap\u00ed\u0161eme o tom, co jsme museli \u0159e\u0161it za komplikace p\u0159i nasazov\u00e1n\u00ed. A nakonec mo\u017en\u00e1 prozrad\u00edme, jak m\u00e1me v\u0161e zapojen\u00e9 a na \u010dem v\u0161em to jede.<\/p>\n\n\n\n<p>Abychom V\u00e1s nal\u00e1kali, tak mus\u00edme napsat tak\u00e9 informace o tom, jak prob\u00edh\u00e1 stavba na\u0161eho nov\u00e9ho (druh\u00e9ho) datacentra, kter\u00e9 bude mimo\u0159\u00e1dn\u00e9 nejen fyzickou bezpe\u010dnostn\u00ed, ale tak\u00e9 ekologick\u00fdm a \u00fasporn\u00fdm provozem, proto\u017ee servery budou chlazen\u00e9 v olejov\u00e9 l\u00e1zni. Jakmile druh\u00e9 datacentrum spust\u00edme, tak chceme nab\u00edzet slu\u017eby s garanc\u00ed vysok\u00e9 dostupnosti, kdy bude mo\u017en\u00e9 m\u00edt data sou\u010dasn\u011b v obou datacentrech, na obou m\u00edstech chr\u00e1n\u011bn\u00e9 pomoc\u00ed DDoS ochrany a IDS\/IPS. V p\u0159\u00edpad\u011b v\u00fdpadku jedn\u00e9 lokality by v\u00e1\u0161 web jel automaticky a bez v\u00fdpadku z druh\u00e9 lokality. O tom v\u0161em a\u017e p\u0159\u00ed\u0161t\u011b. V\u00fdvoj v\u0161ech novinek a stavba druh\u00e9ho datacentra n\u00e1s nyn\u00ed zam\u011bstn\u00e1vaj\u00ed natolik, \u017ee m\u00e1lo p\u00ed\u0161eme o tom, co se u n\u00e1s d\u011bje.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>N\u011bkolik m\u011bs\u00edc\u016f jsme pro v\u00e1s p\u0159ipravovali IDS\/IPS ochranu. V b\u0159eznu jsme j\u00ed spustili do ostr\u00e9ho provozu. Dnes v\u00e1m j\u00ed p\u0159edstav\u00edme.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-55100","post","type-post","status-publish","format-standard","hentry","category-spolecnost"],"_links":{"self":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/55100","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/comments?post=55100"}],"version-history":[{"count":1,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/55100\/revisions"}],"predecessor-version":[{"id":55106,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/55100\/revisions\/55106"}],"wp:attachment":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media?parent=55100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/categories?post=55100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/tags?post=55100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}