Using-barricade

Security Rating System

Our security rating system is made to be simple by design, so that anyone can understand what is happening on their infrastructure regardless of their level of security knowledge or position.

Ratings

https://docs.barricade.io/src/img/using-barricade/ranking.png

We have split security threats into Events, Attacks and Incidents. We track events, flag attacks, monitor their progress and alert you when they become incidents.

  Event     Someone tried and failed to attack your app
  Attack    Someone makes multiple failed attack attempts
  Incident  An attacker succeeds in their attack - your system is breached

Adding Team Members

You can invite colleagues to join your Barricade team account, granting access to your Agents and their findings from your servers.

You’ll find the Team controls in the Settings > Team > Members page.

Team Permissions

Teams consist of a single Admin user (the person who originally created the account) and Members, who have most of the same permissions - except when it comes to billing and removing other users from the account.

Here’s a breakdown of the permissions per role:

                                Admin   Member
Install Agents:                  yes     yes
Edit Agents:                     yes     yes
View Cases:                      yes     yes
Mark Cases as Resolved:          yes     yes
Invite Team Members:             yes     yes
Remove Team Members:             yes     no
Manage Team Notifications:       yes     yes
Manage Team Integrations:        yes     yes
View & Edit Billing Details:     yes     no

Your Team

The team profile page allows you to edit your team name. Only the admin can change the name of a team.

https://docs.barricade.io/src/img/using-barricade/11-team-01.png

How to Invite Members

The invitations page lets you add new members via email address: 

https://docs.barricade.io/src/img/using-barricade/11-team-02.gif

  1. Enter the email address and click the Invite button.
  2. The page will show that an email invite has been issued. You can revoke any unaccepted invitations by clicking the ‘X’ on the right:

    https://docs.barricade.io/src/img/using-barricade/11-team-03.png

  3. The new member will receive a confirmation email with an activation link:

    https://docs.barricade.io/src/img/using-barricade/11-team-04.png

  4. Once activated, they can log in and will have read access to information from your Agents.

How to Remove Members

https://docs.barricade.io/src/img/using-barricade/11-team-05.gif

  1. To remove members you must be logged in as the Team Admin
  2. Visit the app Team page 
  3. Click the ‘X’ icon to the right of the member name 
  4. Confirm removal of that member

Slack Integration

https://docs.barricade.io/src/img/using-barricade/13-slack-logo.png

Slack is a real-time messaging app for teams that allows you to communicate quickly and easily. We use Slack every day at Barricade, to communicate and to share security notifications.

You can integrate Slack with Barricade to notify your team when serious security incidents occur:

https://docs.barricade.io/src/img/using-barricade/13-slack-message.png

Setting up the Integration

  1. Log in to Barricade and go to Settings > Notifications > Slack Notifications
  2. Click on the switch to Enable the integration:

    https://docs.barricade.io/src/img/using-barricade/13-slack-enable.gif

  3. Follow the Integration Instructions that appear onscreen.

  4. Click the link to create a new Incoming Webhook on slack.com

  5. Set a channel for Barricade to post to:

    https://docs.barricade.io/src/img/using-barricade/13-slack-select-channel.png

    Click the Add button.

  6. Copy the Webhook URL that appears under ‘Setup Instructions’
    It will look like this:

    https://hooks.slack.com/services/A01BCDE23/A01B2CDEF/aB0c1DefGH23iJKl45M6nO7P
    
  7. Return to the Slack integration page in the Barricade app.

  8. Paste the Webhook URL into the form:

    https://docs.barricade.io/src/img/using-barricade/13-slack-paste.gif

    Click Save Integration

  9. You can customize the integration to choose what items get posted to Slack, by checking the boxes on the right to activate more notifications.

By default, only Incidents (our most serious classification) are sent as notifications.

Hipchat Integration

HipChat is team chat that’s actually built for business - a centralized place for group and private chat, file sharing, and integrations.

You can integrate HipChat with Barricade to share security notifications with your team:

https://docs.barricade.io/src/img/using-barricade/14-hipchat-01.png

Setting up the Integration

  1. Log in to Barricade and go to Settings > Notifications > HipChat Notifications
  2. Click on the switch to Enable the integration:

    https://docs.barricade.io/src/img/using-barricade/14-hipchat-enable.gif

  3. Follow the Integration Instructions that appear onscreen.

  4. Open your Hipchat window, and navigate to the channel you want to send notifications to. We recommend creating a new room named Barricade.

  5. Open the Room options and select Integrations:

    https://docs.barricade.io/src/img/using-barricade/14-hipchat-select.png

  6. From the Integrations page click on Tokens in the menu on the right, and you’ll see a Create new token form appear at the bottom of the page:

    https://docs.barricade.io/src/img/using-barricade/14-hipchat-set-label.png

    Set a descriptive label in the text field at the bottom of the page. In the second field, select Send Notification and click Create.

    https://docs.barricade.io/src/img/using-barricade/14-tokens.gif

  7. The page will display a Room Notification Token, a string that looks something like this: 9KFell1q8yZpcZTIWwUaDohs4gNfw7C2LHCyHWCT

    https://docs.barricade.io/src/img/using-barricade/14-hipchat-copy-token.png
    Copy the Token, and return to the HipChat page in the Barricade app.

  8. Paste the token into the form, under the Instructions, and add a label for the HipChat channel you wish to post notifications to:

    https://docs.barricade.io/src/img/using-barricade/14-hipchat-save.gif

  9. Click Save Integration.

  10. You can customize the integration to choose what items get posted to HipChat, by checking the boxes on the right to activate more notifications.

By default, only Incidents (our most serious classification) are sent as notifications.

Troubleshooting: Integrations isn’t available in HipChat

https://docs.barricade.io/src/img/using-barricade/14-hipchat-no-integration.png

In HipChat, accounts can be configured to restrict access to Integration and Token settings. If Integrations appears as a greyed-out, disabled option, you’ll need to contact the HipChat account owner.

Installing Agents

During the account signup process, you will install your first monitoring Agent. Once that process is completed, you can repeat the original steps to install additional Agents at any time, allowing Barricade to watch over entire clusters of servers.

How to Install

Inside the Barricade app, you’ll see a New Agent button in the top-right-hand corner:

https://docs.barricade.io/src/img/getting-started/drawer-opening.gif

Instructions:

  1. Click the New Agent button to open the installer section
  2. Copy the install command
  3. Connect to your server and run the command (see our SSH guide)
  4. When the install command is finished, the new Agent will be detected automatically 

https://docs.barricade.io/src/img/getting-started/drawer-detection.gif

Once detected, you can close the panel by clicking the ‘X’ icon in the top-right corner, or choose to Install Another.

Amazon WAF Integration

https://docs.barricade.io/src/img/using-barricade/15-awswaf.png

AWS Web Application Firewall (WAF) helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. You can integrate AWS WAF with Barricade to make an intelligent and learning firewall.

Gotchas

To use WAF, you must be using Amazon Web Services EC2 and CloudFront.

AWS WAF is not available on an individual-instance basis but is available if you are using Elastic Load Balancers (ELBs).

Make sure that you read the AWS WAF pricing thoroughly.

Barricade does not charge you for using AWS WAF, but rules you add through the Barricade integration will incur charges on your AWS account.

Setting up the Integration

  1. Log in to Barricade and go to Settings > Integrations > Amazon AWS WAF Integration

  2. Click on the switch to Enable the integration

  3. Follow the Security Group and Integration Instructions that appear onscreen for the AWS Console.

  4. Once you’ve completed the Security Groups steps described below, copy the access key ID and secret key (which are created with very limited access), enter them in the form, and click Save Integration.

    After saving the integration, a new WAF named BARRICADE-WAF will be created in your AWS account. This is where we will add behaviours to block attackers from within Barricade. Added behaviours will incur costs on your AWS account - see AWS WAF pricing.

  5. Once you’ve enabled the WAF, you will need to go to your CloudFront distribution settings and set the AWS WAF Web ACL to BARRICADE-WAF, like so:

    https://docs.barricade.io/src/img/using-barricade/15-awswaf-02.png

Giving Barricade Access (Security Groups)

We don’t want access to your servers. In fact, we want as little access as possible to your account. We’ve broken down the steps you’ll need to follow in Amazon IAM to give us minimum access so we can manage your firewall, but nothing else.

  1. From the Amazon IAM section of your Amazon account, you will need to create a new user for Barricade. Follow this create a new user link - it’ll bring you right there.

  2. Create a new user named barricade-waf and make sure to check “Generate an access key for each user”:

    https://docs.barricade.io/src/img/using-barricade/15-awswaf-03.png

  3. On the next step, after the user is created, copy the access key ID and secret key that are presented to you under Show User Security Credentials:

    https://docs.barricade.io/src/img/using-barricade/15-awswaf-04.png

  4. You will now need to create a Policy. We’ll give you the policy, don’t worry.

  5. Go to the AWS policy page, and click on Create Policy, then Create Your Own Policy:

    https://docs.barricade.io/src/img/using-barricade/15-awswaf-05.png  

  6. The next steps are tricky but we’ll give them to you here. You will need to name your policy, give it a description and set the policy. 

    The Name is pretty straightforward, we like descriptive names so we recommend: barricade-waf-integration

    The Description is up to you. We use a textual description so that in 6 months when new employees learn the platform they understand what this does.

    The Policy Document is slightly trickier. Just copy the following into the textarea and click the “Create Policy” button at the bottom right:

    {
       "Version":"2012-10-17",
       "Statement": [
          {
             "Action": [
                "waf:*",
                "cloudfront:GetDistribution",
                "cloudfront:GetDistributionConfig",
                "cloudfront:UpdateDistribution",
                "cloudfront:ListDistributions"
             ],
             "Effect": "Allow",
             "Resource": "*"
          }
       ]
    }
    
  7. Almost there! The last step is to assign this policy to your newly created user - barricade-waf.

  8. On the new user’s IAM page you will see an Attach Policy button, click it and select the barricade-waf-integration policy you created in Step 6. 

That’s it. Now we can add firewall rules, but we don’t have to have access to your servers!
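As an added check (example code written for this page, not part of Barricade's documentation or tooling), the script below parses an IAM policy document of the shape shown above and reports any Allow action that is not covered by the five WAF and CloudFront actions the policy is meant to grant. Running it over the document before attaching it to barricade-waf catches a copy-paste or later edit that widens the grant (for example to "*" or "cloudfront:*"). The constant and function names are this example's own, and BROAD_POLICY is a constructed counter-example.

```python
"""Least-privilege check for the IAM policy attached to the barricade-waf user.

Added example; it is not part of Barricade's documentation or tooling.
It parses an IAM policy document and reports any Allow action not covered
by the expected WAF/CloudFront actions. Names here are this example's own.
"""
import fnmatch
import json

# The actions the policy above grants; anything beyond these is excess.
EXPECTED_ACTIONS = frozenset({
    "waf:*",
    "cloudfront:GetDistribution",
    "cloudfront:GetDistributionConfig",
    "cloudfront:UpdateDistribution",
    "cloudfront:ListDistributions",
})

# The policy document from the steps above, as a string.
PAGE_POLICY = """{
   "Version":"2012-10-17",
   "Statement": [
      {
         "Action": [
            "waf:*",
            "cloudfront:GetDistribution",
            "cloudfront:GetDistributionConfig",
            "cloudfront:UpdateDistribution",
            "cloudfront:ListDistributions"
         ],
         "Effect": "Allow",
         "Resource": "*"
      }
   ]
}"""

# Constructed over-broad variant for comparison (not from the page).
BROAD_POLICY = """{
   "Version":"2012-10-17",
   "Statement": [
      {"Action": ["waf:*", "cloudfront:*", "iam:PassRole"], "Effect": "Allow", "Resource": "*"},
      {"Action": "s3:DeleteBucket", "Effect": "Deny", "Resource": "*"}
   ]
}"""


def _as_list(value):
    """IAM accepts either a single value or a list for Action/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covered(action, expected):
    """True if `action` matches one of the expected patterns.

    Patterns use IAM's "*" wildcard and are compared case-insensitively, as
    IAM does. A granted wildcard wider than every expected pattern (such as
    "*" or "cloudfront:*") matches nothing and is therefore reported.
    """
    name = action.lower()
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in expected)


def excess_actions(policy_json, expected=EXPECTED_ACTIONS):
    """Return the sorted Allow actions in the policy that are not in `expected`.

    Deny statements are ignored: they only remove permissions.
    """
    policy = json.loads(policy_json)
    excess = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if not _covered(action, expected):
                excess.add(action)
    return sorted(excess)


if __name__ == "__main__":
    for label, doc in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        extra = excess_actions(doc)
        verdict = "OK, no excess actions" if not extra else "excess: " + ", ".join(extra)
        print(f"{label}: {verdict}")
```

The check deliberately leaves the Resource field alone: the policy above uses "*" on purpose, and the point of the script is to make sure the action list stays as narrow as the page describes.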

Linking CloudFront to AWS WAF

The only way to currently use the Amazon AWS WAF is by connecting a created WAF to a CloudFront distribution. 

You will only have to do this once (with Barricade).

  1. First, go to your CloudFront page.

  2. Select the distribution you are interested in linking the AWS WAF to.

  3. Once you are on your CloudFront Distribution’s page, click on the Edit button. Then look for the AWS WAF Web ACL option - yes, it’s quite the mouthful!

    https://docs.barricade.io/src/img/using-barricade/15-awswaf-06.png

  4. Select the BARRICADE-WAF in the dropdown:

    https://docs.barricade.io/src/img/using-barricade/15-awswaf-07.png

  5. Click the Yes, Edit confirmation button and wait until the Distribution Status says Deployed.

That’s it, you now have a fully integrated detection system that learns from behaviour and can tell your firewall about new threats to block.

Adding Rules

Once the Integration is enabled, you can block a query with one click:

https://docs.barricade.io/src/img/using-barricade/15-awswaf-08.png

Go to the overview page in the Barricade app, and open a security case - you should see ‘AWS Firewall’ as an option in cases where blocking an attacker IP address is part of the recommendation.

Note: this option will only appear when the Agent has been identified as running on AWS EC2. For non-AWS servers, only the default iptables option will be visible.

Removing Rules

At the current time, you will need to delete the rules and firewall from your AWS account directly, via the AWS console. We are planning to add a much more evolved AWS WAF integration and management after having measured the interest.

Check out our blog post Introducing Our New Amazon Web Application Firewall Integration for more background on this feature.

CloudFlare Integration

https://docs.barricade.io/src/img/changelog/31-cloudflare.png

CloudFlare makes DNS secure, fast and simple, as well as providing some really great DDoS protection and security features. You can integrate CloudFlare with Barricade to make an intelligent, learning firewall that can protect your infrastructure from things like DDoS and brute force attacks.

Gotchas

You’ll need to be using both Barricade and CloudFlare in order to integrate them - if you don’t already have a Barricade account, you can sign up for free here.

Setting up the Integration

  1. Log in to Barricade and go to Settings > Integrations > CloudFlare Firewall

  2. Click on the switch to Enable the integration.

  3. Log in to CloudFlare.com and open the My Account page. You’ll need to retrieve your Global API key:

    https://docs.barricade.io/src/img/using-barricade/16-cloudflare-api.gif

    Just so you know, we encrypt your key; for security reasons it is not stored in plaintext.

  4. Copy and paste your API key and your email address into the form on the CloudFlare Integration page in the Barricade app. Click the ‘Enable’ button.

That’s it - now you can quickly utilize the CloudFlare firewall from within Barricade.

Using the Integration

You’ll see a new ‘Add To Firewall’ button alongside attack details, allowing you simple one-click blocking of attackers:

https://docs.barricade.io/src/img/using-barricade/16-cloudflare-button.gif

Read our blog announcement for more background on this super useful integration!

C.I. Security Tests

Continuous Integration Security Testing can be used alongside other test suites as you are developing - to better understand which parts of your application network might be at risk.

We’re big believers in continuous security, and want to help you incorporate security into the development lifecycle. 

https://docs.barricade.io/src/img/using-barricade/16-sectests.png

What do Security Tests check for?

The test will check your application network for a series of common vulnerabilities, based on the Wapiti scanner:

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Htaccess Bypass
  • Backup File
  • File Disclosure
  • Potentially Dangerous File
  • CRLF Injection
  • File Handling 
  • Commands Execution

Note: These checks are to help you identify any security bugs in your app, before they are shipped - but they do not guarantee that your app is fully secure from potential attacks.

Security Tests with Webhooks

 https://docs.barricade.io/src/img/using-barricade/16-sectest-settings.gif

Enabling the Integration:

  1. Visit the Settings > Integrations > C.I. Security Testing page.
  2. Slide the switch to enable the integration.
  3. Copy the webhook url that is generated.

Submitting Tests:

To submit a report, you’ll need to make an HTTP POST request to the webhook URL. Webhooks are user-defined HTTP callbacks, triggered by some event such as pushing code to a repository.

Currently, we support Wapiti test results in JSON format.
The request body may contain:

type: 'wapiti', // required, reporting type
data: 'test result', // required, test result as text
commit_id: '171fdce', // commit Id
commit_username: 'sakaenakajima', // username
commit_organization: 'Barricade', // organization
commit_repository: 'webapp', // repository name
commit_branch: 'feature-ci-sec', // branch name
commit_compare_url: 'https://github.com/barricadeio/internal-admin/compare/81c1235767ee...171fdce6f3b0', // compare URL
build_number: '1660', // build number
build_link: 'https://circleci.com/gh/barricadeio/webapp/1660' // build URL

Example Request

The following example reads a test result from wapiti.json, builds a request body with jq and submits it to the webhook with curl:

jq -r '{type:"wapiti", "data": tostring}' wapiti.json | curl -X POST -H "Content-Type: application/json" -d @- https://app.barricade.io/services/56294f3ef8f68d452e3ce561/csi/dee1aa08-bc80-48ba-844b-1c8c71f0ccdf

The wapiti.json report submitted above (a Wapiti 2.3.0 report with one XSS finding) looks like this:

{
  "vulnerabilities":{
    "Cross Site Scripting":[
      {
        "info":"XSS vulnerability found via injection in the parameter name",
        "http_request":"GET /page?name=%3Cscript%3Ealert%28%27w2e6ijy9jc%27%29%3C%2Fscript%3E HTTP/1.1\nHost: 172.17.42.1:80\n",
        "level":"1",
        "curl_command":"curl \"http://172.17.42.1:80/page?name=%3Cscript%3Ealert%28%27w2e6ijy9jc%27%29%3C%2Fscript%3E\"",
        "path":"/page",
        "parameter":"name",
        "method":"GET"
      }
    ],
    "Htaccess Bypass":[
    ],
    "Backup file":[
    ],
    "SQL Injection":[
    ],
    "Blind SQL Injection":[
    ],
    "File Handling":[
    ],
    "Potentially dangerous file":[
    ],
    "CRLF Injection":[
    ],
    "Commands execution":[
    ]
  },
  "infos":{
    "date":"Mon, 28 Sep 2015 14:26:00 +0000",
    "scope":"folder",
    "version":"Wapiti 2.3.0",
    "target":"http://172.17.42.1:80"
  },
  "classifications":{
    "Resource consumption":{
      "ref":{
        "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')":"http://cwe.mitre.org/data/definitions/400.html",
        "http://www.owasp.org/index.php/Asymmetric_resource_consumption_(amplification)":"http://www.owasp.org/index.php/Asymmetric_resource_consumption_(amplification)"
      },
      "sol":"The involved script is maybe using the server resources (CPU, memory, network, file access...) in a non-efficient way",
      "desc":"Resource consumption description"
    },
    "Internal Server Error":{
      "ref":{
        "Wikipedia article for 5xx HTTP error codes":"https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#5xx_Server_Error"
      },
      "sol":"More information about the error should be found in the server logs.",
      "desc":"Internal server error description"
    },
    "Cross Site Scripting":{
      "ref":{
        "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')":"http://cwe.mitre.org/data/definitions/79.html",
        "http://en.wikipedia.org/wiki/Cross-site_scripting":"http://en.wikipedia.org/wiki/Cross-site_scripting",
        "VulneraNET wiki: Cross Site Scripting Flaw article":"http://lab.gsi.dit.upm.es/semanticwiki/index.php/Cross_Site_Scripting_Flaw",
        "http://www.owasp.org/index.php/Cross_Site_Scripting":"http://www.owasp.org/index.php/Cross_Site_Scripting"
      },
      "sol":"The best way to protect a web application from XSS attacks is ensure that the application performs validation of all headers, cookies, query strings, form fields, and hidden fields. Encoding user supplied output in the server side can also defeat XSS vulnerabilities by preventing inserted scripts from being transmitted to users in an executable form. Applications can gain significant protection from javascript based attacks by converting the following characters in all generated output to the appropriate HTML entity encoding: <, >, &, ", ', (, ), #, %, ; , +, -.",
      "desc":"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts."
    },
    "Htaccess Bypass":{
      "ref":{
        "http://blog.teusink.net/2009/07/common-apache-htaccess-misconfiguration.html":"http://blog.teusink.net/2009/07/common-apache-htaccess-misconfiguration.html",
        "CWE-538: File and Directory Information Exposure":"http://cwe.mitre.org/data/definitions/538.html"
      },
      "sol":"Make sure every HTTP method is forbidden if the credentials are bad.",
      "desc":"htaccess files are used to restrict access to some files or HTTP method. In some case it may be possible to bypass this restriction and access the files."
    },
    "Backup file":{
      "ref":{
        "Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)":"http://www.owasp.org/index.php/Testing_for_Old,_Backup_and_Unreferenced_Files_(OWASP-CM-006)",
        "CWE-530: Exposure of Backup File to an Unauthorized Control Sphere":"http://cwe.mitre.org/data/definitions/530.html"
      },
      "sol":"The webadmin must manually delete the backup files or remove it from the web root. He should also reconfigure its editor to deactivate automatic backups.",
      "desc":"It may be possible to find backup files of scripts on the webserver that the web-admin put here to save a previous version or backup files that are automaticallygenerated by the software editor used (like for example Emacs). These copies may reveal interesting informations like source code or credentials"
    },
    "SQL Injection":{
      "ref":{
        "http://www.owasp.org/index.php/SQL_Injection":"http://www.owasp.org/index.php/SQL_Injection",
        "http://en.wikipedia.org/wiki/SQL_injection":"http://en.wikipedia.org/wiki/SQL_injection",
        "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":"http://cwe.mitre.org/data/definitions/89.html"
      },
      "sol":"To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, user input must be escaped or filtered or parameterized statements must be used.",
      "desc":"SQL injection vulnerabilities allow an attacker to alter the queries executed on the backend database. An attacker may then be able to extract or modify informations stored in the database or even escalate his privileges on the system."
    },
    "Blind SQL Injection":{
      "ref":{
        "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')":"http://cwe.mitre.org/data/definitions/89.html",
        "http://www.imperva.com/resources/adc/blind_sql_server_injection.html":"http://www.imperva.com/resources/adc/blind_sql_server_injection.html",
        "http://www.owasp.org/index.php/Blind_SQL_Injection":"http://www.owasp.org/index.php/Blind_SQL_Injection"
      },
      "sol":"To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, user input must be escaped or filtered or parameterized statements must be used.",
      "desc":"Blind SQL injection is a technique that exploits a vulnerability occurring in the database of an application. This kind of vulnerability is harder to detect than basic SQL injections because no error message will be displayed on the webpage."
    },
    "File Handling":{
      "ref":{
        "http://www.owasp.org/index.php/Path_Traversal":"http://www.owasp.org/index.php/Path_Traversal",
        "http://www.acunetix.com/websitesecurity/directory-traversal.htm":"http://www.acunetix.com/websitesecurity/directory-traversal.htm",
        "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')":"http://cwe.mitre.org/data/definitions/22.html"
      },
      "sol":"Prefer working without user input when using file system calls. Use indexes rather than actual portions of file names when templating or using language files (eg: value 5 from the user submission = Czechoslovakian, rather than expecting the user to return 'Czechoslovakian'). Ensure the user cannot supply all parts of the path - surround it with your path code. Validate the user's input by only accepting known good - do not sanitize the data. Use chrooted jails and code access policies to restrict where the files can be obtained or saved to.",
      "desc":"This attack is also known as Path or Directory Traversal, its aim is the access to files and directories that are stored outside the web root folder. The attacker tries to explore the directories stored in the web server. The attacker uses some techniques, for instance, the manipulation of variables that reference files with 'dot-dot-slash (../)' sequences and its variations to move up to root directory to navigate through the file system."
    },
    "Potentially dangerous file":{
      "ref":{
        "The Open Source Vulnerability Database":"http://osvdb.org/"
      },
      "sol":"Make sure the script is up-to-date and restrict access to it if possible",
      "desc":"A file with potential vulnerabilities has been found on the website."
    },
    "CRLF Injection":{
      "ref":{
        "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')":"http://cwe.mitre.org/data/definitions/93.html",
        "http://www.owasp.org/index.php/CRLF_Injection":"http://www.owasp.org/index.php/CRLF_Injection",
        "http://www.acunetix.com/websitesecurity/crlf-injection.htm":"http://www.acunetix.com/websitesecurity/crlf-injection.htm",
        "VulneraNET wiki: CRLF Injection article":"http://lab.gsi.dit.upm.es/semanticwiki/index.php/CRLF_Injection"
      },
      "sol":"Check the submitted parameters and do not allow CRLF to be injected by filtering CRLF",
      "desc":"The term CRLF refers to Carriage Return (ASCII 13, \\r) Line Feed (ASCII 10, \\n). They're used to note the termination of a line, however, dealt with differently in today's popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. This combination of CR and LR is used for example when pressing 'Enter' on the keyboard. Depending on the application being used, pressing 'Enter' generally instructs the application to start a new line, or to send a command."
    },
    "Commands execution":{
      "ref":{
        "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')":"http://cwe.mitre.org/data/definitions/78.html",
        "http://www.owasp.org/index.php/Command_Injection":"http://www.owasp.org/index.php/Command_Injection"
      },
      "sol":"Prefer working without user input when using file system calls",
      "desc":"This attack consists in executing system commands on the server. The attacker tries to inject this commands in the request parameters"
    }
  },
  "anomalies":{
    "Resource consumption":[
    ],
    "Internal Server Error":[
    ]
  }
}

Troubleshooting C.I. Test Webhooks

If you’re experiencing issues submitting a test, try generating a new webhook URL on the settings page:

https://docs.barricade.io/src/img/using-barricade/16-regen.gif

Updating Agents

Agents are designed with strict constraints, for security and performance reasons: they send but do not receive. This means that Barricade can never modify an Agent running on your server - and neither can anybody else.

From time to time, we will notify you of updates and improvements, prompting you to run an Agent update to ensure you are running the latest version. You maintain full control over the Agent - we can’t push code to your server.

How to Update an Agent

To apply an update, re-run the install command:

https://docs.barricade.io/src/img/getting-started/drawer-opening.gif

Instructions:

  1. Click the New Agent button to open the installer section
  2. Copy the install command
  3. Connect to your server and run the command (see our SSH guide)
  4. When the install command is finished, the new Agent will be detected automatically 

https://docs.barricade.io/src/img/getting-started/drawer-detection.gif

Finding Out About Updates

You can find details of Product Changes and Agent updates here.

Agent Controls

The Agents section of the app interface provides a breakdown of the Agents you have running:

  • state of the Agent (active/inactive)
  • how much data they’re using in the monitoring process
  • cost of each Agent in terms of GB
  • ability to pause and retire Agents

Stopping & Removing Agents

If you wish to stop monitoring a server, you can pause or retire the Agent via the controls on this page:

https://docs.barricade.io/src/img/changelog/24-controls.gif

Agents that are paused can be restarted later - whereas you cannot ‘undo’ a retired Agent through the web interface - a reinstall would be required to restore the Agent.

Pausing Agents

Older Agent versions do not support pausing and restarting. You should update the Agent to the latest version.

Retiring and Removing Agents

Retiring an Agent will stop the transmission of data from your server, but it doesn’t remove the Agent files. If you want to fully remove all traces of the Agent, you will need to do so manually by running a command on your server:

To remove from an Ubuntu server: dpkg -r barricade

To remove from a CentOS server: rpm -e barricade

One-way Agents

Clicking ‘pause’ or ‘retire’ prompts Barricade to signal a change in behavior to the Agent through the status API - it can’t write to or alter the Agent directly (by design).

When the Agent communicates with the Barricade API it will check for any status changes in the API and respond accordingly.

Tagging & Filtering

If you are running multiple Barricade Agents, you’ll see data pooled in the dashboard from different servers. Filters help you narrow your view to see results from specific servers.

Where to find Filters

You can filter Case data in the app by accessing the Filter option at the top of the Dashboard -> Overview navigation:

https://docs.barricade.io/src/img/using-barricade/28-tagging-01.png

When you have active Filters, the menu will look like this:

https://docs.barricade.io/src/img/using-barricade/28-tagging-02.png

Using Filters

  1. Click the Filter button in the top right of the Overview screen.
  2. A new panel will appear from the right, displaying a list of Agent Tags
  3. Remove the check marks from any Agent tags you wish to filter out. The form auto-saves your selection.
  4. To close the Filter panel, click to the left outside of the panel.

Example:

https://docs.barricade.io/src/img/using-barricade/28-filters.gif

Editing Agent Tags

An agent’s tag can be edited in two ways. Either through the Dashboard -> Agents page which can be found on the left-hand side menu, or through an automated configuration file described below the animation.

https://docs.barricade.io/src/img/using-barricade/28-Agent-Tags-Edit.gif

You can change the Tags associated with your Agents in the configuration file, located on your server at /service/barricade/barricade.cfg 

By default, all Agents start out with one tag: production. See Configuring Agents for more information.

Configuring Agents

By default, Agents are optimized to handle heavy traffic without impacting on the performance of your server - but you can always change the configuration to suit your needs.

Configuration File

Config settings can be found and modified in this file on your server: 

/etc/barricade/barricade.cfg

Once updated, a restart is required for any changes to take effect:

sudo restart barricade

Configuration Options:

tag
Tag is an arbitrary config value which can be used to identify and organize your Agents - particularly useful for Filtering Agents. The default value is production.

You can use it, for example, to denote development, staging and production environments, or “commit” versions: tag=staging,development,beta

spooler_memory
This is the specific amount of memory (in MB) to use for buffering packets in high traffic. By default, the Agent uses available system memory to calculate a reasonable default.

Example: spooler_memory=10000

Once this buffer is full, the Agent will begin dropping older packets to prioritize the newest information, and emit a warning to this effect in the logs (/var/log/barricade.log on most systems, in journalctl for systemd based systems).

flush_frequency
The default value is 0.01 seconds.

log_level
The default value is warning.

ssl_check_hostname
Allows you to enable or disable SSL hostname verification. The default value is enabled.
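As an added example (not Barricade's own tooling), the script below reads a barricade.cfg and checks each of the options documented above against its stated default, flagging in particular the one setting with a direct security consequence: a disabled ssl_check_hostname. It assumes the file is plain key=value lines with '#' comments, that log levels are the usual debug/info/warning/error/critical names, and that words like "disabled", "false" or "0" turn hostname verification off; none of those details are stated on this page. The sample config is constructed.

```python
"""Sanity-check a barricade.cfg against the options documented above.

Added example for this page, not Barricade's own tooling. It assumes the file
is plain key=value lines, one option per line (the form the page's examples
use), and that a line starting with '#' is a comment; both are assumptions.
"""
from __future__ import annotations

# Options and defaults exactly as documented on this page. spooler_memory has
# no fixed default: the Agent derives one from available system memory.
DOCUMENTED = {
    "tag": "production",
    "spooler_memory": None,
    "flush_frequency": "0.01",
    "log_level": "warning",
    "ssl_check_hostname": "enabled",
    "filter": "",
}

# Assumed level names; the page only states that the default is 'warning'.
LOG_LEVELS = {"debug", "info", "warning", "error", "critical"}
# Assumed spellings that turn hostname verification off.
DISABLED_WORDS = {"disabled", "false", "no", "off", "0"}


def parse_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines into a dict; a later duplicate key wins."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (no '='): {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def validate(settings: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: list[str] = []
    merged = {**DOCUMENTED, **settings}

    for key in settings:
        if key not in DOCUMENTED:
            findings.append(f"unknown option {key!r}: typo, or an Agent too old to support it")

    if not [t for t in merged["tag"].split(",") if t.strip()]:
        findings.append("tag is empty: dashboard filtering relies on at least one tag")

    mem = merged["spooler_memory"]
    if mem is not None and not (mem.isdigit() and int(mem) > 0):
        findings.append(f"spooler_memory must be a positive number of MB, got {mem!r}")

    try:
        if float(merged["flush_frequency"]) <= 0:
            findings.append("flush_frequency must be a positive number of seconds")
    except ValueError:
        findings.append(f"flush_frequency is not numeric: {merged['flush_frequency']!r}")

    if merged["log_level"].lower() not in LOG_LEVELS:
        findings.append(f"log_level {merged['log_level']!r} is not a recognised level")

    # The one setting with a direct security consequence: without hostname
    # verification the Agent cannot tell the real API from an impostor.
    if merged["ssl_check_hostname"].lower() in DISABLED_WORDS:
        findings.append("ssl_check_hostname is disabled: the Agent will trust any "
                        "certificate presented for the API endpoint; re-enable it")
    return findings


# Constructed sample config (not from a real server) exercising each option.
SAMPLE_CFG = """\
# constructed example
tag=staging,beta
spooler_memory=10000
flush_frequency=0.01
log_level=warning
ssl_check_hostname=disabled
filter=port not 22 and port not 53
"""

if __name__ == "__main__":
    for finding in validate(parse_cfg(SAMPLE_CFG)):
        print("WARNING:", finding)
```

Run it against a copy of /etc/barricade/barricade.cfg before restarting the Agent; a config that reports no findings still needs the restart described above to take effect.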

Barricade.cfg Troubleshooting

Some options do not appear in my barricade.cfg file.
Your Agent may not be up to date - ensure you have updated to the latest version.

I’m not sure how to access the file on a server.
You’ll need to connect to the server via SSH to run the command - see our guide here.

Automating with Ansible

If you automate your infrastructure with Ansible, you can use our Barricade Ansible Role to automate the setup of Agents when you spin up servers.

Installation

To install the ansible-barricade role via the ansible-galaxy command:

$ ansible-galaxy install https://github.com/barricadeio/ansible-barricade

Usage

Agent Installation

You’ll need your Barricade Automation Key. This can be retrieved by visiting your Team page.

Create an ansible playbook barricade.yml:

---
- name: Install Barricade Agent
  hosts: all
  become: yes  # privilege escalation; 'sudo: yes' is the pre-1.9 Ansible spelling and is rejected by current releases
  roles:
    - role: ansible-barricade
      barricade_automation_key: <Barricade Automation Key>

Run the above playbook and it should setup the barricade-agent:

$ ansible-playbook barricade.yml

Agent Removal

To remove Barricade, you can set the barricade_state attribute to absent:

---
- name: Remove Barricade Agent
  hosts: all
  become: yes  # privilege escalation; 'sudo: yes' is the pre-1.9 Ansible spelling and is rejected by current releases
  roles:
    - role: ansible-barricade
      barricade_state: absent

Agent Configuration

You can completely instrument agent configuration via variables defined in defaults/main.yml.

Automating with Chef

If you automate your infrastructure with Chef, you can use our Barricade cookbook to automate the setup of Agents when you spin up servers.

Visit github.com/barricadeio/chef-barricade for the cookbook.

Gotchas:
To use the cookbook, you’ll need to be familiar with Chef and comfortable with installing and using cookbooks - learn.chef.io is a good resource if you’re getting started.

Adding a Key:
To use the cookbook, you’ll need to add your barricade_key.

Open and edit the barricade_key attribute in the attributes/default.rb file, adding in the automation key from your dashboard (found here).

Filtering Agent Traffic

Some servers see a lot of inbound and outbound traffic - be it database activity, connections to external services or the serving of large media files.

By design, the Barricade Agent observes everything - all traffic is carefully examined for unusual or malicious behaviour. However, should you want to narrow its scope to omit certain types of traffic, you can do so by activating port filters in the Agent configuration.

https://docs.barricade.io/src/img/using-barricade/agent-data.png

Be Careful

Filtering traffic is risky - by choosing to exclude data, you could be turning a blind eye to possible points of attack. Please tread carefully - we’re happy to guide you through the process if you’d like to discuss things with us.

Traffic Ports

You can see a breakdown of the data being transferred in and out of your server via the app’s Traffic Report.

Filtering allows you to exclude certain ports - the traffic report presents server usage by port so you can easily identify different types of connections.

https://docs.barricade.io/src/img/using-barricade/traffic.png

The Agent Configuration file

To filter and exclude traffic from the Barricade Agent, you’ll need to edit the config file on your server. You’ll need to SSH into the server and navigate to the file at:

/etc/barricade/barricade.cfg

How to Add Filters

By default, no filters are set. You can add port numbers in the barricade.cfg file like so:

filter=

Example:

filter=port not 22 and port not 53

This would prevent the agent from capturing network traffic on SSH (22) and DNS (53) ports, limiting what the Agent has access to.
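To make the blind spot concrete, here is an added example (not Barricade's code) that parses a filter line of the form shown above and reports which connections the Agent would no longer observe. It handles only the conjunctive 'port not N and port not M' subset of pcap-filter syntax that this page uses, and the sample flows are constructed.

```python
"""Work out what a Barricade 'filter=' line hides from the Agent.

Added example, not Barricade's own code. The page shows only the
'port not N and port not M' form, so this parser accepts that conjunctive
subset of pcap-filter syntax and nothing else; the sample flows are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TERM = re.compile(r"^port\s+not\s+(\d+)$")


def excluded_ports(filter_expr: str) -> set[int]:
    """Parse 'port not A and port not B' into {A, B}; an empty filter excludes nothing."""
    expr = filter_expr.strip()
    if not expr:
        return set()
    ports: set[int] = set()
    for term in re.split(r"\s+and\s+", expr):
        m = TERM.match(term.strip())
        if not m:
            raise ValueError(f"unsupported filter term: {term!r}")
        port = int(m.group(1))
        if port > 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports


@dataclass(frozen=True)
class Flow:
    label: str
    src_port: int
    dst_port: int


def agent_sees(flow: Flow, excluded: set[int]) -> bool:
    """In pcap-filter terms 'port N' matches either endpoint, so 'port not N'
    hides a flow whose source OR destination port is N."""
    return flow.src_port not in excluded and flow.dst_port not in excluded


def audit(filter_expr: str, flows: list[Flow]) -> dict[str, list[str]]:
    """Split flows into those the Agent keeps and those the filter blinds it to."""
    excluded = excluded_ports(filter_expr)
    report: dict[str, list[str]] = {"visible": [], "hidden": []}
    for flow in flows:
        report["visible" if agent_sees(flow, excluded) else "hidden"].append(flow.label)
    return report


# Constructed sample flows, including two that show the blind spot is wider
# than "SSH and DNS": anything touching port 22 or 53 on EITHER side vanishes.
SAMPLE_FLOWS = [
    Flow("inbound SSH login", 51234, 22),
    Flow("outbound DNS lookup", 41000, 53),
    Flow("inbound HTTPS request", 43210, 443),
    Flow("sshd reply to client", 22, 51000),
    Flow("TCP session sourced from port 53", 53, 8080),
]

if __name__ == "__main__":
    result = audit("port not 22 and port not 53", SAMPLE_FLOWS)
    print("still observed:", result["visible"])
    print("no longer observed:", result["hidden"])
```

The last two sample flows are the reason for the "Be Careful" warning above: a port term matches whichever end of the connection carries that port, so excluding 53 also removes any session that merely happens to use 53 as its source port, not just DNS lookups.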

Once updated, a restart is required for any changes to take effect:

sudo restart barricade

See here for other possible Agent configuration options.

Re-registering Agents

We recommend re-registering an Agent if any of the following issues arise during the installation process:

  • Agent is not registered after installation
  • Agent was registered, but has stopped connecting / sending data

Run this command on your server to re-register the agent:

$ sudo su
$ PATH=$PATH:/opt/barricade/embedded/; /opt/barricade/embedded/bin/barricade-register

Closing an Account

If you’re looking to stop using Barricade entirely, you can close your account through this page. Only admin users can close an account, for security reasons.

We’re sorry to see you go - if there’s any feedback you’d like to leave for us, please do submit a comment.