Linux system files such as /etc/passwd and /etc/shadow store sensitive user and authentication data. If an attacker exploits a web vulnerability on your server, commands such as cat, head, and tail can read these files and expose the data in outbound responses.
Cloud Firewall intrusion prevention system (IPS) rules detect when system file contents appear in outbound traffic. By default, these rules run in Monitor mode. Switch them to Block mode to stop the data from leaving your server.
Risks of system information leaks
Leaked system file contents enable two categories of attack:
- Remote command execution and follow-on attacks -- Attackers who exploit web vulnerabilities such as remote command execution can read critical system files from your server. With this information, they can launch further attacks, including remote logons and remote control of the compromised host.
- Lateral movement by worms and trojans -- Worms and trojans that have infected a host can harvest system information and use it to spread laterally across your internal network, compromising additional servers.
Prerequisites
Before you begin, make sure that you have:
- An active Cloud Firewall subscription
- Access to the Cloud Firewall console
Block system information leaks
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- In the Basic Protection section, switch the search field to Rule Name and search for Key System information leakage.
- Change the mode of some or all related rules from Monitor to Block.
In Monitor mode, Cloud Firewall logs matching traffic but does not block it. In Block mode, Cloud Firewall drops matching traffic to prevent system information from reaching the attacker.
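The following Python is an added illustration, not Cloud Firewall code and not a description of how its IPS signatures are implemented. It shows the idea behind the rules described on this page: an outbound HTTP response is inspected for lines in /etc/passwd or /etc/shadow format, and the finding is handled differently in Monitor mode (logged, body still forwarded) and Block mode (body dropped). The regular expressions, the two-line threshold, the function names and the sample responses are all assumptions constructed for the example; the hash values in the shadow sample are placeholders, not real hashes.

```python
import re

# Assumed format checks (constructed for this example, not Cloud Firewall's signatures).
# A /etc/passwd line has seven colon-separated fields: name:x:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M
)
# A /etc/shadow line starts with the user name, then a crypt hash ("$id$salt$hash")
# or a lock marker ("!" / "*"), followed by numeric password-ageing fields.
SHADOW_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:(\$[^:\s]+|[!*]+):\d*(:\d*){5,7}$", re.M
)


def inspect_response(body: str, min_lines: int = 2) -> dict:
    """Count passwd- and shadow-format lines in an outbound response body.

    One matching line is weak evidence (a page could legitimately contain one),
    so the response is flagged as a leak only when at least min_lines are present.
    The threshold is an assumption of this example.
    """
    passwd = len(PASSWD_LINE.findall(body))
    shadow = len(SHADOW_LINE.findall(body))
    return {
        "passwd_lines": passwd,
        "shadow_lines": shadow,
        "leak": max(passwd, shadow) >= min_lines,
    }


def apply_rule(body: str, mode: str) -> dict:
    """Model the two rule modes on this page.

    "monitor": record the finding but forward the response unchanged.
    "block":   record the finding and drop the response so the data never leaves.
    A response with no finding is allowed in either mode.
    """
    finding = inspect_response(body)
    if not finding["leak"]:
        return {"action": "allow", "forwarded": True, **finding}
    if mode == "block":
        return {"action": "block", "forwarded": False, **finding}
    return {"action": "monitor", "forwarded": True, **finding}


# Constructed sample responses (not captured traffic).
SAMPLE_PASSWD_LEAK = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)
SAMPLE_SHADOW_LEAK = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::\n"
    "daemon:*:19700:0:99999:7:::\n"
    "www-data:!:19700:0:99999:7:::\n"
)
SAMPLE_BENIGN = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Our docs mention /etc/passwd and root:x:0:0 in prose.</body></html>\n"
)

if __name__ == "__main__":
    for name, body in [("passwd", SAMPLE_PASSWD_LEAK),
                       ("shadow", SAMPLE_SHADOW_LEAK),
                       ("benign", SAMPLE_BENIGN)]:
        for mode in ("monitor", "block"):
            print(name, mode, apply_rule(body, mode))
```

Running the script shows the same leaking response being forwarded under "monitor" and dropped under "block", while the benign page that merely mentions /etc/passwd in prose is allowed in both modes; that is the behavioural difference the Monitor-to-Block switch on this page makes.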
Verify the result
After you switch the rules to Block mode:
- On the IPS Configuration page, verify that the updated rules show a status of Block Custom.
- In the left-side navigation pane, choose Detection and Response > IPS. On the IPS page, check for recent alerts related to system information leakage to confirm that the IPS rules are inspecting traffic as expected.