Security suggestions for SOHO users: securing the upload server

Source: Internet
Author: User

In the age of network technology, SOHO (Small Office Home Office), also called the tele-office, has gradually been accepted by companies and individuals as a new way of working and living. With the help of the ubiquitous network, many people stay in their own space to work, a freer and more environmentally friendly way of life. SOHO lets employees avoid heavy commuting traffic; it also saves the company expensive office rent and gives employees more free space to stimulate their creativity, so many large enterprises have begun to allow and even encourage employees to become "SOHO workers". SOHO workers upload and download files on the company's FTP server over the network, communicate with colleagues, managers and business partners over QQ and email, and use IE to search for all kinds of material on the Internet. What security issues should they pay attention to? And the company's FTP server, the bridge between the company and its employees: how can administrators keep it secure?
This installment covers how to keep that FTP server secure; the next will cover securing the local machine.

Because employees upload and download files on it, the company's FTP server must be connected to the Internet and must have a public IP address so that it can be reached. That fixed address is exactly what makes it an easy find for the attackers who roam the network all day looking for targets, even when an attack brings them no benefit: many are happy to count the machines they have compromised as a measure of their skill. What kinds of attack may the FTP server face?

1. Possible FTP server attacks

A Windows server is easy to operate and configure, but new Microsoft vulnerabilities keep appearing. An administrator who runs Windows is never idle: they must watch for every new patch and every newly published vulnerability, and install the patch as quickly as possible. There are also many attack tools for Windows on the Internet, so anyone with a little computer knowledge can use them against these servers. To keep their servers secure, many administrators now prefer Unix servers to Windows. Unix systems are far more complex than Windows, which at least keeps out those who only know Windows, and their security is much higher. Attacking a Unix server is relatively difficult, but that does not mean no attacks happen. Such servers mainly face the following two types of attack.

1. DoS Attacks

Denial of Service (DoS) is a network attack that consumes a service's resources with otherwise legitimate-looking requests so that legitimate users no longer receive a response. Typical DoS attacks work by resource depletion or resource overload: once the volume of requests exceeds what the resource can supply, legitimate visitors can no longer be served.

In a DoS attack, a large number of service requests are sent to the same server's service daemon, overloading it. These requests arrive in many forms, and many of them are deliberate. Under the time-sharing scheduler the computer must process every request in this flood, and it becomes so busy that it cannot handle its normal work and many new requests are dropped. If the target is a TCP-based service, dropped requests are retransmitted, adding further load to the network.

There are generally the following types of attack:

(1) Message stream

A message stream occurs when a user sends a large number of packets to the target host over the network. It slows the target host down and makes it hard for the host to process its tasks normally. The requests are routed to the target continuously as file service requests, login requests or response requests, increasing the target's processor load and consuming a large share of its resources on responding to them. In extreme cases a message stream can crash the target host because it runs out of buffer memory or hits some other error.

(2) "Sticky" Attacks

On Unix systems a TCP connection is established through the three-way handshake. If an attacker sends many connection requests and starts each connection but never completes the remaining handshake steps, the receiver keeps many of these half-open connections, which occupy a lot of resources. These connection requests usually carry a forged source address, so the system cannot trace the connection and can only wait for it to be released by timeout.

(3) SYN-Flooding Attack

The attacker sends as many requests as possible from forged addresses to the target computer in order to tie up its resources. When the target receives such a request it allocates system resources to the new connection and replies with a SYN-ACK. Because the SYN-ACK goes to a forged address, no answer ever comes back, so the target keeps retrying the SYN-ACK. Systems have a default reply timeout, and the resources are released only when a reply arrives or the timeout expires; after each resend the wait time doubles. Eventually the system's resources are exhausted and it can no longer serve new connections. Although an attacker launching this attack gains no access to the system, they can slow the server's other services or stop it from accepting new connections altogether.

2. Weak-password attacks

Because Unix operating systems have very few vulnerabilities and they are hard to exploit, many attackers turn to accounts and passwords to break into the system. The user's ID is easily obtained with existing scanners, so the password becomes the first and only line of defence. Yet for convenience, some administrators give some accounts easy-to-guess passwords, and some accounts have no password at all, which is an open door for attackers. In addition, many systems come with built-in or default accounts whose passwords are never changed. All of this gives attackers plenty of opportunities, and they usually look for exactly these accounts: once an attacker has determined an account name and its password, they can access the target computer.
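The two conditions this section names, accounts with no password at all and default accounts left enabled, can both be found from the account files. The following audit is an added example and is not code from the original article: the /etc/passwd and /etc/shadow excerpts are constructed, and DEFAULT_ACCOUNTS is this example's own assumed list of vendor and service account names worth checking.

```python
"""Audit of local accounts for the weak-credential conditions named above:
accounts with no password at all, and built-in or default accounts that
can still log in.

Added example; not code from the original article. The /etc/passwd and
/etc/shadow excerpts are constructed, and DEFAULT_ACCOUNTS is this example's
own assumed list of vendor or service accounts worth checking."""

# Constructed /etc/passwd excerpt: name:x:uid:gid:gecos:home:shell
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
"""

# Constructed /etc/shadow excerpt: name:hash:lastchg:min:max:warn:inactive:expire:
# An empty hash field means the account needs no password; a field starting
# with '!' or '*' means the account is locked.
SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
ftp::19000:0:99999:7:::
guest:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumed list of default/built-in account names an attacker would try first.
DEFAULT_ACCOUNTS = {"ftp", "guest", "test", "admin", "operator"}


def parse_passwd(text):
    """Map account name -> login shell from passwd-format text."""
    shells = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        shells[fields[0]] = fields[6]
    return shells


def parse_shadow(text):
    """Map account name -> password hash field from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line: {line!r}")
        hashes[fields[0]] = fields[1]
    return hashes


def audit_accounts(passwd_text, shadow_text):
    """Return sorted (account, finding) pairs for accounts that can log in
    without a password or are default accounts left enabled."""
    shells = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, shell in shells.items():
        if shell in NOLOGIN_SHELLS:
            continue  # no interactive login regardless of the password field
        pw = hashes.get(name)
        if pw is None:
            findings.append((name, "no shadow entry"))
            continue
        if pw.startswith(("!", "*")):
            continue  # locked account
        if pw == "":
            findings.append((name, "empty password"))
        if name in DEFAULT_ACCOUNTS:
            findings.append((name, "default account can log in"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{account:8s} {finding}")
```

On the constructed input the audit flags the ftp account twice (no password, and a default account with a real shell) and the guest account once; the locked alice account and the daemon account, which has no login shell, are not reported. On a real system the same function would be run over the contents of /etc/passwd and /etc/shadow, which requires root to read.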

2. Preventing denial-of-service attacks

1. Harden the operating system

Hardening the operating system means configuring its parameters to make the system more stable, recompiling the kernel or adjusting kernel parameters (on BSD, for example), and so improving its resistance to attack. Take SYN Flood, a typical DoS attack: it exploits a weakness of the TCP/IP protocol by sending large numbers of forged TCP connection requests, so that users can no longer connect to the service or the operating system is paralysed. The attack involves two system parameters: the number of pending connection requests the system will queue, and how long a request may wait before it times out. Raising the queue length from the default of 128 or 512 to 2048 or more lets the system hold and digest more attack packets at a time; setting a short timeout keeps normal connections working while shedding the illegitimate ones. However, the protection these methods give is usually very limited.
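The SYN-ACK retry behaviour described under SYN Flooding above and the two parameters this section tunes (queue length and timeout) can be put into one small model that shows why a larger queue and a shorter timeout help, and why the help is limited. This is an added example, not code from the original article; the configuration names, the assumed default of five resends with a one-second initial wait, and the hardened setting are this example's own assumptions modelled on the text.

```python
"""How SYN-ACK retransmission back-off and the SYN backlog size decide how
fast a SYN flood fills a server's half-open queue.

Added example; this is not code from the original article. The parameter
names and the two configurations below are this example's own assumptions,
modelled on the text: the wait doubles after each resend, the queue is
raised from 128 or 512 to 2048, and the timeout is shortened."""

from dataclasses import dataclass


@dataclass(frozen=True)
class SynQueueConfig:
    backlog: int         # half-open entries the listener will queue
    initial_rto: float   # seconds before the first SYN-ACK retransmission
    synack_retries: int  # SYN-ACK resends before the entry is given up


# Assumed defaults: a small queue and five resends with a 1 s initial wait.
DEFAULT_CONFIG = SynQueueConfig(backlog=128, initial_rto=1.0, synack_retries=5)
# Assumed hardened setting following the text: larger queue, shorter timeout.
HARDENED_CONFIG = SynQueueConfig(backlog=2048, initial_rto=1.0, synack_retries=2)


def half_open_hold_time(cfg):
    """Seconds a half-open entry for an unanswered SYN stays in the queue.
    Waits of rto, 2*rto, 4*rto, ... over retries+1 periods sum to
    rto * (2**(retries+1) - 1)."""
    return cfg.initial_rto * (2 ** (cfg.synack_retries + 1) - 1)


def steady_state_half_open(cfg, syn_rate):
    """Half-open entries held once unanswered SYNs arrive steadily at
    syn_rate per second (arrival rate times hold time), capped by the backlog."""
    return min(cfg.backlog, syn_rate * half_open_hold_time(cfg))


def saturating_syn_rate(cfg):
    """Smallest unanswered-SYN rate, per second, that keeps the backlog full."""
    return cfg.backlog / half_open_hold_time(cfg)


def seconds_until_full(cfg, syn_rate):
    """Seconds until the backlog is full at syn_rate, or None if it never fills."""
    if syn_rate * half_open_hold_time(cfg) < cfg.backlog:
        return None
    return cfg.backlog / syn_rate


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label:9s} hold={half_open_hold_time(cfg):5.0f}s "
              f"saturates at {saturating_syn_rate(cfg):7.1f} SYN/s")
```

With the assumed defaults a half-open entry lives 63 seconds, so about two unanswered SYNs per second are enough to keep a 128-entry queue permanently full. The hardened setting holds each entry for 7 seconds in a 2048-entry queue and needs roughly 290 SYN/s to saturate: well over a hundred times better, yet still a trivial rate for a flood, which is the limitation the section ends on.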

2. Add a firewall

We can put a firewall between the company's server and the external network to keep out unpredictable and potentially destructive intrusions. A firewall is a set of software or hardware components, the "bricks" of the wall, that separates the external network from the internal one and protects the internal network from unauthorised access from outside, so using a firewall against DoS attacks can effectively protect internal servers. We can place the FTP server in the firewall's DMZ, where it accepts access from the Internet while remaining under the firewall's protection. Against SYN Flood, firewalls usually offer three protection methods: SYN gateway, passive SYN gateway and SYN relay.

(1) SYN Gateway

When the firewall receives a SYN packet from the client it forwards it straight to the server. When it receives the server's SYN/ACK it forwards that to the client and, at the same time, sends an ACK to the server in the client's name to complete the TCP three-way handshake, so the server moves the connection from half-open to established. When the real ACK arrives from the client, the firewall forwards the data to the server; otherwise it discards the packets. Because a server can hold far more established connections than half-open ones, this method effectively reduces the attack's effect on the server.

(2) Passive SYN Gateway

The firewall's SYN request timeout is set far shorter than the server's. The firewall forwards the client's SYN to the server, the server's SYN/ACK to the client, and the client's ACK to the server. If the client has not sent its ACK when the firewall's timer expires, the firewall sends an RST to the server so that the server removes the half-open connection from its queue. Because the firewall's timeout is much smaller than the server's, this effectively defends against SYN Flood.

(3) SYN Relay

When the firewall receives a SYN from the client, it records the connection state instead of forwarding the SYN to the server, and itself sends the SYN/ACK back to the client. If it then receives the client's ACK, the access is genuine, and the firewall sends a SYN to the server and completes the three-way handshake. The firewall thus acts as a proxy between client and server and can filter out connections that would never complete before they reach the server.
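The three methods above differ in what the server ever gets to see. The following event-driven model replays the same constructed traffic (one genuine client plus fifty SYNs from forged addresses that never ACK) through each mode and reports the server's half-open and established counts. It is an added example and is not code from the original article or from any firewall product; the timeouts, the mode names and the traffic list are this example's own assumptions.

```python
"""Event-driven model of the three firewall SYN-protection modes described
above (SYN gateway, passive SYN gateway, SYN relay) next to no firewall.

Added example; not code from the original article or from any firewall
product. Timeouts, the event model and the constructed SYN list are this
example's own assumptions."""

import heapq

SERVER_SYN_TIMEOUT = 63.0    # assumed: how long the server keeps a half-open entry
FIREWALL_SYN_TIMEOUT = 3.0   # assumed: passive SYN gateway timer, far below the server's
MODES = ("none", "syn_gateway", "passive_syn_gateway", "syn_relay")

# Constructed traffic: one genuine client that completes its handshake, and
# 50 SYNs from forged source addresses whose SYN/ACK is never answered.
SAMPLE_SYNS = [(0.0, "legit", 0.2)] + [(0.01 * i, f"spoofed-{i}", None) for i in range(50)]


def simulate(mode, syns, end_time):
    """Replay (t_syn, conn_id, t_ack_or_None) tuples through the given firewall
    mode and return what the server experienced up to end_time."""
    assert mode in MODES
    events = []  # heap of (time, seq, action, conn); seq keeps ordering stable
    seq = 0

    def schedule(t, action, conn):
        nonlocal seq
        heapq.heappush(events, (t, seq, action, conn))
        seq += 1

    for t_syn, conn, t_ack in syns:
        schedule(t_syn, "client_syn", conn)
        if t_ack is not None:
            schedule(t_ack, "client_ack", conn)

    server_half_open, server_established = set(), set()
    fw_pending = set()      # SYNs the firewall holds on the server's behalf
    acked = set()
    fw_rst_sent = 0
    peak_half_open = 0

    while events and events[0][0] <= end_time:
        t, _, action, conn = heapq.heappop(events)
        if action == "client_syn":
            if mode == "syn_relay":
                fw_pending.add(conn)  # firewall answers SYN/ACK itself; server hears nothing
            elif mode == "syn_gateway":
                # SYN forwarded; firewall ACKs the server's SYN/ACK in the client's name at once
                server_established.add(conn)
                fw_pending.add(conn)
            else:
                server_half_open.add(conn)  # server queues a half-open entry
                schedule(t + SERVER_SYN_TIMEOUT, "server_timeout", conn)
                if mode == "passive_syn_gateway":
                    schedule(t + FIREWALL_SYN_TIMEOUT, "fw_timer", conn)
        elif action == "client_ack":
            acked.add(conn)
            if mode == "syn_relay":
                fw_pending.discard(conn)
                server_established.add(conn)  # firewall now completes a real handshake
            elif mode == "syn_gateway":
                fw_pending.discard(conn)      # client data may now be forwarded
            elif conn in server_half_open:
                server_half_open.discard(conn)
                server_established.add(conn)
        elif action == "fw_timer":
            if conn not in acked and conn in server_half_open:
                server_half_open.discard(conn)  # firewall sends RST to the server
                fw_rst_sent += 1
        elif action == "server_timeout":
            server_half_open.discard(conn)      # server's own reaper gives up
        peak_half_open = max(peak_half_open, len(server_half_open))

    return {
        "peak_half_open": peak_half_open,
        "half_open_now": len(server_half_open),
        "established": len(server_established),
        "fw_pending_unacked": len(fw_pending),
        "fw_rst_sent": fw_rst_sent,
    }


if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:20s}", simulate(mode, SAMPLE_SYNS, 10.0))
```

Ten seconds in, the unprotected server is still holding all fifty forged entries and will not clear them until its own 63-second timeout; the passive SYN gateway lets the queue fill briefly but resets every unanswered entry after 3 seconds; the SYN gateway keeps the server's half-open queue empty at the cost of fifty bogus established connections; and the SYN relay never lets a forged SYN reach the server at all, so only the genuine client appears.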

When choosing a firewall, an enterprise should pick one according to the protection methods above and size its performance to the enterprise's traffic volume. Higher performance naturally costs more, and performance and resource use go together: the higher the performance, the more resources the firewall takes and the larger its share of the bandwidth. Enterprises that do not want to invest heavily in security products will also want the firewall to include intrusion detection, VPN and other functions, and even anti-virus. Many firewalls are available at home and abroad, and an enterprise can choose a cost-effective product to suit its needs.

The network administrator should remember that a firewall is not a once-and-for-all fix. Its default settings suit most enterprises' requirements but are not necessarily secure, because every enterprise offers different services; administrators must set the security policy according to the attacks their own services may face. New vulnerability attacks appear constantly, and administrators must keep the firewall's vulnerability definitions up to date to guard against them.

3. Add a dedicated anti-DoS product: the "Black Hole"

Although a firewall blocks many kinds of attack, it can stop only a limited number of DoS attacks. In recent years a new kind of product has therefore appeared that combines several algorithms with the functions of several network devices (such as routing and firewall technology) to stop high-volume or multi-type DoS attacks: the "Black Hole" made by Zoomlion, which is gradually being deployed at large portal websites. Similar products exist abroad but have not been introduced into China.

The "Black Hole" uses a new algorithm, reverse detection and fingerprint recognition, to resist DoS attacks such as SYN Flood, UDP Flood, ICMP Flood and Stream Flood efficiently. What makes the algorithm distinctive is that it can efficiently verify whether a packet is genuine: on one hand it decides whether to drop a packet by checking whether it comes from a host that really exists on the network, and on the other by the specific "fingerprint" that attack packets carry (packets that do not match are discarded). So that normal traffic is not affected and system resources are not consumed, part of the algorithm is implemented in hardware, which greatly raises the processing rate, breaks down attack traffic to some extent and also balances the network load.

