Anquanbao ("Security Treasure") architecture: technical speculation and advanced network security defense

Source: Internet
Author: User
Tags: dedicated server

Times change, and people change with them. Today we are "smart" and lazy! Think back to the days and nights spent on system security, website security, website speed and the servers sitting over there, worrying until your hair turned white... In fact, we don't have to fight alone. If all the security people work together and pool their technologies and resources into a security alliance, the security problems can be solved in one go, and injection, DDoS and overflows become passing clouds...

I have been busy with website development recently and haven't written an article in a long time. But I recently saw the cooperation between DNSPod and Anquanbao in China, and I am very happy that a free security alliance has finally appeared... In fact, if you have plenty of resources, bandwidth and machines, you can set up a small security circle of your own, separate the security staff from the developers, and manage them centrally. Below are my technical guesses about the Quickshield architecture. Support Quickshield and support the open-source world. Long live Linux/BSD and long live nginx!!

The figure above (not reproduced here) is a simple defense model. The functions of its parts are described below:

1. The core scheduling node at headquarters is responsible for modifying the DNS server records, mapping each website's real IP addresses onto the different backend CDN security nodes according to the client IP, and synchronizing the final settings to the nginx instance on each local node.

2. The nginx on each local node is responsible for the reverse proxy of the website (an upstream with multiple IPs, ip_hash and a 10-second timeout), nginx caching, the open-source learning web application firewall naxsi (used for application-layer web protection against SQL injection, CC attacks, XSS and so on), and the recently released ngx_pagespeed module, which intelligently optimizes and compresses web pages...

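The two points above describe headquarters pushing the real origin addresses down to each node, and the node's nginx fronting them with an ip_hash upstream, a cache and naxsi. The script below is an added example, not Quickshield's or the page's own code: it renders that node configuration from the origin list handed down by headquarters. The nginx and naxsi directives are real, but the site name, origin IPs, paths, thresholds and the script's function name are constructed placeholders.

```shell
#!/bin/sh
# Render the reverse-proxy config for one local security node.
# Added example, not the page's or Quickshield's own code: the nginx and naxsi
# directives are real, but the site name, origin IPs, paths and thresholds are
# constructed placeholders. The output is meant to be included from nginx's
# http{} block, which must also carry "include /etc/nginx/naxsi_core.rules;".
set -eu

# render_node_conf SITE OUTFILE ORIGIN_IP...
# ORIGIN_IP... are the real origin addresses pushed down by headquarters.
render_node_conf() {
    site="$1"; out="$2"; shift 2
    # nginx zone/upstream names: keep them to [A-Za-z0-9_] (example.com -> example_com)
    tag=$(printf '%s' "$site" | tr -c 'a-zA-Z0-9' '_')
    servers=""
    for ip in "$@"; do
        # an origin that fails 3 times is skipped for 10 s before being retried
        servers="${servers}    server ${ip}:80 max_fails=3 fail_timeout=10s;
"
    done
    cat > "$out" <<EOF
# local node config for ${site} (rendered by render_node_conf)
proxy_cache_path /var/cache/nginx/${tag} levels=1:2 keys_zone=${tag}_cache:10m max_size=1g inactive=60m;

upstream ${tag}_origin {
    ip_hash;    # the same client IP always lands on the same origin
${servers}}

server {
    listen 80;
    server_name ${site};

    location / {
        # naxsi: block once the SQL/XSS/traversal scores cross these thresholds
        SecRulesEnabled;
        DeniedUrl "/RequestDenied";
        CheckRule "\$SQL >= 8" BLOCK;
        CheckRule "\$RFI >= 8" BLOCK;
        CheckRule "\$TRAVERSAL >= 4" BLOCK;
        CheckRule "\$EVADE >= 4" BLOCK;
        CheckRule "\$XSS >= 8" BLOCK;

        proxy_pass http://${tag}_origin;
        proxy_connect_timeout 10s;
        proxy_read_timeout 10s;
        proxy_cache ${tag}_cache;
        proxy_cache_valid 200 302 10m;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }

    # naxsi redirects blocked requests here; answer with a plain 403
    location /RequestDenied {
        return 403;
    }
}
EOF
}

# Usage: ./render_node.sh example.com /etc/nginx/conf.d/example.com.conf 10.0.0.11 10.0.0.12
if [ "$#" -ge 3 ]; then
    render_node_conf "$@"
fi
```

After rendering, validate with `nginx -t` and reload; the node only needs to re-run the script whenever headquarters changes the origin list, which is what "synchronize the final settings to each node's nginx" amounts to in practice.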
 

3. The firewall handles the most basic network-layer DDoS defense: iptables with ipset timed block lists, concurrency limits, and TCP flag and connection-state control.

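As an added example (not the page's code) of the three controls just listed, the script below builds one iptables chain that drops sources on an ipset block list with a timeout, rejects impossible TCP flag combinations and out-of-state packets, and sends any source exceeding a per-IP concurrency limit on the web ports to that timed block list. Chain and set names, ports and thresholds are constructed; `DRY_RUN=1` prints the commands instead of applying them.

```shell
#!/bin/sh
# Edge firewall: ipset timed block list, TCP flag/state sanity and a per-source
# concurrency limit with iptables. Added example, not the page's code; chain
# and set names, ports and thresholds are constructed placeholders.
set -eu

# run CMD...: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# apply_edge_firewall: (re)build the EDGE_DDOS chain and hook it into INPUT
apply_edge_firewall() {
    max_conn="${MAX_CONN:-50}"      # concurrent connections allowed per source IP
    block_ttl="${BLOCK_TTL:-600}"   # seconds an offender stays on the block list

    # 1. Timed block list: entries expire on their own after block_ttl seconds.
    run ipset create blocklist hash:ip timeout "$block_ttl" -exist

    run iptables -N EDGE_DDOS 2>/dev/null || true
    run iptables -F EDGE_DDOS

    # 2. Anything already on the block list is dropped first.
    run iptables -A EDGE_DDOS -m set --match-set blocklist src -j DROP

    # 3. TCP flag sanity: combinations no legitimate stack sends.
    run iptables -A EDGE_DDOS -p tcp --tcp-flags ALL NONE -j DROP
    run iptables -A EDGE_DDOS -p tcp --tcp-flags ALL ALL -j DROP
    run iptables -A EDGE_DDOS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    run iptables -A EDGE_DDOS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    # 4. State control: a NEW tcp connection must begin with a bare SYN.
    run iptables -A EDGE_DDOS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # 5. Concurrency: a source above max_conn on the web ports is added to the
    #    block list (so rule 2 keeps dropping it until the timeout) and dropped.
    run iptables -A EDGE_DDOS -p tcp -m multiport --dports 80,443 \
        -m connlimit --connlimit-above "$max_conn" -j SET --add-set blocklist src
    run iptables -A EDGE_DDOS -p tcp -m multiport --dports 80,443 \
        -m connlimit --connlimit-above "$max_conn" -j DROP

    # 6. Hook the chain into INPUT once (the -C existence check is skipped in dry-run mode).
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C INPUT -j EDGE_DDOS 2>/dev/null; then
        run iptables -I INPUT -j EDGE_DDOS
    fi
}

# Usage: ./edge_fw.sh show   (print the rules)   ./edge_fw.sh apply   (as root)
case "${1:-}" in
    apply) apply_edge_firewall ;;
    show)  DRY_RUN=1 apply_edge_firewall ;;
esac
```

Tune `MAX_CONN` to the real per-client concurrency of the site (proxies and NAT gateways share one source address) before applying, and watch `ipset list blocklist` for a while in production to see who is being caught and for how long.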
 

To sum up: for an ordinary user it is probably enough to use only the open-source nginx with the naxsi (nginx_waf) web application firewall plus the netfilter firewall, or a purchased Cisco/Huawei professional firewall plus nginx cache CDN and the ngx_pagespeed module, which is still in testing... It's simple, but enough to deal with common hackers!

Okay. Are we safe with the defenses above? Far from it!!

1. Probably neither the origin server nor the CDN security nodes of the security group have an advanced anti-overflow defense system enabled.

2. There are no website data integrity or backup functions, or the backups are not encrypted.

3. Are you sure it can defend against SQL injection?... No fundamental defense measures have been taken.

4. Basically only the website is protected. Who is responsible for system security, for example our SSH?

5. Who is responsible for managing the server's Xen and KVM environments? If there is source code that must stay confidential, a simple cp of the Xen image, mounted on another system, exposes everything; no secrets left!!!!

6. Analysis of hacker intrusion behaviour is a blank. Anquanbao cannot enable MAC (mandatory access control) security for us.

7. There is no network intrusion detection system monitoring, so network intrusions can only be prevented passively. Do we need to watch our website 24 hours a day?!!

8. Anquanbao did not optimize our origin server for us...

So what should we do?!!!!!!!!!

1. On the CDN node (if the CDN itself is not secure, an attacker can modify the cache inside the CDN directly!! Our website must not just lie down and take it) and on the origin server, enable the advanced security defense system grsecurity with the PaX anti-overflow hardening patch, and use paxctl -PEMXSR to harden nginx, apache and sshd against unknown vulnerabilities; or use OpenBSD and compile the libraries (libc) from source to prevent overflows. Generally a Xen/KVM site does not need such high performance, and 10 MB of bandwidth is enough. Thank God!

2. After deployment, create MD5/SHA1 file signatures for the website or the server, or use AIDE or Tripwire. At the same time, back up all important data regularly.

 

3. Do not use the MySQL/PostgreSQL database; use a NoSQL architecture directly. Redis completely defends against SQL injection, and you save PHP's input filtering, whose string handling performs poorly! Abandon apache and go fully through nginx with allow/deny and the lua module for security logic, building access control stricter than naxsi, a free application-layer firewall more convenient than iptables l7-filter and the like. Do you still need to study and compile features? My god!! Traffic control, P2P, Thunder? That has been around for years!!

4. Review the choice of, and differences between, the server's top-level security defense policies; with layered defense in depth every hacker intrusion is a passing cloud, so perform basic camouflage hardening on the system.

5. Enable LVM encrypted volumes or the eCryptfs file system to encrypt the partitions that store key data. This is very necessary!

6. There is no need to use the Debian/Ubuntu system as shipped: you can customize all the MAC security and the kernel on a large scale. grsecurity, TOMOYO and AppArmor are MACs that are easier to learn than SELinux; although path-based and file-based MAC is said to be insecure, who can guarantee that SELinux labels will never be changed?! It is also important to disable all unused drivers and modules and keep the kernel within 1.8 MB!

7. If you have a dedicated server, enable network-wide analysis and monitoring with colai, or an older-generation IDS/IPS such as Suricata or Snort.

At the very least, enable portsentry monitoring... Let's see who is hacking you, so that appropriate defense measures can be taken.

8. The sysctl optimization and compile-time optimization of the system will not be discussed here...

9. Note that when customizing the kernel you should keep 2 + 1 kernel versions from the original release rather than a single one, to guard against problems: for example 3.2.44 from the stable branch and 3.9 as the latest, so that when a major kernel vulnerability appears you can switch to the other!!

Finally, test the system: use every web security testing tool and attack tool, 360 and so on... and attack and intrude your own website at least 10 times! (Be careful with DDoS; do not hit others by mistake.) Well, there is no limit to technology, but there is a limit to a lifetime. I hope we can exchange ideas and make progress together.

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
