Web site security system and server security management

Windows server, FreeBSD are two common types of servers. The first is Microsoft's products, convenient and easy to use, but you have to constantly patch it. FreeBSD is an elegant operating system that is moved by its simplicity of the kernel and its superior performance. With regard to the security of these operating systems, you can write a book for each of them. I'm not going to describe them in detail here, just some system initialization security configuration.




Initial security configuration for
Windows2000 server




When a server
windows is running, it opens some ports, such as 135, 139, 445, and so on. These ports are used for the functional needs of Windows itself, and a reckless shutdown can affect the functionality of Windows. However, it is the presence of these ports that poses a lot of security risks to Windows servers. Remote attackers can take advantage of these open ports to collect target host information extensively, this includes the operating system version, domain SID, domain user name, host SID, host user name, account information, network share information, network time information, NetBIOS name, network interface information, and so on, and can be used to enumerate account numbers and passwords. In August and September of this year, Microsoft issued two security bulletins based on 135-port rpcdcom vulnerabilities, namely, ms03-026 and MS03-039, which are high risk levels that attackers can use to gain system privileges. and similar vulnerabilities are common in Microsoft's operating system.





the common way to solve this type of problem is patching, Microsoft has a good habit of keeping user patches updated, and its windows2000sp4 can be windowsupdate to automatically upgrade system patches after installation. In addition, it would be wise to explicitly block access to 135-139 and 445 and 593 ports from the internet on the fire wall.





Microsoft's SQL Server database service is also vulnerable to attacks, and the SQL worm, which prevailed in March this year, has been heavily damaged by many companies, so if Microsoft's SQL Server is installed, it is necessary to do so: 1 Update Database Patches 2 Changes the default service port (1433) of the database, 3 shields the database service port on the firewall, and 4 guarantees that the SA password is not empty.





In addition, the installation of anti-virus software on Windows Server is absolutely necessary, and to constantly update the virus library, regularly run anti-virus software killing virus.





Do not run unnecessary services, especially IIS, and do not install them if you do not need them. There are a number of problems with IIS, some of which are worth noting when configured: 1 OS patch version must not be less than sp3;2) do not run the Web on the default path (default is C:inetpubwwwroot); 3 The following ISAPI application extensions can be deleted:. IDA.IDQ.IDC. shtm. shtml. Printer.




Initial security configuration for
FreeBSD





FreeBSD considered security at the beginning of the design, and after the initial installation, it basically opened only the (SSH) and the (Sendmail) ports, but even Sendmail should shut it down (because there are many security issues in the history Sendmail). The way is to edit the/etc/rc.conf file, change and add the following four sentences:





sendmail_enable= "NO"





sendmail_submit_enable= "NO"





sendmail_outbound_enable= "NO"





sendmail_msp_queue_enable= "NO"





This disables the SendMail function, unless your server is in a secure intranet (for example, after a firewall and no other company hosts in the network segment), do not open the sendmail.





Prohibit blog: The following lines are guaranteed in/etc/rc.conf:





syslogd_flags= "-ss"





This prevents logging from the remote host and closes Port 514, but still allows logging of the machine log.





Prohibit NFS services: In/etc/rc.conf, there are several lines:





nfs_server_enable= "NO"





Nfs_client_enable= "NO"





portmap_enable= "NO"





in some cases the NFS service is needed, for example, the directory where users upload images is often shared for use by several Web servers, and NFS is used. Similarly, to turn on NFS, you must ensure that your server is in a secure intranet, and if NFS servers can be accessed by others, there is a greater risk to the system. Ensure that all services in the/etc/inetd.conf file are logged out, unlike other systems, do not run any services by inetd. Add the following statement to/etc/rc.conf:





inetd_enable= "NO"





all changes to the/etc/rc.conf file should reboot the system after execution.





If you want to run Apache, edit the httpd.conf file and modify the following options to improve security or performance:





1) Timeout 300>timeout 120





2) maxkeepaliverequests 256





3) serversignature on>serversignature off





4 options Indexesfollowsymlinks Line indexes deleted (options for the directory do not have the index option)





5 Changes the users and groups that are running Apache to nobody





6) maxclients 150-->maxclients 1500





(if you want to use Apache, the kernel must be recompiled, otherwise it won't pass the Apache stress test, see my other article about how to configure and manage a Web server)





If you want to run the FTP service, install PROFTPD, which is more secure. Do not open anonymous FTP on any server.





Windows FreeBSD Server and the security configuration of two kinds of servers to everyone, I hope you have mastered.