A5 security Group Jack Server and website security lectures

Source: Internet
Author: User

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

Now on the server and Web site security issues, we can not ignore, this is from the webmaster recently a problem, but also one of the biggest problem, in a timely manner to prevent, will be more secure. Deliberately sorted out what Jack said this afternoon about server security.

Let's start with the lecture, and I think it's more appropriate to talk about the experience.

﹍jack.! 14:31:00

Hello everyone, I am A5 security group Jack, today to communicate with you about Web server security related issues.

﹍jack.! 14:31:41

In fact, in terms of server and site security settings, although I have some experience, but there is no research, so I do this lecture today when the heart is very uncomfortable, always afraid to say wrong will be mistaken for other people's things, there are wrong places also please point out, today is all about the exchange. Perhaps you have a security master or a master of destruction to see what I said would be ridiculed or secretly pleased, but I think my experience is still there are many right place, there are tens of thousands of people than I know or need someone to provide these experience and information. Oh

﹍jack.! 14:32:18

Now almost a part of the webmaster have their own servers, some people also use a virtual host or a rental server. For now in the use of virtual hosting and rental of some of the webmaster may be in the server security considerations are relatively few, because there is a strong IDC technology in support, as long as the use of their own web site procedures to understand a little more, pay more attention to the official release of the program news and vulnerability patches hint, Timely upgrade procedures to hit the latest patch on the security has been 80%, the official patch is released to us free of charge, if the bug patch can not be hit in time, then the site was black the possibility of almost 80%, so that the program must be timely hit the patch. The second is the virtual Host Management account password and FTP account password, background landing path address and administrator account password settings, this may be a lot of people sometimes easy to ignore, but because the negligence of the password set is too simple or did not change the default account password, background path caused by the site is black or a small number of webmaster.

Now there are a lot of fool-like hacker tools, a person who knows a little computer technology can get started, for some FTP account password and Web site background password Simple site can be a lot of access to the account password, direct landing ftp or backstage to get Webshell, So generally in the FTP account password to be timely after the modification as far as possible more complex the better. Site in the installation after the timely deletion of installation files to modify the background path and login password is necessary to do, do not bother, perhaps your small operation will give you a great site security, negligence, lucky psychology will only bring great security risks to the site, because an intrusion to find Is that you are neglected to drill holes that you don't notice.

﹍jack.! 14:33:25

All right, okay. For Web site security using a virtual host I'll talk about this a little bit, and let's focus on the security settings for standalone Web servers.

Recently met several stationmaster to ask me for help, looked at the situation are almost, because the early only to get the Web site, the security of the server awareness and technical prevention is not enough so that the entire server has been hacker control, the server on all sites are hung horse, are good tens of thousands of flow of the site, this consequence is very serious. In the server configuration site and environment when the security is not taken into account, just in order to allow their own site to access the normal, so the entire server's permissions are almost everyone permissions in operation. Such a server can not be black purely accidental. Below we to the current mainstream server system WIN2003 to give you some relevant security configuration and prevention of information, I hope to help you. I'll write it in a few chunks.

﹍jack.! 14:35:07

General server and Web site is black The basic reasons summed up for a few points:

1. Still using FAT32 disk format server

2. There are no independent users for each IIS site

3. The hard drive is full of everyone control

4. Never install Windows Update

The above 4 solution is not to say, if even this do not understand, then good to http://bbs.admin5.com/forum-281-1.html study, hehe.

﹍jack.! 14:35:43

Below I will explain some of the necessary big points.

﹍jack.! 14:36:29

Question 1. Weak password

Many administrators do not have the habit of setting complex passwords, which is quite dangerous because any scanning software can be very light

Easy to find what your remote port is, and then find a brute-force software, if the password is simple, one night can be,

Break so this is the basic work, do not for remote landing convenient and less easy to set a simple password, you need to set at least 12-digit secret

Code don't be afraid your password will be too long because 2003 supports a 128-bit password.

﹍jack.! 14:37:49

Question 2. Default Share

It is often said that the $IPC loophole, in fact, is not a loophole, this is one of the 2003 powerful features of the embodiment.

The basic idea is to use NET command and server to establish a connection (of course, before the establishment of the administrator password, so weak password machine

will be easy to recruit), and then you can execute any program on the server.

No matter how weak your password is, I'm sure you won't manage your server this way, so the complete solution is to remove the share, such as

How to delete the default share, the Internet seems to introduce a lot of this, there is a best and easiest way is to disable the Server service.

The associated Computer Browser and distributed File system are also banned, and you can't use them anyway.

﹍jack.! 14:39:00

Question 3. Hazardous components

﹍jack.! 14:39:14

The following 5 components are from windows, but because they are too powerful, a little carelessness can create vulnerabilities

FSO, XML, W.shell, Shell.Application, w.network

As a virtual host, FSO and XML are definitely used, or your virtual host even a forum can not put, estimated your space is sure

Will not sell out hehe. If you have a stand-alone host, you're sure you won't be able to use these 2 components, then unload him, especially the FSO component.

How to uninstall the FSO component: regsvr32/u C:\winnt\system32\scrrun.dll

W.shell, Shell.Application, w.network These 3 are almost not used, the main harm is through ASP can

To run EXE files and modify the registry, almost all ASP trojans use these components, and normal ASP programs are not used,

So simply delete it, but W.shell will be part of the host management program used, but also some packaging program will be used,

You'd better confirm it before you delete it.

﹍jack.! 14:39:57

Method:

Uninstalling W.shell and W.network components: regsvr32/u c:\winnt\system32\wshom.ocx

Uninstall the Shell.Application component: regsvr32/u C:\winnt\system32\shell32.dll

﹍jack.! 14:40:26

Execute these commands directly in DOS.

﹍jack.! 14:41:01

By the way, for the component associated with the DLL file, if you want to have some users, just set the corresponding DLL file separately

Permissions. For example, you just want to give a few users only FSO, so as long as a separate set of Scrrun.dll permissions, to

The person to be read and run.

﹍jack.! 14:41:51

Question 4. Default Windows Permissions

﹍jack.! 14:42:22

This is a complex issue, but it is true that the security settings for the default Windows directory are a bit too large, as the following simple changes.

HT Technology/Hypertension 14:42:44

﹍jack.! 14:42:53

C-Packing directory Only Administrators and system completely

C:\Program Files\Common Files Administrators and system complete, everyone read and run

C:\Program files\ Other directories only Administrators and system complete

If you have an ASP component installed in this directory, then the component directory also requires everyone to read and run

c:\winnt\ All files (files in the directory, excluding subdirectories) only administrators and system completely

C:\winnt\system32\dllhost.exe administrators and System complete, everyone read and run

c:\winnt\system32\ other EXE and COM files (files in the directory, excluding subdirectories) only administrators and system completely

﹍jack.! 14:44:26

The above permissions can be set very fine, or even accurate to each file, but generally this setting is OK.

If you are not a virtual host server, installed other software, I suggest you confirm good later, may lead to other software running problems, c disk each authority although set up very troublesome, but directly affect the normal operation of your server stability and security so must be paid attention to. The default permissions run will only bring you the risk of hacking Trojan.

﹍jack.! 14:48:24

For those of you who have no technical basis, I am very practical. You can move in the past and do what you say, so I might be more mechanized in terms of the regulations. ,

﹍jack.! 14:49:10

The next question about SQL

﹍jack.! 14:49:36

SQL is too powerful, the default SA account is omnipotent, but the name of the SA account cannot be modified, so regardless of the SA's password a

Be strong enough to use all the available characters.

In addition, it is also recommended that the SQL normal user's backup authority to cancel, or SQL Cmdshell will also be out of trouble.

﹍jack.! 14:49:49

Specific defense MS SQL methods are as follows:

﹍jack.! 14:50:09

MS SQL SERVER2000

Log in to Query Analyzer with System account

Run the following script

Use master

exec sp_dropextendedproc ' xp_cmdshell '

exec sp_dropextendedproc ' xp_enumgroups '

exec sp_dropextendedproc ' xp_loginconfig '

exec sp_dropextendedproc ' xp_enumerrorlogs '

exec sp_dropextendedproc ' xp_getfiledetails '

exec sp_dropextendedproc ' sp_OACreate '

exec sp_dropextendedproc ' sp_OADestroy '

exec sp_dropextendedproc ' sp_OAGetErrorInfo '

exec sp_dropextendedproc ' sp_OAGetProperty '

exec sp_dropextendedproc ' sp_OAMethod '

exec sp_dropextendedproc ' sp_OASetProperty '

exec sp_dropextendedproc ' sp_oastop '

exec sp_dropextendedproc ' xp_regaddmultistring '

exec sp_dropextendedproc ' Xp_regdeletekey '

exec sp_dropextendedproc ' Xp_regdeletevalue '

exec sp_dropextendedproc ' xp_regenumvalues '

exec sp_dropextendedproc ' xp_regremovemultistring '

exec sp_dropextendedproc ' xp_regwrite '

drop procedure Sp_makewebtask

Go

﹍jack.! 14:50:54

Executing the above SQL statement is tantamount to unloading some SQL unsafe components that are easily exploited by hackers

﹍jack.! 14:53:06

My SQL If you install a strong password, and the most important thing is that you do not use root to do your site connected to the database account password. Because everyone knows that the root in the SA and my SQL inside MS sql is superuser. This highest privilege, once exploited by a hacker, can almost get access to the entire server. So remember.

﹍jack.! 14:54:10

Let's talk below serv.

﹍jack.! 14:55:21

It is estimated that a bit of experience webmaster webmaster know serv is often used by hackers to webshell the right tool often this thing is also easily forgotten a corner but also fatal.

﹍jack.! 14:56:51

How to prevent serv the right to mention.

It's really simple.

1. Do not install Serv by default when installing to C disk. This is important, if you install to C disk and C disk does not have the right to set up, then through the Webshell has the Serv file read and Write permissions to modify the serv of an INI configuration file can add users.

﹍jack.! 14:57:39

2. Give Serv the tool itself to set up a strong running password. It is also very necessary that this trick can almost block the 80% serv claim.

﹍jack.! 14:59:02

3. With UltraEdit open ServUDaemon.exe find Ascii:localadministrator, and #l@ $ak #.lk;0@p, modified to its

He wanted to wait for the other length of the characters on it, ServUAdmin.exe also handled.

﹍jack.! 14:59:31

Ultraedit This tool in Baidu search under a lot of cracked version of the download.

﹍jack.! 15:00:04

Maybe everyone feels very troublesome and feels nothing.

But after the server was hacked to the horse you regretted that it was too late.

﹍jack.! 15:01:03

If there's no other reason, it's best to serv download the latest version of the new version almost all make up a lot.

﹍jack.! 15:04:58

A lot of people asked me what the server installed firewall good.

In fact, the server really does not need to install other firewalls in fact, the Microsoft system with the firewall is very good.

﹍jack.! 15:06:19

Open the default firewall to add the usual ports 80 1433 3306 21 3389, and the special port you use frequently. If conditions permit, you can restrict the remote port to allow only the specified IP connection 3389 but dynamic IP certainly not

﹍jack.! 15:06:54

This is the so-called 3389 to do the next springboard, in addition to the IP you allow the 3389 of the other can not even

﹍jack.! 15:10:52

When you configure the IIS station.

Remove system Disk \inetpub directory

﹍jack.! 15:11:44

Because many people in this folder are configured C disk security is easy to ignore but his permission is the default is relatively large. Easy to transfer the Trojan right here.

﹍jack.! 15:11:52

especially DLL file

﹍jack.! 15:14:45

The least right, the greatest security!

Most of the time don't be afraid of trouble or carelessness.

﹍jack.! 15:15:11

In fact, when we set the password more than set a number of hackers may be cracked to increase the difficulty of n times.

﹍jack.! 15:17:00

Because whether to take the shell or the right will want to upload some files to the server file these Trojan files as long as not to kill do very cow words will generally be anti-virus software block.

﹍jack.! 15:17:09

Install anti-virus software, such as McAfee and Norton, but do not recommend domestic anti-virus software, poor results, accounting for resources, and foreign first-class software is indeed no way than

Excellent anti-virus software with access to scan function is generally very useful, he can run

﹍jack.! 15:17:31

My advice is that Norton +360 is a good combination of these two.

﹍jack.! 15:19:59

Well, you know, when you're working on the server, there are times when something doesn't make sure you're doing the right thing. Do not operate the server do not want to PC machine everyone knows that the remote live dead.

Crazy 15:20:07

Make a system patch. There is also a program patch. I don't usually get in.

﹍jack.! 15:20:52

En system patches and program patches are sure to play even if this does not hit the words really black can only blame himself.

﹍jack.! 15:21:05

These are free to provide us with the vulnerability information we should actively play,

﹍jack.! 15:22:23

Everything is the first precaution and so on to solve a little late will cause a certain loss will also leave behind hidden dangers now some can be inserted in the picture of a Trojan horse is really very difficult to check.

Crazy 15:22:27

Not to kill the special.

﹍jack.! 15:23:37

Prevention + permissions + daily Careful maintenance I think this should greatly reduce the security risks.

﹍jack.! 15:24:50

All right, let's talk about it today. Maybe a little messy, may be sitting there are a lot of experts in this area, if there are wrong places also please do not hesitate to point out thank you, I hope we have a lot of exchanges.

Thousands of miles of snow 15:25:06

ALEX, 15:25:07.

Crazy 15:25:23

Very practical

===========================

After reading, for webmaster, Jack said, are some of the most easy to ignore, the most basic problem, at the same time very practical. A5 Recommended Server service: http://safe.admin5.com

Thanks, Admin5.

Thank you, Jack.

www.9haowan.com, thank you.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.