Abstract: The newly released "2013 Chinese University Website Security Test Report" from 360 says that each Chinese university website was attacked 113 times a day on average (including scanning and similar activity), and that the most heavily targeted site was attacked tens of thousands of times.
360's latest "2013 Chinese University Website Security Test Report" says that each Chinese university website was attacked 113 times a day on average (including scanning and similar activity), and that the most heavily targeted site was attacked tens of thousands of times. The report's data sample covers January 1 to May 30, 2013 and was drawn from the university website security data in the 360 Website Security Testing and 360 Site Guardian product databases, covering about 50,000 university websites across 30 provinces.
Taking the university websites above as an example, hacked and compromised websites are nothing new: everything from county government sites to national sites is regularly broken into. Government sites, however, are usually compromised only after an attacker has paid a high price; most company websites are compromised, injected with malicious code, or taken offline because of low-level mistakes. The following explains how to make your site harder to break into.
Three major impacts on Web site security
First, the website program
The website program is a major issue: choose the wrong one and the chance of a break-in is high. Many sites are built from free open-source code downloaded from somewhere, and there are two cases.
(1) Downloading an obscure free source package. Such code is almost certain to be compromised: because it is free and has few users, the developers neither fix vulnerabilities nor release upgrades, so the site gradually accumulates holes. Even if you choose a free open-source program, choose a well-known one.
(2) Downloading a well-known site-building CMS such as DedeCMS, phpwind, EasyCMS or ECShop. These programs have many users and their developers regularly patch vulnerabilities and release upgrades, but for the same reason attackers prefer to target them and look for flaws through which to inject malicious code. Sites running these programs must apply vulnerability fixes and upgrades promptly and change folder permissions as the security advisories instruct.
Second, the site's hosting space/server
Many sites buy cheap shared hosting, and the security of such sites is the worst: a host selling space at very low margins is not going to help you maintain the server's security, let alone its stability, so these sites are very easy to compromise. If you buy a dedicated server or VPS, you should have a professional technician maintain it: configure the server securely and set file and folder permissions correctly. If the site owner cannot hire such a person, the work should be outsourced, because a single folder-permission mistake can let an attacker take over the whole server.
Third, the admin path, account and password
Today the author helped a customer maintain a website whose admin path was admin, whose account was admin and whose password was admin123; it would be strange if such a site were not compromised. However good the program and the hosting configuration, the admin path should not be a common one, and the account and password should not be the most common ones either: an attacker scanning the server or trying to log in to the admin panel would succeed easily. So set a non-standard admin path, avoid the username admin where possible, and do not use a common password; use at least a mix of upper- and lower-case letters.
Additional knowledge to improve security performance
1. Anti-copy:
In online banking interfaces you will often find that the right mouse button does not work. This stops the client from using the right-click menu to view the page source and is meant to prevent the site's client-side code (HTML, JS, CSS, images) from being copied. Note that it is only a deterrent: the browser has already downloaded that code, and view-source, the developer tools or any HTTP client still retrieve it, so it offers no real protection.
2. Filter the content of user input:
Most website security problems originate in input the client enters through text fields.
The web server must validate and sanitize what the client submits, for example by rejecting or neutralizing input that contains code. Done properly (validating against what is expected and encoding output for the context it is rendered in, rather than relying on a blacklist of bad strings), this is fairly effective against injection and XSS attacks.
3. Use parameterized queries:
Pattern-matching client input is sometimes not enough to prevent SQL injection; parameterized queries remove the root cause, because user values are bound as data and never parsed as part of the SQL statement.
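The following is an added example (not code from the original article or from any CMS it names) that shows, on a constructed in-memory SQLite table, why a blacklist filter of the kind points 2 and 3 describe is not enough: a doubled keyword survives one pass of the filter and the injection still works, while a parameterized query is unaffected. The same single-pass filter is then shown failing against a nested script tag, beside proper HTML escaping. The table, the admin row and the blacklist regex are assumptions made for the demo.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table with one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin123')")
    conn.commit()
    return conn


# The kind of "filter the code out" blacklist the text describes (assumed list).
_BLACKLIST = re.compile(r"(or|and|union|select|--|<script>)", re.IGNORECASE)


def blacklist_filter(value):
    """Remove blacklisted fragments in a single pass, as naive filters do."""
    return _BLACKLIST.sub("", value)


def login_vulnerable(conn, name, password):
    """Query assembled by string formatting: the input becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_filtered(conn, name, password):
    """Same concatenation, but after the blacklist filter."""
    return login_vulnerable(conn, blacklist_filter(name), blacklist_filter(password))


def login_parameterized(conn, name, password):
    """Bound parameters: the driver never parses the values as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def render_filtered(comment):
    """Render a user comment after the blacklist filter only."""
    return "<p>%s</p>" % blacklist_filter(comment)


def render_escaped(comment):
    """Render a user comment with HTML escaping for the text context."""
    return "<p>%s</p>" % html.escape(comment)


def demo():
    """Run the attacks against each variant and return the outcomes."""
    conn = make_db()
    # Plain payload: closes the string and ORs a true condition.
    sqli_plain = "x' OR '1'='1"
    # Evasive payload: "OORR" becomes "OR" after the filter removes one "OR".
    sqli_evasive = "x' OORR '1'='1"
    # Evasive XSS: stripping "<script>" once leaves a working tag behind.
    xss = "<scr<script>ipt>alert(1)</script>"
    return {
        "vulnerable": login_vulnerable(conn, "admin", sqli_plain),
        "filtered": login_filtered(conn, "admin", sqli_evasive),
        "parameterized": login_parameterized(conn, "admin", sqli_evasive),
        "legit": login_parameterized(conn, "admin", "admin123"),
        "xss_filtered": render_filtered(xss),
        "xss_escaped": render_escaped(xss),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

The blacklist could be patched for these two payloads, but the next encoding or keyword variant gets through again; binding values and escaping output close the whole class instead of chasing strings.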
4. Use pseudo-static URLs:
Websites often carry parameters in their URLs, and dynamic parameters expose how pages are wired to the back-end logic, which enlarges the attack surface. Rewriting dynamic URLs as pseudo-static ones hides those parameters from casual view. This is obscurity rather than a fix: the rewritten request still reaches the same code with the same values, so the input-handling measures above are still required.
5. Use a verification code:
When registering on a forum, posting a comment or logging in as administrator, you are often asked to enter a verification code before continuing. The principle is simple: the server generates the code text, stores it in the session, and renders it as an image distorted with twists, gradients and noise. A secure, sufficiently complex verification code is effective against automated forum registration, comment-spam bots and password brute-forcing tools. The code must be checked on the server, accepted only once, and expired after a short time; otherwise a bot can replay a single solved code indefinitely.
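Below is an added example (not code from the original article) of the server side of the verification-code flow just described: generate a random code, keep the answer and its issue time in server-side session storage, and verify in constant time with single use and expiry. Image rendering is out of scope; the in-memory SessionStore, the six-character alphabet and the 120-second lifetime are assumptions for the demo.

```python
import hmac
import secrets
import string
import time

CAPTCHA_ALPHABET = string.ascii_uppercase + string.digits
CAPTCHA_LENGTH = 6
CAPTCHA_TTL = 120  # seconds a challenge stays valid (assumed value)


class SessionStore:
    """Stand-in for server-side session storage keyed by session id (assumption)."""

    def __init__(self):
        self._data = {}

    def get(self, sid):
        return self._data.setdefault(sid, {})


def new_captcha(store, sid, now=None):
    """Create a challenge for this session and return the text to be drawn.

    The answer never leaves the server except as a distorted image; a new
    challenge overwrites any unsolved one so a page can be reloaded safely.
    """
    text = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(CAPTCHA_LENGTH))
    sess = store.get(sid)
    sess["captcha"] = text
    sess["captcha_issued"] = time.time() if now is None else now
    return text


def check_captcha(store, sid, answer, now=None):
    """Verify once: the stored answer is consumed whether or not it matches,
    so neither a correct guess nor a wrong one can be retried against it."""
    sess = store.get(sid)
    expected = sess.pop("captcha", None)
    issued = sess.pop("captcha_issued", None)
    if expected is None or issued is None:
        return False
    now = time.time() if now is None else now
    if now - issued > CAPTCHA_TTL:
        return False
    submitted = answer.strip().upper().encode()
    # compare_digest avoids leaking the matching prefix length through timing.
    return hmac.compare_digest(expected.encode(), submitted)


if __name__ == "__main__":
    store = SessionStore()
    code = new_captcha(store, "session-1")
    print("solved once:", check_captcha(store, "session-1", code))
    print("replayed:   ", check_captcha(store, "session-1", code))
```

Rendering the stored text into a distorted image, and tying the session id to a cookie, are left to the web framework in use.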
6. System log:
These include the web server logs and the SQL logs. From what the logs record, the webmaster can review how clients are accessing the site and spot destructive behaviour, such as path guessing or injection attempts, before it succeeds.
7. Filter the user's IP:
This method filters out the IP addresses of unfriendly visitors and can help against denial-of-service attacks and the like. It only works against sources you can enumerate: an attacker can come back from a new address or from a botnet, so it complements the other measures rather than replacing them.
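The following is an added example (not code from the original article) that ties points 6 and 7 together: it parses a few constructed access-log lines in the common combined format, flags clients that are guessing admin paths, sending SQL-injection-looking query strings or using a known scanner user agent, and feeds those addresses into an IP block list alongside static CIDR ranges. The log lines, the 404 threshold, the injection regex and the scanner names are all assumptions for the demo.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2013:08:01:02 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:08:01:03 +0800] "GET /news.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2013:08:02:10 +0800] "GET /admin/ HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [10/May/2013:08:02:10 +0800] "GET /dede/ HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [10/May/2013:08:02:11 +0800] "GET /manager/ HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [10/May/2013:08:02:11 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
198.51.100.9 - - [10/May/2013:08:02:12 +0800] "GET /news.php?id=3%27%20OR%201=1-- HTTP/1.1" 200 2048 "-" "sqlmap/1.0"
192.0.2.44 - - [10/May/2013:08:03:00 +0800] "GET /login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumed detection rules: tune these for the site in question.
SQLI_RE = re.compile(r"""('|")\s*(or|and)\s+|union\s+select""", re.IGNORECASE)
SCANNER_UA = ("sqlmap", "nikto", "acunetix")
NOT_FOUND_THRESHOLD = 3


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_suspicious(entries):
    """Return {ip: [reasons]} for clients that look like scanners or injectors."""
    reasons = defaultdict(set)
    not_found = Counter()
    for e in entries:
        ip = e["ip"]
        if e["status"] == "404":
            not_found[ip] += 1
        # Decode URL encoding first, or %27 hides the quote from the pattern.
        if SQLI_RE.search(unquote(e["path"])):
            reasons[ip].add("sql-injection-pattern")
        if any(name in e["ua"].lower() for name in SCANNER_UA):
            reasons[ip].add("scanner-user-agent")
    for ip, count in not_found.items():
        if count >= NOT_FOUND_THRESHOLD:
            reasons[ip].add("path-guessing:%d-404s" % count)
    return {ip: sorted(r) for ip, r in reasons.items()}


def build_blocklist(suspicious, static_cidrs=()):
    """Combine administrator-supplied CIDR ranges with flagged single hosts."""
    nets = [ipaddress.ip_network(cidr) for cidr in static_cidrs]
    nets += [ipaddress.ip_network(ip) for ip in suspicious]
    return nets


def is_blocked(ip, blocklist):
    """Check one client address against every network in the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


if __name__ == "__main__":
    flagged = find_suspicious(parse_log(SAMPLE_LOG))
    blocklist = build_blocklist(flagged, static_cidrs=["10.0.0.0/8"])
    for ip, why in flagged.items():
        print(ip, why)
    print("198.51.100.9 blocked:", is_blocked("198.51.100.9", blocklist))
```

In production the block list would be pushed to the firewall or web server rather than checked in application code, and the thresholds would be set from the site's normal traffic so that a crawler following stale links is not banned.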
8. Use secure encryption technology:
When a user or administrator registers or logs in, the server must never store or compare the password in plaintext: it converts the plaintext password into a hash and stores or matches that in the database, and the password in transit must be protected by SSL/TLS so it cannot be read on an untrusted network. Commonly cited techniques are MD5 and SSL; note, however, that MD5 is neither encryption nor an adequate password hash. It is fast and unsalted, so the MD5 of a common password is found instantly in precomputed tables; passwords should be stored with a salted, deliberately slow password hash such as PBKDF2, bcrypt or Argon2.
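This added example (not code from the original article) contrasts the unsalted MD5 storage the text mentions with a salted, iterated PBKDF2-HMAC-SHA256 record, and shows a dictionary attack recovering the MD5-stored password from a tiny constructed word list. The record format, the iteration count and the word list are assumptions for the demo; in a real application use the hashing library your framework provides.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed default; raise it as hardware allows


def md5_store(password):
    """What the text calls 'MD5 encryption': fast, unsalted, reversible by lookup."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record
    so the salt and iteration count travel with the hash (assumed format)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_md5(target_hex, wordlist):
    """Offline dictionary attack on an unsalted MD5: one hash per candidate,
    and the same table works against every user who chose that password."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target_hex:
            return word
    return None


if __name__ == "__main__":
    # Constructed word list standing in for a public common-password dump.
    words = ["123456", "password", "admin123", "qwerty"]
    weak = md5_store("admin123")
    print("MD5 record:", weak, "-> cracked as", crack_md5(weak, words))
    strong = hash_password("admin123")
    print("PBKDF2 record:", strong)
    print("verify correct:", verify_password("admin123", strong))
    print("verify wrong:  ", verify_password("admin124", strong))
```

Two users with the same password get different PBKDF2 records because of the per-user salt, and each guess costs the attacker the full iteration count, which is the point of a slow hash; TLS still has to protect the plaintext on the wire, since hashing on the server does nothing for a password captured in transit.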