Analysis and Comparison of general and dedicated protection methods for website servers

Source: Internet
Author: User

I. General website protection methods


To address hacker threats, network security administrators take various measures to enhance server security and keep WWW services running normally. The following methods can be used to protect WWW servers, as well as other servers on the Internet such as email and FTP servers:


Security Configuration


Disable unnecessary services; it is best to provide only the WWW service. Install the latest patches for the operating system, upgrade the WWW service to the latest version and install all of its patches, and configure it according to the security recommendations of the WWW service vendor. These measures will greatly improve the security of the WWW server.


Firewall


Install the necessary firewalls to block probing and information collection by scanning tools, and, where security reports justify it, to block connections from specific IP address ranges. This adds a protection layer in front of the WWW server. At the same time, adjust the network environment inside the firewall to eliminate security risks in the internal network.


Vulnerability scan


Use commercial or free vulnerability scanning and risk assessment tools to scan servers regularly and detect potential security problems, and to ensure that routine maintenance tasks such as upgrades or configuration changes do not introduce new ones.


Intrusion Detection System


The real-time monitoring capability of an intrusion detection system (IDS) is used to detect ongoing attacks and the probing that precedes an attack, and to record the attacker's source, steps, and methods.


These security measures will greatly improve WWW server security and reduce the likelihood of a successful attack.


II. Dedicated website protection methods


Although these security measures stop many attacks, operating system and server software vulnerabilities are discovered continuously and attack methods keep multiplying, so skilled attackers can still break through layered protection, obtain control of the system, and deface the home page. In response, some network security companies have released website-specific protection software that protects only the most important content of the website: its web pages. Once the software detects an abnormal change to a protected file, it restores the file. In general, the system first backs up the normal page files and then starts a detection mechanism that checks whether the files have been modified; modified files are restored. We analyze and compare the following technologies:


Monitoring Methods


Local and remote: detection can be performed locally on the server, or remotely from a monitoring terminal or another host on the network. If it is local, the monitoring process needs sufficient permissions to read the protected directories and files. If the monitor is remote, the WWW server must expose some service and grant the monitor the corresponding permissions. A common approach is to use the WWW service the server already exposes and monitor protected files and directories over HTTP. Other common protocols, such as FTP, can also be used to check and protect files and directories. The advantage of local detection is high efficiency; remote detection is platform-independent but adds network traffic and other overhead.


Timing and trigger: the vast majority of protection software uses timed detection. Both local and remote detection run at intervals set in the system. Protected web pages can also be divided into levels: high-level pages are checked at shorter intervals for better real-time performance, and pages with lower protection levels are checked at longer intervals to reduce the load on the system. The trigger method uses features provided by the operating system to receive a notification when a file is created, modified, or deleted. This method is highly efficient but cannot implement remote detection.


Comparison Method


To determine whether a file has been modified, the files in the protected directory are usually compared with those in the backup database. The most common method is full-text comparison, which determines directly and accurately whether a file has been modified, but it is inefficient when there are many files. Some protection software compares file attributes instead, such as file size and creation and modification times. This method is simple and efficient, but it has a serious defect: a malicious intruder can carefully construct the replacement file and set its attributes to be exactly the same as those of the original file, so the malicious file goes undetected. Another solution is to compare the digital signature of each file. The most common method is the MD5 signature algorithm. Because the digital signature cannot be forged, a matching signature ensures that the file is the same.


Recovery Method


The recovery method is directly related to where the backup database is stored. If the backup is stored locally, the recovery process must have permission to write to the protected directories or files. If recovery is performed remotely through file sharing or FTP, a file-sharing or FTP account is required, and that account must have write permission on the protected directories or files.


Backup database security


When hackers find that the home pages they changed are quickly restored, they often try to do further damage. At this point the security of the backup database becomes particularly important: the security of the web files now depends on the security of the backup database. One way to protect the backup database is to hide it so that hackers cannot find the backup directory. Another is to digitally sign the backup database. If a hacker modifies its content, the protection software can discover this through the signature and then stop the WWW service or serve a default page.
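

The comparison, recovery, and backup-protection steps described above, combined in one added example (not code from the original article or from any product it describes). It uses SHA-256 digests in place of the MD5 the article names, because MD5 collisions are practical today, and an HMAC as the "signature" on the backup database; the function names, the key, and the sample pages are constructed for illustration.

```python
import hashlib, hmac, json, os, pathlib, shutil, tempfile
# Added example, not from the article; SHA-256 replaces the MD5 it names.
def digest(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def build_baseline(web_root, backup_dir, key):
    """Back up every file; record digests in a MAC-protected manifest."""
    entries = {}
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), web_root)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(web_root, rel), dst)
            entries[rel] = digest(dst)
    body = json.dumps(entries, sort_keys=True)
    return {"body": body, "tag": _mac(key, body)}

def check_and_restore(web_root, backup_dir, manifest, key):
    """Return (restored_files, status); never restore from a tampered backup."""
    if not hmac.compare_digest(_mac(key, manifest["body"]), manifest["tag"]):
        return [], "manifest-tampered"
    restored = []
    for rel, want in sorted(json.loads(manifest["body"]).items()):
        live, saved = os.path.join(web_root, rel), os.path.join(backup_dir, rel)
        if os.path.isfile(live) and digest(live) == want:
            continue  # page unchanged
        if not os.path.isfile(saved) or digest(saved) != want:
            return restored, "backup-tampered"  # fail closed
        os.makedirs(os.path.dirname(live), exist_ok=True)
        shutil.copy2(saved, live)
        restored.append(rel)
    return restored, "ok"

def demo():
    """Constructed sample: page replaced with identical size and mtime."""
    root, backup = tempfile.mkdtemp(), tempfile.mkdtemp()
    page = pathlib.Path(root, "index.html")
    page.write_text("<h1>Welcome</h1>")
    key = b"constructed-demo-key"  # assumption: stored off the web server
    manifest = build_baseline(root, backup, key)
    before = os.stat(page)
    page.write_text("<h1>Defaced</h1>")  # same length as the original
    os.utime(page, ns=(before.st_atime_ns, before.st_mtime_ns))
    after = os.stat(page)
    same = (before.st_size, before.st_mtime_ns) == (after.st_size, after.st_mtime_ns)
    return same, check_and_restore(root, backup, manifest, key), page.read_text()
```

Only files recorded in the baseline are checked; a file newly created in the web root is outside what this example compares.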


Through the above analysis and comparison, we found that various technologies have their advantages and disadvantages. We need to select the most suitable technical solution based on the actual network environment.


III. Website protection defects


Although website protection software can further improve system security, it still has some defects. First, this software is designed for static pages, while dynamic pages account for a growing share of websites. Local monitoring can detect changes to script files, but it is powerless to protect the databases those scripts use.


In addition, some attacks do not target page files. The recent flood of "Code Red", for example, uses a dynamic library of the IIS service to attack pages. Website protection software also increases the load on the WWW server, so when the server is already heavily loaded, its use must be planned carefully.


IV. Conclusion


This article discusses common website protection methods, analyzes and compares the technical implementations, advantages, and disadvantages of dedicated website protection software, and points out its defects. Although security is not something that one tool or a few tools can solve on their own, using these tools helps improve security and reduce risk.
 
