Article Title: Application: Unix-based Web server security guide. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Today, with the increasing popularity of computer networks, computer security not only requires the prevention of computer viruses, but also increases the system's ability to resist illegal hacker intrusion and the confidentiality of remote data transmission, prevents unauthorized theft during transmission. This article only discusses some situations that may occur when constructing Web servers, hoping to attract more attention.
I. Security Vulnerabilities
Vulnerabilities on Web servers can be considered in the following aspects:
1. Secret files, directories, or important data that you do not access on the Web server.
2. When a remote user sends a message to the server, especially a credit card or something, it is intercepted by criminals.
3. The Web server itself has some vulnerabilities that allow some people to intrude into the host system, damage some important data, and even cause system paralysis.
4. CGI security vulnerabilities:
(1) intentionally or unintentionally missing buckets in the host system to create conditions for illegal hackers.
(2) When a program written in CGI script involves a remote user entering a Form in a browser and performing Search index ), or form-mail or other commands on the host may cause danger to the Web host system.
5. There are some simple Web servers downloaded from the Internet, which do not take into account many security factors and cannot be used as commercial applications.
Therefore, you must pay attention to system security when configuring servers or compiling CGI programs. Try to block any existing vulnerabilities and create a secure environment.
2. Improve system security and stability
Web server security prevention measures:
1. restrict opening accounts on Web servers and regularly delete users with broken processes.
2. Make requirements on password length and regular changes for accounts opened on Web servers to prevent theft.
3. Try to separate FTP, MAIL, and other servers. Remove unrelated applications such as ftp, sendmail, tftp, NIS, NFS, finger, and netstat.
4. remove some unneeded interpreters such as SHELL on the Web server, that is, when PERL is not used in your CGI program, try to delete PERL from the system interpreter.
5. Regularly view log logs files on the server and analyze all suspicious events. When rm, login,/bin/perl,/bin/sh and other records appear in errorlog, your server may have been infiltrated by some illegal users.
6. Set the system file permissions and attributes on the Web server, assign a public group for accessible documents, such as WWW, and assign only read-only rights to them. All HTML files belong to the WWW group, and the Web Administrator manages the WWW group. Only the Web administrator has the right to write the Web configuration file.
7. When some Web servers place the Web document directory and the FTP directory in the same directory, be sure not to place the FTP directory and the CGI-BIN under a directory. This is to prevent some users from uploading programs such as PERL or SH over FTP and executing them with the Web CGI-BIN, causing adverse consequences.
8. access the user's IP address or DNS by limiting the permission, such as adding the following to access. conf in NCSA:
Directory/full/path/to/directory
Limit GET POST
Order mutual-failure
Deny from all
Allow from 168.160.142. abc.net.cn
/Limit
/Directory
In this way, you can only access the Web server with the domain name abc.net.cn or the IP address 168.160.142.
For CERN or W3C servers, add the following in httpd. conf:
Protection LOCAL-USERS {
GetMask @ (* .capricorn.com, * .zoo.org, 18.157.0.5)
}
Protect/relative/path/to/directory/* LOCAL-USERS
9. HTTPD in WINDOWS
(1) Netscape Communications Server for NT
PERL interpreter vulnerability:
The Netscape Communications history file is stored under the CGI-BIN directory. Run:/cgi-bin/perl.exe? & My_script.pl. But this gives anyone the possibility to execute PERL. When some people Add the following in their browser URL:/cgi-bin/perl.exe? -E unlink <*> may cause the danger of deleting files in the current directory of the server. However, other vulnerabilities such as o'reilly WebSite or Purveyor do not exist.
CGI:
The content of the test. bat file is as follows:
@ Echo off
Echo Content-type: text/plain
Echo
Echo Hello World!
If the client browser URL is/cgi-bin/test. bat? & Dir, execute the command interpreter to complete the DIR list. This allows visitors to execute other commands.
(2) O 'Reilly WebSite server for Windows NT/95
In versions earlier than WebSite1.1B, using batch files has the same vulnerability as Netscape. However, the new version disables the role of. bat in CGI. Supports PERL. The new version uses VB and C as CGI development tools.
(3) Microsoft's IIS Web Server
The BUG of IIS in NT was serious before January 26, March 5, 1996. You can use the command as needed. However, this vulnerability has been fixed. You can check the creation date of your executable file. IIS3.0 also has some security bugs, mainly under the CGI-BIN to the right. In addition, many Web servers have some security vulnerabilities, which are constantly updated during the version upgrade process and will not be listed here.
[1] [2] Next page