Experts teach you how to build a secure server environment

Source: Internet
Author: User
Tags sql query sql injection sql injection attack sql parameterized query access site hosted
"Website Hacker", "Olympic hackers, seems to have recently become a hot topic of internet security, from Google to search for" Olympic hackers "the word, has reached more than 646,000 items, can be seen by the high degree of attention, and ordinary Web site has been frequently spread by hackers attack the news, According to the relevant data show: This January-May, the country has more than 30,000 sites were "hackers" intrusion! Due to the lack of professional protection capabilities, small and medium-sized government websites, corporate websites have become the biggest victims of "hacker" intrusion.


  
Small and medium Web site security issues
  
Expert ideas: Build a secure server environment to prevent the first lock
  
According to a Shaanxi Seismological bureau responsible for website maintenance technicians told reporters that the Shaanxi earthquake network was attacked by hackers, the home page shows the "site major security vulnerabilities" of the information is a hacker published false information, and the current Web site is safe to run, there is no technical loopholes. We condemn the "earthquake hackers" at the same time, also thinking about another problem, how to protect our website safe operation? On this issue, the reporter visited the domestic small and medium Web site security issues experts.
  
According to the introduction: to build a secure server environment, building a hacker attack the first chain. But building a secure server environment to protect against "hacker" attacks, it covers a wide range, but in terms of small and medium Web sites, can be roughly from three aspects: (i): Technical aspects: The use of hardware and software firewalls, anti-virus software, page tamper-proof system to build a better structure of the Web server environment; (ii): Services , the network topology analysis, the establishment of the Central computer room management system, the establishment of the operating system and anti-virus software to upgrade the mechanism of regular updates to the key server access log backup, through these services to enhance the network's anti-jamming; (iii): Support, request service providers to provide troubleshooting services to improve the reliability of the network.
  
But at present, most of the small and medium-sized sites are hosted in the form of a virtual host, to improve the security of the site, reduce the risk of hacker attacks, webmasters should be timely to their own web site procedures to play the latest patches, in the development of the time should strengthen security awareness, pay attention to prevent injection loopholes, At the same time, the site hosted in the technical strength, high safety factor, can take the initiative to help customers solve the security of the service provider, to ensure the safety of the site safe operation Environment.
  
Expert weapon Two: Pay attention to website system security, dispatched second lock
  
Building a secure server environment, just from the periphery of the attack "hacker", but more importantly to protect the Web site system security, to prevent hackers exploit system vulnerabilities to attack, thereby threatening the site security.
  
According to the company's network security experts introduced: according to the 2007 OWASP organization published the WEB Application vulnerability 10 rankings of the results show that cross-site scripting, injection vulnerabilities, cross-station request forgery, information disclosure and other aspects of the problem is still the current hacker popular attack mode, In particular, SQL injection attacks and Cross-site scripting attacks, the so-called SQL injection attack is the use of programmers in the code when the user input data does not judge the legality, resulting in the intruder can insert and execute malicious SQL commands, access to data read and modify permissions While a cross-site scripting attack is by adding malicious code to a Web page, when a visitor browses to a Web page, the malicious code is executed or the administrator is enticed to browse by sending information to the administrator, thereby gaining administrator privileges and controlling the entire site.
  
So, there is no effective way to attack the hacker's security measures? It is reported that in Sitefactory? In the development of the content management system, the corresponding complete defense scheme is developed for all kinds of attack methods, and with the help of ASP.net's features and functions, it can effectively resist the attack of the malicious users on the website and improve the security of the website, but for the current SQL injection attack and the Cross station script attack, What is the more effective means of interdiction? To this end, we have to the easy network security experts to understand, he introduced us to some security measures:
  
(i) for SQL injection attacks: The dynamic system uses the query parameters in the SQL query statement to filter; using type-safe SQL Parameterized Query method, the problem of SQL injection is fundamentally solved; URL parameter type, quantity, scope limit function, solve the problem that malicious user attacks through address bar maliciously, These methods are controlled by SQL injection, and include other filtering processes, and other validation of user input data to prevent SQL injection attacks.
  
(ii): for cross-site scripting attacks: In the context of HTML-less content directly to implement the method of coding, to fundamentally solve the problem of cross-station. And for HTML-enabled content, we have a special filtering function that will handle the data securely (based on the attack instances of the XSS attack library), although this method is currently secure, but does not necessarily mean that it will be safe in the future, because the means of attack are constantly being refurbished and our filtering function libraries are constantly being updated.
  
In addition to the external station access and direct access we have also made judgments, to a certain extent can also avoid cross-station attacks. Even if there is a cross station attack, we will reduce the impact of the attack to the minimum: first, for some of the background will display HTML content, through the frame of the security properties security= "restricted" to prevent the script running (ie effective); Use the HttpOnly property of cookies to prevent cookies from being compromised by scripting (IE6 SP1 above, Firefox 3); The authentication ticket is encrypted; four, it is recommended to use a higher version of IE or FF.
  
User three: Call webmaster and the Government concerned about the safety of the site, mobilize the third lock
  
April 29, 2008, the State Council issued the "Council on the implementation of the People's Republic of China Government Information disclosure regulations," the views of several issues (institutes (2008)36), the text fully embodies the determination of public affairs, The government-open group wants information channels that are traditional paper media and governmental websites, but according to CNCERT/CC, the total number of doctored sites in China has accumulated 61,228, up 1.5 times times from last year. The number of government websites in mainland China has been tampered with up to 3,407. In 2007, the Chinese government website was tampered with a total of 4,234 per month.
  
A series of figures and facts have proved that we have a serious hidden dangers in the site security, and the webmaster and the government in security plays an important role, on the one hand, we call webmasters to pay attention to site security, building site security basic protection capabilities, reduce the risk of being "hacker" attack, On the other hand, we call on the government to pay attention to the crime of cyber-hacking, strengthen the legislation of Internet crime, and safeguard the safety of the website from system.



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.