Hackers teach you how to configure servers for security.
Source: Internet
Author: User
Since our defense takes the intruder's point of view, we first need to understand how intruders work. The most common web intrusion path today is: find a vulnerability in the web application and use it to obtain a webshell, then use the server's configuration to find a suitable method of escalating privileges, and finally take over the server. Configuring the server so that a webshell cannot be planted in the first place is therefore an effective defense. The scenario throughout is an IIS/ASP site with an Access (.mdb) or MSSQL back end, and the steps refer to the IIS management console and to SQL Server's management tools.
Prevent unauthorized database downloads
A careful administrator changes the default database path of any web application downloaded from the Internet. Careless administrators install the program on their servers as-is, sometimes without even deleting the installation files, let alone changing the database path. A hacker can then download the same source package from the vendor's site, install it locally to learn the default database path, download the database from the target, and read the user information in it (passwords are usually stored as MD5 hashes). With the administrator's credentials recovered, the attacker finds the management portal, logs in, and uses it to plant a webshell. The database path can also leak through an error message from the program. How do we prevent this? We can add an application extension mapping for .mdb in IIS, as follows:
Open IIS and add a mapping for .mdb so that requests for .mdb files are passed to a handler instead of being served as a download: "Web site properties" - "Home directory" - "Configuration" - "Mappings" - "Application extensions" - "Add". Any executable can be chosen as the handler for the .mdb extension; what matters is that the database file itself can no longer be downloaded. Two caveats: the mapping covers only the .mdb extension, so copies of the database left under another name (for example a .bak) remain downloadable, and the more robust fix is to keep the database outside the web root altogether.
The advantages of this approach are: 1. database files with the .mdb extension cannot be downloaded; 2. it takes effect for every .mdb file on the server, which is very convenient for virtual-host administrators.
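The same protection on IIS 7 or later, as an added example that is not part of the original article: instead of the application extension mapping described above, the modern equivalent is to deny the extension in IIS request filtering. The script assumes a site named 'Default Web Site', Windows PowerShell with the WebAdministration module, and an elevated prompt on the web server; it also denies .ldb (the Access lock file, which reveals the database name), which goes slightly beyond the article.

```powershell
# Added example, not part of the original article. Denies direct download of
# Access database files on IIS 7 or later through request filtering, the
# modern equivalent of the "application extension mapping" trick above.
# Assumptions: site name 'Default Web Site', Windows PowerShell with the
# WebAdministration module, run from an elevated prompt on the web server.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$psPath   = "IIS:\Sites\$siteName"
$filter   = 'system.webServer/security/requestFiltering/fileExtensions'

# .mdb is the database itself; .ldb is the Access lock file, which also
# reveals the database name. Add .bak if backups are kept in the web root.
$blocked = @('.mdb', '.ldb')

foreach ($ext in $blocked) {
    $entry = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@fileExtension='$ext']"
    if ($null -eq $entry) {
        # No entry yet: add an explicit deny for this extension.
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -Value @{ fileExtension = $ext; allowed = $false }
    } else {
        # Entry already exists (newer IIS installs may list .mdb): force it to denied.
        Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@fileExtension='$ext']" `
            -Name 'allowed' -Value $false
    }
}

# Verification: each blocked extension must show allowed = False. A request
# for /data/site.mdb is then answered with 404.7 (extension denied) instead
# of the file contents.
Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
    Where-Object { $blocked -contains $_.fileExtension } |
    Select-Object fileExtension, allowed
```

Request filtering is evaluated before any handler runs, so unlike the mapping trick it also covers a renamed copy as soon as its extension is added to the list.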
Prevent webshell upload
If the site uses an MSSQL database instead, the configuration above does not help: as long as there is an injection point, an injection tool can still guess out the database contents. And if the upload function does not validate the uploaded file, an attacker can upload an ASP trojan directly and obtain a webshell on the server.
The rule for uploads is: a directory that accepts uploads gets no execute permission, and a directory that can execute scripts gets no write permission. Web programs run as the IIS user, so we only need to grant that user write access to the specific upload directory and then remove script execution from that directory; an intruder can then upload a trojan but cannot run it, and so cannot obtain a webshell through upload. Configuration: first open the security (permissions) tab of the web directory and give the IIS user only Read and List Folder Contents; then, for the directory where uploaded files are saved and for the directory where the database is stored, add Write for the IIS user, and in each of these two directories' "Properties" - "Execute permissions" change "Scripts only" to "None".
Note that when you set these permissions you must check the inheritance from the parent directory: inherited permissions can silently override what you set and cost you time troubleshooting.
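The same split of write and execute rights applied on IIS 7 or later, as an added example that is not part of the original article. It assumes the site root C:\inetpub\wwwroot, an upload folder C:\inetpub\wwwroot\upload, a site named 'Default Web Site', and a worker process running as the built-in IIS_IUSRS group; all of these are placeholders to adjust to the server.

```powershell
# Added example, not part of the original article. Enforces "upload
# directories cannot execute, executable directories cannot be written to"
# on IIS 7 or later.
# Assumptions (placeholders): site root C:\inetpub\wwwroot, uploads saved in
# C:\inetpub\wwwroot\upload, site named 'Default Web Site', worker process
# identity BUILTIN\IIS_IUSRS. Run from an elevated Windows PowerShell prompt.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$webRoot  = 'C:\inetpub\wwwroot'
$upload   = Join-Path $webRoot 'upload'
$identity = 'BUILTIN\IIS_IUSRS'

# 1. NTFS: the web identity gets read/execute on the whole site and modify
#    (write) only on the upload folder. Inheritance is cut on the upload
#    folder so it cannot silently pick up broader rights from the parent;
#    Administrators and SYSTEM are re-granted explicitly for that reason.
icacls $webRoot /grant "${identity}:(OI)(CI)RX"
icacls $upload  /inheritance:r `
    /grant "${identity}:(OI)(CI)M" `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 2. IIS: only Read access for handlers in the upload folder, so no script
#    or executable handler runs there whatever the uploaded file is named.
#    This is the IIS 7+ equivalent of "Execute permissions: None" in the
#    older console. Writing at the APPHOST level with -Location works even
#    when the handlers section is locked against web.config overrides.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$siteName/upload" `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'Read'

# 3. Verify: accessPolicy must read "Read", and the ACL must show the web
#    identity with M only on the upload folder. A request for
#    /upload/shell.asp is then refused (HTTP 403) instead of executed.
(Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$siteName/upload" `
    -Filter 'system.webServer/handlers').accessPolicy
icacls $upload
```

The NTFS change alone does not stop execution, because the worker process reads and runs scripts with the same identity that writes the upload; it is the handler access policy that prevents the uploaded file from ever being treated as code.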
MSSQL Injection
Defending an MSSQL database starts with the connection account. Never connect the website with the sa account; using sa for the site's connection is a disaster for the server. Normally an account with db_owner rights on the application's database is sufficient, and if the application still runs normally with less, use the most restrictive account that works. Once the site connects with a dbo-level account instead of sa, an intruder who finds an injection point can only get a webshell in two ways: by guessing the administrator's username and password, or by a differential backup that writes a file into the web directory. Against the former, we can encrypt the administrator credentials and change the default address of the management backend. Against the latter: a differential backup needs both the backup permission and the path of the web directory. Finding the web directory is usually done either by walking the directory tree or by reading it from the registry, and neither method can do without the xp_dirtree and xp_regread extended stored procedures. We only need to remove these two extended stored procedures (or delete the corresponding DLL files) to block both. A less drastic alternative is to revoke the EXECUTE right that public holds on them, which keeps them available to administrators while denying them to the web login.
However, if the web directory path is exposed through a program error anyway, this no longer helps. So we must also lower the account's rights so that it cannot complete the backup at all. Specifically: in the login's properties, under database access, select only the application's database and grant it db_owner; give it no access to other databases. Then go to the database's Properties - Permissions and remove the user's Backup DB and Backup Log permissions, so that intruders cannot obtain a webshell through differential backup.
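The account hardening described in this section as a script, added here as an example that is not part of the original article. It runs T-SQL through Invoke-Sqlcmd and assumes SQL Server 2012 or later on the local default instance, the SqlServer PowerShell module, a sysadmin-capable session, an application database called WebAppDb and a login called webapp_user; all names are placeholders. It maps the login with db_datareader/db_datawriter rather than the article's db_owner, and adds an explicit DENY on backups plus a check from the login's own point of view.

```powershell
# Added example, not part of the original article. Applies the MSSQL account
# hardening described above with T-SQL run through Invoke-Sqlcmd.
# Assumptions (placeholders): SQL Server 2012+ on the local default instance,
# the SqlServer PowerShell module, a sysadmin-capable session, application
# database 'WebAppDb' and login 'webapp_user'.
Import-Module SqlServer

$instance = '.'
$dbName   = 'WebAppDb'
$login    = 'webapp_user'
$secret   = Read-Host -Prompt "Password for $login" -AsSecureString
# Plain text is needed for CREATE LOGIN; single quotes are doubled for T-SQL.
$plain    = [System.Net.NetworkCredential]::new('', $secret).Password.Replace("'", "''")

$tsql = @"
USE master;
-- 1. A dedicated login for the website. Never connect the site as sa.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] WITH PASSWORD = N'$plain', CHECK_POLICY = ON;

-- 2. The extended procedures used to locate the web root. The article removes
--    them; revoking the default EXECUTE grant from public keeps them usable by
--    administrators while denying them to the web login.
REVOKE EXECUTE ON dbo.xp_dirtree FROM public;
REVOKE EXECUTE ON dbo.xp_regread FROM public;

USE [$dbName];
-- 3. Map the login only into the application database, with read/write
--    rights instead of db_owner (use db_owner only if the application
--    really needs it).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
ALTER ROLE db_datareader ADD MEMBER [$login];
ALTER ROLE db_datawriter ADD MEMBER [$login];

-- 4. Explicit DENY on backups. DENY takes precedence over any GRANT the user
--    picks up later (for example through db_owner membership), so a
--    differential backup into the web directory is refused.
DENY BACKUP DATABASE TO [$login];
DENY BACKUP LOG TO [$login];

-- 5. Check from the login's own point of view: no BACKUP permission left.
EXECUTE AS USER = N'$login';
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
WHERE permission_name LIKE 'BACKUP%';
REVERT;
"@

# -TrustServerCertificate is required by SqlServer module 22+ when the local
# instance has no trusted TLS certificate; drop it on the older SQLPS module.
$leftover = Invoke-Sqlcmd -ServerInstance $instance -Query $tsql -TrustServerCertificate
if ($leftover) {
    Write-Warning "$login still holds: $($leftover.permission_name -join ', ')"
} else {
    Write-Host "$login has no BACKUP permissions on $dbName"
}
```

The final query is the check worth keeping: it evaluates effective permissions as the web login itself, so it also catches rights inherited through role membership that a GUI permissions tab for the user alone would not show.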