How to Fix Security Flaws in Open-Source Web Applications

Source: Internet
Author: User
Tags: ftp access, strong password, wordpress, database

Some may think that online security is changing for the worse. As open-source web applications become popular in enterprises, they have also become a favorite target of hackers.

As more and more corporate websites run open-source applications such as Drupal and enterprise blogs built on WordPress, the number of victims of attacks and of costly compromises keeps growing. 960 Grid System and Learning jQuery learned this lesson the hard way: before these companies took open-source platform security seriously, embarrassing and costly attacks had already done great damage. Other companies that fail to take proper preventive measures to contain these threats will face the same fate.

If you are already considering open-source applications as part of your enterprise, the following sections list some security flaws introduced by open-source web applications and propose solutions.

Common Flaws in Open-Source Web Applications

Like you, hackers like open-source applications: they are free, and the "open" source code is easy to obtain and study. For example, once a hacker can deploy a script that steals information from, or takes control of, a web application on a single host, it is easy to replicate the damage against other users or against multiple websites that share the same code base. The reasons include the following:

Many open-source applications rely on older scripting languages that are easy to use. The plug-in modules that extend these applications are maintained separately from the main project, and because fixes for them are often unavailable, an unpatched module can expose the entire application.

Small open-source projects often go unpatched for long periods. This extended window puts your files at high risk of exploitation.

Hackers build botnets that break into applications. When a tireless army of bot "workers" tries passwords day and night, weak credentials are easy to exploit.

Failing to lock down administrator-level privileges is a common oversight that lets network thieves easily compromise code. XML-RPC and other programmatic calls are frequently abused, and cross-site scripting (XSS) and SQL injection attacks regularly cause trouble for open-source platforms.

Locking Down Open-Source Web Applications

Knowing the risks is half the battle. There are many strategies for locking down open-source web applications, and proper protection is essential to the success of your online business and to winning the trust of end users.

Let's use two companies as examples to discuss common open-source compromises and what can be done to achieve a better level of protection.

While running Textpattern CMS, 960 Grid System suffered an attack that compromised the operating system. The compromise gave the attackers full server and FTP access. Once in, they uploaded malicious and embarrassing images to the website in order to poison its search engine rankings. This type of attack is hard to detect, because on the surface the website keeps working normally for public visitors. There are many techniques that would protect a site like 960 Grid System from these problems when running open-source web applications:

Application hardening (including the operating system and database). Install the operating system and database carefully: avoid default settings and keep strict permission control. Rename file extensions to mask the application type, and remove every unnecessary feature and module to close off as many potential vulnerabilities as possible. Patch, patch, and then patch again: in open-source environments especially, timely updates prevent compromise. The same rules apply to any scripting languages used on the server. Harden the server as well: remove information (such as response headers) that could help botnets or attackers identify the version and type of application running on the server. Frequent patching and manual review of server logs help identify unusual activity.
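The server-hardening point above, that response headers should not reveal the type and version of the stack, can be checked from the defender's side. The following is an added example written for this page, not code from the original article or from 960 Grid System: it parses a raw HTTP response header block and flags the headers that commonly leak stack details. The two sample responses are constructed, and the list of header names to inspect is an assumption that you would extend for your own stack.

```python
import re

# Headers whose values commonly reveal the server or application stack.
# This list is an assumption for the example; extend it for your own stack.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")

# A version-looking token such as "2.4.41" or "7.4".
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_raw_headers(raw):
    """Parse a raw HTTP response header block into a dict keyed by lower-cased name."""
    headers = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers):
    """Return (header, value, reason) tuples for headers that leak stack details.

    A bare product name in Server (for example "Apache") is not flagged; a
    version number in any inspected header is, and any value at all in the
    technology-specific headers is.
    """
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append((name, value, "version number exposed"))
        elif name != "server":
            findings.append((name, value, "technology exposed"))
    return findings


# Constructed sample responses (not captured from any real host).
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Generator: Drupal 9 (https://www.drupal.org)
Content-Type: text/html; charset=UTF-8
"""

AFTER = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("before hardening", BEFORE), ("after hardening", AFTER)):
        print(label, find_disclosures(parse_raw_headers(raw)))
```

The "after" response is what you get once the usual directives are in place: `server_tokens off;` in nginx, `ServerTokens Prod` and `ServerSignature Off` in Apache, and `expose_php = Off` in php.ini. Removing the headers does not make the version unguessable, but it denies the cheap fingerprinting that botnets rely on.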

Strong passwords and access control. Use passwords that contain numbers, upper- and lower-case letters, and special characters; do not use dictionary words; and reset them regularly. Control access to the administrator password, and grant database credentials only as needed. Do not run the application as the database's SA or root user. Restrict all public and port access to the administrator area, and do not open the server on any port other than 80 and 443, which are the ones every web page needs for HTTP/HTTPS.
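The password rules above (digits, upper- and lower-case letters, special characters, no dictionary words) are easy to state and easy to get wrong when enforced, because "P@ssw0rd" technically satisfies the character-class rules. The following added example, written for this page rather than taken from the original article, turns the rules into a checker that also undoes common letter substitutions before looking for dictionary words. The minimum length and the tiny word list are assumptions; a real deployment would load a full word list.

```python
import string

# Hypothetical policy value; the article names the character classes but no length.
MIN_LENGTH = 12

# Constructed mini dictionary; a real deployment would load a full word list.
DICTIONARY = {"password", "welcome", "admin", "wordpress", "drupal", "summer", "letmein"}

# Undo common substitutions so that "P@ssw0rd" normalizes to "password".
LEET = str.maketrans("@0134$5!", "aoleassi")


def normalize(password):
    """Lower-case the password and reverse common character substitutions."""
    return password.lower().translate(LEET)


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    normalized = normalize(password)
    for word in sorted(DICTIONARY):
        # Short words would match almost anything, so only longer ones count.
        if len(word) >= 5 and word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Welcome2024!!", "Xq7#mL2!vR9z"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The same least-privilege idea applies on the database side: the application should connect as a user that holds only the SELECT, INSERT, UPDATE and DELETE rights it needs on its own schema, never as SA or root, so that an injected query cannot reach other databases or administrative statements.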

System log monitoring. Keep a close eye on your system logs and make sure that no illegitimate logon has succeeded. Run vulnerability audits and review your application regularly (at least once a quarter) to quickly identify threats, compromises, and suspicious activity.
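Two of the points above, the botnets that try passwords day and night and the log review that should confirm no illegitimate logon succeeded, meet in the authentication log. The following added example, written for this page and not part of the original article, parses sshd-style syslog lines, counts failures per source address inside a sliding window, and flags a source that either exceeds the failure threshold or succeeds right after a run of failures. The log lines are constructed, and the thresholds and window are assumed policy values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed policy values for the example.
FAIL_THRESHOLD = 5       # failures from one source within the window
SUCCESS_AFTER = 3        # a success preceded by this many failures is suspicious
WINDOW_SECONDS = 300

# Constructed sample lines in syslog/sshd format (not from any real server).
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:06 web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:08 web1 sshd[2201]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:09 web1 sshd[2201]: Accepted password for deploy from 203.0.113.7 port 51027 ssh2
Mar 10 02:20:11 web1 sshd[2299]: Failed password for alice from 198.51.100.4 port 40110 ssh2
Mar 10 02:20:20 web1 sshd[2299]: Accepted publickey for alice from 198.51.100.4 port 40111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<ip>[\d.]+)"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Syslog timestamps carry no year; relative ordering is all we need here.
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def analyze(log_text):
    """Return {ip: report} for sources that look like brute forcing or a break-in."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        window = []  # failures still inside the sliding window
        report = {"max_failures_in_window": 0, "users_tried": set(), "success_after_failures": None}
        for e in events:
            window = [f for f in window if (e["ts"] - f["ts"]).total_seconds() <= WINDOW_SECONDS]
            if e["result"] == "Failed":
                window.append(e)
                report["users_tried"].add(e["user"])
                report["max_failures_in_window"] = max(report["max_failures_in_window"], len(window))
            elif len(window) >= SUCCESS_AFTER and report["success_after_failures"] is None:
                report["success_after_failures"] = (e["user"], e["method"], e["ts"].strftime("%b %d %H:%M:%S"))
        if report["max_failures_in_window"] >= FAIL_THRESHOLD or report["success_after_failures"]:
            alerts[ip] = report
    return alerts


if __name__ == "__main__":
    for ip, report in analyze(SAMPLE_LOG).items():
        print(ip, report)
```

The single failure followed by a key-based login from 198.51.100.4 is ordinary user behaviour and stays quiet; the burst from 203.0.113.7 that cycles through several account names and then gets in is exactly the "illegitimate logon that succeeded" the quarterly review is meant to catch, and it deserves an incident ticket rather than a log entry.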

Learning jQuery, a FireHost customer, experienced a completely different type of attack: SQL injection, which exploits open-source security flaws at the WordPress database layer. WordPress and other content management system (CMS) vendors have worked tirelessly to stay ahead of SQL injection flaws, proactively identifying and patching them. Unfortunately, the Learning jQuery website was an early victim of this problem.

Hackers keep innovating and adapting while CMS vendors struggle to stay ahead. A web application firewall (WAF) helps narrow the gap between hacker innovation and CMS vendor patches. A WAF inspects web traffic before it reaches the application code and denies service to suspicious visitors. When a WAF works together with intrusion prevention and detection systems and other network-level barriers, the ability to block attacks increases exponentially. If this kind of network-layer protection had been in place, the Learning jQuery website might never have been compromised.
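A WAF is the network-layer half of the answer to the SQL injection described above; the other half lives in the code, where the database flaw actually is. The following added example, written for this page and not taken from WordPress, Learning jQuery or FireHost, shows the defect and its fix side by side on a small in-memory SQLite table standing in for a CMS post table: one lookup splices user input into the SQL text, the other binds it as a parameter. The table, its rows and the `posts` schema are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory database with a constructed posts table standing in for a CMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts (slug, title, published) VALUES (?, ?, ?)",
        [
            ("hello-world", "Hello World", 1),
            ("draft-roadmap", "Unpublished Roadmap", 0),
            ("jquery-tips", "jQuery Tips", 1),
        ],
    )
    return conn


def find_post_vulnerable(conn, slug):
    """Deliberately vulnerable: the slug is spliced into the SQL text.

    Any quote in the input ends the string literal early, so the rest of the
    input becomes part of the WHERE clause and can widen the result set.
    """
    sql = f"SELECT title FROM posts WHERE published = 1 AND slug = '{slug}'"
    return [row[0] for row in conn.execute(sql)]


def find_post_safe(conn, slug):
    """Hardened: the slug travels as a bound parameter, never as SQL text.

    The database receives the query shape and the value separately, so the
    value is only ever compared against the slug column.
    """
    sql = "SELECT title FROM posts WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


if __name__ == "__main__":
    conn = make_db()
    for slug in ("hello-world", "' OR '1'='1"):
        print(repr(slug))
        print("  vulnerable:", find_post_vulnerable(conn, slug))
        print("  safe:      ", find_post_safe(conn, slug))
```

With the ordinary slug both functions return the same single row. With input that contains a quote, the vulnerable lookup returns every row, including the unpublished one, because the input rewrote the WHERE clause; the parameterized lookup returns nothing, because no post has that literal slug. A WAF in front of the site would likely have rejected that request, but parameterized queries remove the flaw rather than filtering attempts to reach it, which is why the two controls belong together.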

Avoiding Damage to Open-Source Web Applications

The growth and popularity of open-source content management systems have changed the security landscape and made it more dangerous. However, some developers and engineers have experience in securing web applications and their hosting environments. With their help you can put these practices in place and keep network thieves out. With proper preventive measures, attention to detail, and ongoing maintenance of open-source websites, your company's open-source web applications can be used successfully and effectively.
