Solving JSP Trojan security threats

Source: Internet
Author: User

When Trojans come up, more than 70% of server administrators turn pale at the mention; there can be few administrators who have never been harassed by one. A server-side Trojan that is reached through port 80, however, gives the administrator a real headache, and the security of virtual hosts is the most serious case. ASP virtual hosts suffer worst, and many hosting providers have had to patch things up; where the security of a .NET host is poor, a powerful .NET Trojan shows just what it can do. Trojans exist not only for ASP and ASP.NET but also for JSP, and they are every bit as capable. Several JSP application servers run by default as ROOT, which on Windows means SYSTEM, so a JSP Trojan has capabilities that web backdoors on other servers cannot match: not only java.io.* and java.util.*, but also the java.net.* package provides powerful functions, all available under the default permissions. How to defend against JSP Trojans? I searched on GOOGLE for a long time and did not find a good solution. I found the Java sandbox security mechanism, but configuring java.policy is not something an ordinary person can do, and different applications need different configurations. I also read about applications of the java.security.acl package, which are large and troublesome. Since the server runs in a Windows environment, why not try Windows ACLs instead? This article takes the Resin server as an example:

  1. Create a user group A and a user account.
  2. Register Resin as a Windows service and set it to start automatically.
  3. Edit the properties of the Resin service and change its logon account to the user created in step 1.
  4. Edit the security properties of the Resin server folder to grant group A full control; this can be adjusted for different situations.
  5. Grant the created user read, write, and delete permissions on the website directory.
  6. For the other folders on all drives, remove the Everyone permission; better still, deny group A both access and read rights.
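The six steps above carried out from an elevated PowerShell prompt, as an added example that is not part of the original article. It assumes the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), icacls.exe and sc.exe; the group, user, service name, paths and the drive used in step 6 are placeholders to be replaced with your own, and the Resin service is assumed to have already been registered by Resin's own installer (step 2). It also applies the article's later advice to grant write permission only where it is needed, by making WEB-INF read-only for the service account.

```powershell
# Added example (not from the article): Windows ACL hardening for a Resin
# JSP server following the article's six steps. All names and paths are
# assumptions; replace them. Run from an elevated (Administrator) prompt.

$group      = 'ResinGroupA'            # step 1: group "A"
$user       = 'resinsvc'               # step 1: low-privilege service account
$resinHome  = 'C:\srv\resin-x7q2k'     # step 4: Resin folder (deliberately obscure name)
$siteRoot   = 'C:\srv\sites\www-a81z'  # step 5: website root (deliberately obscure name)
$otherDrive = 'D:\'                    # step 6: a drive holding neither Resin nor the site
$svcName    = 'Resin'                  # step 2/3: service name as registered by Resin's installer

# Step 1: create the group and a non-expiring service user, then add the user to the group.
$password = Read-Host -AsSecureString 'Password for the Resin service account'
New-LocalGroup -Name $group -Description 'Resin JSP server accounts' | Out-Null
New-LocalUser -Name $user -Password $password -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
Add-LocalGroupMember -Group $group -Member $user

# Step 2: Resin registers its own service; here we only make sure it starts automatically.
Set-Service -Name $svcName -StartupType Automatic

# Step 3: switch the service logon account from LocalSystem to the new user.
# sc.exe requires the space after "obj=" and "password=". The password briefly
# appears on this process's command line; use the Services MMC if that matters.
$plain = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
sc.exe config $svcName obj= ".\$user" password= $plain | Out-Null
Remove-Variable plain

# Step 4: Resin folder: drop inherited ACEs, give group A and Administrators
# full control, and nothing to Everyone or Users.
icacls $resinHome /inheritance:r /grant "${group}:(OI)(CI)F" /grant 'Administrators:(OI)(CI)F' | Out-Null

# Step 5: website root: the service user gets read, write and delete only.
# "M" (Modify) is icacls shorthand for read + write + delete; it does not
# include changing permissions or taking ownership.
icacls $siteRoot /inheritance:r /grant "${user}:(OI)(CI)M" /grant 'Administrators:(OI)(CI)F' | Out-Null

# Article's note: grant write only where needed. WEB-INF (web.xml, classes)
# becomes read-only for the service user by breaking inheritance there.
$readOnly = Join-Path $siteRoot 'WEB-INF'
icacls $readOnly /inheritance:r /grant "${user}:(OI)(CI)RX" /grant 'Administrators:(OI)(CI)F' | Out-Null

# Step 6: elsewhere, remove Everyone and explicitly deny group A. A Deny ACE
# wins over any Allow, so never apply this to a drive containing Resin or the site.
icacls $otherDrive /remove 'Everyone' /deny "${group}:(OI)(CI)F" | Out-Null

# Verify the resulting ACLs, then restart the service under its new account.
icacls $resinHome
icacls $siteRoot
icacls $readOnly
Restart-Service -Name $svcName
```

After the restart, `Get-CimInstance Win32_Service -Filter "Name='$svcName'"` should show the service running as `.\resinsvc` rather than LocalSystem, which is the property the whole scheme depends on: a JSP page that tries to read or write outside the website directory then fails with an access-denied error regardless of what the Java code asks for.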

Start the Resin service and see whether the JSP Trojan can still run: no permission! The several JSP Trojans circulating on the network are basically stopped right here; it is impossible for them to jump out of this circle.

Points worth noting in the security configuration:

  • The Resin application server directory name should be made more complicated, preferably one that even you cannot remember offhand.
  • The website root folder name should likewise be complicated; if you would forget it, so much the better (many people have a rich imagination, so you cannot be too careful).
  • Grant write permission under the website directory only according to your needs: where write permission is not required, do not grant it, and never grant more than is needed.
  • For special directories you can even filter with a Servlet filter. Don't forget that the global filter is very powerful (as the server administrator put it, server environment variables can be completely blocked here).

With the configuration above, it is unlikely that a JSP webshell can be uploaded through a web program at all. Even if one is uploaded, it can only stay inside its own directory; as long as it cannot jump out of that directory, and since it runs with low permissions, it does not matter much what it does. Of course, security is relative: first of all we must ensure the security of the Windows (or Linux) server itself. Only then is the JSP server safe as a whole.

Note: Please indicate the source for reprinting, THX
