UNIX-based Web server Security Guide

Source: Internet
Author: User
Tags eval ftp iis net version website server domain domain name
UNIX-based Web server Security Guide

One. Security vulnerabilities

Vulnerabilities on Web servers can be considered in the following ways:

1. Secret files, directories, or important data that you do not have access to on a Web server.

2. When sending information to the server from a remote user, especially when something like a credit card, it is illegally intercepted by outlaws.

The 3.WEB server itself has some vulnerabilities that allow some people to hack into the host system, destroying some important data, and even causing the system to collapse.

4.CGI security vulnerabilities are:

(1) Intentionally or unintentionally omit bugs in the host system to create conditions for illegal hackers.

(2) A program written with a CGI script that involves a remote user entering a form from a browser, and retrieving (search index), or form-mail, or so on a host, may pose a risk to the web host system.

5. There are also some simple Web servers to download from the Internet, not too much to take into account some security factors, can not be used for commercial applications.

Therefore, whether you are configuring the server or writing a CGI program, you should pay attention to the security of the system. Try to plug any existing loopholes and create a safe environment.

Two. Improve system security and stability

Web Server security Precautions:

1. Limit the opening of accounts on the Web server and periodically delete some users who have broken the process.

2. For accounts opened on the Web server, make requests for password length and periodic changes to prevent misappropriation.

3. Try to make FTP, mail and other servers and separate, remove Ftp,sendmail,tftp,nis, nfs,finger,netstat and other unrelated applications.

4. Remove some absolutely unused interpreters on the Web server, such as the shell, when Perl is not used in your CGI program, try to remove Perl from the system interpreter.

5. Periodically review the log logs files in the server to analyze all suspicious events. When records such as RM, login,/bin/perl,/bin/sh, etc. appear in the errorlog, your server may have been invaded by some illegal users.

6. Set the permissions and properties of the system files on the Web server, assign a common group to accessible documents, such as WWW, and assign only the right to read only. The Web Administrator manages the WWW group by attributing all HTML files to the WWW group. The configuration file for the web only has write rights to the Web Administrator.

7. Some Web servers refer to the Web's document directory with the FTP directory in the same directory, should be careful not to the FTP directory and cgi-bin specified under a directory. This is to prevent some users through FTP upload some programs such as Perl or SH, and use Web Cgi-bin to execute, causing undesirable consequences.

8. Access User IP or DNS by restricting permission, as in access.conf in NCSA:


"Limit Get POST"

Order Mutual-failure

Deny from all

Allow from 168.160.142. abc.net.cn



This can only be accessed by a client with a domain name of abc.net.cn or IP belonging to 168.160.142.

For a CERN or a consortium server this can be added to the httpd.conf:

Protection Local-users {

Getmask @ (*.capricorn.com, *.zoo.org,


protect/relative/path/to/directory/* local-users

9.WINDOWS Lower httpd

(1) Netscape Communications Server for NT

Vulnerabilities in the Perl interpreter:

The extensions and their application relationships under Cgi-bin are not recognized in Netscape Communications server, such as. pl files are interpreted files that are invoked automatically by Perl code programs, even if the Perl.exe files are now only stored under the Cgi-bin directory. Execution such as:/cgi-bin/perl.exe? &my_script.pl. But this gives anyone the possibility of executing Perl, when some people add/cgi-bin/perl.exe to the URL of their browser. -E Unlink "*" may cause the removal of the server in the current directory of the file risk. However, other such as: o′reilly website or purveyor do not exist this loophole.

CGI Executing a batch file vulnerability:

The contents of document Test.bat are as follows:

@echo off

Echo Content-type:text/plain


Echo Hello world!

If the URL for the client's browser is:/cgi-bin/test.bat? &dir, the call command interpreter is executed to complete the dir list. This allows the visitor to execute other command possibilities.

(2) o′reilly WebSite server for Windows nt/95

Using a batch file in a previous version of website1.1b has the same vulnerability as Netscape, but the new version closes. BAT's role in CGI. Support for Perl, the new version of VB and C as a CGI development tool.

(3) microsoft′s IIS Web Server

IIS before March 5, 1996 is a serious bug in NT, and you can use command commands arbitrarily. But after the vulnerability has been patched, you can check the date your executable was created. IIS3.0 also has some security bugs, mainly cgi-bin under the right to be covered. In addition, many Web servers themselves have some security vulnerabilities, are constantly updated in the version upgrade process, this is not listed.

Three. Consider security from a CGI programming perspective

1. It is safer to use a compiled language than to interpret the language, and the CGI program should be placed under Cgi-bin independent of the HTML repository, in order to prevent some illegal visitors from obtaining the original code of an interpreted language from the browser and looking for a loophole.

2. Use Popen (), System (), all shell commands involving/bin/sh, and commands such as exec or eval, such as System (), EXEC (), open (), eval (), in Perl, when writing CGI programs in C.

Do not call functions such as system () directly when the user-filled form is returned to CGI.

In addition, for data encryption and transmission, there are currently SSL, Shttp, Shen and other protocols for everyone to study.

Four. Firewall (Firewall)

1. The concept of firewalls

A firewall (Firewall) is a combination of software or software and hardware equipment, between the enterprise or network group of computers and the outside channel (the Internet), restricting the access of external users to the internal network and the management of internal users access to the external network permissions.

2. Measures of the firewall

(1) agent (proxy) host

"Internal Network-proxy gateway"--internet "

This approach is that the internal network does not communicate directly with the Internet. is the internal network of computer users and proxy gateway using a means of communication, that is, the provision of Internal network protocol (Netbios, TCP/IP, etc.), and between the gateway and the Internet is a standard TCP/IP network communication protocol. This makes the network packet not directly between the internal and external network. Internal computers must access the Internet through a proxy gateway, which makes it easy to restrict access to external computers on the proxy server for internal network computers. In addition, due to the use of different protocol standards at both ends of the proxy server can directly prevent the outside of illegal intrusion. Also, the proxy server's gateway can verify the data packet and confirm the password for security control. In this way, can better control the user at both ends of the management, play a firewall role.

Because this kind of firewall measure uses through the proxy server to carry on, on the on-line user, the efficiency must be affected, the proxy server heavy burden, therefore many accesses the Internet the client software may not have the normal access to the Internet in the internal network computer.

(2) router plus filter complete

"Internal Network-filter (filter)--Router (Router)--internet"

This structure is used by routers and filters to complete the restriction of access to the internal network from an IP address or domain name to an external computer, or to specify or restrict the internal network's access to the Internet. Routers route only the data traffic on a specific port on the host, and filters perform filtering, filtering, validation, and security monitoring, which can largely cut off the abnormal access logins between the internal and external networks.

With the increasing popularity of computer network today, computers security not only requires preventing and controlling computer viruses, but also to improve the system's ability to resist hacking, and to improve the confidentiality of remote data transmission, so as to avoid being illegally stolen in transit. This article only discusses some of the situations that may occur when constructing a Web server, hoping to attract attention.

Related Article

Beyond APAC's No.1 Cloud

19.6% IaaS Market Share in Asia Pacific - Gartner IT Service report, 2018

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.