A newbie's alternative take on server security

Source: Internet
Author: User

Attack and defense are opposites. Some people say that hardening is harder than intrusion: an attacker only needs one of thousands of vulnerabilities to be present on the system to get in, while a defender who wants real security has to know how to prevent all of those thousands of vulnerabilities, which is nearly impossible. Even if you manage that, you still face many unknown, undisclosed 0-day vulnerabilities, and nobody can master all of them. So absolute security is impossible, but we can still try to make the system more secure :).

So the best security comes from the real experts. Well, the real experts... For us newbies who only know how to attack and not how to defend, there is still something to do: although we do not know much about security, we can use some "alternative" methods to harden our systems, or at least feed intruders some bad guidance that may throw them off.

/* I have limited ability, so I will only briefly cover web server security on Windows.

Also, this article is written at newbie level; experts, please skip it directly... */

Most security risks exist in script programs.
I believe everyone has had this feeling: if the goal is to get the highest privileges on the server behind some site, our thinking turns first to the web application rather than to attacking the server directly with an overflow or similar means. Indeed, for a web server, the web application is almost always the most vulnerable part. There are many reasons for this, and we will not discuss them here.
To keep the system secure, the most basic step is to secure the web application itself. We will not say much about how to do that here; I believe everyone has plenty of ideas and practical methods.

2. Win? Linux? Unix?
I am sure you do reconnaissance before penetration: you want to know the operating system and web container of the target server. I don't know how you like to obtain this information, but I think the most iconic difference between operating systems and web containers is the default 404 page, the one you get when you request a page that does not exist. If the default 404 page is in use, you know at a glance whether it is IIS or Apache. But if I run Apache with a custom 404 page that looks exactly like the default IIS one, then... would that make you think twice during an intrusion? So don't underestimate the default 404 page. Modifying it is actually very useful; for example, it also has some effect against brute-force scanning by hackers.

Take my blog as an example. If you brute-force the directories of my blog, you will find that every directory name from the dictionary shows up in the scan results, because all of them are sent to the custom 404 page and the tool decides those pages actually exist. So from the scan results you cannot tell which directories really exist; open any of the results and you get a damn 404....

Of course, a 404 page alone cannot completely fool intruders. There are many other ways to identify the server OS and web container; for example, this information is easy to get from the HTTP response headers. You can also play some tricks there to achieve simple deception, but I will not spend much space on it; if you are interested, you can find the relevant material online.
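As an added example (not from the original post), here is the defender's side of the scanning trick above: a check that flags directory brute-forcing in an IIS W3C log. A request counts as a miss when it returns 404 or when it lands on the custom 404 page, so the check still works when that custom page answers with 200 as the post describes. The error page path and the log lines are constructed for illustration.

```powershell
# Added example, not code from the original post. $CustomErrorPath and the
# log lines below are constructed; field order is the default IIS W3C layout.
$CustomErrorPath = '/404.asp'
$SampleLog = @'
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2024-01-01 10:00:02 10.0.0.5 GET /admin/ - 80 - 198.51.100.9 DirBuster - 302 0 0 3
2024-01-01 10:00:02 10.0.0.5 GET /404.asp - 80 - 198.51.100.9 DirBuster - 200 0 0 4
2024-01-01 10:00:03 10.0.0.5 GET /backup/ - 80 - 198.51.100.9 DirBuster - 302 0 0 3
2024-01-01 10:00:03 10.0.0.5 GET /404.asp - 80 - 198.51.100.9 DirBuster - 200 0 0 4
2024-01-01 10:00:04 10.0.0.5 GET /old/ - 80 - 198.51.100.9 DirBuster - 404 0 2 3
2024-01-01 10:00:05 10.0.0.5 GET /missing.jpg - 80 - 203.0.113.7 Mozilla/5.0 - 404 0 2 2
'@

function Find-DirectoryScanners {
    param([string[]]$Lines, [string]$ErrorPage, [int]$Threshold = 3)
    $fields = $null
    $misses = @{}                                  # client IP -> number of misses
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {             # the W3C header names the columns
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $cols   = $line -split ' '
        $uri    = $cols[$fields.IndexOf('cs-uri-stem')]
        $ip     = $cols[$fields.IndexOf('c-ip')]
        $status = $cols[$fields.IndexOf('sc-status')]
        # Either a real 404 or a hit on the custom error page counts as a miss,
        # whichever way IIS has been configured to deliver the custom page.
        if ($status -eq '404' -or $uri -eq $ErrorPage) {
            $misses[$ip] = 1 + [int]$misses[$ip]
        }
    }
    foreach ($entry in $misses.GetEnumerator()) {
        if ($entry.Value -ge $Threshold) {
            [pscustomobject]@{ ClientIP = $entry.Key; Misses = $entry.Value }
        }
    }
}

# With the sample above only 198.51.100.9 (3 misses) is reported; 203.0.113.7 has 1.
Find-DirectoryScanners -Lines ($SampleLog -split "`r?`n") -ErrorPage $CustomErrorPath |
    Format-Table -AutoSize
```

On a real server feed it the lines of a file from the IIS log directory and raise the threshold to fit your traffic.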

3. Strict directory permission control can largely prevent a hacker who has compromised one website on the server from going on to compromise the entire server.

I think everyone has a deep understanding of this from privilege escalation.

On Windows, IIS runs under the permissions of the Users group by default. When we first start using IIS, we may run into this situation: the default site provided by IIS cannot be used, and accessing it returns a 403 error. As everyone knows, a 403 means you do not have sufficient permissions to access or execute. Here it means you have not granted the Users group sufficient permissions on your web directory: the web directory must grant the Users group at least Read and Execute, and some directories may also need Write. The specific steps are to select your web directory, right-click, Properties, Security, where you may see the following situation:

The Users group has no permissions at all. In this case we need to add the Users group: click "Add", enter "users", click "Check Names", and the full name of the local Users group is displayed; then click "OK". For example, the default permissions of the Users group look like this:

I have had this experience: after obtaining a webshell on a website, I found that no privilege escalation was needed at all, because IIS was running as a member of the Administrators group. You know what that means. At the same time, I still have another webshell on a website where I can hardly do anything to escalate privileges: the permission restrictions are so tight that apart from reading the site directory, nothing else can be done.

This is the gap. Strict permission restrictions are the first step to security. For example, when escalating privileges we often make use of the Program Files directory and the temp directory; in a strict model, apart from the permissions granted to the Users group on the web directory, the Users group has no permission to do anything in any other directory, not even read. That way, even if a website on the server is compromised, the intruder can only move around inside that website's web directory. Beyond that, it is best to set strict permissions on the subdirectories of the web directory as well: grant Write only to directories that must be writable, and grant script execution only to directories where scripts must run. Think about it: when you use an upload vulnerability to upload a shell file, suppose it lands in the default upload directory (the one that stores uploaded image files). If the administrator has configured that directory to disallow script execution, isn't the upload in vain? Of course you would then want to upload to a different directory, but what if the other directories have no write permission? Admittedly, a directory that needs both script execution and write permission usually exists somewhere; the example here only illustrates that doing this will at least cause intruders a lot of trouble.
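As an added example (not code from the original post), the permission model just described applied to an IIS site with PowerShell, followed by a check that lists every directory the web identity can still write to. The site name, paths, the upload subdirectory and BUILTIN\Users as the web identity are assumptions; on IIS 7 and later the worker identity is usually IUSR or IIS AppPool\<name>, so substitute accordingly.

```powershell
# Added example, not code from the original post. Site name, paths and the
# web identity below are assumptions for illustration.
$Site      = 'Default Web Site'
$WebRoot   = 'C:\inetpub\wwwroot'
$UploadDir = Join-Path $WebRoot 'upload'
$WebUser   = 'BUILTIN\Users'
$Appcmd    = "$env:windir\system32\inetsrv\appcmd.exe"

function Set-DirRights {
    param([string]$Path, [string]$Who, [string]$Rights)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)    # stop inheriting the loose rules from C:\
    $wanted = @{ $Who = $Rights; 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }
    foreach ($id in $wanted.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $wanted[$id], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)                   # replaces any earlier Allow rule for $id
    }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Whole site: read and execute only; nothing under it is writable by default.
Set-DirRights -Path $WebRoot   -Who $WebUser -Rights 'ReadAndExecute'
# 2. Upload directory: read and write, but no execute.
Set-DirRights -Path $UploadDir -Who $WebUser -Rights 'Read, Write'
# 3. Tell IIS never to run scripts from the upload directory. Commit to
#    applicationHost.config and lock the section, so a web.config dropped into
#    the (writable) upload directory cannot switch scripts back on.
& $Appcmd set  config "$Site/upload" /section:system.webServer/handlers /accessPolicy:Read /commit:apphost
& $Appcmd lock config "$Site/upload" /section:system.webServer/handlers

# Check: every directory under the site where the web identity can write.
# Anything other than the upload directory in this list is a mistake.
function Get-WritableDirs {
    param([string]$Root, [string]$Who)
    Get-ChildItem -Path $Root -Directory -Recurse | Where-Object {
        $dir = $_
        (Get-Acl -Path $dir.FullName).Access | Where-Object {
            $_.IdentityReference.Value -eq $Who -and $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
        }
    } | Select-Object -ExpandProperty FullName
}
Get-WritableDirs -Root $WebRoot -Who $WebUser
```

Run it from an elevated PowerShell; Set-Acl and appcmd both need administrator rights.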

3. A hacker may be thrown off by simple misleading information.

Now that you have the permissions, you want to add an account. What is the first thing you do? `net user hacker F4CK /add & net localgroup administrators hacker /add`, right? But what if I have renamed the Administrators group? Call it... how about Guests? Yes, Guests is the default guest group. And what do we do with the original Guests group? How about naming it "administrators"? Of course, we will not grant any permissions to the real Guests group. When we find that our "administrators" group has gained members, we need to check the server for problems: since the intruder was able to add users, it at least indicates they have obtained high privileges. At that point we should be very vigilant and immediately clean out the intruder's backdoor.
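As an added example (not from the original post), the check that goes with the group-swapping trick above: a script that watches the real Administrators group for new members no matter what it has been renamed to. Renaming changes the name but not the well-known SID S-1-5-32-544, so the check keys on the SID; it assumes the Microsoft.PowerShell.LocalAccounts cmdlets (PowerShell 5.1 and later) and a baseline file path outside the web root.

```powershell
# Added example, not code from the original post. $BaselineFile is an assumed
# path; keep it somewhere the web identity cannot write.
$AdminSid     = 'S-1-5-32-544'                    # BUILTIN\Administrators, whatever its name
$BaselineFile = 'C:\ProgramData\admin-baseline.txt'

function Get-RealAdmins {
    # Resolves by SID, so it still works after the post's Guests/administrators swap.
    @(Get-LocalGroupMember -SID $AdminSid | ForEach-Object { $_.Name }) | Sort-Object
}

function Compare-Members {
    param([string[]]$Baseline, [string[]]$Current)
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { $Baseline -notcontains $_ })
        Removed = @($Baseline | Where-Object { $Current  -notcontains $_ })
    }
}

$current = @(Get-RealAdmins)
if (-not (Test-Path -Path $BaselineFile)) {
    $current | Set-Content -Path $BaselineFile    # first run: record the known-good set
    "Baseline written: $($current -join ', ')"
} else {
    $baseline = @(Get-Content -Path $BaselineFile)
    $diff = Compare-Members -Baseline $baseline -Current $current
    if ($diff.Added.Count -gt 0) {
        $groupName = (Get-LocalGroup -SID $AdminSid).Name
        # A new member here is a compromise indicator, not configuration drift:
        # go looking for the account, the backdoor and how the intruder got in.
        Write-Warning "New members in the real Administrators group ('$groupName'): $($diff.Added -join ', ')"
    }
    if ($diff.Removed.Count -gt 0) {
        Write-Warning "Members removed since baseline: $($diff.Removed -join ', ')"
    }
}
```

Schedule it to run every few minutes with Task Scheduler and route Write-Warning output to wherever your alerts go.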

I did not intend to talk about system patches here, but on reflection: patching servers promptly is very important. Otherwise, even if you do everything else well, there is no guarantee that a single remote overflow will not turn into a tragedy for you...

4. Database security issues.

During penetration, everyone has probably had this experience: if there is an injection point running with sa or root privileges, the site is basically a tragedy. So it is very important not to use high-privilege database accounts such as sa and root unless absolutely necessary, because once a SQL injection vulnerability appears, it will be fatal!

In fact, all kinds of excellent security software are worth using.

This is true. An administrator cannot stare at the server 24 hours a day and constantly monitor its status; an administrator needs rest, but a machine is different: give it enough power and it will work for you. So why not choose a good security product to run on your server? As for which one, I do not recommend a product like 360, because at least it does not perform well on servers. Personally I think McAfee performs reasonably well on servers; of course, there are many excellent security products to choose from.

In addition to these anti-virus products, I think it is also necessary to install some real-time monitoring security products, such as XX Dog and XX Shield, especially for site or server security; they will save the administrator a lot of energy.

6. Shut down unnecessary services, leaving intruders only a safe port 80 to play with!

If you can do the above, your server can at least be considered relatively safe; at least I could not do anything with a server like that.



Author: adwin QQ: 562474299 root@okadwin.com Blog: http://www.okadwin.com
