Web security technology and firewall (1)

Source: Internet
Author: User

1. Overview

Computer security has long been one of the most discussed topics. Traditionally it focused on virus prevention and the security of the system itself. Today, with the rapid expansion and popularization of computer networks, the requirements are higher and the scope wider: besides preventing viruses, a system must be able to resist intrusion by outside attackers, and remote data transmission must be kept confidential so that data cannot be stolen in transit.

As for network viruses, HTML files transferred over HTTP are not themselves a vehicle for viruses. The real danger lies in downloaded executable software, such as .zip, .exe, .arj and .Z files, any of which may carry a latent virus.

For the security of the system itself, the main concern is the stability and health of the server: strengthen the server's own defences, close every channel through which an intruder could get in, and keep threats away from the system. Firewall and data encryption technologies must be added to protect important commercial applications.

In terms of data encryption, it is important to keep improving the encryption technology so that criminals cannot easily gain access to the data.

Of course, computer system security is a very broad field. This chapter discusses only some of the situations that may arise when building a web site, in the hope of drawing more attention to them.

2. WEB Security Vulnerabilities

Vulnerabilities on WEB servers can be considered from the following aspects:

(1) Confidential files, directories, or important data on the web server that should not be accessible to visitors.

(2) Messages that a remote user sends to the server, especially credit card numbers and similar data, being intercepted by criminals.

(3) Vulnerabilities in the web server software that allow someone to intrude into the host system and destroy important data, or even bring the whole system down.

(4) CGI security vulnerabilities:

1) Bugs, intentional or not, in the host system that create conditions for illegal hackers.

2) A CGI program that takes input from a form submitted by a remote user's browser and uses it to run a search on an index, to send form-mail, or to execute other commands on the host can endanger the web host system.

Therefore, from the CGI perspective, WEB security must be considered carefully when programming, and CGI program vulnerabilities avoided as far as possible.
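To make the form-mail and search cases above concrete, here is an added example (not code from the original article) of the same CGI handler written the dangerous way and the safe way. The sendmail path /usr/lib/sendmail, the regular expressions and the sample index are assumptions constructed for illustration; the point is that form input is never spliced into a command string and never reaches a shell.

```python
import re
import subprocess

# Added example, not code from the original article: a form-mail style CGI
# handler and an index search, each written two ways. The sendmail path, the
# validation patterns and the sample index are constructed for illustration.

# Only a single plain mailbox address passes: no shell metacharacters (; | ` $ < > &)
# and no leading dash, so the value can never be mistaken for a sendmail option.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Search terms: letters, digits, spaces, dash and underscore only, at most 64 chars.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")


def build_mail_command_unsafe(to_addr):
    """The classic CGI mistake: form input is spliced into a shell command string.
    A 'to' field of 'user@example.cn; echo injected' makes the shell run a second command."""
    return "/usr/lib/sendmail " + to_addr


def validate_address(to_addr):
    """Reject anything that is not one plain mailbox address."""
    if len(to_addr) > 254 or not ADDRESS_RE.match(to_addr):
        raise ValueError("rejected recipient: %r" % to_addr)
    return to_addr


def build_mail_command_safe(to_addr):
    """Hardened form: validate first, then build an argument list.
    An argument list handed to subprocess (shell=False) is never parsed by a shell."""
    return ["/usr/lib/sendmail", "-oi", validate_address(to_addr)]


def send_form_mail(to_addr, body):
    """Deliver the message through the argument list above (never shell=True)."""
    result = subprocess.run(build_mail_command_safe(to_addr), input=body.encode(), check=True)
    return result.returncode


def is_accepted(to_addr):
    """True if the hardened path would accept this recipient."""
    try:
        validate_address(to_addr)
    except ValueError:
        return False
    return True


def search_index(term, index_lines):
    """Search the site index in-process instead of handing the term to grep or a shell."""
    if not SEARCH_TERM_RE.match(term):
        raise ValueError("rejected search term: %r" % term)
    return [line for line in index_lines if term.lower() in line.lower()]


# Constructed sample index, standing in for a real htdocs index file.
SAMPLE_INDEX = [
    "/docs/intro.html: Introduction to the server",
    "/docs/cgi.html: Writing CGI programs safely",
    "/docs/access.html: Restricting access by host",
]
```

The unsafe builder is kept only to show what the hardened one prevents: the same recipient string that becomes two shell commands in the first case is rejected outright by the validator, and even a valid address is passed as one argument rather than through a shell.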

Analysis from the perspective of the web server version:

In March 1995 it was found that NCSA HTTPD 1.3 and earlier versions had a security vulnerability that let a client computer execute arbitrary commands on the server, which is very dangerous. NCSA 1.4 and later versions have fixed this vulnerability. There are also some simple WEB servers downloadable from the Internet that do not take many security factors into account and cannot be used for commercial applications.

Therefore, you must pay attention to system security when configuring servers or writing CGI programs. Try to close any existing vulnerabilities and create a secure environment. Note the following when setting up CGI programs on the server:

Managing the server

1) Do not use any tool or software downloaded from other networks without examining it, and never log in as root to run it. Some programmers set traps in their programs, such as adding one or two lines like "rm -rf /" or "mail username </etc/passwd".

2) When selecting a web server, note that different servers have different security properties. Some simple web servers take no account of security and cannot be used for commercial applications; they are suitable only for personal sites.

3) When .htpasswd is used on the WEB server to manage and verify user passwords, there is no limit on the number of password and user name verification attempts.

3. How to improve system security and stability on the WEB

Web server security prevention measures:

[1] Restrict the accounts on web servers and regularly remove accounts that are no longer in use.

[2] Require a minimum password length and regular password changes for accounts opened on web servers, to prevent theft.

[3] Try to keep ftp, mail and other servers on separate machines, and remove unrelated services such as ftp, sendmail, tftp, NIS, NFS, finger and netstat.

[4] Remove unneeded shells and other interpreters from the web server; that is, when perl is not used by your CGI programs, remove perl from the system.

[5] Regularly review the log files on the server and analyze all suspicious events. When records containing rm, login, /bin/perl, /bin/sh and the like appear in the error log, your server may be under attack by an unauthorized user.
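The review in [5] is easy to automate. The following is an added example (not code from the original article) that scans error-log text for the indicators named above and reports the matching lines; the log lines themselves are constructed samples in the NCSA error-log style, not real server output.

```python
import re

# Added example, not code from the original article: flag error-log lines that
# mention the indicators listed in point [5]. The log below is constructed.
SAMPLE_ERROR_LOG = """\
[Tue Mar 12 10:01:02 1996] access to /cgi-bin/search failed for 10.0.0.7, reason: malformed header from script
[Tue Mar 12 10:03:15 1996] sh: /bin/perl: cannot execute
[Tue Mar 12 10:03:16 1996] rm: /home/www/htdocs/index.html: Permission denied
[Tue Mar 12 10:05:40 1996] access to /docs/ failed for 192.0.2.9, reason: file does not exist
[Tue Mar 12 10:07:01 1996] login: incorrect password for www
"""

# Word boundaries keep "rm" from matching inside words such as "malformed" or "Permission".
INDICATORS = {
    "rm": re.compile(r"\brm\b"),
    "login": re.compile(r"\blogin\b"),
    "/bin/perl": re.compile(r"/bin/perl"),
    "/bin/sh": re.compile(r"/bin/sh\b"),
}


def find_suspicious(log_text):
    """Return (line number, matched indicators, line) for every line that matches."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        matched = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if matched:
            hits.append((lineno, matched, line))
    return hits


def indicator_counts(hits):
    """How often each indicator appeared, for a quick daily summary."""
    counts = {}
    for _, matched, _ in hits:
        for name in matched:
            counts[name] = counts.get(name, 0) + 1
    return counts


def report(log_text):
    """Human-readable summary of the scan, one line per hit."""
    hits = find_suspicious(log_text)
    lines = ["%d suspicious line(s)" % len(hits)]
    for lineno, matched, line in hits:
        lines.append("line %d [%s]: %s" % (lineno, ", ".join(matched), line))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ERROR_LOG))
```

Run it over the real error log (for NCSA, the ErrorLog path set in httpd.conf) from cron and mail the report to the WEB administrator; a single hit is not proof of an attack, but a shell or interpreter name appearing in a web server's error log deserves a look.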

[6] Set the permissions and attributes of system files on the web server: assign accessible documents to a public group such as www and give them read-only rights. All HTML files belong to the www group, which is managed by the WEB administrator, and only the WEB administrator has the right to write the WEB configuration files.

[7] Some WEB servers use the same directory as the FTP directory for the WEB documents. Be careful not to place the FTP directory and the CGI-BIN under the same directory; this prevents users from uploading programs such as PERL or SH scripts via FTP and executing them through the WEB CGI-BIN, with harmful consequences.
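The rules in [6] can be checked mechanically. Here is an added example (not code from the original article) that walks a document root and reports files that are not owned by the www group, that are writable by the group or by others, or, for the configuration files, readable or writable by anyone other than the owner. The demo tree it builds in a temporary directory, with one correctly set file and two misconfigured ones, is constructed for illustration; on a real server you would pass the actual document root and the gid of the www group.

```python
import os
import shutil
import stat
import tempfile

# Added example, not code from the original article: audit a document root against
# the permission rules in point [6]. The demo tree below is constructed.


def audit_docroot(root, www_gid, config_files=()):
    """Return sorted (relative path, problem) pairs for files that break the rules."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            if os.stat(path).st_gid != www_gid:
                findings.append((rel, "group is not www"))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group or others"))
            # Configuration files: only the WEB administrator (the owner) may touch them.
            if rel in config_files and mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((rel, "config readable or writable beyond owner"))
    return sorted(findings)


def build_demo_tree():
    """Create a throwaway htdocs tree: one good HTML file, one world-writable one,
    and a configuration file that is readable by everyone."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    os.makedirs(os.path.join(root, "conf"))
    files = {
        "index.html": 0o644,                              # owner rw, group/others read-only
        "about.html": 0o666,                              # mistake: anyone can edit
        os.path.join("conf", "httpd.conf"): 0o644,        # mistake: should be 0o600
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed content\n")
        os.chmod(path, mode)
    return root


def demo():
    """Build the demo tree, audit it and clean up. Files created here inherit the
    directory's group, so that gid stands in for the www group."""
    root = build_demo_tree()
    try:
        www_gid = os.stat(root).st_gid
        return audit_docroot(root, www_gid, config_files={os.path.join("conf", "httpd.conf")})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, problem in demo():
        print("%-20s %s" % (rel, problem))
```

For a live check, look the group up with grp.getgrnam("www").gr_gid and pass the real document root; an empty result means every file satisfies the three rules.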

[8] Restrict access by the user's IP address or DNS name, for example:

Add the following to access.conf in NCSA:

<Directory /full/path/to/directory>
<Limit GET POST>
order deny,allow
deny from all
allow from 168.160.142. abc.net.cn
</Limit>
</Directory>
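To see exactly which clients such a block lets through, here is an added example (not code from the original article or from NCSA) that parses a <Limit> block and evaluates it with the NCSA/Apache 1.x host-matching rules: "all" matches everyone, an entry ending in a dot is an address prefix, and a name entry matches the client's reverse-DNS name or any subdomain of it. One caveat worth knowing: "order mutual-failure" grants access only to hosts that appear on the allow list and do not appear on the deny list, so paired with "deny from all" it denies every client; "order deny,allow" (deny rules first, allow rules override) is what gives the intended result, and the embedded block uses it. The block text, the client addresses and host names are constructed for illustration.

```python
# Added example, not code from the original article or from NCSA: parse and
# evaluate a <Limit> block with order / deny from / allow from directives.
# The block and the client addresses below are constructed for illustration.

SAMPLE_LIMIT_BLOCK = """\
<Limit GET POST>
order deny,allow
deny from all
allow from 168.160.142. abc.net.cn
</Limit>
"""


def parse_limit_block(text):
    """Return (order, allow entries, deny entries) from the directive lines."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("<"):      # skip blanks and <Limit> tags
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(p.lower() for p in parts[2:])
    return order, allow, deny


def host_matches(entry, client_ip, client_host):
    """Does one allow/deny entry match this client?"""
    if entry == "all":
        return True
    if entry[0].isdigit():                 # full address, or a dotted prefix like 168.160.142.
        prefix = entry if entry.endswith(".") else entry + "."
        return client_ip == entry or client_ip.startswith(prefix)
    if client_host is None:                # no reverse lookup: a name rule cannot match
        return False
    host = client_host.lower()
    suffix = entry if entry.startswith(".") else "." + entry
    return host == entry.lstrip(".") or host.endswith(suffix)


def evaluate(order, allow, deny, client_ip, client_host=None):
    """Apply the three NCSA/Apache 1.x orders and return True if access is granted."""
    allowed = any(host_matches(e, client_ip, client_host) for e in allow)
    denied = any(host_matches(e, client_ip, client_host) for e in deny)
    if order == "deny,allow":              # deny rules first, an allow match overrides
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):   # must be allowed and not denied
        return allowed and not denied
    raise ValueError("unknown order: %r" % order)


def check_sample_config(client_ip, client_host=None):
    """Evaluate the embedded block for one client."""
    order, allow, deny = parse_limit_block(SAMPLE_LIMIT_BLOCK)
    return evaluate(order, allow, deny, client_ip, client_host)


if __name__ == "__main__":
    for ip, host in [("168.160.142.17", None), ("10.0.0.5", "www.abc.net.cn"), ("10.0.0.5", None)]:
        print(ip, host, "->", "allowed" if check_sample_config(ip, host) else "denied")
```

Name-based entries only work when the server performs reverse lookups for the client, and a client with no reverse name never matches a name rule, which is the safe default; address prefixes are the more reliable restriction.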

