Web Server Security Guide for Unix systems

Source: Internet
Author: User
Tags: perl, interpreter, website, server

Today, with the growing popularity of computer networks, computer security means more than guarding against viruses: a system must also resist intrusion by illegal hackers, keep remotely transmitted data confidential, and prevent that data from being stolen in transit. This article discusses only some of the situations that can arise when building a Web server, in the hope of drawing more attention to them.

I. Security Vulnerabilities

Vulnerabilities on a Web server can be considered from the following angles:

1. Confidential files, directories or other important data on the Web server that are not meant to be accessible are read by outsiders.

2. Information a remote user sends to the server, a credit card number in particular, is intercepted in transit by criminals.

3. The Web server software itself has vulnerabilities that let someone break into the host system, damage important data, or even bring the whole system down.

4. CGI security vulnerabilities:

(1) Holes left in the host system, intentionally or not, give an illegal hacker the conditions for an attack.

(2) A CGI script that takes a Form filled in by a remote user in the browser and performs a search (index), form-mail or other command on the host can endanger the Web host system.

5. Some simple Web servers downloaded from the Internet take few security factors into account and cannot be used for commercial applications.

Therefore, pay attention to system security both when configuring the server and when writing CGI programs. Try to close every known vulnerability and build a secure environment.

II. Improving system security and stability

Security measures for the Web server:

1. Restrict the opening of accounts on the Web server and regularly delete accounts that are no longer active.

2. Impose requirements on password length and regular password changes for the accounts opened on the Web server, so that they cannot easily be stolen.

3. Try to run FTP, MAIL and other servers on separate machines. Remove unrelated services and programs such as ftp, sendmail, tftp, NIS, NFS, finger and netstat from the Web server.

4. Remove interpreters that are not needed on the Web server, other than the SHELL itself; that is, if your CGI programs do not use PERL, delete PERL from the system.

5. Regularly review the log files on the server and analyse every suspicious event. When records such as rm, login, /bin/perl or /bin/sh appear in the error log, your server may already have been infiltrated by an illegal user.
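The check behind point 5, as an added example rather than code from the original article: each logged request is URL-decoded and flagged when it names rm, login, /bin/perl or /bin/sh, invokes an interpreter directly under /cgi-bin/, or carries shell metacharacters (&, ;, |, backtick, <, >) into a CGI program. The log lines are constructed here in NCSA common log format; two of them carry the perl.exe and test.bat payloads the article describes for the Windows servers in point 9.

```python
"""Added example, not from the original article: a scan over Web server log
lines for the signs of intrusion named in point 5 together with the shell
metacharacters that CGI command injection depends on. SAMPLE_LOG is
constructed for this example and is not real traffic."""
import re
from urllib.parse import unquote_plus

# Command words and interpreter paths that should not appear in a request.
COMMAND_WORDS = re.compile(r"\b(?:rm|login|unlink)\b|/bin/(?:perl|sh)\b|perl\.exe")
# Characters a shell treats as command separators or redirections.
SHELL_METACHARS = re.compile(r"[&;|`$<>]")
# Programs that must never be reachable as /cgi-bin/<program> themselves.
INTERPRETERS = {"perl", "perl.exe", "sh", "csh", "ksh", "bash"}

LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.1.2.3 - - [05/Mar/1996:10:01:02 +0800] "GET /index.html HTTP/1.0" 200 1043
10.1.2.3 - - [05/Mar/1996:10:01:09 +0800] "GET /cgi-bin/search.pl?q=unix HTTP/1.0" 200 511
172.16.9.9 - - [05/Mar/1996:10:02:17 +0800] "GET /cgi-bin/perl.exe?&-e+unlink+%3C*%3E HTTP/1.0" 200 0
172.16.9.9 - - [05/Mar/1996:10:02:40 +0800] "GET /cgi-bin/test.bat?&dir HTTP/1.0" 200 2210
192.168.7.7 - - [05/Mar/1996:10:03:01 +0800] "GET /cgi-bin/search.pl?q=foo;/bin/sh+-c+rm+-rf+/ HTTP/1.0" 500 0
"""


def decode_request(uri):
    """Split a request URI into its path and its decoded query string."""
    path, _, query = uri.partition("?")
    # Decode %XX escapes and the '+' that stands for a space, as CGI does,
    # so that 'unlink+%3C*%3E' becomes 'unlink <*>'.
    return path, unquote_plus(query)


def request_reasons(uri):
    """Return the reasons a request looks like an attempt to run commands
    (an empty list means nothing suspicious was found)."""
    path, query = decode_request(uri)
    reasons = []
    if path.startswith("/cgi-bin/"):
        program = path.rsplit("/", 1)[-1].lower()
        if program in INTERPRETERS:
            reasons.append("interpreter invoked directly as a CGI program")
        if SHELL_METACHARS.search(query):
            reasons.append("shell metacharacters in query string")
    if COMMAND_WORDS.search(path + "?" + query):
        reasons.append("command words or interpreter paths in request")
    return reasons


def scan_log(text):
    """Parse common-log-format lines and return the suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line; real logs also carry other records
        reasons = request_reasons(m.group("uri"))
        if reasons:
            findings.append({"host": m.group("host"), "time": m.group("time"),
                             "uri": m.group("uri"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["host"], f["uri"], "->", "; ".join(f["reasons"]))
```

Run it over a real access or error log instead of SAMPLE_LOG; the word list is deliberately short, so treat any hit as a reason to read the surrounding lines rather than as proof of compromise, and note that a request the server rejected still shows what the visitor was trying.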

6. Set the file permissions and attributes on the Web server: assign a public group such as WWW to the accessible documents and give it read-only rights. All HTML files belong to the WWW group, which the Web administrator manages, and only the Web administrator has the right to write the Web configuration files.

7. Some Web servers place the Web document directory and the FTP directory under the same directory; be sure never to place the FTP directory and CGI-BIN under one directory. Otherwise a user could upload a PERL or SH program over FTP and then execute it through the Web server's CGI-BIN, with serious consequences.
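An audit of a document tree against points 6 and 7, as an added example that is not code from the original article: it reports documents not owned by the WWW group or writable by anyone but their owner, CGI programs that are world-writable, and a cgi-bin that sits inside (or is) the FTP directory. The sample tree is constructed in a temporary directory, and because the check runs without root the process's own group stands in for WWW.

```python
"""Added example, not from the original article: audit a Web document tree
against points 6 and 7 (WWW group owns the documents and may only read them;
cgi-bin is never the FTP directory or beneath it). The tree is constructed
here in a temporary directory."""
import os
import shutil
import stat
import tempfile


def audit_tree(docroot, cgi_bin, ftp_dir, www_gid):
    """Return (path, problem) pairs for everything that breaks the rules."""
    problems = []
    # Point 7: if cgi-bin is the FTP directory or lies beneath it, anyone
    # who can upload a PERL or SH program can run it through the Web server.
    if os.path.commonpath([ftp_dir, cgi_bin]) == ftp_dir:
        problems.append((cgi_bin, "cgi-bin lies inside the FTP directory"))
    # Point 6: documents belong to the WWW group and are read-only for it
    # (and for everyone else); only the owner, the Web administrator, writes.
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if st.st_gid != www_gid:
                problems.append((path, "not owned by the WWW group"))
            if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append((path, "writable by group or others"))
    # A CGI program that anyone may overwrite is as bad as an open upload area.
    for root, _dirs, files in os.walk(cgi_bin):
        for name in files:
            path = os.path.join(root, name)
            if stat.S_IMODE(os.lstat(path).st_mode) & stat.S_IWOTH:
                problems.append((path, "CGI program is world-writable"))
    return problems


def run_demo():
    """Build a sample tree, audit it with a separate FTP area and with the
    FTP area covering cgi-bin, and return both findings relative to the top."""
    base = tempfile.mkdtemp(prefix="webaudit-")
    docroot = os.path.join(base, "htdocs")
    cgi_bin = os.path.join(base, "cgi-bin")
    ftp_dir = os.path.join(base, "ftp")
    for d in (docroot, cgi_bin, ftp_dir):
        os.mkdir(d)
    samples = {                                        # constructed files
        os.path.join(docroot, "index.html"): 0o640,    # right: group read-only
        os.path.join(docroot, "notes.html"): 0o666,    # wrong: anyone can edit
        os.path.join(cgi_bin, "search.pl"): 0o755,     # right
        os.path.join(cgi_bin, "form-mail.pl"): 0o777,  # wrong: world-writable
    }
    for path, mode in samples.items():
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    www_gid = os.stat(docroot).st_gid  # stands in for the WWW group here
    try:
        separate = audit_tree(docroot, cgi_bin, ftp_dir, www_gid)
        # Same files, but now the whole tree (cgi-bin included) is the FTP area.
        shared = audit_tree(docroot, cgi_bin, base, www_gid)
    finally:
        shutil.rmtree(base)

    def rel(found):
        return [(os.path.relpath(p, base), why) for p, why in found]

    return {"separate_ftp": rel(separate), "ftp_over_cgi_bin": rel(shared)}


if __name__ == "__main__":
    for layout, found in run_demo().items():
        print(layout)
        for path, why in found:
            print("  ", path, "-", why)
```

On a real server call audit_tree() with the actual document root, cgi-bin and FTP directory and the numeric gid of the WWW group (from /etc/group); a file the audit lists as writable by group or others is one the Web administrator did not have to change, which is the situation point 6 is meant to rule out.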

8. Limit access by the user's IP address or DNS name. For example, add the following to access.conf in NCSA httpd:

<Directory /full/path/to/directory>
<Limit GET POST>
order mutual-failure
deny from all
allow from 168.160.142. abc.net.cn
</Limit>
</Directory>

With this in place, only clients in the abc.net.cn domain or with an IP address beginning 168.160.142. can reach that directory.

For the CERN or W3C server, add the following to httpd.conf:

Protection LOCAL-USERS {
    GetMask @(*.capricorn.com, *.zoo.org, 18.157.0.5)
}

Protect /relative/path/to/directory/* LOCAL-USERS

9. HTTPD on WINDOWS

(1) Netscape Communications Server for NT

PERL interpreter vulnerability:

Netscape Communications Server installs the PERL interpreter (perl.exe) under the CGI-BIN directory and runs scripts as /cgi-bin/perl.exe?&my_script.pl. The consequence is that anyone can execute PERL: a request such as /cgi-bin/perl.exe?&-e+unlink+%3C*%3E (that is, perl -e "unlink <*>") can delete the files in the server's current directory. O'Reilly WebSite and Purveyor do not have this vulnerability.

CGI batch files:

Suppose the file test.bat has the following content:

@echo off
echo Content-type: text/plain
rem "echo." prints the empty line that ends the CGI header (a bare "echo" prints "ECHO is off.")
echo.
echo Hello World!

If the browser requests /cgi-bin/test.bat?&dir, the server hands the query string to the command interpreter on the batch file's command line, and the & makes it run DIR as well, listing the directory. A visitor can execute any other command in the same way.

(2) O'Reilly WebSite server for Windows NT/95

Versions of WebSite before 1.1B have the same batch-file vulnerability as Netscape. The new version no longer allows .bat files as CGI programs; it supports PERL and uses VB and C as CGI development tools.

(3) Microsoft IIS Web Server

IIS on NT had a serious bug in the builds dated before January 26 and March 5, 1996: a visitor could execute commands at will. This vulnerability has been fixed; check the creation date of your executable files. IIS 3.0 also has some security bugs, mainly concerning the permissions on CGI-BIN. Many other Web servers have security vulnerabilities of their own, which are fixed as versions are upgraded, and they are not listed here.

III. Security considerations from the CGI programming perspective

1. Compiled languages are safer than interpreted ones, and CGI programs should be placed in a CGI-BIN separate from the directories that hold HTML, so that an illegal visitor cannot fetch the source code of an interpreted script from the browser.

2. Be careful with popen(), system() and every other call that goes through /bin/sh; in PERL this includes system(), exec(), open() and eval(), all of which can hand input to the shell or the interpreter.

Never pass the data a user filled into a Form straight to functions such as system() when the CGI program handles it.
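The failure that point 2 warns about and its fix, as an added example that is not code from the original article: search_unsafe() builds a command string the way an early search CGI did, so a term containing ";" runs extra commands; search_noshell() passes the term to grep as one argument with no /bin/sh in between; search_safe() additionally rejects anything outside a conservative character set. cgi_argv() shows the CGI convention behind the .bat and perl.exe cases of section II, point 9: a query string with no "=" is split on "+" and handed to the program as command-line arguments. The document text, the temporary file and the inputs are all constructed here, and grep is assumed to be installed.

```python
"""Added example, not from the original article: form input handed to a
shell versus handed to a program. DOCUMENT, INJECTION and the temporary
file are constructed here; grep must be on the PATH."""
import re
import subprocess
import tempfile
from urllib.parse import unquote_plus

DOCUMENT = "unix web server\nperl cgi scripts\nsecure configuration\n"
# A "search term" that also runs commands once a shell sees it.
INJECTION = "cgi; echo PWNED; cat"
SAFE_TERM = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def write_document():
    """Write the sample document to a temporary file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(DOCUMENT)
    return fh.name


def cgi_argv(query_string):
    """CGI convention: a query without '=' is an ISINDEX query; the server
    splits it on '+', decodes each piece and passes them as arguments.
    Whether '&' in such an argument is data or a command separator then
    depends on whether the server execs the program directly or goes
    through a command interpreter, which is what went wrong on Windows."""
    if "=" in query_string:
        return []
    return [unquote_plus(part) for part in query_string.split("+") if part]


def search_unsafe(term, document_path):
    """VULNERABLE: the term is pasted into a shell command line."""
    cmd = "grep -i " + term + " " + document_path
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout


def search_noshell(term, document_path):
    """Fix 1: no shell; the term reaches grep as a single argument, so
    ';', '|' and '&' are just characters to search for."""
    result = subprocess.run(["grep", "-i", "--", term, document_path],
                            capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout


def is_accepted(term):
    """Fix 2: only letters, digits, spaces and a few punctuation marks."""
    return SAFE_TERM.match(term) is not None


def search_safe(term, document_path):
    """Both fixes together: validate first, then run without a shell."""
    if not is_accepted(term):
        raise ValueError("rejected search term: %r" % term)
    return search_noshell(term, document_path)


if __name__ == "__main__":
    path = write_document()
    print("unsafe, normal term :", repr(search_unsafe("cgi", path)))
    print("unsafe, injection   :", repr(search_unsafe(INJECTION, path)))
    print("no shell, injection :", repr(search_noshell(INJECTION, path)))
    print("safe, injection     :", "rejected" if not is_accepted(INJECTION) else "accepted")
```

The injected term makes the unsafe version print PWNED and then dump the whole file, which with a different path would be any file the server's user can read; the no-shell version returns nothing because no line contains the literal term, and the validated version refuses the term before anything runs. Both fixes are worth keeping: the allow-list guards the program that is called, which may have its own special characters even when no shell is involved.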

As for encrypting data in transit, protocols such as SSL, SHTTP and SHEN are available for study.

IV. Firewalls

1. The concept of a firewall

A firewall is a barrier made up of software, or of software and hardware devices, placed between the computers of an enterprise or group and the external channel (the Internet). It restricts external users' access to the internal network and manages the permissions of internal users who access the external network.

2. Firewall measures

(1) Proxy host: "internal network -- Proxy Gateway -- Internet"

In this arrangement the internal network and the Internet never communicate directly. Computers on the internal network talk to the proxy gateway using the internal network's own protocol (NetBIOS, TCP/IP and so on), while the gateway talks to the Internet using the standard TCP/IP protocol. Network packets therefore cannot pass directly between the internal and external networks: an internal computer must go through the proxy gateway to reach the Internet, which makes it easy to restrict on the proxy server which external computers the internal computers may access. Because the two sides use different protocol standards, the proxy also directly blocks illegal intrusion from outside, and the proxy gateway can perform security controls such as packet verification and password confirmation. Users at both ends are thus better controlled, and the proxy acts as the firewall.

Since this kind of firewall is implemented by a proxy server, efficiency inevitably suffers when many users are online and the load on the proxy server is heavy; in addition, many client programs for accessing the Internet may not work normally on the internal network's computers.

(2) Router with a filter added

"Internal network -- Filter -- Router -- Internet"

In this structure the router and the filter restrict external computers' access to the internal network by IP address or domain name, and can likewise specify or restrict the internal network's access to the Internet. The router only routes traffic on specific ports of the host, while the filter performs filtering, verification and security monitoring, so that abnormal access and logins between the internal and external networks can largely be cut off.
