Problem | webmaster | server security
I have been a webmaster for a while now and have run into plenty of trouble. Probably the most annoying thing that can happen to a webmaster is having the site hacked and trojans planted on its pages. I count as a rookie webmaster myself, with less than three months of running a site, so I would not dare to say I am sharing "experience" with everyone. But before I started running a site I spent two years as a small-time hacker, commonly known as a script kiddie: scanning with tools every day, making tools undetectable by antivirus, playing with "pigeons" (the Gray Pigeon trojan), planting trojans, haha, happy days, but not exactly honourable (eh?). Then I started running a site and realised how hateful those people really are. Still, many small-time hackers will at least warn the webmaster (this is called professional ethics). So here I want to share a little of the security awareness a hacker brings to running a site. This is only my own opinion and my level is limited, so if anything is wrong, please correct me.
First, in terms of security, it is best to find a good server. (Why the hissing?) It sounds like nonsense, but it really matters, especially for friends who cannot afford their own server and can only buy virtual hosting. Even if your own site is secure, if the other sites on your server are rotten and the server's permission settings are poor, or offer hackers many chances to escalate privileges, then your site is in great danger too. This is exactly the "side-site" (旁注) attack everyone talks about: get into a weak neighbour on the same host, then move over to you. My recommendations: when picking a server, first look up which other sites are hosted on it, then scan which ports the server has open. For example, the Serv-U admin port 43958 counts as a high-risk port, although usually it cannot be exploited directly. If you have the means, you can also test how hard privilege escalation on that server is.
Second, for your own website, the two most dangerous vulnerabilities by far: injection vulnerabilities and upload vulnerabilities
First, injection vulnerabilities. These usually arise because the parameters passed into a page are not strictly filtered, so a hacker can construct SQL statements that query the database, for example to read the administrator account, and on a database such as MSSQL can even execute system commands, upload files, and so on. The harm is enormous. To prevent such vulnerabilities, most programs filter out dangerous SQL fragments such as "and" and "select", and when the parameter is supposed to be a number, they often check it with IsInt; when the parameter is a string, it is filtered. Of course it is not quite that simple, but it is enough for a site without high security requirements. Upload vulnerabilities are easier to deal with: if the program is your own, there will generally not be a big problem as long as you remember to restrict the allowed file formats. For the programs sold on the market, we will talk about that later.
Third, the default account name and default database problem
Many rookie webmasters who do not yet know how to build a site grab a free program, upload it, and use it as-is. This is very dangerous. As hackers often say, the default account name is a vulnerability that never goes out of date, because security awareness is simply not there. Whether you use a program you downloaded or one you wrote yourself, if you are not very familiar with security it is best to change the default database path, stop using the default account, and above all change the admin backend address. I have changed my own backend address so many times that I almost cannot remember it, oh. Do not use paths such as admin, manager or houtai; those are the first things we guess. And do not use the site's domain name either.
Fourth, questions about passwords
Nowadays most passwords are stored as MD5 hashes, so even if your site is injected, what the hacker gets is a ciphertext that still needs to be cracked. Since MD5 is a one-way algorithm, the only options are brute force, trying candidates one by one, or building a large database of precomputed hashes to look them up in. (The one mentioned above is not an advertisement; I have used it myself because its database is very large.) So a good way for webmasters to protect their passwords: first hash your own password, then check on that site whether it can be cracked. If it can, it is better to change it to something more complex.
Fifth, on cross-site scripting vulnerabilities. For a site that is not a forum, the place this vulnerability does the most harm is the guestbook (message board). The way to prevent it is to filter out risky HTML code such as script and iframe tags; PHP, for example, provides a dedicated function that converts characters like < and > into harmless form.
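To make the advice from the injection section and this cross-site section concrete, here is an added example (my own illustration, not code from the original article). It uses a constructed in-memory SQLite table standing in for the admin table, shows the IsInt-style check the article recommends, contrasts a query that splices the raw parameter into SQL with one that binds it as a parameter, and escapes guestbook text the way PHP's html-conversion function would.

```python
import html
import re
import sqlite3

# Constructed demo database: a stand-in for the site's admin table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE admin (id INTEGER, username TEXT)")
conn.execute("INSERT INTO admin VALUES (1, 'admin')")


def is_int_param(value: str) -> bool:
    """IsInt-style check: accept only a plain run of digits."""
    return re.fullmatch(r"\d+", value) is not None


def find_admin_unsafe(user_id: str) -> list:
    """The bug the article describes: the raw parameter is spliced into SQL,
    so a non-numeric value changes the meaning of the WHERE clause."""
    sql = f"SELECT username FROM admin WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def find_admin_safe(user_id: str) -> list:
    """Type-check the parameter first, then bind it instead of splicing it.
    Binding makes the keyword blacklist ('and', 'select') unnecessary."""
    if not is_int_param(user_id):
        return []
    rows = conn.execute(
        "SELECT username FROM admin WHERE id = ?", (int(user_id),)
    )
    return [row[0] for row in rows]


def escape_guestbook(text: str) -> str:
    """Convert < > & and quotes before output so tags such as <script>
    or <iframe> in a guestbook post are shown as text, not executed."""
    return html.escape(text, quote=True)
```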
Sixth, issues relating to the use of well-known programs
You know how it goes: the more famous a program is, the more people study it. Take the Dynamic Network (动网) forum back in the day: there was almost always a new hole in it, to the point that it earned the nickname "hole network" forum. Why? Was the program badly written? Then why did so many people use it? Of course ASP is part of the reason (ASP really is more dangerous than other languages), but the bigger reason is that it was too famous and too many people were studying it. So in this situation, it is best to keep an eye on the official patches: as soon as a patch comes out, apply it, and do not be lazy about it. Otherwise your site will be hacked pretty soon.