Common protection methods for websites
To counter the threat from hackers, network security administrators take various measures to strengthen the security of the server and keep the WWW service running normally. As with e-mail, FTP and other servers on the Internet, the following methods can be used to protect a WWW server:
Security Configuration
Turning off unnecessary services (preferably providing only the WWW service), installing the latest patches for the operating system, upgrading the WWW service to the latest version with all of its patches, and configuring it according to the security recommendations of the WWW server vendor will greatly improve the security of the WWW server itself.
Firewall
Install the necessary firewall to block the probing and information gathering of various scanning tools, and even, on the basis of security reports, to block connections from machines in specific IP address ranges. This adds a layer of protection to the WWW server. At the same time, the network environment inside the firewall needs to be adjusted to eliminate security risks on the internal network.
Vulnerability Scans
Use commercial or free vulnerability scanning and risk assessment tools to scan servers regularly to identify potential security issues and to ensure that normal maintenance, such as upgrading or modifying configurations, does not create security issues.
Intrusion Detection System
The real-time monitoring ability of an intrusion detection system (IDS) is used to detect attacks and the probing behavior that precedes an attack, and to record the source of the hacker and the steps and methods of the attack.
These security measures will greatly improve the security of the WWW server and reduce the likelihood of being attacked.
Second, special protection methods for websites
Although these security measures keep out many hackers, vulnerabilities in operating systems and server software are discovered continually and new attack methods keep emerging, so a technically skilled hacker can still break through the layers of protection, gain control of the system and achieve the goal of defacing the home page. For this situation, some network security companies have launched special protection software for websites that protects only the most important content of the site: the web pages. Once an abnormal change to a protected file is detected, the file is restored. In general, the system first backs up the normal web page files and then starts a detection mechanism that checks whether a file has been modified and restores it if necessary. We analyze and compare the technologies involved below:
Monitoring mode
Local and remote: the monitoring side can run locally on the WWW server or on a different host on the network. If it is local, the monitoring process needs sufficient permissions to read the protected directories or files. If the monitoring side is remote, the WWW server has to open some service and grant the monitoring side the corresponding permissions; the most common approach is to use the server's already open WWW service directly and monitor the protected files and directories over HTTP. Other common protocols, such as FTP, can also be used. The advantage of local detection is high efficiency, while remote detection is platform independent but adds to network traffic.
Timing and triggering: most protection software uses timed detection. Whether detection is local or remote, it runs at the interval set in the system. Protected web pages can also be divided into grades: a shorter interval can be set for high-grade pages to get better real-time behavior, and a longer interval for lower-grade pages to reduce the load on the system. The trigger method uses functions provided by the operating system to be notified when a file is created, modified or deleted; it is efficient, but it cannot be used for remote detection.
Comparison method
To decide whether a file has been modified, the file in the protected directory is usually compared with its copy in the backup library, most commonly by full-text comparison. Full-text comparison determines directly and accurately whether the file has been modified, but it is very inefficient for large files. Some protection software therefore compares file attributes such as file size and creation or modification time. This method is simple and efficient, but it has a serious defect: a malicious intruder can carefully set the attributes of the replacement file to match those of the original, so that the maliciously changed file is not detected. Another scheme is to compare digital signatures of the files, most commonly computed with the MD5 algorithm; because the digital signature cannot be forged, it can confirm that the files are the same.
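The difference between the attribute comparison and the digest comparison described above, as an added example that is not part of the original article. It uses SHA-256 instead of the MD5 the article names, because MD5 collisions are practical to construct; the file names and page contents are constructed for the demonstration.

```python
import hashlib, os, shutil, tempfile

def attributes_match(live, backup):
    """Attribute-only check: same size and same modification time."""
    a, b = os.stat(live), os.stat(backup)
    return a.st_size == b.st_size and a.st_mtime_ns == b.st_mtime_ns

def digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large pages use little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_and_restore(live, backup):
    """Compare digests; copy the backup over the live file on mismatch."""
    if os.path.exists(live) and digest(live) == digest(backup):
        return "ok"
    shutil.copy2(backup, live)
    return "restored"

def demo():
    root = tempfile.mkdtemp()
    try:
        live = os.path.join(root, "index.html")
        backup = os.path.join(root, "index.html.bak")
        original = b"<html><body>Welcome to the site</body></html>"  # constructed
        changed = original.replace(b"Welcome", b"Defaced")           # same length
        with open(backup, "wb") as f:
            f.write(original)
        shutil.copy2(backup, live)
        # Simulate the replacement the text describes: new content, old attributes.
        with open(live, "wb") as f:
            f.write(changed)
        st = os.stat(backup)
        os.utime(live, ns=(st.st_atime_ns, st.st_mtime_ns))
        attr_says_unchanged = attributes_match(live, backup)
        action = check_and_restore(live, backup)
        with open(live, "rb") as f:
            content_restored = f.read() == original
        return attr_says_unchanged, action, content_restored
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

The attribute check reports the changed page as unmodified, while the digest comparison detects the change and restores the backup copy.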
Recovery mode
The recovery method is directly related to where the backup library is located. If the backup library is local, the recovery process must have permission to write to the protected directories or files. If the backup library is remote, recovery has to use file sharing or FTP, which requires a file-sharing or FTP account with write access to the protected directories or files.
Security for backup libraries
The security of the backup library is particularly important: when hackers find that their replacement home page is quickly restored, this often provokes a desire for further destruction. The security of the web page files thus turns into the security of the backup library. One way to protect the backup library is file hiding, so that the hacker cannot find the backup directory. Another approach is to digitally sign the backup library; if the hacker modifies its contents, the protection software can detect this through the signature and then stop the WWW service or serve a default page.
The analysis and comparison above show that each technology has its advantages and disadvantages, and the most suitable technical solution has to be chosen according to the actual network environment.
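One way to implement the signed backup library described above, as an added example that is not part of the original article or of any product it refers to. It uses a keyed HMAC-SHA256 tag over a manifest of file digests in place of a public-key digital signature, and it assumes the key is stored away from the web server; the function names, action names, key and page contents are all constructed for the demonstration.

```python
import hashlib, hmac, json, os, shutil, tempfile

def build_manifest(backup_dir):
    """Map every relative path in the backup library to its SHA-256 digest."""
    manifest = {}
    for base, _dirs, names in os.walk(backup_dir):
        for name in names:
            path = os.path.join(base, name)
            with open(path, "rb") as f:
                rel = os.path.relpath(path, backup_dir)
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def tag_for(manifest, key):
    """HMAC-SHA256 over the canonical (sorted) JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def choose_action(backup_dir, trusted_tag, key):
    """Restore only from a backup library whose tag still verifies."""
    current = tag_for(build_manifest(backup_dir), key)
    if hmac.compare_digest(current, trusted_tag):
        return "restore_from_backup"
    return "serve_default_page"

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    key = b"constructed-demo-key"   # assumption: real key is stored off the web server
    lib = tempfile.mkdtemp()
    try:
        page = os.path.join(lib, "index.html")
        write(page, b"<html>Welcome</html>")            # constructed sample page
        trusted = tag_for(build_manifest(lib), key)     # taken when the backup is made
        untouched = choose_action(lib, trusted, key)
        write(page, b"<html>Changed</html>")            # backup copy modified
        modified = choose_action(lib, trusted, key)
        write(page, b"<html>Welcome</html>")
        write(os.path.join(lib, "extra.html"), b"x")    # file planted in the library
        planted = choose_action(lib, trusted, key)
        return untouched, modified, planted
    finally:
        shutil.rmtree(lib)
```

Because the tag covers the whole manifest, a changed, added or removed backup file all cause the fallback to the default page instead of a restore from untrusted content.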
Third, the flaws of website protection
Although website protection software can further improve the security of the system, it still has some defects. First of all, this protection software is designed for static pages, while dynamic pages now make up a growing share of sites; the local monitoring method can detect changes to script files, but it is powerless to protect the databases those scripts use.
In addition, some attacks do not target the web page files at all: the "Code Red" worm that ran rampant not long ago attacked pages by modifying a dynamic library of the IIS service. Furthermore, the website protection software itself increases the load on the WWW server, so when the WWW server is already heavily loaded, its use has to be planned carefully.
Fourth, conclusion
This paper discusses the protection methods commonly used for websites, analyzes and compares the various technical implementations with their advantages and disadvantages, and points out the defects of special website protection software in detail. Security cannot be achieved with one tool or a few tools alone, but using these tools helps to improve security and reduce security risks.