A5 security Team, Jack, server security lectures, all records.

Source: Internet
Author: User

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

Hi, I'm A5 security group Jack, I'm going to talk to you today about Web server security related issues.

In fact, in terms of server and site security settings, although I have some experience, but there is no research, so I do this lecture today when the heart is very uncomfortable, always afraid to say wrong will be mistaken for other people's things, there are wrong places also please point out, today is all about the exchange. Perhaps you have a security master or a master of destruction to see what I said would be ridiculed or secretly pleased, but I think my experience is still there are many right place, there are tens of thousands of people than I know or need someone to provide these experience and information. Oh

Now almost a part of the webmaster have their own servers, some people also use a virtual host or a rental server. For now in the use of virtual hosting and rental of some of the webmaster may be in the server security considerations are relatively few, because there is a strong IDC technology in support, as long as the use of their own web site procedures to understand a little more, pay more attention to the official release of the program news and vulnerability patches hint, Timely upgrade procedures to hit the latest patch on the security has been 80%, the official patch is released to us free of charge, if the bug patch can not be hit in time, then the site was black the possibility of almost 80%, so that the program must be timely hit the patch. The second is the virtual Host Management account password and FTP account password, background landing path address and administrator account password settings, this may be a lot of people sometimes easy to ignore, but because the negligence of the password set is too simple or did not change the default account password, background path caused by the site is black or a small number of webmaster. Now there are a lot of fool-like hacker tools, a person who knows a little computer technology can get started, for some FTP account password and Web site background password Simple site can be a lot of access to the account password, direct landing ftp or backstage to get Webshell, So generally in the FTP account password to be timely after the modification as far as possible more complex the better. Site in the installation after the timely deletion of installation files to modify the background path and login password is necessary to do, do not bother, perhaps your small operation will give you a great site security, negligence, lucky psychology will only bring great security risks to the site, Because an intrusion is looking for a hole in your mind that you're ignoring.

All right, okay. For Web site security using a virtual host I'll talk about this a little bit, and let's focus on the security settings for standalone Web servers.

Recently met several stationmaster to ask me for help, looked at the situation are almost, because the early only to get the Web site, the security of the server awareness and technical prevention is not enough so that the entire server has been hacker control, the server on all sites are hung horse, are good tens of thousands of flow of the site, this consequence is very serious. In the server configuration site and environment when the security is not taken into account, just in order to allow their own site to access the normal, so the entire server's permissions are almost everyone permissions in operation. Such a server can not be black purely accidental. Below we to the current mainstream server system WIN2003 to give you some relevant security configuration and prevention of information, I hope to help you. I'll write it in a few chunks.

Operating system Configuration

1. Install the operating system (NTFS partition), installed anti-virus software, I chose is Kabbah.

2. Install system patches. (Microsoft released every patch must be played, because many Trojans are specific vulnerabilities can be performed) scan vulnerabilities comprehensive antivirus

3. Remove Windows Server 2003 default share

Start by writing a batch file with the following contents:

@echo off

NET share C $/del

NET share d$/del

NET share e$/del

NET share f$/del

NET share admin/del

The file name is Delshare.bat and is placed in the startup key, and the share is automatically deleted each time it is powered on.

4. Disable IPC connections

Open cmd and enter the following command to connect: NET use\\ip\ipc$ "password" supplied: "Usernqme". We can disable the IPC connection by modifying the registry. Open Registry Editor. Locate the RestrictAnonymous subkey in the following build HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and change its value to 1 to disable the IPC connection.

5. Delete the protocols and services in the "network connection"

In "Network Connections", remove all unwanted protocols and services, only basic Internet Protocol (TCP/IP) is installed, and in Advanced TCP/IP settings-"NetBIOS" settings to disable NetBIOS (S) on TCP/IP.

6. Enable Windows Connection Firewall, open only Web service (80 port).

Note: In 2003 system, do not recommend using TCP/IP filter port filtering function, such as the use of FTP server, if only open 21 ports, due to the specificity of the FTP protocol, FTP transmission, due to FTP-specific port mode and passive mode, In the data transmission, the need to dynamically open the high-end port, so in the case of TCP/IP filtering, often the connection will not be able to list the directory and data transfer problems. So the addition of Windows Connection Firewall on 2003 system can solve this problem very well, so it is not recommended to use the TCP/IP filtering function of the NIC.

7. Disk Permissions

System disk only gives Administrators and systems permissions

The system disk \documents and Settings directory only gives Administrators and system permissions;

The system disk \documents and Settings\All Users Directory only gives Administrators and system permissions;

The system disk \documents and Settings\All Users\Application Data Directories give only Administrators and system permissions;

system disk \ Windows directory only gives Administrators, system, and users permissions;

System disk \windows\system32\ directory: Net.exe;net1.exe;cmd.exe;command.exeftp.exe;netstat.exe;regedit.exe;at.exe; Attrib.exe;cacls.exe file only give Administrators permission (if feel useless to delete it, such as I deleted the Cmd.exe,command.exe, hey. );

Other disks, which are run by the installer (my SQL Server 2000 in D disk) give Administrators and SYSTEM permissions, not just Administrators permissions.

8. Local Security policy settings

Start Menu-> Administration Tools-> Local Security Policy

A, local policy--> Audit policy (optional)

Audit policy Change failed successfully

Audit logon event failed successfully

Audit object access failed

Audit process Tracking No audit

Audit directory service access failed

Audit privilege usage failed

Audit system Event failed successfully

Audit account logon event failed successfully

Audit account Management failed successfully

B, local policy--> user Rights Assignment

Shutdown system: Only Administrators group, all other delete.

Deny login via Terminal Services: Join guests, Users group

Allow login via Terminal Services: Only join Administrators group, all other delete

C, Local policy--> security options

Interactive login: Do not display last user name enabled

Network access: All shares that can be accessed anonymously are deleted

Network access: Named pipes that can be accessed anonymously delete all

Network access: Remote access to the registry path all deleted

Network access: Remotely accessible registry paths and subpath Delete all

Network access: Do not allow anonymous enumeration of SAM accounts and shares to enable

Network access: Do not allow storage of credentials or. Net Passports for network authentication

Account: Rename guest account rename an account

(One of the following changes may cause SQL Server to be out of use)

Accounts: Renaming a system administrator account renaming an account

9. Closure of unnecessary hazardous services.

Right-click My Computer-> Manage-> service and application-> services

Locate Server Double-click Select Startup Type--> disable--> service status--> shutdown

Find TCP/IP NetBIOS Helper Double-click Select Startup Type--> disable--> service status--> shutdown

Find Workstation Double-click select startup Type--> disable--> service status--> shutdown

10. Open the default firewall

Open the default firewall to add the usual port 80 1433 3306 21 3389 ports and special ports you use frequently to determine.

11. Change the default 3389 remote port

Now there are a lot of gadgets that can be modified directly. But you can also directly in the registry to modify their own (this should be prudent, if the modification is wrong to fall remote)

First:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal

SERVER\WDS\RDPWD\TDS\TCP]

PortNumber value, the default is 3389, modified to a custom port, such as 6553

Second:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal

SERVER\WINSTATIONS\RDP-TCP]

PortNumber value, the default is 3389, modified to a custom port, such as 6553

Note: Both of the modification ports must be consistent.

Ii. IIS configuration (including the directory where the site resides)

1. Create your own web site (* Note: The permissions are set to none in the application settings, change in the desired directory), the directory is not on the system disk

Note: To support asp.net, copy the aspnet_client folder in the system disk \Inetpub\Wwwroot to the Web root and Add users permissions to the Web root directory.

2. Erase the system disk \inetpub directory

3. Remove Unused mappings

In application configuration, only the necessary scripts Execute permissions: ASP, ASPX.

4. Create a system user for a Web site

A. For example: The website is admin5.net, the new user admin5.net permission is guests. Then, in the Web site properties, the user name and password that set anonymous access to use the following Windows user accounts in the directory security---Authentication and access control use the Admin5.net information for this user. (Username: Host name \admin5.net)

B. Add user admin5.net to the disk directory where the Web site resides, giving only read and write permissions.

5. Set execution permissions for applications and subdirectories

A. "Properties-Application Settings--Execute Permissions" in the main application directory is set to plain script

B. In subdirectories that do not need to execute ASP, asp.net, such as uploading file directories, execute permissions are set to None

6. Application pool Settings

My site uses the default application pool. Set "Memory Recycle": The maximum virtual memory here is: 1000M, the maximum use of physical memory is 256M, such a setting is almost no limit to the performance of this site.

Recycle worker process (minutes): 1440

Recycle worker processes at the following times: 06:00

Iii. SQL Server 2000 configuration

Second, SQL Server 2000 security Configuration

1. Password setting

I programmed the program to use the SA user, the password settings are very complex (I do not remember, save in the phone, hey heh).

2. Delete dangerous extended stored procedures and associated. dll.

3.xp_cmdshell (This must be the first, needless to say), Xp_regaddmultistring, Xp_regdeletekey, Xp_regdeletevalue, Xp_regenumvalues, Xp_ RegRead, Xp_regwrite, xp_regremovemultistring

The vulnerability has been a lot of time ago my own server has a temporary storage process vulnerability extension of sql: Xp_dirtree stored procedures.

Beforehand: A vulnerability was recently found to be caused by SQL Server

Just a few days ago, there is nothing to use a SQL injection tool for the server to inject their own servers, accidentally found the use of MSSQL Web site can be used in the form of SQL injection of the entire server directory (my server security settings) can still be seen, Then a grab tool is installed on the server to grab the SQL Server, use the tool to connect SQL vulnerabilities Xp_dirtree read the directory, you can get the entire server directory, such as listing the C disk directory He will list all the directories under your C-disk, which is very unsafe, At present is only able to investigate the catalogue to wear things, we can imagine, if I arbitrarily modify a Boot.ini cover the C-disk boot.ini is a concept, OH first can cause service its paralysis, unable to read the system

Solution: Delete xp_dirtree, command is Sp_dropextendedproc ' Xp_dirtree '

Delete the above build you are using a D or any SQL injection tool is in vain

Once met, almost crazy, there is a friend of MSSQL, just try it and delete the following components. Of course, the premise is that you have to do your own database after the deletion, or the component removed many functions can not be used, in order to be safe, you have to sacrifice some features, of course, like me, I, in addition to the MSSQL import, Basically less than two times a year, so I will not hesitate to delete, hey.

First, delete the SQL procedure with security issues. More comprehensive. Everything for safety!

Delete the call shell, registry, COM component corrupted permissions

MS SQL SERVER2000

Log in to Query Analyzer with System account

Run the following script

Use master

exec sp_dropextendedproc ' xp_cmdshell '

exec sp_dropextendedproc ' xp_enumgroups '

exec sp_dropextendedproc ' xp_loginconfig '

exec sp_dropextendedproc ' xp_enumerrorlogs '

exec sp_dropextendedproc ' xp_getfiledetails '

exec sp_dropextendedproc ' sp_OACreate '

exec sp_dropextendedproc ' sp_OADestroy '

exec sp_dropextendedproc ' sp_OAGetErrorInfo '

exec sp_dropextendedproc ' sp_OAGetProperty '

exec sp_dropextendedproc ' sp_OAMethod '

exec sp_dropextendedproc ' sp_OASetProperty '

exec sp_dropextendedproc ' sp_oastop '

exec sp_dropextendedproc ' xp_regaddmultistring '

exec sp_dropextendedproc ' Xp_regdeletekey '

exec sp_dropextendedproc ' Xp_regdeletevalue '

exec sp_dropextendedproc ' xp_regenumvalues '

exec sp_dropextendedproc ' xp_regremovemultistring '

exec sp_dropextendedproc ' xp_regwrite '

drop procedure Sp_makewebtask

Go

Remove all dangerous extensions.

exec sp_dropextendedproc ' xp_cmdshell ' [will not be able to connect to the database remotely after this extension is removed]

The following 3 stored procedures are used when SQL Server restores a backup, not necessary do not delete

#exec sp_dropextendedproc ' xp_dirtree ' [delete this extension, you will not be able to create a new or additional database]

#exec sp_dropextendedproc ' xp_regread ' [restore database assist after removing this extension]

#exec sp_dropextendedproc ' xp_fixeddrives ' after you delete this extension, you will not be able to restore the database]

Recovery scripts

Use master

EXEC sp_addextendedproc xp_cmdshell, @dllname = ' Xplog70.dll '

EXEC sp_addextendedproc xp_enumgroups, @dllname = ' Xplog70.dll '

EXEC sp_addextendedproc xp_loginconfig, @dllname = ' Xplog70.dll '

EXEC sp_addextendedproc xp_enumerrorlogs, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc xp_getfiledetails, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc sp_oacreate, @dllname = ' Odsole70.dll '

EXEC sp_addextendedproc sp_OADestroy, @dllname = ' Odsole70.dll '

EXEC sp_addextendedproc sp_OAGetErrorInfo, @dllname = ' Odsole70.dll '

EXEC sp_addextendedproc sp_oagetproperty, @dllname = ' Odsole70.dll '

EXEC sp_addextendedproc sp_OAMethod, @dllname = ' Odsole70.dll '

EXEC sp_addextendedproc sp_OASetProperty, @dllname = ' Odsole70.dll '

EXEC sp_addextendedproc sp_oastop, @dllname = ' Odsole70.dll '

EXEC sp_addextendedproc xp_regaddmultistring, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc xp_regdeletekey, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc xp_regdeletevalue, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc xp_regenumvalues, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc xp_regremovemultistring, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc xp_regwrite, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc xp_dirtree, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc xp_regread, @dllname = ' Xpstar.dll '

EXEC sp_addextendedproc xp_fixeddrives, @dllname = ' Xpstar.dll '

Go

Copy all to SQL Query Analyzer

Clicking on the menu-"Query"-"execute" will remove the SQL process with security issues

Here also to provide you with some other SQL dangerous storage process

Suggested deletion

[Note: All operations that delete SQL stored procedures must operate in the MSSQL Query Analyzer, which is preceded by the name of the stored procedure and the command to delete the stored procedure]

First, list the dangerous built-in stored procedures:

xp_cmdshell sp_dropextendedproc ' xp_cmdshell '

Xp_regaddmultistring sp_dropextendedproc ' xp_regaddmultistring '

Xp_regdeletekey sp_dropextendedproc ' Xp_regdeletekey '

Xp_regdeletevalue sp_dropextendedproc ' Xp_regdeletevalue '

Xp_regenumkeys sp_dropextendedproc ' Xp_regenumkeys '

Xp_regenumvalues sp_dropextendedproc ' xp_regenumvalues '

Xp_regread sp_dropextendedproc ' Xp_regread '

Xp_regremovemultistring sp_dropextendedproc ' xp_regremovemultistring '

Xp_regwrite sp_dropextendedproc ' xp_regwrite '

ActiveX Scripts:

sp_OACreate sp_dropextendedproc ' sp_OACreate '

sp_OADestroy sp_dropextendedproc ' sp_OADestroy '

sp_OAMethod sp_dropextendedproc ' sp_OAMethod '

sp_OAGetProperty sp_dropextendedproc ' sp_OAGetProperty '

sp_OAGetErrorInfo sp_dropextendedproc ' sp_OAGetErrorInfo '

sp_OAStop sp_dropextendedproc ' sp_OAStop '

Iv. Other settings (optional, I am not responsible)

1. Any user password must be complex, unwanted users---deleted.

2. Prevent SYN flood attack

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

New DWORD value, named SynAttackProtect, with value 2

3. Prohibit responding to ICMP routing notification messages

Hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\interfaces\interface

New DWORD value, named PerformRouterDiscovery value 0

4. Prevent ICMP redirect packets from attacking

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Set the Enableicmpredirects value to 0

5. IGMP protocol not supported

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

New DWORD value, named IGMPLevel value 0

6. Disable DCOM:

Enter Dcomcnfg.exe in the run. Enter, click Component Services under Console root. Open the Computers subfolder.

For the local computer, right-click My Computer, and then select Properties. Select the Default Properties tab.

Clear the Enable distributed COM on this computer check box.

7. Uninstall unsafe components.

Regsvr32/u C:\Windows\System32\wshom.ocx

Regsvr32/u C:\Windows\System32\shell32.dll executes the above two orders under CMD.

Five. Prevent Serv privilege elevation

In fact, after the shell component is logged off, the intruder is less likely to run the lifting tool, but Prel and other scripting languages also have shell capabilities, in case, or set it up for good.

With UltraEdit open ServUDaemon.exe find Ascii:localadministrator, and #l@ $ak #.lk;0@p, modified to equal length of other characters on it, ServUAdmin.exe the same treatment.

Also note that you set the permissions of the folder in which Serv is located, and do not let IIS anonymous users have read permissions, or else you may be able to analyze your administrator name and password as you modify the file.

Common methods and precautions for exploiting ASP vulnerabilities

In general, hackers always aim at forums and other programs, because these programs have upload function, they can easily upload ASP trojan, even if set permissions, Trojan can also control the current site of all files. In addition, there is a Trojan horse and then upload the lifting tool to obtain higher privileges, we shut down the shell component is to a large extent to prevent the attacker to run the lifting tool.

If the Forum administrator turned off the upload function, the hacker will find a way to get the super tube password, for example, if you use the Dynamic Network forum and the database forgot to rename, people can directly download your database, and then distance to find the forum administrator password is not far away.

As an administrator, we first need to check our ASP program, do the necessary settings to prevent the site from being hacked into. The other is to prevent attackers from using a hacked web site to control the entire server, because if your server has a site for friends, you may not be sure that your friends will be able to put the forums he uploaded into the security settings. This is used to say that a lot of things, do those permissions settings and prevent the promotion, the hacker even entered a site, can not destroy the site outside of things.

All right, today's lecture on the first to here, and finally send you webmaster one word: the smallest authority, the greatest security! Do not bother not to careless, set the more careful security index higher, we set the password when more set a number may need to hackers more than n days to crack, are the same truth. If you do not understand or need my help please contact me I will be very enthusiastic for the service, thank you.

jack:qq:281792208 tel:13813483329 www.jackblog.com.cn

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.