Active Defense Measures for Enterprise Web Server Security
Source: Internet
Author: User
Part 1: active defense measures for enterprise web server security
Web servers have become a disaster area for viruses and Trojan horses. Enterprise portal websites are not only tampered with and robbed of data; they also become distributors of viruses and Trojan horses. Some web administrators take measures to ensure that the portal's home page cannot be tampered with, but find it difficult to keep their own sites from being used as compromised hosts that spread viruses, malicious plug-ins, Trojans and so on. The author thinks that a large part of the reason is that administrators are too passive about web security protection: they rely on passive defenses alone. To thoroughly improve the security of a web server, the author thinks that web security should take the initiative. Specifically, the following points need to be done.
1. Test for vulnerabilities while the code is being written
Enterprise websites are becoming more and more complex and more and more powerful. These functions do not appear out of thin air; they are built up through code. If the code is used only inside the enterprise, it brings little security risk. Once it is used on the Internet, however, the code that implements a specific function may become a target for attackers. The author gives a simple example. SQL code can be embedded in web pages, and an attacker can use that SQL code to launch an attack, obtaining the administrator's password or carrying out other destructive actions. Some websites also require specific controls to be installed before they can be accessed. When users install these controls, they may actually be installing a Trojan horse (something neither the visitor nor the visited site may realize).
Therefore, when writing code for a specific function of the website, take the initiative. From design through coding to testing, check at each stage whether security vulnerabilities exist. In day-to-day work the author sets high requirements for employees in this respect. Every employee must be responsible for the functions they develop. At the very least, currently known viruses and Trojans must find no opening in the plug-ins they develop. These layers of checks improve the security of the code that is written.
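The kind of pre-release check described above can be automated. The following is an added example, not code from the original article: it compares a lookup that pastes input into SQL text with a parameterized one and reports which test inputs get through. The table layout, function names and sample values are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: one administrator and one ordinary user.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password_hash TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "hash-A", 1), ("alice", "hash-B", 0)])
    return db

def lookup_concat(db, name):
    # Weak form: user input becomes part of the SQL text and can change the query.
    sql = "SELECT name, password_hash FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    # Hardened form: the value is bound as a parameter and never parsed as SQL.
    return db.execute(
        "SELECT name, password_hash FROM users WHERE name = ?", (name,)
    ).fetchall()

# Test inputs for the check. None is a real user name, so a correct lookup
# must return no rows for any of them.
PROBES = ["' OR '1'='1", "nobody' OR is_admin = 1 --"]

def leaks_rows(lookup):
    """Return the probes for which `lookup` returned rows or broke the SQL parser."""
    failures = []
    for probe in PROBES:
        db = make_db()
        try:
            if lookup(db, probe):
                failures.append(probe)
        except sqlite3.Error:
            # A syntax error means the input reached the SQL parser: also a failure.
            failures.append(probe)
        finally:
            db.close()
    return failures

if __name__ == "__main__":
    print("concatenated query fails on:", leaks_rows(lookup_concat))
    print("parameterized query fails on:", leaks_rows(lookup_param))
```

Run against every data-access function before release, a check like this turns the author's "each employee is responsible for the functions they develop" into a repeatable test.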
2. Continuous monitoring of web servers
Rome wasn't built in a day. Like an illness, an attack develops through a process. Viruses, Trojan horses and the like also need time when attacking a web server; before the attack succeeds, the attacker makes some tentative moves. For example, against a web server that has taken certain security measures, it takes at least half a day from the beginning of the attack to the achievement of results. If the web administrator monitors the server around the clock and takes early measures when abnormal behavior is discovered, viruses and Trojans can be blocked outside the door. This active approach can greatly improve the security of the web server.
The author now maintains dozens of web servers, with a dedicated team monitoring server access around the clock. On average, some exploratory attacks are detected every minute. More than 99% of the attacks fail because the servers have taken corresponding security measures. However, there are still some attacks every day. These attacks may be aimed at new vulnerabilities or adopt new attack methods, for which no corresponding security measures have been taken on the server. If this kind of behavior is not found in time, the attackers are likely to achieve their illegal purpose eventually. Conversely, if their methods are discovered as early as possible, the door can be closed on the server and the loophole filled before they take any further action.
The author also suggests that, when choosing an Internet web server provider, enterprise users should not only consider factors such as performance but also evaluate whether the provider offers a 24-hour monitoring mechanism. Take the initiative on web security so that attack behavior is found in time and eliminated in the bud before the attacker can take further measures.
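Part of the round-the-clock monitoring described in this section can be done by a script that watches the access log for the "tentative moves" that precede an attack. The following is an added example, not the author's tooling: it flags clients that collect several client-error responses in a short window. The log lines are constructed (Common Log Format, documentation address ranges), and the threshold and window are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, in chronological order.
SAMPLE_LOG = """\
192.0.2.44 - - [12/Mar/2024:10:00:00 +0000] "GET /old-page HTTP/1.1" 404 210
198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2024:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 210
203.0.113.9 - - [12/Mar/2024:10:00:05 +0000] "GET /backup.zip HTTP/1.1" 404 210
203.0.113.9 - - [12/Mar/2024:10:00:09 +0000] "GET /manager/ HTTP/1.1" 403 199
198.51.100.7 - - [12/Mar/2024:10:00:20 +0000] "GET /favicon.ico HTTP/1.1" 404 210
192.0.2.44 - - [12/Mar/2024:10:02:00 +0000] "GET /old-page2 HTTP/1.1" 404 210
192.0.2.44 - - [12/Mar/2024:10:05:00 +0000] "GET /old-page3 HTTP/1.1" 404 210
"""

# client address, timestamp, status code
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def find_probing_clients(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map client address -> time at which it reached `threshold` 4xx
    responses within `window`. Both values are assumptions to be tuned."""
    recent = defaultdict(deque)   # per-client timestamps of recent 4xx responses
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, status = m.group(1), m.group(2), int(m.group(3))
        if not 400 <= status < 500:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # drop errors that fell out of the window
        if len(hits) >= threshold and ip not in alerts:
            alerts[ip] = when     # record the first time the client crossed the line
    return alerts

if __name__ == "__main__":
    for ip, when in find_probing_clients(SAMPLE_LOG).items():
        print(f"possible probing from {ip} at {when.isoformat()}")
```

In the sample, only the client that hits three missing or forbidden paths within seconds is flagged; a visitor with one broken link and a client whose errors are minutes apart are not.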
3. Set up a honeypot to lead the attacker in the wrong direction
In the army, soldiers are sometimes given camouflage so that the enemy cannot tell the real from the fake. Dealing with viruses and Trojans is likewise a war without gunpowder. Disguising the web server can therefore also lead the attacker in the wrong direction. By the time the attacker discovers that he has the wrong target, the administrator has already locked onto him and can take corresponding measures as soon as possible. The author sometimes calls this way of taking the initiative the honeypot effect. In short, two servers are set up: one is the real server, the other is a honeypot. The task is then to disguise the real server and push the honeypot forward to the public, so that the attacker thinks the honeypot server is the real server. To achieve this, we may need to start from the following aspects.
First, the real and the fake must be difficult to tell apart. To fool the attacker, the honeypot server cannot look too fake. When the author builds a honeypot server, more than 80% of its content is the same as on the real server; only some relatively confidential information is not placed on the honeypot server. The honeypot server also takes the same security measures as the real server. This not only makes the honeypot server more convincing but also allows it to be used to evaluate the security of the real server, killing two birds with one stone.
Second, it needs to be intentional or unintentional