On the configuration security of Web server under UNIX system

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

Internet increasingly popular today, PC security not only requires the prevention of computer viruses, but also to improve the system to resist the hacker's ability to attack the illegal intrusion, and to improve the confidentiality of remote data transmission, to avoid illegal theft in transit. In this paper, we simply analyze some situations that may occur when constructing Web server, hoping to arouse attention.


Security Vulnerabilities

Vulnerabilities on
Web servers can be considered in the following ways:


1. A secret file, directory, or important data on a Web server that you do not have access to.


2. When sending information to the server from a remote user, especially when something like a credit card, it was illegally intercepted by outlaws.

The
3.Web server itself has some vulnerabilities that allow some people to hack into the host system, destroying important data, and even disabling the system.


4.CGI security vulnerabilities are:


(1) intentionally or unintentionally omits bugs in the host system to create conditions for illegal hackers.


(2) a program written with a CGI script may pose a danger to the web host system when it involves a remote user entering a form from a browser, and retrieving (search index), or form-mail, and so on, directly manipulating commands on the host.


5. There are also some simple Web servers to download from the Internet, not too much to take into account some security factors, can not be used for commercial applications.


Therefore, whether you are configuring the server or writing a CGI program, you should pay attention to the security of the system. Try to plug any existing loopholes and create a safe environment.


two. Improve system security and stability


Web server security precautions:


1. Limit the accounts to the Web server and periodically delete some users who have broken the process.


2. For accounts opened on the Web server, make requests for password length and periodic changes to prevent misappropriation.


3. Try to make FTP, mail and other servers and separate, remove Ftp,sendmail,tftp,nis, nfs,finger,netstat and other unrelated applications.


4. Remove some of the absolutely unused interpreters on the Web server, such as the shell, when Perl is not used in your CGI program, try to remove Perl from the system interpreter.


5. Periodically review the log logs files in the server to analyze all suspicious events. When records such as RM, login,/bin/perl,/bin/sh, etc. appear in errorlog, your server may have been invaded by some illegal users.


6. Set the permissions and properties of the system files on the Web server, assign a common group to accessible documents, such as WWW, and assign only the right to read only. All HTML text is attributed to the WWW group, which is managed by the Web Administrator. The Web configuration file has only write rights to the Web Administrator.


7. Some Web servers refer to the Web's document directory in the same directory as the FTP directory, and should be careful not to assign FTP directories and CGI to a directory. This is to prevent some users through FTP upload some programs such as Perl or SH, and use web CGI to execute, causing undesirable consequences.


8. Access to User IP or DNS by restricting permissions, as in access.conf in NCSA:


"Directory/full/path/to/directory"


"Limit get POST"


Order Mutual-failure


deny from all


allow from 168.160.142. abc.net.cn


"/limit"


"/directory"


This can only be accessed by a client with domain name abc.net.cn or IP belonging to 168.160.142.


can be added to the httpd.conf for a CERN or a consortium server:


Homeowner Local-users {


Getmask @ (*.capricorn.com, *.zoo.org, 18.157.0.5)


        }


protect/relative/path/to/directory/* local-users


9.WINDOWS httpd


(1) Netscape Communications Server for NT


perl Interpreter Vulnerability:


The extensions and their application relationships under CGI are not recognized in Netscape Communications server, such as. pl files are interpreted files that are invoked automatically by Perl code programs, even if the Perl.exe files are now only stored under the CGI directory. Perform such as:/cgi-bin/perl.exe?&my_script.pl. But this gives anyone the possibility of executing Perl, and when someone adds a URL to their browser, such as/cgi-bin/perl.exe?-e unlink <*>, it may be dangerous to delete files from the server's current directory. However, other such as: o′reilly website or purveyor do not exist this loophole.


CGI Execution batch file vulnerability:

The contents of the
file Test.bat are as follows:


@echo off


Echo Content-type:text/plain


Echo


Echo Hello world!


if the URL of the client browser is:/cgi-bin/test.bat?&dir, execute the call command interpreter to complete the dir list. This allows the visitor to execute other command possibilities.


Article o′reilly WebSite Server for Windows nt/95


has the same vulnerability as Netscape in the use of batch files in previous versions of Website1.1b, but the new version closes. BAT's role in CGI. Support for Perl, the new version of VB and C as a CGI development tool.


(3) microsoft′s IIS Web Server


IIS before March 5, 1996 is a serious bug in NT, and you can use command commands arbitrarily. But after the vulnerability has been patched, you can check the date your executable was created. IIS3.0 also has some security bugs, mainly CGI under the rights of the review. In addition, many Web servers themselves have some security vulnerabilities, are constantly updated in the version upgrade process, this is not listed.


three. Consider security
from a CGI programming perspective

1. It is safer to use a compiled language than to interpret the language, and the CGI program should be placed under CGI separate from the HTML repository, in order to prevent some illegal visitors from obtaining the original code of an interpreted language from the browser to find a loophole.


2. When writing CGI programs in C, you should minimize the use of Popen (), System (), all shell commands involving/bin/sh, and system (), EXEC (), open (), eval () in Perl () Such commands as exec or eval.


Do not call functions such as system () directly when the user-filled form is returned to CGI.


In addition, for data encryption and transmission, there are currently SSL, Shttp, Shen and other protocols for everyone to study.


four. Firewall (Firewall)


1. The concept of firewall


Firewall (Firewall) is a combination of software or software and hardware devices, between the enterprise or network groups of computers and the outside channel (Internet), restricting the access of external users to the internal network and the management of internal users access to the external network permissions.


2. Firewall measures


(1) Proxy host


"Internal network--proxy gateway"--internet "


This approach is that the internal network does not communicate directly with the Internet. is the internal network of computer users and proxy gateway using a means of communication, that is, the provision of Internal network protocol (Netbios, TCP/IP, etc.), and between the gateway and the Internet is a standard TCP/IP network communication protocol. This makes the network packet not directly between the internal and external network. Internal computers must access the Internet through a proxy gateway, which makes it easy to restrict access to external computers on the proxy server for internal network computers. In addition, due to the use of different protocol standards at both ends of the proxy server can directly prevent the outside of illegal intrusion. Also, the proxy server's gateway can verify the data packet and confirm the password for security control. In this way, can better control the user at both ends of the management, play a firewall role.


because this kind of firewall measure uses through the proxy server to carry on, on the on-line user, the efficiency must be affected, the proxy server heavy burden, therefore many accesses the Internet the client software may not have the normal access to the Internet in the internal network computer.


(2) router plus filter complete


"Internal Network-filter (filter)--Router (Router)--internet"


This structure is performed by routers and filters to complete the restriction of access to the internal network from an IP address or domain name to an external computer, or to specify or restrict the internal network's access to the Internet. Routers route only the data traffic on a specific port on the host, and filters perform filtering, filtering, validation, and security monitoring, which can largely cut off the abnormal access logins between the internal and external networks.