Rethinking website security configuration in light of the common website intrusion methods

Source: Internet
Author: User
Keywords: Website security


As the saying goes, know your enemy and you can win every battle. For a webmaster, knowing how a website gets broken into gives a deeper understanding of website security and makes it much harder to hand an attacker an opening. Many website intrusions could have been avoided entirely and happened only because of the webmaster's negligence. If you complete the site's security configuration properly, then in roughly 98% of cases (the author's estimate) your site is safe, and that level of security is already enough for an ordinary site.

The common website intrusion methods today are program vulnerabilities, brute forcing, side-station attacks (attacking your site through a neighbouring site on the same server), injection, and file upload. Each of them can be a disaster for your site: having hidden SEO links ("black links") planted is the lucky outcome, having your data wiped is the unlucky one, and worse still is a backdoor left behind so that the attacker can use your server whenever they like. Fortunately, once you have a general picture of how each of these intrusions proceeds and take it into account in the site's security configuration, your site's security improves considerably most of the time.

Below, each common intrusion method is described in detail together with the site configuration that prevents it.

Program Vulnerabilities

Intrusion method: program vulnerabilities are flaws in the website software itself. For example, you run DedeCMS but have not changed the default backend (admin) path or the admin account, have not applied the DedeCMS security patches, or are running a cracked (pirated) copy. Flaws of this kind are fatal: anyone who knows the vulnerability can use a search engine to find hundreds of affected sites with ease.

Security configuration: use cracked programs as little as possible. When using a well-known CMS, follow the security configuration guidance published by its maintainers, and remove the program's identifying (version and kernel) information from the site. For an information site, close the member centre; for a forum, strictly restrict the file types allowed as attachments; and apply patches promptly; do not build a site for 10 days and
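The following is an added example, not code from the original article, showing how to check a page for the identifying information the paragraph above says to remove. The HTTP response is constructed for the demo; the header names are standard, '/dede/' is DedeCMS's well-known default backend directory, and the other admin paths are assumed common defaults.

```python
"""Audit an HTTP response for CMS fingerprint leaks and strip what can be stripped.

Added example (not from the original article). The sample response below is
constructed; '/dede/' is DedeCMS's default backend directory, the remaining
admin paths are assumed common defaults.
"""
import re

# Constructed sample response, typical of an unhardened PHP/CMS host.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/5.6.40",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="DedeCMS V5.7 SP2" />
<link rel="stylesheet" href="/templets/default/style/dedecms.css">
</head><body><a href="/dede/login.php">admin</a></body></html>"""

VERSION_HEADERS = ("Server", "X-Powered-By", "X-Generator")
DEFAULT_ADMIN_PATHS = ("/dede/", "/admin/", "/administrator/")  # assumed common defaults
GENERATOR_META = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\'][^>]*>', re.I)


def find_fingerprints(headers, html):
    """Return (kind, evidence) findings that tell an attacker what software you run."""
    findings = []
    for name in VERSION_HEADERS:
        value = headers.get(name, "")
        if re.search(r"\d+\.\d+", value):            # a version number is being leaked
            findings.append(("version-header", f"{name}: {value}"))
    m = GENERATOR_META.search(html)
    if m:
        findings.append(("generator-meta", m.group(1)))
    for path in DEFAULT_ADMIN_PATHS:
        if path in html:                              # default backend path advertised in a link
            findings.append(("default-admin-path", path))
    return findings


def harden(headers, html):
    """Strip what the response itself can drop; the admin path must be renamed on disk."""
    hardened = {k: v for k, v in headers.items() if k not in ("X-Powered-By", "X-Generator")}
    if "Server" in hardened:
        hardened["Server"] = re.sub(r"/.*$", "", hardened["Server"])   # "nginx/1.18.0" -> "nginx"
    return hardened, GENERATOR_META.sub("", html)


if __name__ == "__main__":
    for kind, evidence in find_fingerprints(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{kind}: {evidence}")
    h, html = harden(SAMPLE_HEADERS, SAMPLE_HTML)
    print("after hardening:", find_fingerprints(h, html))
```

After hardening, the only finding left is the default backend path, which no response filter can fix: the directory has to be renamed (and the login protected) on the server itself.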

Brute-force intrusion

Intrusion method: brute forcing ("blasting") is violent cracking. Plenty of programs circulating online scan for FTP services, server login addresses and the like and try to crack them. If you use a weak password, such as a 6-digit password on the server's root account, it will be brute forced with ease. The method is crude, but very effective, because people always dislike passwords that are too complex.

Security configuration: first, make sure passwords are no shorter than 18 characters, preferably a mix of upper-case letters, lower-case letters and digits. Second, make sure the password for this account differs from the passwords of your other accounts, so that a password leaked elsewhere cannot be matched against yours from a dictionary. As for the backend login path and the port number, do not take the usual road: the less predictable, the safer. A non-standard port or path only cuts exposure to automated scanners, though; it does not replace a strong credential.
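The following is an added example, not code from the original article. It applies the password rule above as a check, and detects the brute-force pattern from the previous paragraph in sshd log lines. The log lines are constructed in the standard sshd syslog format with documentation-range addresses; the threshold and window are assumptions to tune.

```python
"""Password-policy check and brute-force detection over sshd log lines.

Added example, not from the original article. Log lines are constructed;
203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scanner hammering root/admin, one legitimate user with a typo.
SAMPLE_LOG = """\
Mar 10 03:14:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 03:14:03 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 03:14:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51251 ssh2
Mar 10 03:14:08 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51260 ssh2
Mar 10 03:14:10 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51266 ssh2
Mar 10 03:14:13 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 51270 ssh2
Mar 10 03:20:11 web1 sshd[2190]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2
Mar 10 03:21:00 web1 sshd[2195]: Failed password for deploy from 198.51.100.9 port 40030 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def password_meets_policy(password, other_passwords=()):
    """The article's rule: at least 18 characters, upper + lower + digit, not reused elsewhere."""
    if len(password) < 18:
        return False
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
            and re.search(r"\d", password)):
        return False
    return password not in other_passwords


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_failures} for every IP with >= threshold failures inside one window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year; relative ordering is all we need here
            attempts[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            # sliding window: `threshold` consecutive failures within `window`
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))
    print(password_meets_policy("123456"), password_meets_policy("Correct-Horse-Battery-42x"))
```

The single failed login from the deploy user is not flagged; the scanner with six failures in twelve seconds is. In practice the same logic is what tools like fail2ban implement before banning the address, and key-based SSH with password login disabled removes the brute-force surface entirely.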

Side-station intrusion

Intrusion method: a side-station intrusion starts from the sites next to yours. Your site's program is secure, your security configuration is professional, and you think your site is safe, right? Then perhaps you look around and find that the sites sharing your server are riddled with trojans of every size, each one a foothold from which to step onto your site, and there is nothing you can do about it.

Security configuration: this situation usually arises on shared (virtual) hosting. Once one site on the server is infected, a poorly configured server is likely to let the attacker escalate to server-level privileges, and with them every site on the machine. If finances allow, choose a VPS or a cloud host instead; the security you get is at least a grade higher.

Injection intrusion

Intrusion method: injection tricks the database into handing over confidential information. Take my site, http://www.121h.com/: it is known to be a PHP program and has pages of the form php?id=1. Append and 1=2 to the parameter and, if the statement is crafted correctly, the page may return the database account, password and other sensitive information. This is the so-called "baoku" (exposing the database); injection is one way to expose the database, and a very effective one.

Security configuration: to prevent injection, first set a very complex password, so that even if the attacker obtains its MD5 hash it cannot be cracked; second, pay attention to database privilege management and do not give the website program more database privileges than it needs; third, pay attention to the security of the website program itself, since many injections in practice target programs with known, obvious vulnerabilities.
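The following is an added example, not code from the original article. It reproduces the and 1=2 probe from the intrusion description above against a query that splices the id parameter into SQL, carries it through to a UNION that pulls the admin credential out of the database ("baoku"), and places the parameterised fix beside it. It also replaces the bare MD5 hash the paragraph above relies on with a salted, slow hash, so that a leaked hash cannot be looked up in a table. The in-memory SQLite database, its rows and the table and column names are constructed assumptions.

```python
"""Boolean and UNION injection against a spliced query, the parameterised fix,
and a salted password hash instead of bare MD5.

Added example, not from the original article. Uses an in-memory SQLite
database with constructed rows; table and column names are assumptions.
"""
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-SHA256 with a random per-user salt; each guess costs `iterations` rounds."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


def make_db():
    """Constructed schema: public articles plus the admin table the attacker is after."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [(1, "Welcome"), (2, "News")])
    conn.execute("CREATE TABLE admin (user TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO admin VALUES (?, ?)",
                 ("admin", hash_password("Correct-Horse-Battery-42x")))
    return conn


def get_article_vulnerable(conn, id_param):
    """The ?id=1 pattern from the text: the parameter is spliced straight into the SQL."""
    sql = "SELECT title FROM articles WHERE id=" + id_param
    return [row[0] for row in conn.execute(sql)]


def get_article_safe(conn, id_param):
    """Validate the type, then bind the value; the input can never become SQL."""
    try:
        article_id = int(id_param)
    except ValueError:
        return []                       # "1 and 1=2" is not an id; reject it
    return [row[0] for row in conn.execute("SELECT title FROM articles WHERE id=?", (article_id,))]


if __name__ == "__main__":
    conn = make_db()
    # The author's probe: different answers for 1=1 and 1=2 prove the input runs as SQL.
    print(get_article_vulnerable(conn, "1 and 1=1"), get_article_vulnerable(conn, "1 and 1=2"))
    # From there to "baoku": a UNION pulls the admin credential out through the same page.
    print(get_article_vulnerable(conn, "1 union select pwhash from admin"))
    print(get_article_safe(conn, "1 union select pwhash from admin"))
    print("md5 of 123456, reversible by lookup table:", hashlib.md5(b"123456").hexdigest())
```

The privilege part of the advice is enforced in the database, not in code: on MySQL the web account gets only what the application needs, for example GRANT SELECT, INSERT, UPDATE, DELETE ON site.* TO 'web'@'localhost', and never FILE, SUPER or GRANT OPTION, so that even a successful injection cannot read files or create users.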

Upload intrusion

Intrusion method: this one is easy to understand. An upload intrusion obtains privileges by uploading a file, and it targets sites that allow file uploads, for example a forum that accepts attachments or an information site that accepts submitted images. Any of these can be used to upload a trojan (web shell), and once the trojan is in place a great deal of information is exposed with ease.

Security configuration: apply program patches promptly, and also restrict what may be uploaded, for example by refusing compressed archives. At the same time, restrict the permissions of the folder where uploaded files are stored: the image folder, for instance, has no need for script execution, so remove script execution and archive extraction permissions from it.
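The following is an added example, not code from the original article, showing an upload check that enforces the restrictions above: archives and scripts are refused by name (including as a middle extension, as in shell.php.jpg), the file's leading bytes must match the claimed image type, and the stored name is random rather than the client's. The allowlist, magic bytes, blocked extensions and size limit are assumptions chosen for an image-upload endpoint; the sample files are constructed bytes, not real images.

```python
"""Upload validation enforcing the article's restrictions.

Added example, not from the original article. Allowlist, magic bytes, blocked
extensions and size limit are assumptions for an image-upload endpoint.
"""
import os
import secrets

# What an image folder should accept, with the bytes each type must start with.
ALLOWED_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Anything executable or unpackable is refused outright, even as a middle extension.
BLOCKED_EXTS = {"php", "php3", "php5", "phtml", "phar", "asp", "aspx", "jsp", "cgi", "sh",
                "zip", "rar", "7z", "tar", "gz", "bz2"}
MAX_BYTES = 5 * 1024 * 1024   # assumed size limit


def validate_upload(filename, data):
    """Return (True, safe_storage_name) or (False, reason)."""
    name = os.path.basename(filename.replace("\\", "/")).lower()   # drop any path the client sent
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    if any(e in BLOCKED_EXTS for e in exts):          # catches shell.php and shell.php.jpg alike
        return False, "blocked extension"
    ext = exts[-1]
    if ext not in ALLOWED_MAGIC:
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not data.startswith(ALLOWED_MAGIC[ext]):       # the name says image, so the bytes must too
        return False, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:            # crude polyglot check; the real defence is a no-exec folder
        return False, "embedded script"
    # Never reuse the client's name: a random name defeats path tricks and URL guessing.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "shell.php": b"<?php system($_GET['c']); ?>",
        "shell.php.jpg": b"\xff\xd8\xff",
        "site.zip": b"PK\x03\x04",
        "poly.jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>",
    }
    for fname, blob in samples.items():
        print(fname, "->", validate_upload(fname, blob))
```

The polyglot case (a valid JPEG header with PHP appended) is exactly why the folder permission in the paragraph above matters: name and content checks can be fooled, so the upload directory must not execute scripts at all. With Apache's mod_php that is php_admin_flag engine off in the directory's configuration; with nginx, a location block for the upload path that denies requests ending in .php; and the application should never unpack archives it receives.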

The intrusion methods above are still very much in use, and many novices use them to break into the sites of other novices. Fortunately, as long as we choose a good host, pay attention to program security and set complex passwords, these methods lose most of their effect. Of course, if the other party holds a grudge against you, or is an expert, they will not necessarily break in this way; they may start from your mailbox, your computer or your daily habits, and that is the 2% of cases that remain unsafe.

No site is ever 100% secure; even a site as big as Baidu can run into DNS security problems, and for small sites like ours, as long as there is traffic there will be security problems. Paying constant attention to the site's security configuration cannot make the site 100% secure, but it does eliminate most of the unnecessary attacks, and that is already an improvement in the site's security. This article was provided by 121 Good Information (http://www.121h.com/); please credit the source when reproducing or sharing it. Thank you for your cooperation!
