The successful way of Internet Entrepreneurship (v): Web site to prevent the security of small Kam Bag

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

After the website is built, maintenance and management become the work that needs to be carried on continuously. In this chapter, the site will be optimized for internal links, efficient maintenance, PR upgrade way to introduce.

Optimize the internal link of the website

Two, the website effective maintenance three general knowledge

Third, improve the site PageRank have a coup

Iv. Site Exchange links also beware of counterfeit

V. Objectionable content of the website against Vulgar Prohibition

Vi. simple configuration to make the Web server impregnable

Seven, to understand the "spider" to improve the site included

Eight, cleverly speed up the display of Web pages

Nine, improve the domain name PageRank tips

Ten, avoid messy online management of web site files

XI. website fault real-time monitoring automatic reminder

12, for the site to add a simple search function

The above details can go to "Internet entrepreneurship Success (five): for the site simply add search function" read.

13, the Web site to prevent the security of small Kam Bag

Personal Webmaster Most afraid but also most often encountered, may be the site was invaded. Because most personal websites use programs that are public, they are often more vulnerable to attacks. However, if you do the following, the site security will be enhanced a lot.

1. Simplify the function to remove redundant programs

Some sites like to use a variety of external plug-ins, or test procedures. These plug-ins have a lot of problems, in this way, hackers can easily to the site side note intrusion, resulting in site security is a great hidden danger. Therefore, it is recommended that the site in some dynamic plug-in testing, will not use the program files are all deleted, so as not to the normal operation of the site caused harm.

One of the great benefits of using the online site is that it will continue to be upgraded, and there will often be a variety of upgrades to the official website, or patches that are released specifically for some bugs. So, often on the official website to download patches is also a way to ensure security.

Tips:

When downloading the station program, you must go to a large web site, and to carry out their own drug search and then upload to the server for use.

2. Password protection set Complex password

Set a complex account password is a cliché topic, the Web site program is the same, if set a complex enough management password, even if the hacker through the download database to get the password of the MD5 data, it is difficult to transform the cracked. Special attention is the general procedures have the default original password, often many webmaster will ignore.

Set up a complex password, but also need to pay attention to protect the personal information, usually webmaster like to put their own email address on the website, to facilitate advertisers to contact the ads, but the current Alipay or even the net silver transactions and other information will be saved in the mailbox. It is likely to cause hackers to use social engineering to get information to break passwords.

3. Check traps to make the site indestructible

Other methods include often in the program official website download patches, if the use of the server's Web site, you need to improve server security, the server's permissions must be carefully set, this is often a lot of webmaster easy to ignore the problem, but also be sure to install all the Windows Update patches.

It should be reminded that if, for example, a site uses only a single programming language, such as a php+mysql architecture, you can leave only the corresponding permissions in the IIS application configuration. In addition, because many Web Trojans are used ASA suffix for file name hidden, so if we do not use the ASP program, we must remove the ASA option. For users using the virtual host system, it is recommended that you do not use the fully functional web site space supported by ASP, PHP language, but choose a single script space.

Figure 26

After the above settings, hackers even cracked the program's management account password into the site backstage, can not do other things such as elevation of authority, the malicious operation of the Trojan, can not be more serious damage.

14, visitor inquiries and security measures

1. Identify the visitor IP address

Web site to encounter hackers or malicious visitors how to do, such as someone through the software to illegally collect the content of the site. A lot of time is wasted when you encounter a similar hostile visitor. Even if you really want to "stick to the ground" can not always stay on the site. What to do, the site is closed? Of course it's just a joke. Unbearable, no longer endure! Look at me, a few steps to determine the identity of malicious viewers!

Tips: Why you need to identify IP addresses

An IP address is an important information that determines the identity of the browser and is used to mark the address of each computer in the TCP/IP communication protocol. Even if the current network is most of the dynamic IP address, but the dynamic IP address by ICP Distribution, as well as the management of the norms, according to the IP Information Security Department can still determine the specific location of the viewer.

To query the Web site visitors to the IP information, can be done in a variety of ways, such as according to the server's IIS files for analysis, using a dedicated IP Access tool query, or through the Web site program to achieve the function.

In fact, one of the easiest ways to do this is to take advantage of the statistical programs that most websites are using. In general, because many sites use similar statistical functions, so no need to add or change any Web site files, you can use directly. Because the most basic function of the statistical program is to determine the user's IP address and other information.

First step: If you have not used any statistics, you can start the application of statistical services. Then place the statistics code at the site's corresponding location. If you have already used the statistical procedures, you can skip this step.

The second step: here to 51 statistical services to explain, login site backstage, click on the "Online users" section, will show detailed visitors to the various information, including access to the entrance, stay time, leaving the page, can be based on the time of the message to roughly determine the location of malicious visitors, Then make a detailed lookup in the visitor list.

Figure 27 The visitors in the statistics list

Step three: Determine the malicious browser's IP address, you can click on the address, the program will display the specific information of the visitor, enumerated the IP network line, routing, access, and even computer information, such as system version, browser type, screen resolution, such as detailed parameters.

Figure 28 Detailed information for a visitor

To make the information more accurate, we can also combine the log files of the IIS server for analysis to determine the browsing information for specific visitors, such as browsing the file in a few seconds, and then turning to that page. So accurate information, still afraid to find "behind the hand"?!

2. No Mercy! Screen Viewer access rights

After checking the IP address of the malicious viewer, at this point, you can use some methods and techniques to prevent malicious attacks, the best way is to prohibit his access, so that the IP address can not browse the site, so whether the collection or malicious destruction can not succeed, so that our goal is achieved.

Tips:

Because the current broadband or other Internet access, most of the automatic allocation of dynamic IP, so shielding a single IP may not work. But these dynamic IP generally only in one segment of the change, that is, C class host address, you can block the entire IP segment.

(1) How to shield the virtual host

Login Virtual Host management background, now most of the virtual host management system has set up the function of denying access to IP, as shown in the relevant Settings page, and then in accordance with the text prompted to enter the need to screen the IP address, confirm the submission, it is done.

Figure 29 Setting up a virtual host to deny access to IP

(2) How to set up the server

In IIS, you can restrict the IP address of a Web site by providing a mechanism for IP restrictions. To do this, open the properties of IIS, and then click the security →ip address and the domain name restrictions. In the pop-up interface, select "Authorized Access", and then add the IP address that needs to be screened, finally OK.

After the above settings, when the relative IP visitors to the site, there will be HTTP Error 403 blocked access prompts. As a result, the malicious viewer is blocked from the door.

The right to set up Web sites to refuse hacking

In the course of the website operation, the most can be the webmaster headache is the site was invaded, in fact, if the site set up ahead of the directory permissions, you can ensure that the site can withstand most of the vulnerabilities attack. And the way to set permissions is not difficult, this article describes the setting of file directory and database permissions, as long as the following step-by-step operation of this article, you can greatly improve the security of the site.

1. Site Directory permissions to set the method

Most websites are built with programs, for systems managed directories, you can set it to be readable and executable, but not writable permissions, but you can set it as read-write, but not executable, for the directory where the static file of the Web page is placed, and the directory where the picture file and template file are placed. After the permission assignment is clear, even in the event of a system intrusion, you can only browse and not directly manipulate the file.

Figure 30

For files that can execute scripts, it is best to set permissions that can only be read but not written (figure), and the files that need to be written are set to be unable to execute scripts, and directory permissions are configured so that the security of the site system can be greatly improved.

2. Database permissions should also be carefully set

For the site, the database can be said to be the core of the site, all the content of the site is stored in the database. So database security is also a place to pay attention to. For MySQL database, it is best not to use the root of the site directly to manage the user's permissions, but specifically for each site to open a database account, and the account permissions are limited to the operation of the current database directory, These separate MySQL accounts are stripped of file and execute permissions, so that even if the database is injected into SQL, it can only go to the database level and not the permissions of the entire database server. This makes it very rare for a database to be compromised as long as the database of the site is backed up frequently.

Also note that because many build systems do not use database stored procedures, it is a good idea to disable file, execute, and so on to execute stored procedures or file operations.

Tip: For access's database, you can modify the location of the database, preferably a more hidden directory, which will avoid the database files are malicious detection download. In addition, some programs also support the modification of suffixes, such as the database file of the. mdb can be modified to the. ASA suffix name, the same can effectively protect the database security.

3. Delete unwanted files

Many content management systems, there will be many in the space later do not need files, the most common may belong to the system installation files, such files are usually named install.php or install.asp, if you have a similar space in the file, now quickly delete it.

In addition, some CMS also have many functions, such as question and answer system, etc., but often these features are not used in the site, it is recommended that the directory of these features removed, or only the HTML static page, and then set the directory to be read-write but not executable permissions.

16, refused to "be black" safety prevention

Whether it is the well-known Windows operating system, or the application of a wide range of construction procedures, will inevitably appear in a variety of large and small security vulnerabilities, often hackers burst into a variety of site procedures for the loopholes and also issued a loophole to use tools. In the face of this situation, the webmaster in addition to timely play a corresponding patch to do a good job, but also to enhance the security of the program and the server.

At present, most webmasters are in the use of ready-made web site procedures, such as ASP or PHP language station procedures, although easy to use but there are some security risks, but as long as we do a good job of security precautions, we can rest easy.

1. Website Safety prevention

(1) Delete the tested program files

Some sites like to use a variety of external plug-ins, or test procedures. These plug-ins have a lot of problems, in this way, hackers can easily to the site side note intrusion, resulting in site security is a great hidden danger. Therefore, it is recommended that the site in some dynamic plug-in testing, will not use the program files are all deleted, so as not to the normal operation of the site caused harm.

(2) Do not use Third-party plug-ins easily

Many CMS programs have a lot of third-party plug-ins, but some are not official developers, many of these programs have loopholes, and even deliberately put a lot of malicious script in it. It is recommended that you do not download plug-ins that use third-party programs easily.

(3) Change the Access database to SQL

Access has a shortage of use as a Web site database, such as security issues that have not been very secure and can easily be downloaded maliciously. You can consider changing the Access database of your Web site to a SQL database, and the official web site for many CMS programs also provides downloads of the corresponding conversion programs, and the security of database sites using SQL is greatly enhanced.

(4) Regularly download patches on the official website of the program

One of the great benefits of using the online site is that it will continue to be upgraded, and there will often be a variety of upgrades to the official website, or patches that are released specifically for some bugs. So, often on the official website to download patches is also a way to ensure security.

2. Born on guard, dead in negligence

(1) Management file name skillfully modified

Many Web site program management background are using the default file name, such as admin and other commonly used words are easy to guess, similar file name to the site's security only harm and useless, if we change the file name to a complex letter combination, For example, change the admin.php to endtoweb123.php and other names, manage the site directly input file name can be (such as http://www. your domain name, com/endtoweb123.php). The advantage of this is that even if the hacker cracked the program's management account password, and can not log into the admin backend, thus blocking the hacker's intrusion, it will not cause greater loss.

(2) Enhance the complexity of management account

Set up a complex account password is a cliché topic, the Web site program is the same, if set a complex enough management password, even if the hacker through the download database to get the password of the MD5 data, it is difficult to transform the cracked. While complex passwords can be cumbersome to use, it is important to remember that our laziness will only facilitate hackers. The letter + number + symbol is a better combination of passwords.

(3) Improve server security

Server security settings are numerous, the so-called simple is practical, we take the Windows2000 system as an example to explain. Other Windows systems have a similar set of methods.

The first step: click "IIS file security → file security → Anonymous access and security control," in the pop-up control Panel, remove the "Allow Anonymous access" checkbox before adding an "Integrated Windows Authentication". Alternatively, you can disable the default administrator account in the system and set up an administrator account to use it.

Step two: If the site uses only a single programming language, such as a php+mysql architecture, you can leave only the corresponding files in the IIS application configuration. In addition, because many Web Trojans are used ASA suffix for file name hidden, so if we do not use the ASP program, we must remove the ASA option. For those who use the virtual host system, it is recommended that you do not use the full functionality of the ASP, PHP language support space, but choose a reputable IDC to provide a single script space.

The third step: the server's rights allocation must be carefully set, which is often a lot of webmaster easy to ignore the problem, but also be sure to install all the Windows Update patches.

After the above settings, hackers even cracked the program's management account password into the site backstage, can not do other things such as elevation of authority, the malicious operation of the Trojan, can not be more serious damage.

Please pay attention to the other paragraphs in chapter Fifth:

17, after the site was hacked to deal with the method

18, let the website lossless transition operation method

19. Database backup and management of website

RELATED links:

The successful way of Internet Entrepreneurship (IV.): Improve the function to make the website more easy to use

"Internet Entrepreneurship success: Web site planning, construction, promotion of profitable combat strategy" is a comprehensive explanation of the whole process of website construction of a book, is also the author of five years experience in the establishment of a summary of the station.

This book revolves around the whole process of website construction, from the beginning of the site planning, one by one explained the site creation, site content management, website maintenance, network marketing programs, website SEO, website profitability and other practical operations, and in the form of examples for you to introduce the success of the network business case and website operation of the misunderstanding, So that we can learn the most direct site experience.

A5 Webmaster Network will be serialized this book, if you want to first read, you can go to the Network of Excellence Online bookstore Purchase, the book in Xinhua bookstore throughout the country also has sales.

Author: Tao Qiufung (endto) publishing house: Computer newspaper Electronic audio-visual publishing house.