Web server security Settings

Source: Internet
Author: User
Keywords: Web server


Web sites, as web-based applications, are often more exposed to security problems than other client/server (C/S) systems. For web systems in fields such as finance and telecommunications in particular, security has become a critical aspect of the system: even a small security problem can cause a major economic disaster. In theory, any system can be broken into given sufficient time and resources, so the security of a site cannot be ignored. Many webmasters run their own web servers, so which aspects of web server security need our attention? Typically, web server security settings cover directory security, SSL sockets, user login authentication, log files, and scripting-language security settings, as follows:

First, the directory security settings of the web server. Web directory security must not be neglected. For a web server, you first need to set up secure directories: each directory should contain an index.html or default.html page so that the directory's contents are not exposed. If the web application or web server does not handle this properly, the entire directory tree can be exposed to external users through URL substitution and directory-name guessing. We should therefore strictly set the web server's directory access permissions to reduce directory security vulnerabilities.
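The following is an added example, not code from the original article: a request-path resolver in Python that enforces the two directory rules above (only serve an index page for a directory, never list it, and never serve anything outside the document root). The web root and the sample files are constructed in a temporary directory purely for the demonstration; the status codes and index-file names are assumptions.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Index pages that may be served when a directory itself is requested (assumption).
INDEX_NAMES = ("index.html", "default.html")


def resolve_request_path(url_path, web_root):
    """Map a URL path to a file under web_root.

    Returns (status, path): 200 with a file to serve, 403 for a directory that
    has no index page (the contents are never listed), 400 for a malformed path,
    and 404 for anything that resolves outside the root or does not exist.
    """
    web_root = Path(web_root).resolve()
    # Decode percent-encoding first so "%2e%2e/" cannot slip past the root check.
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        return 400, None
    candidate = (web_root / decoded.lstrip("/")).resolve()
    # Reject anything that escapes the document root via ../ or a symlink.
    if candidate != web_root and web_root not in candidate.parents:
        return 404, None
    if candidate.is_dir():
        for name in INDEX_NAMES:
            index = candidate / name
            if index.is_file():
                return 200, index
        # Directory without an index page: refuse rather than expose a listing.
        return 403, None
    if candidate.is_file():
        return 200, candidate
    return 404, None


def build_sample_site():
    """Create a constructed document root for the demo and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_")).resolve()
    (root / "index.html").write_text("<h1>home</h1>")
    (root / "docs").mkdir()
    (root / "docs" / "default.html").write_text("<h1>docs</h1>")
    (root / "uploads").mkdir()                      # no index page on purpose
    (root / "uploads" / "report.pdf").write_bytes(b"%PDF-1.4 sample")
    return root


if __name__ == "__main__":
    root = build_sample_site()
    for path in ("/", "/docs/", "/uploads/", "/uploads/report.pdf",
                 "/%2e%2e/%2e%2e/etc/passwd", "/missing.html"):
        print(path, "->", resolve_request_path(path, root)[0])
```

Resolving the path before comparing it with the root is what makes the check robust; comparing the raw string for `..` is not enough once encoded or symlinked paths are involved.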

Second, SSL security settings. By default HTTP is not encrypted, and all messages travel over the network in plaintext. An external attacker can then install a listener to capture the communication between user and server. If the web server is configured with SSL, however, only SSL-capable clients can communicate with an SSL-only site, and the URL must be entered as https://, not http://. With SSL, the client randomly generates a session key, encrypts it with the server's public key and sends it to the server over the network; the session key can only be decrypted with the server's private key, so client and server establish a unique secure channel. Using SSL security settings protects the data transferred between client and server.

Next, web login security verification. Most sites today work by registering first and then logging in. It is therefore necessary to verify that the system prevents logins with illegal user names and passwords and implements an effective secure login. For example: whether the number of login attempts per user is limited, whether users are restricted to logging in from certain IP addresses, whether there are rules for password settings, and whether some web pages can be browsed without logging in.
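As an added example (not code from the original article), the login checks listed above can be implemented in a small Python guard: an attempt limit with lockout, an optional allow-list of source networks, a password rule check, and salted password hashing. The thresholds, the user record, and the network range are constructed values for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import os
import re
from collections import defaultdict

MAX_FAILURES = 5            # failed attempts before the account is locked (assumption)
LOCKOUT_SECONDS = 15 * 60   # lock duration (assumption)
PBKDF2_ROUNDS = 100_000


def password_policy_violations(password):
    """Return the rules a candidate password breaks (empty list means acceptable)."""
    rules = [
        (len(password) >= 12, "at least 12 characters"),
        (re.search(r"[A-Z]", password) is not None, "an upper-case letter"),
        (re.search(r"[a-z]", password) is not None, "a lower-case letter"),
        (re.search(r"\d", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a symbol"),
    ]
    return [text for ok, text in rules if not ok]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    def __init__(self, users, allowed_networks=None):
        # users: {username: (salt, digest)} as produced by hash_password()
        self.users = users
        self.allowed = [ipaddress.ip_network(n) for n in (allowed_networks or [])]
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, username, password, client_ip, now):
        """Return 'ok', 'failed', 'locked' or 'denied_ip'; `now` is a timestamp in seconds."""
        ip = ipaddress.ip_address(client_ip)
        if self.allowed and not any(ip in net for net in self.allowed):
            return "denied_ip"
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
        _, got = hash_password(password, salt)
        if record and hmac.compare_digest(got, expected):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed account and internal network range for the demo.
    guard = LoginGuard({"alice": hash_password("Correct-Horse-42!")},
                       allowed_networks=["10.0.0.0/8"])
    print(guard.attempt("alice", "Correct-Horse-42!", "203.0.113.9", now=0))  # denied_ip
    print(guard.attempt("alice", "wrong", "10.1.2.3", now=0))                  # failed
    print(password_policy_violations("short"))
```

Failed attempts are counted per user name rather than per IP so that a distributed guessing campaign still trips the lock; the IP allow-list is a separate, optional layer for sites that only expect logins from known networks.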

In addition, the site server needs to store the site's activity log files effectively. Log files are critical: we need to check whether the relevant important information is written to the log file and whether the source of a failure can be traced afterwards. Once the site goes live, the web server's operational and access logs and traffic need to be monitored, which requires the server to have corresponding log-management functions. For example: whether the log records the IP address of the user's access, whether the user name is logged, whether all transaction information is recorded, and whether failed registration and login attempts are recorded, especially where money is involved, such as recording the use of stolen credit cards.
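Below is an added example (not from the original article) of the kind of audit the paragraph asks for, run over a few constructed log lines in a simple `key=value` format. It checks that every entry carries the fields the text names (IP, user name, action, result), counts failed logins per source address, and flags a card that is declined for several different users, an indicator that stolen card numbers are being tried. The log format, field names and thresholds are assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict

REQUIRED_FIELDS = ("ip", "user", "action", "result")
FAILED_LOGIN_THRESHOLD = 3   # failed logins from one IP that merit a look (assumption)
DECLINE_THRESHOLD = 2        # distinct users declined on the same card (assumption)

# Constructed sample log; timestamps, addresses and names are made up for the demo.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=198.51.100.7 user=alice action=login result=ok
2024-05-01T10:00:05Z ip=198.51.100.7 user=alice action=purchase result=ok amount=49.90 card=****1234
2024-05-01T10:01:00Z ip=203.0.113.5 user=bob action=login result=fail
2024-05-01T10:01:02Z ip=203.0.113.5 user=bob action=login result=fail
2024-05-01T10:01:04Z ip=203.0.113.5 user=admin action=login result=fail
2024-05-01T10:02:00Z ip=203.0.113.5 user=carol action=purchase result=fail reason=card_declined card=****9876
2024-05-01T10:02:30Z ip=203.0.113.5 user=dave action=purchase result=fail reason=card_declined card=****9876
2024-05-01T10:03:00Z ip=192.0.2.44 action=login result=ok
"""

TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(TOKEN.findall(rest))
    fields["ts"] = ts
    return fields


def audit(log_text):
    incomplete = []                 # (line number, missing fields)
    failed_logins = Counter()       # ip -> failed login count
    declined = defaultdict(set)     # card -> users it was declined for
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        f = parse_line(line)
        missing = [k for k in REQUIRED_FIELDS if k not in f]
        if missing:
            # An entry we could not attribute to a user or address is itself a finding.
            incomplete.append((n, missing))
            continue
        if f["action"] == "login" and f["result"] == "fail":
            failed_logins[f["ip"]] += 1
        if f["action"] == "purchase" and f.get("reason") == "card_declined" and "card" in f:
            declined[f["card"]].add(f["user"])
    return {
        "incomplete_lines": incomplete,
        "brute_force_ips": {ip: c for ip, c in failed_logins.items()
                            if c >= FAILED_LOGIN_THRESHOLD},
        "card_testing": {card: sorted(users) for card, users in declined.items()
                         if len(users) >= DECLINE_THRESHOLD},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The same three checks can be run against a real log by replacing `SAMPLE_LOG` with the file contents, provided the server writes the fields the paragraph lists; the `incomplete_lines` result is what tells you when it does not.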

Finally, the security settings for server-side scripts. Each scripting language works differently: some allow access to the server's root directory, some cannot run in the server root, some only allow access to mail servers. But whatever the script, experienced attackers can obtain the server's user name and password by various means. They first find out which scripting language the site uses, then study the flaws and vulnerabilities of that language, and attack and tamper with the server. I have many times found that a friend's site had a section of VB or JS script planted in it; when users logged in to the site's member area, these scripts ran automatically and stole the user name and password, resulting in large numbers of stolen user accounts. So we must lock down server-side script execution to prevent malicious script attacks.
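The planted-script problem described above is, from the defender's side, a matter of never letting user-supplied text reach the page as markup and of making the session cookie unreadable to script. The following added example (not code from the original article) renders a member page in Python with output escaping, sends a Content-Security-Policy that only allows the site's own scripts, and marks the session cookie HttpOnly; it also includes a small parser-based check that confirms the rendered page contains only the template's own tags. The template, header values and the constructed inputs are assumptions.

```python
import html
from html.parser import HTMLParser

# Placeholder session value; a real server generates this per login.
SESSION_COOKIE = "session=EXAMPLE_SESSION_ID; Path=/; Secure; HttpOnly; SameSite=Strict"


def security_headers():
    """Response headers that keep injected or foreign scripts from running or reading cookies."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": SESSION_COOKIE,
    }


def render_member_page(username, bio):
    """Build the member page; every user-controlled value is HTML-escaped (quotes included)."""
    safe_user = html.escape(username, quote=True)
    safe_bio = html.escape(bio, quote=True)
    page = ("<html><body>"
            f"<h1>Welcome, {safe_user}</h1>"
            f"<p>{safe_bio}</p>"
            "</body></html>")
    return page, security_headers()


class TagCollector(HTMLParser):
    """Records the tags and attribute names the browser would actually see."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def markup_in_page(rendered):
    """Return (set of tags, set of attribute names) present in the rendered HTML."""
    collector = TagCollector()
    collector.feed(rendered)
    return set(collector.tags), set(collector.attrs)


if __name__ == "__main__":
    # Constructed hostile input of the kind the text describes.
    page, headers = render_member_page("mallory<script>alert(1)</script>",
                                       'I like "quotes" & <b>bold</b>')
    print(page)
    print(markup_in_page(page))
    print(headers["Content-Security-Policy"])
```

Escaping is applied at output time, not at input time, so the same stored value is safe whichever page later displays it; the CSP and HttpOnly flag are the second layer for the case where some other component fails to escape.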

This article is original content from Home of Psychology http://www.psybook.com; please indicate the source when reprinting. Thank you!
