One: General protection methods of the website
Faced with hacker threats, network security administrators take various measures to harden the server and keep the WWW service running normally. As with other Internet servers such as Email and FTP, the following methods can be used to protect a WWW server:
Security configuration
Close unnecessary services, ideally providing only the WWW service; install the latest operating system patches; upgrade the WWW service to the latest version and apply all of its patches; and follow the security recommendations of the WWW server vendor. These measures greatly improve the security of the WWW server itself.
Firewall
Install the necessary firewalls to block the probing and information gathering of various scanning tools; connections from certain IP addresses named in security reports can even be blocked outright. This adds a protective layer in front of the WWW server. At the same time, the network environment inside the firewall needs to be adjusted to eliminate security risks on the internal network.
Vulnerability scan
Use commercial or free vulnerability scanning and risk assessment tools to scan the server regularly, so that potential security problems are discovered and so that routine maintenance such as upgrades or modifications does not introduce new ones.
Intrusion detection system
Use the real-time monitoring capability of an Intrusion Detection System (IDS) to discover attacks in progress and the probing that precedes an attack, and to record the source of the attacker and the steps and methods of the attack.
These security measures greatly improve the security of the WWW server and reduce the likelihood of a successful attack.
Two: Site-specific protection methods
Although the various security measures adopted can stop many hacker attacks, new vulnerabilities in operating systems and server software are continually discovered and attack methods are endless, so a highly skilled hacker can break through layered protection, gain control of the system and thereby deface the home page. For this reason some network security companies have released protection software specifically for websites, which protects only the website's most important content: the web pages. Once an abnormal change to a protected file is detected, the file is recovered. In general the system first backs up the normal page files, then starts the detection mechanism to check whether the files have been modified, and recovers them if they have. We compare the technical approaches below:
Monitoring method
Local and remote: detection can run as a monitoring process on the local machine or on another host on the network. If it is local, the monitoring process needs sufficient permission to read the protected directories or files. If the monitoring is remote, the WWW server needs to expose some service to the monitoring end; the most common way is to use the server's already open WWW service directly and monitor the protected files and directories over HTTP. Other common protocols, such as FTP, can also be used to check the protected files and directories. The advantage of the local approach is high efficiency; the remote approach is platform-independent but adds network traffic.
Timed and triggered: most protection software uses timed detection; whether local or remote, detection is driven by the system's timer. Protected web pages can be divided into different levels: for high-priority pages the detection interval can be made shorter for better real-time response, and for lower-priority pages the interval can be set longer to reduce the load on the system. The triggered method uses functions provided by the operating system that notify the monitor when a file is created, modified or deleted. The advantage of this method is high efficiency, but it cannot be done remotely.
Comparative method
To determine whether a file has been modified, the files in the protected directory are compared against the backup library, and the most straightforward method is full-text comparison. Comparing the file contents directly determines accurately whether the file has been modified, but full-text comparison is very inefficient for large files, so some protection software instead compares file attributes such as size and creation or modification time. This has a serious defect: a malicious intruder can set the attributes of the replacement file to be identical to those of the original, and the replacement will then not be detected. Another solution is to compare the digital signature of the file, most commonly computed with the MD5 algorithm; because a digital signature cannot be forged, it can guarantee that the file is identical.
Recovery method
The recovery method depends directly on where the backup library is located. If the backup library is local, the recovery process must have permission to write to the protected directories or files. If recovery must be done through file sharing or FTP, a file sharing or FTP account is needed, and that account must have write permission on the protected directories or files.
Backup library security
When a hacker finds that the replaced home page is quickly restored, this often provokes a stronger desire to do damage, so the security of the backup library becomes especially important: the security of the web page files is transferred to the security of the backup library. One way to protect the backup library is to hide the files so that the hacker cannot find the backup directory. Another method is to digitally sign the backup library: if the hacker modifies its contents, the protection software discovers this through the signature and can stop the WWW service or switch to a default page.
The above analysis shows that each technique has its own advantages and disadvantages, and the most suitable technical solution must be chosen according to the actual network environment.
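An added example, not from this paper or from any product it describes, of the digest comparison, recovery and signed backup library discussed above, in Python: it builds a digest manifest of the backup library, signs the manifest with an HMAC, and on each timed detection pass restores any protected file whose digest no longer matches, falling back to a default page when the backup library itself no longer verifies. The page names MD5; SHA-256, the key MANIFEST_KEY and a flat web directory are assumptions made here.

```python
import hashlib
import hmac
import os
import shutil

# Hypothetical key protecting the backup library's manifest (constructed for this example).
MANIFEST_KEY = b"example-manifest-key"
DEFAULT_PAGE = b"<h1>Site temporarily unavailable</h1>"

def file_digest(path):
    """Content digest; the page names MD5, SHA-256 is assumed here instead."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def attrs_match(path_a, path_b):
    """Attribute comparison (size and mtime): cheap, but a replacement can preserve both."""
    a, b = os.stat(path_a), os.stat(path_b)
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)

def build_manifest(backup_dir):
    """File name -> digest for every file in the backup library (flat directory assumed)."""
    return {name: file_digest(os.path.join(backup_dir, name))
            for name in sorted(os.listdir(backup_dir))}

def sign_manifest(manifest):
    """HMAC over a canonical rendering, so a tampered backup library is caught before use."""
    canonical = "\n".join(f"{p}:{d}" for p, d in sorted(manifest.items())).encode()
    return hmac.new(MANIFEST_KEY, canonical, hashlib.sha256).hexdigest()

def check_and_recover(web_dir, backup_dir, manifest, signature):
    """One timed detection pass: digest-compare each protected file and restore on mismatch.
    Returns {name: 'ok' | 'restored' | 'default'}."""
    backup_ok = hmac.compare_digest(sign_manifest(build_manifest(backup_dir)), signature)
    results = {}
    for name, expected in manifest.items():
        target = os.path.join(web_dir, name)
        if os.path.isfile(target) and file_digest(target) == expected:
            results[name] = "ok"
        elif backup_ok:
            shutil.copy2(os.path.join(backup_dir, name), target)  # recover from the backup library
            results[name] = "restored"
        else:  # the backup itself was altered: serve a default page rather than a bad copy
            with open(target, "wb") as f:
                f.write(DEFAULT_PAGE)
            results[name] = "default"
    return results
```

The attrs_match helper is included only to show why comparing size and modification time is insufficient: a same-size replacement with the original timestamp passes it while the digest comparison still catches it.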
Three: Defects of website protection
Although website protection software can further improve the security of the system, it still has defects. First, this protection software is designed for static pages, while dynamic pages are becoming more and more widespread; the local monitoring method can detect changes to script files, but it can do nothing about the database that the scripts use.
In addition, some attacks do not target page files at all: the "Code Red" worm that spread widely a short time ago attacked pages by modifying a dynamic library of the IIS service. On another front, the website protection software itself adds load to the WWW server; when the server is already heavily loaded, the way the software is used must be planned carefully.
Four: Conclusion
This paper has discussed the protection methods commonly used for websites, analyzed the technical implementations of dedicated website protection software with their advantages and disadvantages, and pointed out their defects. Although security cannot be solved by one tool or a few tools, using these tools can help improve security and reduce security risks.