Today, as computer networks become increasingly popular, computer security no longer means only preventing computer viruses; it also means improving a system's ability to resist illegal intrusions by hackers, and improving the confidentiality of remote data transmission so that data cannot be illegally stolen in transit. This article discusses only some of the situations that may arise when building a Web server, in the hope of drawing attention to them.
1. Security vulnerabilities
Vulnerabilities on the web server can be considered from the following aspects:
1. Confidential files, directories or important data on the Web server that others should not be allowed to access.
2. Information sent from a remote user to the server, especially sensitive data such as credit card numbers, may be illegally intercepted by criminals in transit.
3. The Web server software itself has vulnerabilities that allow some people to invade the host system, destroy important data, and even bring the system down.
4. CGI security vulnerabilities include:
(1) Bugs in the host system, whether left intentionally or unintentionally, create conditions for illegal hackers.
(2) Programs written as CGI scripts may expose the host system to hazards through the Web.
5. Some simple Web servers downloaded from the Internet were written without considering security and cannot be used for commercial applications.
Therefore, whether you are configuring the server or writing CGI programs, you must pay attention to the security of the system. Try to plug any existing loopholes and create a safe environment.
2. Improve system security and stability
Web server security precautions:
1. Limit the opening of accounts on the Web server, and regularly delete accounts whose use has been discontinued.
2. For accounts opened on the Web server, impose requirements on password length and regular password changes to prevent theft.
3. Try to separate FTP, MAIL and other servers from the Web server, and remove irrelevant applications such as ftp, sendmail, tftp, NIS, NFS, finger, netstat and so on.
4. Remove interpreters that are not strictly necessary, such as shells, from the Web server; for example, if your CGI programs do not use PERL, remove the PERL interpreter from the system.
5. Regularly check the log files on the server and analyze any suspicious events. When records such as rm, login, /bin/perl, /bin/sh, etc. appear in the error log, your server may have been invaded by some illegal user.
6. Set the permissions and attributes of the system files on the Web server: assign documents that others may access to a public group such as WWW, and give that group read-only rights. All HTML files belong to the WWW group, which is managed by the Web administrator; only Web administrators have write access to the Web configuration files.
7. Some Web servers point the Web document directory and the FTP directory at the same directory; in that case, be careful not to place the FTP directory and CGI-BIN in the same directory. This prevents users from uploading programs such as PERL or SH scripts through FTP and then executing them through the Web server's CGI-BIN, with adverse consequences.
8. Restrict access by client IP address or domain name, for example by adding the following to access.conf on NCSA httpd:
<Directory /full/path/to/directory>
<Limit GET POST>
order mutual-failure
deny from all
allow from 168.160.142. abc.net.cn
</Limit>
</Directory>
In this way, only clients in the domain abc.net.cn or with an IP address in 168.160.142 can access the Web server.
For CERN or W3C servers, add this to httpd.conf:
Protection LOCAL-USERS {
GetMask @(*.capricorn.com, *.zoo.org, 18.157.0.5)
}
Protect /relative/path/to/directory/* LOCAL-USERS
9. HTTPD under WINDOWS
(1) Netscape Communications Server for NT
PERL interpreter vulnerability:
Netscape Communications Server does not associate file extensions under CGI-BIN with the application that handles them; for example, a .pl file is not automatically passed to the PERL interpreter. The perl.exe file therefore has to be placed in the CGI-BIN directory itself, and scripts are executed with a URL such as /cgi-bin/perl.exe?&my_script.pl. But this means that anyone can execute PERL code simply by entering a URL such as /cgi-bin/perl.exe?-e unlink <*> in their browser, which risks deleting files in the server's current directory. Other servers such as O'Reilly WebSite or Purveyor do not have this vulnerability.
Vulnerability in CGI execution of batch files:
The contents of the file test.bat are as follows:
@echo off
echo Content-type: text/plain
rem "echo." prints the blank line that ends the CGI header; a bare "echo" would print "ECHO is off."
echo.
echo Hello World!
If the URL in the client's browser is /cgi-bin/test.bat?&dir, the command interpreter runs and completes the DIR listing. This gives the visitor the possibility of executing other commands.
(2) O'Reilly WebSite server for Windows NT/95
The same batch-file vulnerability as in Netscape's server exists in versions of WebSite prior to 1.1B. The new version, however, no longer allows .bat files to act as CGI programs; it supports PERL, and VB and C are used as its CGI development tools.
(3) Microsoft's IIS Web Server
Versions of IIS released before March 5, 1996 have serious bugs under NT that allow arbitrary commands to be run. The vulnerability has since been patched; you can check the creation date of your executable to see whether you are affected. IIS 3.0 still has some security bugs, mainly concerning the permissions granted under CGI-BIN. In addition, many Web servers have security vulnerabilities of their own that are fixed progressively as versions are upgraded; I will not list them one by one here.
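As an added example (not code from the original article), the following C functions model the effect of the NCSA access.conf fragment in item 8 above: everything is denied except clients whose IP address begins with an allowed prefix or whose hostname ends with an allowed domain. The allow list is constructed for illustration, and the matching rules (octet-boundary prefix, label-boundary suffix) are assumptions about how such patterns should be read.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <strings.h>

/* Added example, not code from the original article. Models "deny from all"
 * followed by "allow from 168.160.142. abc.net.cn": a client is admitted only
 * if its IP starts with an allowed prefix or its hostname ends with an
 * allowed domain. The allow list below is constructed for illustration. */
static const char *const kAllow[] = {"168.160.142.", "abc.net.cn"};
static const size_t kAllowN = sizeof kAllow / sizeof kAllow[0];

/* A partial IP such as "168.160.142." matches only on an octet boundary,
 * so "168.160.14" does not match 168.160.142.5. */
static int ip_prefix_match(const char *pattern, const char *ip) {
    size_t n = strlen(pattern);
    if (n == 0 || strncmp(pattern, ip, n) != 0) return 0;
    return pattern[n - 1] == '.' || ip[n] == '\0' || ip[n] == '.';
}

/* A domain such as "abc.net.cn" matches the host itself or any subdomain,
 * but not "xabc.net.cn". DNS names compare case-insensitively. */
static int domain_suffix_match(const char *pattern, const char *host) {
    size_t pn = strlen(pattern), hn = strlen(host);
    if (pn == 0 || hn < pn) return 0;
    const char *tail = host + (hn - pn);
    if (strcasecmp(tail, pattern) != 0) return 0;
    return hn == pn || tail[-1] == '.';
}

/* Returns 1 if the client may access, 0 if denied. A NULL host means the
 * server could not resolve a name, so only the IP patterns can admit it. */
int host_allowed(const char *const *allow, size_t n_allow,
                 const char *ip, const char *host) {
    for (size_t i = 0; i < n_allow; i++) {
        const char *p = allow[i];
        int numeric = strspn(p, "0123456789.") == strlen(p);
        if (numeric ? ip_prefix_match(p, ip)
                    : (host != NULL && domain_suffix_match(p, host)))
            return 1;
    }
    return 0; /* nothing matched: "deny from all" applies */
}

/* Convenience wrapper using the constructed allow list above. */
int client_allowed(const char *ip, const char *host) {
    return host_allowed(kAllow, kAllowN, ip, host);
}
```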
3. Consider security from the perspective of CGI programming
1. It is safer to use a compiled language than an interpreted one, and CGI programs should be placed under CGI-BIN, separate from the HTML document directory. This prevents illegal visitors from fetching the source of an interpreted-language script through the browser and then looking for loopholes in the code.
2. When writing CGI programs in C, try to avoid popen(), system() and any other call that invokes /bin/sh; in PERL, likewise avoid system(), exec(), open(), eval and similar commands that exec or eval.
When the form filled in by the user is passed back to the CGI program, never feed it directly to functions such as system().
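As an added example (not code from the original article), here is how a CGI helper written in C can follow the two rules above: the form field is checked against a strict allow-list, and the external program receives it as a single argv element via execv(), so /bin/sh never sees user input. The program path, the field format and the use of /bin/echo to demonstrate the call are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not code from the original article. Instead of
 * system("finger " + field), which hands the form field to /bin/sh, the
 * field is checked against an allow-list and passed to the program as
 * one argv element. Program path and field rules are assumptions. */

/* Accept only characters a username may contain; ; | & ` $ < > newline
 * and whitespace are all rejected before anything is executed. */
int valid_field(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run "prog arg" with no shell involved and capture its stdout into out.
 * Returns the number of bytes captured, or -1 if the field failed
 * validation, the child could not start, or it exited non-zero. */
long run_checked(const char *prog, const char *arg, char *out, size_t outlen) {
    if (!valid_field(arg)) return -1;
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                          /* child */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        char *argv[] = {(char *)prog, (char *)arg, NULL};
        execv(prog, argv);                   /* argv is passed verbatim */
        _exit(127);
    }
    close(fd[1]);                            /* parent */
    long total = 0; ssize_t r;
    while ((r = read(fd[0], out + total, outlen - 1 - total)) > 0) total += r;
    close(fd[0]);
    out[total] = '\0';
    int status;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? total : -1;
}
```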
In addition, for data encryption and transmission, there are currently SSL, SHTTP, SHEN and other protocols for everyone to study.
4. Firewall
1. The concept of firewall
A firewall is a device composed of software, or a combination of software and hardware, located between the computers of an enterprise or network group and the external channel (the Internet). It restricts external users' access to the internal network and manages internal users' permission to access the external network.
2. Firewall measures
(1) Proxy host
"Internal Network--Proxy Gateway--Internet"
In this arrangement the internal network does not communicate directly with the Internet. Computers on the internal network talk to the proxy gateway using the internal network's own protocols (Netbios, TCP/IP, etc.), while the standard TCP/IP protocol is used between the gateway and the Internet. This prevents network packets from travelling directly between the internal and external networks. Internal computers must go through the proxy gateway to reach the Internet, which makes it easy to restrict, on the proxy server, which external computers internal machines may reach. In addition, because the proxy server uses different protocol standards at its two ends, it can also directly block illegal intrusions from the outside world, and the gateway can perform security controls such as verifying packets and confirming passwords. In this way users at both ends can be better controlled and managed, and the gateway functions as a firewall.
Because this firewall measure is implemented through a proxy server, efficiency inevitably suffers when there are many online users: the proxy server becomes heavily loaded, and much client software that accesses the Internet may not work normally on internal network computers.
(2) Router with filter
"Internal Network--Filter--Router--Internet"
This structure uses a router and a filter together to restrict external computers' access to the internal network by IP address or domain name; it can also specify or restrict access to the Internet from the internal network. The router routes only the traffic on specific PORTs of the host, while the filter performs filtering, verification and security monitoring, which can largely isolate abnormal access logins between the internal and external networks.