Server security experience: preventing unauthorized logins
Author: Eve Cole
Update time: 2009-07-24 15:42:20
1. Configure the database securely: the account, password and permissions your application uses to connect to it. A module that only displays news needs nothing more than read-only access, and different modules can use different accounts with different permission sets. Which stored procedures the account may call must also be configured strictly, and every unused one disabled (above all the ones that execute operating-system commands, such as xp_cmdshell on SQL Server), so that an injection cannot be turned into system calls through the database's own stored procedures;
2. Filter every parameter submitted by the client strictly: check its type, its length and its permitted character set against what the application actually expects (an allow-list), and pass values to the database as bound parameters rather than concatenating them into the SQL text, since filtering on its own is easy to get wrong;
3. Protect the administrator's back end strictly. Where possible, allow access only from specific IP addresses (for example, only from the administrators' network segment); whether this is feasible depends on the actual situation;
4. Configure the operating system securely so that system programs cannot be invoked after an injection, for example
cmd.exe / tftp.exe / ftp.exe / net.exe
Move these files to other directories and assign strict permissions to those directories. The relocation only slows an attacker down; the restrictive access control list on the new directory is what actually stops the web server's or database's service account from executing them;
5. Set up network access control between the servers and the outside world (for example, the database server should accept connections only from the web server);
6. If possible, configure content filtering for HTTP to filter out viruses, malicious scripts and the like;
7. If necessary, consider HTTPS. It is enough to stop many injection scanning tools, since many of them do not support it, but it does not by itself remove an injection flaw: the encrypted request reaches the application exactly as the attacker wrote it. When I developed my own injection detection tool, I considered supporting HTTPS, but it has not been implemented yet.
You will have noticed that, in general, the application mainly has to deal with permissions and parameter filtering; permissions here means both IIS browsing permissions and database calling permissions, and on top of that the security configuration of the database and the operating system has to be considered. One more question: do you use components developed by others during development, for example for image uploading, and have you studied the security of those components? Most people also reuse ready-made code found on the Internet and in books, such as user login verification routines; the security of that code must be studied too.
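The login verification routine that item 2 and the closing paragraph warn about, as an added example (Python; not code from the original article): the concatenated query that copied login code often uses, next to a hardened version that validates type, length and character set, binds the values as query parameters, and, following item 3, accepts the administrator login only from the administrators' network segment. The user table, the passwords, the client addresses and the 10.0.5.0/24 segment are all constructed for the demonstration, and the SHA-256 hashing is a placeholder for a proper salted password KDF.

```python
"""Hardened login check beside the injectable pattern it replaces.
Added example, not code from the original article; runs on an in-memory
SQLite database with constructed sample users."""
import hashlib
import hmac
import ipaddress
import re
import sqlite3

# Constructed sample accounts (not from the article).
SAMPLE_USERS = [("admin", "S3cret!pass"), ("editor", "hunter2")]

# Item 3: the admin back end answers only to the administrators' segment.
# The segment itself is an assumption made for this example.
ADMIN_NETWORK = ipaddress.ip_network("10.0.5.0/24")

# Item 2: an allow-list for the username, plus length bounds.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
MAX_PASSWORD_LEN = 128


def _hash(password: str) -> str:
    """Placeholder hash so the demo needs no extra packages; a real site
    stores salted hashes from a slow KDF (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build the constructed user table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, _hash(p)) for u, p in SAMPLE_USERS])
    return conn


def login_vulnerable(conn, username, password):
    """The pattern seen in much copied login code: the client's input is
    concatenated into the SQL text, so the client controls the query."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND pw_hash = '%s'"
           % (username, _hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def validate_credentials(username, password):
    """Item 2: reject anything that is not the expected type, length and
    character set before it reaches the database."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if USERNAME_RE.fullmatch(username) is None:
        return False
    return 1 <= len(password) <= MAX_PASSWORD_LEN


def admin_login_hardened(conn, username, password, client_ip):
    """Item 3 (source address check), item 2 (validation) and a bound
    parameter instead of string concatenation. Returns the user name on
    success and None otherwise, without saying which check failed."""
    try:
        if ipaddress.ip_address(client_ip) not in ADMIN_NETWORK:
            return None
    except ValueError:          # malformed address, treat as not allowed
        return None
    if not validate_credentials(username, password):
        return None
    row = conn.execute("SELECT name, pw_hash FROM users WHERE name = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    # Constant-time comparison so the hash check leaks no timing information.
    if not hmac.compare_digest(row[1], _hash(password)):
        return None
    return row[0]


if __name__ == "__main__":
    db = make_db()
    # The classic payload comments the password check out of the query.
    payload = "admin' --"
    print("vulnerable  :", login_vulnerable(db, payload, "anything"))
    print("hardened    :", admin_login_hardened(db, payload, "anything", "10.0.5.7"))
    print("valid login :", admin_login_hardened(db, "admin", "S3cret!pass", "10.0.5.7"))
    print("wrong subnet:", admin_login_hardened(db, "admin", "S3cret!pass", "203.0.113.9"))
```

Against the vulnerable routine the username `admin' --` turns the query into `... WHERE name = 'admin' --...`, so the password clause is commented away and the attacker is logged in as admin with any password. The bound parameter alone already defeats that, because the database receives the payload as a literal string and not as SQL; the allow-list check in front of it shrinks what an attacker can even submit, and the source-address check means an injection found elsewhere on the site still cannot reach the administrator's back end from the Internet.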