Experts teach you how to build a secure server environment
Author: Eve Cole
Update Time: 2009-07-24 16:30:21
"Website hacking" and "Olympic hacking" have recently become hot topics in Internet security. A Google search for the term "Olympic hacking" returns more than 646,000 results, which shows how much attention it has received, and news of ordinary websites being attacked by hackers has been reported frequently of late. According to relevant data, from January to May this year more than 30,000 websites across the country were invaded by "hackers"! Lacking professional protection capabilities, small and medium-sized government and corporate websites have become the biggest victims of "hacker" intrusions.
Expert Tip 1 on security for small and medium-sized websites: Build a secure server environment as the first lock
According to a technician in charge of website maintenance at the Shaanxi Earthquake Bureau, the Shaanxi Earthquake Network was attacked by hackers, and the notice displayed on the homepage saying that the website had a "major security vulnerability" was false information released by the hackers. The website is currently operating safely and has no technical vulnerabilities. While condemning the "earthquake hackers", we should also consider another question: how do we ensure the safe operation of our own websites? To answer it, the reporter visited domestic experts on security for small and medium-sized websites.
According to the experts, building a secure server environment is the first line of defense against hacker attacks. Building such an environment involves a wide range of measures, but for small and medium-sized websites it can be approached from three aspects:
(1) Technology: use software and hardware firewalls, anti-virus software and a page anti-tampering system to establish a structurally sound Web server environment.
(2) Services: conduct network topology analysis, establish a central computer room management system, establish a regular upgrade mechanism for operating systems and anti-virus software, monitor important servers and back up access logs. These services strengthen the network's resistance to interference.
(3) Support: require the service provider to offer troubleshooting services to improve the reliability of the network.
However, most small and medium-sized websites are currently hosted on virtual hosts. To improve website security and reduce the risk of hacker attacks, website administrators should apply the latest patches to their website programs in a timely manner, keep security in mind during development, and take care to prevent injection vulnerabilities, upload vulnerabilities and similar issues. They should also host the website with a service provider that has strong technical capability, a high level of security, and the willingness to proactively help customers solve security issues, so that the website has a safe operating environment.
Expert Tip 2: Pay attention to the security of the website system and deploy a second lock
Building a secure server environment only blocks "hacker" attacks from the outside. It is even more important to ensure the security of the website system itself and prevent hackers from exploiting system vulnerabilities to attack and thereby threaten website security.
According to network security experts from Dongyi Company, the Top 10 ranking of Web application vulnerabilities released by the OWASP organization in 2007 shows that cross-site scripting, injection vulnerabilities, cross-site request forgery and information leakage are still popular attack methods among hackers, especially SQL injection and cross-site scripting. A SQL injection attack exploits a programmer's failure to check the validity of user input when writing code, which allows an intruder to insert and execute malicious SQL commands and so gain permission to read and modify data. A cross-site scripting attack adds malicious code to a web page; the code is executed when a visitor browses the page, or the attacker sends a message to the administrator to induce the administrator to browse it, thereby obtaining administrator rights and controlling the entire website.
So, are there any effective security measures to block this kind of hacker attack? It is reported that during the development of the SiteFactory content management system, complete defense plans were drawn up for the various attack methods, and that, with the help of the features and functions of ASP.NET, the system can effectively resist attacks by malicious users and improve the website's security. But what are the more effective ways to block today's SQL injection and cross-site scripting attacks? We put this question to Dongyi's network security experts, who introduced some of their methods:
(1) For SQL injection attacks: the Dongyi system filters the query parameters in SQL query statements; uses type-safe parameterized SQL queries, which fundamentally solve the problem of SQL injection; and restricts the type, quantity and range of URL parameters to stop malicious users from attacking through the address bar. In addition to these controls, other filtering and validation of user input data is applied to prevent SQL injection attacks.
(2) For cross-site scripting attacks: content that does not support HTML is encoded directly, which fundamentally solves the cross-site problem. For content that supports HTML, we have a special filtering function that processes the data securely (based on the attack examples in the XSS attack library). Although this method is currently safe, that does not mean it will remain safe in the future, because attack methods will continue to be updated, so our filtering function library will also be constantly updated.
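The SQL injection controls in item (1), shown as an added example that is not SiteFactory or Dongyi code: a concatenated query beside a parameterized one with type, quantity and range checks on the URL parameters. Python with an in-memory SQLite database stands in for the ASP.NET stack, and the table, function names and id bounds are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data: one public article and one unpublished draft.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "Public notice", 1), (2, "Unreleased draft", 0)])
    return db

def find_article_unsafe(db, raw_id):
    # Weak form: the URL value is pasted into the SQL text, so it is parsed as SQL.
    sql = "SELECT title FROM articles WHERE published = 1 AND id = " + raw_id
    return [row[0] for row in db.execute(sql)]

ALLOWED_PARAMS = {"id"}          # quantity: exactly the parameters this page expects
ID_RANGE = range(1, 1_000_000)   # range: hypothetical bounds for an article id

def parse_params(params):
    """Apply type, quantity and range restrictions to URL parameters (dict of strings)."""
    if set(params) != ALLOWED_PARAMS:
        raise ValueError("unexpected or missing parameters")
    raw = params["id"]
    if not (raw.isascii() and raw.isdigit()):   # type: decimal digits only
        raise ValueError("id must be an integer")
    value = int(raw)
    if value not in ID_RANGE:
        raise ValueError("id out of range")
    return value

def find_article_safe(db, params):
    article_id = parse_params(params)
    # Parameterized query: the value is bound as data and never parsed as SQL.
    rows = db.execute("SELECT title FROM articles WHERE published = 1 AND id = ?",
                      (article_id,))
    return [row[0] for row in rows]
```

With the constructed input `0 OR 1=1`, the concatenated query returns the unpublished draft as well, while the hardened path rejects the value before any SQL runs.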
In addition, we also check whether a request comes from an external site or from direct access, which can avoid cross-site attacks to a certain extent. Even if a cross-site attack does occur, we minimize its impact:
1. In places in the back end where HTML content is displayed, use the frame security attribute security="restricted" to prevent scripts from running (valid for IE).
2. Use the HttpOnly attribute of cookies to prevent cookies from being leaked through scripts (IE6 SP1 or above, Firefox 3).
3. Authentication tickets are encrypted.
4. It is recommended to use a higher version of IE or FF.
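Three of the cross-site scripting measures described above, sketched as an added example that is not SiteFactory or Dongyi code: encoding a field that does not support HTML, marking the session cookie HttpOnly, and telling internal, external and direct requests apart by the Referer header. The function names, the cookie name and the rule that back-end actions accept only internal requests are assumptions.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def render_plain_field(user_text):
    """Encode a field that does not support HTML so markup in it is shown, not run."""
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"

def session_cookie_header(token):
    """Build a Set-Cookie value with HttpOnly so page scripts cannot read the cookie."""
    cookie = SimpleCookie()
    cookie["session"] = token              # hypothetical cookie name
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

def request_origin(referer, site_host):
    """Classify a request as 'internal', 'external' or 'direct' from its Referer."""
    if not referer:
        return "direct"                    # no Referer: typed URL, bookmark, stripped header
    # Compare the exact host name; a substring match would accept look-alike hosts.
    host = urlsplit(referer).hostname
    return "internal" if host == site_host else "external"

def allow_admin_action(referer, site_host):
    # Assumed policy: back-end actions are accepted only from the site's own pages.
    return request_origin(referer, site_host) == "internal"
```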
Netizens' Tip 3: Call on webmasters and the government to pay attention to website security and mobilize the third lock
On April 29, 2008, the General Office of the State Council issued the "Opinions of the General Office of the State Council on Several Issues Concerning the Implementation of the Regulations of the People's Republic of China on Government Information Disclosure" (Guobanfa [2008] No. 36). The document fully reflects the determination to make government affairs public, and the important channels for this disclosure are traditional paper media and government websites. However, according to CNCERT/CC monitoring, the total number of tampered websites in mainland China reached 61,228, an increase of 1.5 times compared with last year, and the number of tampered government websites in mainland China reached 3,407. In 2007, a total of 4,234 government websites in mainland China were tampered with each month.
These figures and facts show that website security has major hidden dangers, and that webmasters and the government both play an important role in addressing them. On the one hand, we call on webmasters to pay attention to website security and to build basic protection capabilities into the website's security environment, reducing the risk of being attacked by "hackers". On the other hand, we call on the government to pay attention, actively crack down on cyber hacker crimes, strengthen Internet crime legislation, and ensure the security of websites at the institutional level.