Let us explain the website security protection methods from multiple angles

1. Safety measures

     In response to hacker threats, network security administrators have taken various measures to enhance server security and ensure the normal operation of WWW services. Like email, ftp and other servers on the Internet, you can use the following methods to protect the WWW server:

     Security configuration

     To turn off unnecessary services, it is best to provide only the WWW service, install the latest patch of the operating system, upgrade the WWW service to the latest version and install all patches, configure the security recommendations of the WWW service provider, etc. These measures will be extremely Greatly provide the security of the WWW server itself.

     Firewall

     Install the necessary firewall to prevent the temptation and information collection of various scanning tools, and even block machine connections from certain IP address ranges based on some security reports, add a layer of protection to the WWW server, and also need to protect the network inside the firewall The environment is adjusted to eliminate hidden security risks of the internal network.

     Vulnerability scanning

     Use commercial or free vulnerability scanning and risk assessment tools to regularly scan the server to discover potential security issues and ensure that normal maintenance work such as upgrades or configuration changes will not cause security issues.

     Intrusion detection system

     Use the real-time monitoring capabilities of the intrusion detection system (IDS) to discover ongoing attacks and pre-attack test behaviors, and record the source of hackers and the steps and methods of attacks.

     These security measures will greatly provide the security of the WWW server and reduce the possibility of being attacked.

     Second, the website's special protection method

     Although the various security measures adopted can prevent many hackers from attacking, due to the continuous discovery of various operating system and server software vulnerabilities, the attack methods are endless, and highly skilled hackers can still break through the layers of protection and gain control of the system, thus To achieve the purpose of destroying the homepage. In this case, some network security companies have launched protection software specifically for the website, only protecting the most important content of the website-the web page. Once it detects that {protected} changes have occurred in the protected file, it will be restored. Under normal circumstances, the system first needs to back up the normal page file, and then start the detection mechanism to check whether the file is modified, and if it is modified, it needs to be restored. We analyze and compare the following aspects of technology:

     Monitoring method

     Local and remote: The detection can be running a monitoring terminal locally or another host on the network. If it is local, the monitoring process needs sufficient permissions to read the protected directory or file. If the monitoring terminal is at the remote end, the WWW server needs to open some services and give the monitoring terminal corresponding permissions. The more common way is to directly use the open WWW service of the server and use the HTTP protocol to monitor protected files and directories. You can also use other common protocols to detect and protect files and directories, such as FTP. The advantage of using the local detection method is high efficiency, while the remote method is platform independent, but it will increase the burden of network traffic.

     Timing and triggering: Most of the protection software uses the timing detection method. Whether local or remote detection is based on the time set by the system, it can also be divided into different levels, high-level detection The time interval can be set shorter to obtain better real-time performance, and the webpage file detection interval with a lower protection level is set longer to reduce the burden on the system. The trigger method is to use some functions provided by the operating system to be notified when a file is created, modified, or deleted. This method has the advantage of high efficiency, but remote detection cannot be achieved.

     Comparison method

     When judging whether a file has been modified, the files in the protected directory and the backup library are often compared, and the most common way is full text comparison. Using full text comparison can directly and accurately determine whether the file has been modified. However, the full text comparison is very inefficient when the files are large and large. Some protection software uses file attributes such as file size, creation modification time, etc. Although this method is simple and efficient, it also has serious flaws: {malicious intruder It can be carefully constructed to set the attributes of the replacement file to be exactly the same as the original file, {so that the maliciously modified file cannot be detected}. Another solution is to compare the digital signature of the file. The most common one is the MD5 signature algorithm. Due to the unforgeability of the digital signature, the digital signature can ensure that the files are the same.

     Recovery method

     The recovery method is directly related to the location of the backup inventory. If the backup inventory is stored locally, the recovery process must have permission to write to the protected directory or file. If you need to do it through file sharing or FTP at a remote location, you need a file sharing or FTP account, and the account has write permissions to the protected directory or file.

     Backup library security

     When the hacker finds that the replaced homepage will be restored soon, it will often arouse the desire for further destruction. At this time, the security of the backup library is particularly important. The security of the webpage file is transformed into the security of the backup library. One way to protect the backup library is through file hiding, so that hackers can not find the backup directory. Another method is to digitally sign the backup library. If a hacker modifies the contents of the backup library, the protection software can discover through the signature, then stop the WWW service or use a default page.

     Through the above analysis and comparison, we find that various technologies have their advantages and disadvantages, and we need to select the most suitable technical solution in combination with the actual network environment.

     3. Defects of website protection

     Although website protection software can further improve the security of the system, there are still some defects. First of all, these protection software are designed for static pages, and now dynamic pages occupy more and more scope. Although the local monitoring method can detect script files, the database used for script files is powerless.

     In addition, some attacks are not carried out against the page file. The "Red Code" that was flooded recently has used a dynamic library to modify the IIS service to achieve the purpose of attacking the page. On the other hand, the website protection software itself will increase the load of the WWW server. When the load of the WWW server is already very heavy, you must carefully plan the use plan.

     4. Conclusion

     This article discusses the commonly used protection methods of websites, analyzes and compares various technical implementations, advantages and disadvantages of the dedicated website protection software in detail, and points out their shortcomings. Although security cannot be solved by using a certain tool or certain tools, using these tools can help improve security and reduce security risks.