
Overview of event handling - PAWSS basic module 0621

2025-01-16 Update From: SLTechnology News&Howtos

Functions of the Green League (NSFOCUS) website security monitoring service

Vulnerability detection: website vulnerability scanning, security announcements

Availability detection: website stationarity detection, web page speed measurement, domain name resolution monitoring

Integrity monitoring: hanging-horse (web Trojan) monitoring, web page tampering monitoring, sensitive content monitoring

Authentication detection: phishing website monitoring

Key points: basic monitoring principles

Event handling flow

Network foundation

Stationarity module

DNS module

Tamper module

Hanging horse module

OSI reference model

The 7 layers: data format, function and connection mode, typical equipment

Application layer (application): the interface between network services and end-user applications

Presentation layer (presentation): data representation, data security, data compression

Session layer (session): establishes, manages and terminates sessions

Transport layer (transport): data is organized into segments; an addressing mechanism (the port number) identifies a specific application

Network layer (network): data format is the packet; splits and reassembles packets for different network systems and selects paths based on IP addresses; typical equipment: routers

Data link layer (data link): encapsulates the bit stream into data frames, addressed by MAC address; typical equipment: bridges, switches, network cards

Physical layer (physical): transmits the bit stream; establishes, maintains and tears down the physical link; typical equipment: optical fiber, coaxial cable

IP (IPv6) address: identifies a host on the network

Domain name: baidu.com is a primary domain name

www.baidu.com is a second-level domain name

bbs.baidu.com is a second-level domain name

DNS (Domain Name System): maps domain names to IP addresses, using iterative queries

There will be damage to the security values of different roles on the network.

Scanner product positioning

Web scanning: web applications, third-party web components, web services

System scanning: databases, applications, operating systems, basic network

Website * * - web vulnerability discovery - cross-site leakage - information disclosure - SQL injection - information theft - page tampering

How to change the status quo: web scanner

* the most fundamental basis is to discover and exploit web vulnerabilities.

Finding and fixing web vulnerabilities before * * is always the best way to get to the root of the problem.

Automatic web vulnerability checking tool: the web scanner

DoS (denial of service) is the early form of *.

DDoS (distributed denial of service) is currently the mainstream means; it mainly consumes network bandwidth and host resources, and uses hosts to initiate * *.

DDoS mainly blocks bandwidth along the path and * basic network facilities, so that legitimate users have no bandwidth and the domain name they request cannot reach the final server through DNS. Users normally reach the desired server through the DNS domain name resolution system.

Stationarity module

Hypertext Transfer Protocol (HTTP)

How HTTP works

TCP connection established - client sends request message - server sends response message - TCP connection closed

Stationarity event types: connection disconnection, connection delay, abnormal return code fluctuation

HTTP response status codes:

1xx: the request has been received; processing continues

2xx: success; the request has been successfully received

3xx: redirection; further action is required to complete the request

301: permanent redirection

302: temporary redirection

4xx: client error; the request has a syntax error or cannot be fulfilled

400 Bad Request: the client request has a syntax error

403 Forbidden: the server received the request but refuses to provide service

404 Not Found: the requested resource does not exist, e.g. an incorrect URL was entered

5xx: server-side error; the server failed to fulfil a legitimate request

500 Internal Server Error: an unexpected error occurred on the server

503 Service Unavailable: the server is currently unable to process client requests and may return to normal after a period of time
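The stationarity event types and status code classes above can be combined into a small classifier over probe results. This is an added example, not PAWSS code; the 3-second delay threshold, the two-probe minimum, the reading of "fluctuation" as frequent state changes, and the sample probes are all assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import groupby
from typing import List, Optional, Tuple

DELAY_THRESHOLD_S = 3.0   # assumed alert threshold; the page gives no value
MIN_CONSECUTIVE = 2       # assumed: a single bad probe is not yet an event

@dataclass
class Probe:
    status: Optional[int]  # HTTP status code, or None if the TCP connection failed
    elapsed_s: float       # seconds until the response headers arrived

def classify(p: Probe) -> str:
    """Map one probe to a stationarity state using the page's event types."""
    if p.status is None:
        return "connection disconnection"
    if p.status // 100 in (4, 5):          # 4xx client error, 5xx server error
        return "abnormal return code"
    if p.elapsed_s > DELAY_THRESHOLD_S:
        return "connection delay"
    return "ok"                            # 1xx/2xx, or 3xx such as 301/302

def events(probes: List[Probe]) -> List[Tuple[str, int, int]]:
    """Return (event type, first probe index, run length) for sustained problems."""
    out, idx = [], 0
    for state, run in groupby(classify(p) for p in probes):
        n = len(list(run))
        if state != "ok" and n >= MIN_CONSECUTIVE:
            out.append((state, idx, n))
        idx += n
    return out

def fluctuating(probes: List[Probe], max_changes: int = 3) -> bool:
    """Flag a window in which the state changes more than max_changes times."""
    states = [classify(p) for p in probes]
    return sum(a != b for a, b in zip(states, states[1:])) > max_changes

# Constructed sample: ten consecutive probes of a hypothetical site.
SAMPLE = [
    Probe(200, 0.4), Probe(302, 0.5), Probe(503, 0.2), Probe(503, 0.3),
    Probe(200, 0.4), Probe(None, 10.0), Probe(200, 4.2), Probe(200, 5.1),
    Probe(404, 0.3), Probe(200, 0.4),
]

if __name__ == "__main__":
    for ev in events(SAMPLE):
        print(ev)
    print("fluctuating:", fluctuating(SAMPLE))
```

Requiring two consecutive bad probes keeps a single dropped connection from raising an event, which is the same question the manual verification step answers by hand.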

Verification tools: ping, telnet, curl

ping -t <domain name / IP>: tests whether the host is alive, e.g. ping www.baidu.com, ping 172.25.254.1

telnet <hostname / IP> <port>: determines whether the port is open; on the server itself, netstat -antlpe | grep mysql (or grep 3306)

curl -v <domain name>: verbose mode, displays everything sent to the server

curl -I <domain name>: shows only the response headers

Common ports:

80: HTTP, for web browsing

443: HTTPS, HTTP with encryption for secure transmission

21: FTP, used for upload and download

23: TELNET, remote login

25: SMTP, used to send mail

8080: HTTP, for web browsing; used by WWW proxy servers

traceroute: a tool that traces the route packets take to the target host

Verification process of stationarity monitoring

Manual access, click the "verify" button

Remark requirement

Check the protocol: http, https, tcp, ping

Access directly with a browser: http, https / IE, Chrome, Firefox / WAP

View 'related events'

Auxiliary judgment tool

Key customers (mobile customers of Minsheng Bank)

Web page speed measurement monitors the loading speed of the target page's elements remotely and in real time over the network routes of the provincial operators. Once the loading speed is found to exceed the threshold set by the user, the customer is notified as soon as possible.

Web speed measurement is in effect monitoring of the web page's elements (zabbix, cacti).

Opening the web speed measurement service

Enter the authorization PAWSS-PS

Select 3 monitoring points (IDC & LastMile) for speed measurement

Add key pages for speed measurement: test customers get home page speed measurement only; at most 5 key pages

DNS module

ALIAS: alias for a domain name

NS: authoritative name server for the domain

SOA: start of authority record

MNAME (primary server): the data source server for the current zone

RNAME (mailbox of the person in charge): the mailbox of the current zone's administrator

Mail refers to the mail server.

dig command set:

dig www.126.com: queries the A record of www.126.com

dig www.126.com @212.89.34.20: queries the www.126.com records on the server 212.89.34.20

dig www.126.com +trace: traces the process of domain name resolution

Clearing the local DNS cache

ipconfig

ipconfig /?

ipconfig /all

ipconfig /displaydns: view the local DNS cache

ipconfig /flushdns: clear the local DNS cache

nslookup: resolve using a specified server

nslookup /?

nslookup -qt=<type> <target domain name> <DNS server IP or domain name>

e.g. nslookup -qt=A <domain name> 8.8.8.8

DNS monitoring and verification process

"dig" button manual dig

Remark requirement

View "related matters"

Auxiliary judgment tools (Monitoring Bao, Ali test, 17CE)

See if the domain name can be accessed properly.

Key clients (China Merchants Bank, Huaxia Fund)

Tamper module

What is tampering? Tampering = write permission

Tampering - purpose - displaying the results.

Crawlers, also known as web spiders, can grab scripts and information on the web.

Key pages: 1. found by crawler (depth crawler, pycurl; search engines google/baidu)

2. added manually

Web page tampering monitoring and verification process

Manual access; click the "View details" button; download the scene file

Remark requirement

View "related matters"

Key customers (Guoxin Securities)

Hanging horse module

Web Trojan (hanging horse) types: 1. system vulnerabilities: browser vulnerabilities, vulnerabilities in various components

2. software vulnerabilities: Flash Player, browser plug-ins, Office vulnerabilities, other application software

Create *-insert a web page * *

A virus is a special program that controls one computer through another.

* website *
