
How to do well the safety work of daily operation and maintenance

2025-04-06 Update From: SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/02 Report--

I. Active and passive discovery of vulnerabilities

"Active" here refers to what security engineers do on their own initiative; "passive" does not mean passively taking a beating, but obtaining information and defending proactively.

Because of the information asymmetry between attackers and defenders, security engineers often do not learn about intrusions, exploits and vulnerabilities first-hand.

As a result the server gets compromised and a webshell is uploaded. This concentrates in two situations:

High-risk vulnerabilities in open source programs let attackers upload a webshell, and server misconfigurations let attackers take advantage of operation and maintenance defects to upload a webshell.

Programmers write code with problems such as SQL injection, file inclusion and command execution; these are discovered and used by attackers, who again end up uploading a webshell.

Does that mean that as defenders we must passively take the beating? Of course the answer is no.

If operation and maintenance security is done well, a security check is done when the server is first brought online, and the hardened services are packaged into a hardened baseline image.

Later, outside testers are invited to conduct penetration tests to check the enterprise's security, so that the security foundation is solid.

On the active side, enterprises can use the following methods to nip attackers' ideas in the bud.

1. Proactively harden the system: resolutely eliminate weak passwords and reclaim default management consoles exposed on the public network.

(Reclaim those that can be reclaimed and put access control on those that cannot.) Also harden servers such as tomcat, jboss, resin, etc.

Avoid weak passwords, because attackers are constantly trawling the Internet for "broilers" (hosts to take over) through exactly these services.

2. Vulnerability fixing should not be limited to hardening; vulnerabilities should also be looked for actively. The production environment and web applications should be scanned regularly.

In particular, scanning of external-network ports needs to be combined with an asset inventory; without an asset inventory the scanning results will be unsatisfactory.

3. Have an in-depth understanding of the open source programs used by the enterprise, such as the web server and third-party middleware,

and pay attention to recent security issues in these applications, such as the struts vulnerabilities.

Things can still be kept under control if you find out early (get information in time by following platforms such as WooYun, Weibo, etc.).

The second point is permission control. In the struts vulnerability, struts2 running as root was the most seriously affected.

Lighter setups such as tomcat running as an unprivileged user can still be compromised,

but the user does not have permission to go further on the server, such as rm -rf /, so control of permissions should also be taken into account when hardening.

4. Passive discovery of vulnerabilities can rely on the vulnerability submissions on platforms such as WooYun to anticipate possible vulnerabilities,

combined with the third point to examine your own applications: if a vulnerability is found it is fixed quickly, and the webshell never gets uploaded by whoever would have uploaded it.

II. Monitoring is primary and analysis is secondary.

The importance of monitoring does not need to be stated; there are surveillance cameras at every angle of the city. Monitoring belongs to the in-process or post-event stage.

For example, if a person commits a crime without monitoring, it cannot be traced back; if there is monitoring, the behavior can be analyzed and traced.

The same can be done in enterprise security, by deploying behavior monitoring such as ossec to detect the behavior of intruders.

For webshell detection, pay more attention to "behavior". What is behavior? Every move is behavior: uploading files, modifying permissions,

deleting files. All of these should be recorded, and monitoring tools like ossec can do this; of course, you can also write scripts that watch the directory in real time.

Analysis is the supplement, and it can be combined from many points. For example, an attacker's injection attempts against the website are recorded in the log, and the attacker's ssh

and scanning behavior is recorded in the log too. These can be used to analyze the person's behavior, and some malicious scans can be counted as behavior.

Such behavior can be analyzed and traced. Secondly, logs need to be backed up remotely, and a big-data log analysis tool such as splunk can be used

to analyze them; remote backup also means that a user who deletes the local log can still be traced. Webshell detection can likewise be done from log

analysis, because every user operation is recorded in the log, so as long as you have sufficient log analysis ability you can find the generated webshell,

leaving the intruder nowhere to hide.

Finally, on the security of operation and maintenance: security work is in fact part of the scope of operation and maintenance, but operations staff usually cannot do this part well; that is to say, most operations staff are not deeply familiar with security.

That is why enterprises have the position of operation and maintenance security, or you can call it security operations.

Operation and maintenance security needs a wide range of knowledge to support the security of the enterprise.

A friend who works on games told me that his company has five layers of verification for ssh security!

Well, some operation and maintenance colleagues who don't pay much attention to security may ask why it needs to be so complicated.

Some companies even log in directly as root (very dangerous), and some have not even changed the default ssh port.

Personally, I don't think it's safe to do that much

(of course, it should be decided according to the specific environment of the company's business), but at least some basic security measures should be put in place!

The following is my personal summary of some methods from many years of hands-on work, introduced and shared with you!

III. Commonly used server security measures

1. Hardware firewall.

The ACL policy on the hardware firewall also determines whether a host can be reached at all.

2. Software firewall [commonly used]

For example iptables, tcpwrappers, host protection software, etc. impose further restrictions on the host itself.

3. Change the default ssh port [required]

The default is 22; it is recommended to change it to a five-digit port.

4. Passwords must meet complexity requirements to resist brute-force cracking [required]

To avoid ssh brute-force cracking, it is recommended that passwords be reasonably complex, in line with the 3/4 principle!

5. Disallow root login [required]

Disable remote root ssh login:

in /etc/ssh/sshd_config set PermitRootLogin no

Disable local root login (depending on the environment, this is not necessary):

add the line auth required pam_succeed_if.so user != root quiet

as the first line of the /etc/pam.d/login file

6. Disallow password login [commonly used]

Delete unnecessary accounts and forbid users from logging in with passwords.

7. Public key and private key authentication [commonly used]

Authenticate with an rsa 2048-bit key pair, and protect the private key with a complex passphrase.
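The sshd settings in items 3 to 7 above can be audited with a small script. This is an added example, not code from the original article: it checks the effective value of each keyword in a given sshd_config, and the two sample configs it writes are constructed; the defaults it assumes for absent keywords are those of older OpenSSH releases, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config against
# the settings items 3 to 7 call for. The file checked is a parameter; the two
# sample configs written below are constructed for the demonstration.
# Simplifications: only global keywords are read (Match blocks are ignored), and
# the defaults assumed for absent keywords are those of older OpenSSH releases.

# check_sshd_config FILE -> prints one FAIL line per bad setting, returns 0 only if all pass
check_sshd_config() {
    f="$1"; rc=0
    # effective value of a keyword: last uncommented occurrence wins, default $2 if absent
    get() { awk -v k="$1" -v d="$2" 'tolower($1)==tolower(k){v=$2} END{print (v==""?d:v)}' "$f"; }
    [ "$(get Port 22)" != "22" ]                   || { echo "FAIL Port is still 22"; rc=1; }
    [ "$(get PermitRootLogin yes)" = "no" ]        || { echo "FAIL PermitRootLogin is not no"; rc=1; }
    [ "$(get PasswordAuthentication yes)" = "no" ] || { echo "FAIL PasswordAuthentication is not no"; rc=1; }
    [ "$(get PubkeyAuthentication yes)" = "yes" ]  || { echo "FAIL PubkeyAuthentication is not yes"; rc=1; }
    return $rc
}

# constructed sample configs: one left at defaults, one hardened as the article recommends
weak_cfg=$(mktemp); hard_cfg=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\n' > "$weak_cfg"
printf '#Port 22\nPort 22022\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$hard_cfg"

check_sshd_config "$hard_cfg" && echo "hardened config: OK"
check_sshd_config "$weak_cfg" || echo "weak config: needs hardening"
```

Run it against the real file with check_sshd_config /etc/ssh/sshd_config after each change, and remember that sshd must be reloaded before a new setting takes effect.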

8. Unified authentication and login through LDAP, etc.

Centralized management of ssh accounts further improves security.

9. Rotate (cut) the secure log, filter out unsafe source IPs and raise an alarm through a script.

The secure log records the details of users logging in remotely, and you can check this log for unsafe factors.
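The "filter unsafe IPs and alarm" script from item 9 can look like the following. This is an added example, not the article's own script: it counts "Failed password" entries per source IP in a secure log and alerts on IPs at or over a threshold; the log lines it processes are constructed, and the file path and threshold are parameters you supply.

```shell
#!/bin/sh
# Added example (not from the original article): count failed ssh logins per
# source IP in the secure log and raise an alarm for IPs at or over a threshold.
# The log lines below are constructed; in production pass /var/log/secure (or
# /var/log/auth.log) and run it from cron, or on the rotated file after logrotate.

# flag_brute_force LOG THRESHOLD -> "count ip" per IP with >= THRESHOLD failures, most first
flag_brute_force() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' "$1" | sort -rn
}

# alert_brute_force LOG THRESHOLD -> one ALERT line per flagged IP; returns 1 if any,
# so a cron job can notice. Replace the echo with mail, logger or a webhook call.
alert_brute_force() {
    hits=$(flag_brute_force "$1" "$2")
    if [ -z "$hits" ]; then return 0; fi
    echo "$hits" | while read -r n ip; do
        echo "ALERT: $n failed ssh logins from $ip (threshold $2)"
    done
    return 1
}

# constructed sample of /var/log/secure: 4 failures from one IP, 1 from another, 1 key login
log=$(mktemp)
cat > "$log" <<'EOF'
Mar  3 10:01:02 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 web1 sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Mar  3 10:01:12 web1 sshd[1240]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 10:02:00 web1 sshd[1300]: Accepted publickey for ops from 198.51.100.7 port 40000 ssh2
Mar  3 10:03:30 web1 sshd[1310]: Failed password for ops from 192.0.2.9 port 42000 ssh2
EOF

alert_brute_force "$log" 3 || echo "(exit status 1: alarm raised, flagged IPs can be added to the iptables deny list)"
```

The same counting works on the rotated copy (secure-YYYYMMDD) so that the alarm covers the whole day rather than only what is in the current file.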

10. Set up a log server to monitor the secure logs and check them for unsafe factors.

A good log server can greatly reduce the administrators' workload and make management easier.
