2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
The Internet is a mixed crowd. Once a website is put online, besides ordinary users and members, there is also a group of people who covet the site's server and quietly watch it, waiting for the chance to find a loophole and take the site down in one stroke, then steal its data or turn the server into a mining machine. Server defence is therefore an aspect that cannot be ignored.
During development and operations, most companies do not deliberately pay attention to server security, nor do they hire dedicated security staff; they only realise how important the problem is after the server has been breached and they are being blackmailed. Mending the fold after the sheep are lost is better than nothing, but if we take precautions and put basic defences in place first, at least the hackers at the primary-school level will be shut out. Wouldn't that be nice?
This article only collects basic defensive measures. If the company's data is very important, you still need to engage a specialist security company to guard it.
Common means of attack
1. Attacks on the website
1.1. SQL injection
SQL injection is an old cliché and basically common sense: a backend vulnerability lets crafted SQL be carried into the program through the URL and executed by the database, with destructive results. The common case is lethal string concatenation in the backend, such as the following in Java's JDBC:
String sql = "select * from t_user where username =" + username; // the raw value is concatenated into the statement text
If the username in the URL is replaced with a malicious SQL statement, the database is in danger:
localhost:8080/testproj/queryUser?username=;drop%20t_user
MyBatis's ${} substitution is written the same way and has the same problem; use #{} instead.
1.2. Backend framework and protocol loopholes
Exploiting framework and protocol vulnerabilities targets defects in the program and the system, for example the notoriously flawed Struts2 framework, for which I have lost count of the vulnerabilities released so far. Most of them concern defects in EL expression handling that let code carried in the URL be executed. The remedy is simple: replace Struts2, or keep upgrading it. To cope, operations staff have to follow vulnerability announcements and coordinate promptly with development to update the program, which is fairly costly. It is also recommended to use a vulnerability scanner to find your website's back doors in time; Acunetix Web Vulnerability Scanner, for example, is quite easy to use.
1.3. Loopholes in program logic
This requires patience from black hats, who find these bit by bit, for example by probing the website's input validation. Take numeric validity: the front end filters input, but the backend does no parameter validation of its own. Malicious users then use F12 (the browser developer tools) or Postman to assemble AJAX requests and send illegal values such as dfa or -1ad to the backend. A program with poor robustness throws an error and dumps the exception onto the page, which instantly tells the attacker which language and framework the backend uses. Worse, program logic loopholes can be exploited for repeated submission, operations beyond the user's privileges, and similar behaviour, so developers need to pay attention.
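The following is an added example, not code from the original article. It uses Python's built-in sqlite3 module purely as a stand-in for the Java JDBC code above, because the distinction is the same in both: concatenating the value into the SQL text (the page's String sql line, or MyBatis ${}) versus binding it through a placeholder (a JDBC PreparedStatement, or MyBatis #{}). It also covers section 1.3 with a hypothetical handle_query_by_id handler that validates the numeric parameter on the backend and returns a generic error instead of an exception page. The t_user rows, the hostile input and the handler are all constructed for the example.

```python
import sqlite3

# Constructed sample data, standing in for the page's t_user table.
SAMPLE_USERS = [(1, "alice"), (2, "bob")]


def make_db():
    """In-memory SQLite database; sqlite3 is used here only as a stand-in for JDBC."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t_user (id integer primary key, username text)")
    conn.executemany("insert into t_user values (?, ?)", SAMPLE_USERS)
    return conn


def query_user_vulnerable(conn, username):
    """Same shape as the page's JDBC line: the value is pasted into the SQL text,
    so a quote character in the input becomes part of the statement."""
    sql = "select username from t_user where username = '" + username + "' order by id"
    return [row[0] for row in conn.execute(sql)]


def query_user_safe(conn, username):
    """Placeholder binding: the equivalent of a JDBC PreparedStatement or MyBatis #{}.
    The driver sends the value separately from the statement, so it can never change it."""
    sql = "select username from t_user where username = ? order by id"
    return [row[0] for row in conn.execute(sql, (username,))]


def handle_query_by_id(conn, raw_id):
    """Section 1.3: validate the parameter on the backend even if the front end already did.
    Returns an (http_status, body) pair; failures give a generic message, never a stack trace."""
    if not raw_id.isdecimal():  # rejects "dfa", "-1ad", "" and non-decimal digit characters
        return 400, "invalid id"
    row = conn.execute("select username from t_user where id = ?", (int(raw_id),)).fetchone()
    if row is None:
        return 404, "no such user"
    return 200, row[0]


def demo():
    conn = make_db()
    # Constructed hostile input: a quote that closes the string plus an always-true condition.
    hostile = "x' or '1'='1"
    return {
        "vuln_normal": query_user_vulnerable(conn, "alice"),
        "vuln_hostile": query_user_vulnerable(conn, hostile),  # every row leaks
        "safe_normal": query_user_safe(conn, "alice"),
        "safe_hostile": query_user_safe(conn, hostile),        # nothing matches
        "id_ok": handle_query_by_id(conn, "2"),
        "id_junk": handle_query_by_id(conn, "dfa"),
        "id_negative": handle_query_by_id(conn, "-1ad"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and compare the two "hostile" lines: the concatenated query returns every user, the bound query returns nothing, with the identical input. The same holds for the page's ;drop style payload in JDBC, which is why the fix is the placeholder, not a blacklist of characters.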
1.4. CSRF attacks
This method is cleverer: the black hat has to build a phishing site and be familiar with how the target site's requests are made. The principle is to exploit the cookie saved by the browser. For example, I log in to the target membership site (assume www.huiyuan.com here) and use its message function to post a phishing URL. The administrator may click it, land on the page I constructed, and trigger the request embedded in that page, which adds an administrator user:
www.huiyuan.com/account/addUser?username=god&password=123456&role=1
At this point the browser still carries the administrator's login cookie, so the action is carried out and I obtain an administrator account. Of course, a website this naive generally does not exist; it is only an analogy.
The most common preventive measure is for the request to carry a token that the server verifies. This also prevents cookie tampering, theft and similar situations, and is quite a panacea.
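As an added illustration of the token defence (not code from the original article), the Python below models the page's /account/addUser scenario with a hypothetical add_user_handler: the session store, the login function and the form rendering are all constructed stand-ins for a real web framework. The handler accepts the request only when the per-session token, which the legitimate page embeds in its form and a phishing page cannot read, matches the one stored for the cookie.

```python
import hmac
import secrets

# Constructed in-memory session store: cookie value -> session data.
SESSIONS = {}


def login(username):
    """Creates a session and issues a random per-session CSRF token alongside the cookie."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return cookie


def render_add_user_form(cookie):
    """The legitimate page embeds the token in its form; a page on another
    site never sees it, because the browser only sends the cookie across sites."""
    return {"action": "/account/addUser", "csrf_token": SESSIONS[cookie]["csrf"]}


def add_user_handler(cookie, params):
    """Hypothetical handler for the page's /account/addUser request.
    The cookie alone is not enough: the submitted token must match the session's token."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"
    supplied = params.get("csrf_token", "")
    # compare_digest compares in constant time, so a wrong token leaks no timing hint
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "csrf token missing or wrong"
    return 200, f"added user {params['username']} with role {params['role']}"


def demo():
    admin_cookie = login("admin")
    base = {"username": "god", "password": "123456", "role": "1"}
    # 1) The admin submits the real form: cookie plus the token from the page.
    form = render_add_user_form(admin_cookie)
    legit = add_user_handler(admin_cookie, {**base, "csrf_token": form["csrf_token"]})
    # 2) A phishing page triggers the same URL: the browser still attaches the cookie,
    #    but the attacker's page never saw the token, so the request lacks it.
    forged = add_user_handler(admin_cookie, dict(base))
    # 3) A guessed token is just as useless.
    guessed = add_user_handler(admin_cookie, {**base, "csrf_token": "guess"})
    return {"legit": legit[0], "forged": forged[0], "guessed": guessed[0]}


if __name__ == "__main__":
    print(demo())
```

The token must be unpredictable (secrets, not a counter or a hash of the username) and tied to the session, otherwise an attacker who obtains one token can reuse it for every victim.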
1.5. Brute force cracking
Directly using a password list to brute-force the administrator login is not technical at all. Developers can counter it with a captcha, detection of malicious attempts, and blocking of IP addresses that make too many requests.
2. Attacks on the server
2.1. Brute-forcing server and database logins
Black hats have many ways to determine the backend database; for example, as in 1.3, making the backend throw an error easily reveals which framework it uses and which database it connects to. Or they scan directly with a tool such as nmap: a target server exposing port 3306 is very probably running MySQL. Once the database type and port are confirmed, the next step is brute-forcing with a password list, and the many passwords chosen with poor security awareness fall within minutes. Scanning and finding port 22 open on the backend server likewise confirms that it runs Linux with SSH login enabled. So there are three countermeasures:
MySQL restricts which hosts an account may connect from; this can be done with ALTER USER statements. Give the root account only localhost permissions as far as possible, and use user@'%' with caution.
Do not use weak passwords; prefer passwords that mix letters, digits and special characters.
Run a brute-force protection service on the server that can lock out IPs making unauthorised access attempts or malicious operations.
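The IP lockout mentioned in both 1.5 (blocking IPs that make frequent login requests) and the third point of 2.1 comes down to the same rule: count failed logins per source address in a time window and refuse further attempts for a while once a threshold is hit. The Python below is an added example, not from the article and not any particular product; the threshold, window and lock duration are assumed values, the addresses are constructed from documentation ranges, and the clock is passed in explicitly so the sequence is reproducible.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Locks out a source IP after too many failed logins in a sliding window.
    Threshold, window and lock duration below are assumed defaults, not from the page."""

    def __init__(self, max_failures=5, window_seconds=60, lock_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock = lock_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]       # lock has expired, forget it
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """Returns 'locked', 'ok' or 'denied'. The lock is checked before the password,
        so a locked IP does not get to test further guesses at all."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)     # a real login clears the failure history
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lock
            recent.clear()
            return "locked"
        return "denied"


def demo():
    guard = LoginGuard(max_failures=3, window_seconds=60, lock_seconds=600)
    attacker, admin = "203.0.113.7", "192.0.2.10"  # constructed addresses
    results = []
    # Constructed password-list run: three wrong guesses in ten seconds, then the right one.
    for t, ok in [(0, False), (5, False), (10, False), (11, True)]:
        results.append(guard.attempt(attacker, ok, now=t))
    # The administrator logging in from another address is unaffected.
    results.append(guard.attempt(admin, True, now=12))
    # After the lock expires the address is served again.
    results.append(guard.attempt(attacker, True, now=10 + 601))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the correct password at t=11 is still refused, which is the whole point: once locked, the guard stops answering, so the attacker cannot learn whether a later guess was right. For SSH and MySQL on the server itself the same logic is usually provided by a log-watching service rather than application code, but the counting rule is identical.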
2.2. Server port vulnerabilities
With nmap it is easy to scan the ports a server exposes, such as port 139, and from there are a number of ways to infiltrate, for example:
net use \\ip\ipc$ "" /user:administrator
So the response is also very simple: turn on the firewall and open only the necessary ports; sensitive ports such as 139 and 445 should never be exposed.
2.3. Operating system vulnerabilities
Although most companies use Linux for their servers, which is much more secure, many companies (at least many that this blogger has seen) still use Windows Server, where a large number of vulnerabilities put the service in jeopardy. The response is simple and crude: apply the patches, and don't be lazy about it.
2.4. Trojan horse implantation
This is where hackers plant a Trojan directly on the server, open a back door and gain control of it. The main countermeasures are as follows:
1. Don't use the server to browse dubious websites (especially if the company's server is abroad, don't use it to get over the wall; just don't) or to download dubious files.
2. Scan removable media for viruses before connecting them to the physical machine.
3. Install appropriate security products on the server, scan for and remove Trojans regularly, and apply vulnerability patches regularly.
4. Turn on the firewall and configure the corresponding ports.
If the above points are achieved, hackers below intermediate level basically cannot get in, and even intermediate and senior hackers will have to spend a lot of effort. Of course, if the company's server holds very high-value data, it is recommended to honestly engage a security company as a bodyguard.