IIS Hosting Intrusion Prevention: 10 Frequently Asked Questions
1. How do I run an ASP script with system permissions?
In the properties of the virtual directory that holds the ASP script, set "Application Protection" to "Low". Note that "Low" runs the application inside the IIS process itself, so a compromised script then runs with that process's privileges; use it only where that is the intent.
2. How do I prevent ASP Trojans?
ASP Trojans based on the FileSystemObject component:
cacls %systemroot%\system32\scrrun.dll /e /d guests   (deny the Guests group access to the DLL)
regsvr32 scrrun.dll /u /s                             (unregister the component entirely)
ASP Trojans based on the Shell.Application component:
cacls %systemroot%\system32\shell32.dll /e /d guests  (deny the Guests group access to the DLL)
regsvr32 shell32.dll /u /s                            (unregister the component entirely)
Unregistering shell32.dll affects every COM class that DLL registers, not only Shell.Application, so the cacls deny is the gentler of the two options.
3. How do I encrypt ASP files?
Download sce10chs.exe free from Microsoft and run it to complete the installation. Installation produces screnc.exe, a command-line tool run from the DOS prompt. Running
screnc -l vbscript source.asp destination.asp
generates a new file, destination.asp, containing the encoded ASP script. Open it in Notepad and everything inside the script delimiters, comments included, has become unreadable ciphertext; Chinese characters, however, cannot be encrypted. Note that the Script Encoder is an obfuscation rather than real encryption; decoders for it are widely available, so it only protects the source from casual viewing.
4. How do I extract URLScan from IISLockdown?
iislockd.exe /q /c /t:c:\urlscan
5. How do I prevent the Content-Location header from exposing the web server's internal IP address?
Run:
cscript c:\inetpub\adminscripts\adsutil.vbs set w3svc/UseHostName True
Finally, restart IIS.
6. How do I fix the HTTP 500 internal server error?
Most IIS HTTP 500 internal errors are caused by the IWAM account password being out of sync. Synchronizing the IWAM_myserver account password with the COM+ application solves the problem.
Run:
cscript c:\inetpub\adminscripts\synciwam.vbs -v
7. How do I strengthen IIS against SYN floods?
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Enable SYN attack protection. The default value, 0, means protection is off; 1 and 2 turn it on, with 2 being the stricter level. Under level 2, whether an attack is under way is decided by the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values below, which set the conditions that trigger protection. Note that on NT 4.0 this must be set to 1: with 2, a specially crafted packet can cause the system to restart.
"SynAttackProtect"=dword:00000002
Number of half-open connections allowed at the same time. A half-open connection is a TCP session whose handshake has not completed; netstat shows them in the SYN_RCVD state. Microsoft's recommended value is 100 for Server and 500 for Advanced Server; setting it somewhat lower is recommended.
"TcpMaxHalfOpen"=dword:00000064
Trigger point for deciding that an attack is under way. Microsoft's recommended value is 80 for Server and 400 for Advanced Server.
"TcpMaxHalfOpenRetried"=dword:00000050
SYN-ACK retransmission wait. The default is 3, which takes 45 seconds to time out; 2 takes 21 seconds; 1 takes 9 seconds; the minimum, 0, does not retransmit at all and times out in 3 seconds. This value can be adjusted to the scale of the attack; Microsoft's security site recommends 2.
"TcpMaxConnectResponseRetransmissions"=dword:00000001
Number of times a TCP data segment is retransmitted. The default is 5, which takes 240 seconds to time out. Microsoft's security site recommends 3.
"TcpMaxDataRetransmissions"=dword:00000003
SYN attack protection threshold. When the available backlog reaches 0, this parameter controls whether SYN attack protection is enabled; Microsoft's security site recommends 5.
"TCPMaxPortsExhausted"=dword:00000005
Protection against IP source routing. The default value, 1, means source-routed packets are not forwarded; 0 forwards all of them; 2 drops every source-routed packet received. Microsoft's security site recommends 2.
"DisableIPSourceRouting"=dword:00000002
Maximum time a connection stays in the TIME_WAIT state. The default is 240 seconds; the minimum is 30 and the maximum 300. 30 seconds is recommended.
"TcpTimedWaitDelay"=dword:0000001e
8. How do I prevent *.mdb files from being downloaded?
Installing Microsoft's URLScan tool solves this problem at its root. URLScan is also a powerful security tool in general; more detailed information is available on the Microsoft website.
9. How do I run IIS with the smallest NTFS permissions?
Carry out the following steps in order:
a. The hard drive:
system: Full Control
administrator: Full Control
(Allow inheritable permissions from parent to propagate to this object)
b. \program files\common files:
everyone: Read & Execute
List Folder Contents
Read
(Allow inheritable permissions from parent to propagate to this object)
c. \inetpub\wwwroot:
iusr_machine: Read & Execute
List Folder Contents
Read
(Allow inheritable permissions from parent to propagate to this object)
e. \winnt\system32:
Select every directory except inetsrv and centsrv, clear the "Allow inheritable permissions from parent to propagate to this object" check box, and choose Copy when prompted.
f. \winnt:
Select every directory except downloaded program files, help, iis temporary compressed files, offline web pages, system32, tasks, temp and web, clear the "Allow inheritable permissions from parent to propagate to this object" check box, and choose Copy when prompted.
g. \winnt:
everyone: Read & Execute
List Folder Contents
Read
(Allow inheritable permissions from parent to propagate to this object)
h. \winnt\temp (allows database access and display in ASP pages):
everyone: Modify
(Allow inheritable permissions from parent to propagate to this object)
10. How do I hide the IIS version?
An attacker can simply telnet to your web port and send a command to obtain a lot of information.
The IIS banners are stored in the following DLL files:
WEB: C:\WINNT\SYSTEM32\INETSRV\W3SVC.DLL
FTP: C:\WINNT\SYSTEM32\INETSRV\FTPSVC2.DLL
SMTP: C:\WINNT\SYSTEM32\INETSRV\SMTPSVC.DLL
You can use a hex editor to modify the banner keyword in the DLL, for example Microsoft-IIS/5.0.
The specific procedure is as follows:
1. Stop IIS: iisreset /stop;
2. Delete the file of the same name in the %SYSTEMROOT%\system32\dllcache directory;
3. Make the modification.
Beginner's Corner: Several Key Measures Against DDoS Attacks
As a network administrator, have you ever faced a server paralyzed by a denial-of-service attack? In terms of network security, the intrusion most worrying and most feared is the denial-of-service attack. Unlike traditional attacks, it simulates a large number of clients connecting to the server; the server cannot complete so many client connections and is therefore unable to provide service.
I. The development of denial-of-service attacks
Denial-of-service attacks have developed considerably since they first appeared, from the early, simple DoS to today's DDoS. So what are DoS and DDoS? DoS is an attack carried out from a single computer. DDoS (Distributed Denial of Service) is a special form of denial-of-service attack built on DoS: a distributed, coordinated, large-scale attack aimed mainly at larger sites such as commercial companies, search engines and government sites. A DDoS attack uses many controlled machines to attack a single target, so the attack is fast and violent and hard to defend against, and it is far more destructive. Where an administrator could once counter DoS by filtering IP addresses, against the large number of forged addresses in today's DDoS there appears to be no such way. Preventing DDoS is therefore harder; how can we take effective countermeasures? Two aspects are introduced here.
II. Ensuring safety through prevention
DDoS is the most common means of hacker attack; some conventional ways of dealing with it are listed below.
(1) Regular scanning
Regularly scan the existing backbone nodes of the network, check for security vulnerabilities that may exist, and clean up newly discovered holes promptly. Because backbone computers have high bandwidth they are the best place for hackers to exploit, so strengthening the security of these hosts is very important. And since the nodes connected to the backbone are server-class computers, periodic vulnerability scanning becomes even more important.
(2) Firewall configuration at key nodes
The firewall itself can withstand DDoS and other attacks. When an attack is discovered, it can be directed at some sacrificial hosts so that the real host is protected. These sacrificial hosts can of course be chosen from among unimportant machines, or from Linux, Unix and other systems that have fewer vulnerabilities and are naturally good at resisting attacks.
(3) Using enough machines to withstand hacker attacks
This is an ideal response strategy. If the user has enough capacity and enough resources, then while the hacker keeps attacking and seizing the user's resources one after another, the hacker's own energy is gradually exhausted; before the user is brought down, the hacker may already be unable to continue. However, this method requires considerable capital investment, most of the equipment usually sits idle, and it does not match the actual operating situation of small and medium-sized enterprise networks today.
(4) Making full use of network equipment to protect network resources
Network equipment here means routers, firewalls and load-balancing devices, which can protect the network effectively. When the network is attacked, the router is the first to die, but the other machines do not. A dead router returns to normal after a reboot, starts up quickly, and nothing is lost. If another server died instead, some of its data would be lost, and restarting it is a long process. In particular, if a company uses load-balancing equipment, then when one router crashes under attack another takes over immediately, reducing the DDoS attack to the greatest possible extent.
(5) Filtering unnecessary services and ports
Tools such as Inexpress, Express and Forwarding can be used to filter out unnecessary services and ports, that is, to have the router filter out forged IPs. For example, Cisco's CEF (Cisco Express Forwarding) can compare a packet's source IP against the routing table and filter accordingly. Opening only the service ports actually in use has become common practice on many servers: a WWW server, for instance, opens only port 80 and closes or blocks every other port at the firewall.
(6) Checking where your visitors come from
Using Unicast Reverse Path Forwarding checks on the router and similar methods, verify by a reverse check of the IP address whether a visitor is genuine; if it is forged, it is blocked. Hackers frequently use forged IP addresses to confuse users, which makes it hard to identify where an attack comes from. Using Unicast Reverse Path Forwarding therefore reduces the appearance of forged IP addresses and helps improve network security.
(7) Filtering all RFC1918 IP addresses
RFC1918 addresses are internal-network addresses such as 10.0.0.0, 192.168.0.0 and 172.16.0.0; they are not fixed addresses of any particular segment but address regions reserved within the Internet, and they should be filtered out. This does not block access by internal staff, but it filters out the large number of attacks that use forged internal IP addresses and so also reduces DDoS attacks.
(8) Limiting SYN/ICMP traffic
Users should configure on the router the maximum bandwidth that SYN/ICMP packets may occupy, so that when SYN/ICMP traffic exceeds that threshold it indicates abnormal network access, that is, an attack. Limiting SYN/ICMP traffic early was the best way to prevent DoS; although it is not as visibly effective against DDoS, it still plays a role.
III. Seizing opportunities to respond to attacks
If a user is already under attack, what can be done against it is very limited. With no preparation against a large-volume, catastrophic attack, the network may be paralyzed before the user can react. Still, the user can seize the chance to look for a glimmer of hope.
(1) Check the source of the attack. Hackers usually attack through many forged IP addresses. The user should distinguish which IPs are real and which are forged, then find out which network segments those IPs belong to and contact the network administrators to shut those machines down, eliminating the attack at its origin. If the IP addresses come from outside rather than from inside the company, a temporary filtering method can be used to filter those addresses at the server or router.
(2) Identify the route the attacker takes and block it. If hacker attacks come through certain ports, the user can block those ports to prevent the intrusion. However, this method only works when the company network has a single exit; against DDoS from the outside it does not work, because closing the exit port would cut every computer off from the Internet.
(3) Finally, a more compromising approach is to filter ICMP at the router. Although this cannot completely eliminate the intrusion during an attack, filtering out ICMP effectively prevents the attack from escalating in scale and, to a certain extent, reduces the level of the attack.
Summary:
The network security community currently has no good way of preventing DDoS; it is mainly resisted through ongoing maintenance and scanning. The limits of purely software-based prevention are obvious, and even hardware security facilities can only reduce the level of an attack: a DDoS attack can be weakened, not completely eliminated. But if DDoS is prevented along the lines described above, the effect is still very significant, and the losses caused by attacks can be reduced to a minimum.
Seven DoS hacker attack methods outlined
Synflood: The attacker sends SYN packets with random source addresses to the destination host. After the destination replies with SYN-ACK there is no response, so the destination host keeps a large queue of connections being established for these source hosts. Because the ACK never arrives, maintaining these queues consumes a large amount of resources and the host can no longer serve normal requests.
Smurf: This attack sends a specific request (such as an ICMP echo request) to a subnet broadcast address, with the source address forged to that of the host to be attacked. Every host on the subnet responds to the broadcast request by replying to the target host, which is thereby overwhelmed.
Land: The attacker sets both the source and destination addresses of a packet to the target host's address and sends it using IP spoofing. The packet causes the target host to try to establish a connection with itself and enter an infinite loop, which greatly reduces system performance.
Ping of Death: According to the TCP/IP specification, a packet may be up to 65536 bytes long. Although a single packet cannot exceed 65,536 bytes, a packet split into multiple fragments can make the stack do so. When a host receives a packet longer than 65536 bytes it is under a Ping of Death attack, which causes the host to go down.
Teardrop: When IP packets are transmitted over the network they can be divided into smaller fragments. An attacker can send two (or more) packets to carry out a Teardrop attack: the first has offset 0 and length N, and the second has an offset less than N. To merge the fragments, the TCP/IP stack allocates disproportionately large resources, exhausting system resources or even restarting the machine.
PingSweep: Polling multiple hosts using ICMP Echo.
Pingflood: Sending a large number of ping packets to the destination host in a short time, causing network congestion or exhausting the host's resources.
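As an added illustration (not part of the original article), here is Python detection logic for the packet patterns just described (Land, Smurf, Ping of Death, Teardrop, Synflood) together with the RFC1918 source filter from part II (7); the packet records, field names and the 100-distinct-source threshold are my own constructed conventions rather than anything from the article.

```python
import ipaddress
from collections import defaultdict

# Packet records are plain dicts (constructed samples below; a real feed would come
# from a capture tool). frag_offset is in 8-byte units as in the IP header, length
# is the fragment's payload size in bytes, tcp_flags is a string such as "S" or "SA".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PAYLOAD = 65535 - 20            # largest legal IP payload: 65535 minus a 20-byte header

def classify(pkt, dst_is_broadcast=False, from_outside=True):
    """Names of the single-packet patterns described above that pkt matches."""
    hits = []
    if pkt["src"] == pkt["dst"]:                                   # Land: host talks to itself
        hits.append("land")
    if pkt.get("proto") == "icmp" and pkt.get("icmp_type") == 8 and dst_is_broadcast:
        hits.append("smurf")                                       # echo request to broadcast
    if pkt.get("frag_offset", 0) * 8 + pkt.get("length", 0) > MAX_PAYLOAD:
        hits.append("ping_of_death")                               # reassembles past 65535 bytes
    if from_outside and any(ipaddress.ip_address(pkt["src"]) in n for n in RFC1918):
        hits.append("rfc1918_source")                              # forged internal address
    return hits

def teardrop_overlap(fragments):
    """True when fragments of one datagram overlap: a first fragment at offset 0 with
    payload N and a second whose byte offset lies inside that range (Teardrop above)."""
    frags = sorted(fragments, key=lambda f: f["frag_offset"])
    return any(b["frag_offset"] * 8 < a["frag_offset"] * 8 + a["length"]
               for a, b in zip(frags, frags[1:]))

def syn_flood_targets(pkts, max_distinct_sources=100):
    """Destinations receiving bare SYNs from more than max_distinct_sources addresses,
    the signature of a Synflood that uses random source addresses."""
    sources = defaultdict(set)
    for p in pkts:
        if p.get("proto") == "tcp" and p.get("tcp_flags") == "S":
            sources[p["dst"]].add(p["src"])
    return sorted(d for d, s in sources.items() if len(s) > max_distinct_sources)

if __name__ == "__main__":
    land = {"src": "203.0.113.10", "dst": "203.0.113.10", "proto": "tcp", "tcp_flags": "S"}
    print(classify(land))                                          # ['land']
    frags = [{"frag_offset": 0, "length": 1000}, {"frag_offset": 100, "length": 200}]
    print(teardrop_overlap(frags))                                 # True
    flood = [{"src": f"198.51.100.{i}", "dst": "203.0.113.10", "proto": "tcp",
              "tcp_flags": "S"} for i in range(1, 151)]
    print(syn_flood_targets(flood))                                # ['203.0.113.10']
```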