The best shared hosting security configuration
Injection vulnerabilities, upload vulnerabilities and weak passwords are everywhere. Cross-site attacks and remote control are old topics, yet they keep coming up. Some administrators do not know how shared hosting should be configured, or are simply not familiar with it: they put every site in the same directory and then set the parent directory as the site root. Some set the directories of all sites to executable, writable and modifiable. Some, for convenience, keep QQ running on the server, and even install a BitTorrent client. Worse still, some put the Internet Guest Account into the Administrators group! Ouch! An ordinary user setting a password that is just a six-digit birthday can be forgiven, since most users are not engaged in network research and raising security awareness across China will take time, but it is hard to understand how a network administrator can act this way. Network security problems are becoming more and more prominent, and some people even boast about it, as in the recent taunt "Wanwang: I got in and played around twice!" In short, the current security situation of websites is most worrying.
Below I draw on my own past experience to examine the security problems of shared hosting configuration. A site created as cert.ecjtu.jx.cn serves as the running example for the shared hosting configuration issues discussed.
First, create Windows users
Create a separate Windows user account for each site; for this site the account is named cert. Remove the account from the Users group and add it to the Guests group. Select the two options "User cannot change password" and "Password never expires".
Second, set folder permissions
1. Set permissions on directories unrelated to the site
After Windows is installed, many directories and files can by default be browsed, viewed, run or modified by Everyone. This poses a great security risk to the server. From my own experience, these are some of the directories most commonly used during an intrusion:
C:\
D:\
...
C:\perl
C:\temp\
C:\Mysql\
C:\php\
C:\autorun.inf
C:\Documents and Settings\
C:\Documents and Settings\All Users\Start Menu\Programs\
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Documents\
C:\Documents and Settings\All Users\Application Data\Symantec\
C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere
C:\WINNT\system32\config\
C:\winnt\system32\inetsrv\data\
C:\WINDOWS\system32\inetsrv\data\
C:\Program Files\
C:\Program Files\Serv-U\
C:\Program Files\KV2004\
C:\Program Files\Rising\RAV
C:\Program Files\RealServer\
C:\Program Files\Microsoft SQL server\
C:\Program Files\Java Web Start\
The permissions on these directories and files should be restricted appropriately, for example by removing the Guests group's view, modify and execute rights. Space does not allow more than a brief mention here.
2. Set permissions on site-related directories:
A. Set site root directory permissions: create a folder for the site that belongs to the user cert just created, assumed here to be D:\cert, and set appropriate permissions: the Administrators group gets Full Control; cert gets Read & Execute, List Folder Contents and Read; all other rights are removed.
B. Set permissions on files that are updated: after the site root folder permissions in A above, the Guest user cannot change any content in the site folder. This is clearly not enough for a site that needs to be updated, so permissions have to be set separately on the files that are updated. Of course, this may be inconvenient for some shared hosting providers, since customer sites differ in which types of file content need updating. In that case a folder can be provided that is writable and modifiable. Some shared hosting providers stipulate that, under the site root, the folder uploads is for web uploads and the folder data or database is the database folder, and customers of such hosting can customize the permissions for these two folders. It can be done even better, as some web hosting providers do, by giving the customer a program that lets them set permissions themselves, although doing so costs the provider no small amount of money and manpower.
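The user and folder setup from the two sections above, written as a PowerShell script (an added example, not code from the original article). It assumes the LocalAccounts cmdlets and icacls.exe are available, the site user cert and root D:\cert from the text, an uploads subfolder as the writable one, and it grants SYSTEM as well, which the article does not mention.

```powershell
# Added example: per-site Windows account plus NTFS permissions.
# Assumptions: run elevated; user "cert", root "D:\cert", writable
# subfolder "uploads"; SYSTEM is granted in addition to the article's rules.
param(
    [string]$SiteUser  = 'cert',
    [string]$SiteRoot  = 'D:\cert',
    [string]$UploadDir = 'uploads'
)

$pw = Read-Host -AsSecureString "Password for $SiteUser"

# First: one account per site, in Guests rather than Users, password fixed.
if (-not (Get-LocalUser -Name $SiteUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $SiteUser -Password $pw `
        -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
}
Remove-LocalGroupMember -Group 'Users'  -Member $SiteUser -ErrorAction SilentlyContinue
Add-LocalGroupMember    -Group 'Guests' -Member $SiteUser -ErrorAction SilentlyContinue

# Second, A: site root. /inheritance:r drops the Everyone/Users ACEs that
# would otherwise be inherited from the drive root; then only Administrators
# (Full), SYSTEM (Full, an addition) and the site user (Read & Execute,
# which includes List Folder Contents and Read) are granted.
New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null
icacls $SiteRoot /inheritance:r `
    /grant:r 'Administrators:(OI)(CI)F' `
    /grant:r 'SYSTEM:(OI)(CI)F' `
    /grant:r "${SiteUser}:(OI)(CI)RX" | Out-Null

# Second, B: the one folder the site may write to gets Modify for the
# site user; everything else in the tree stays read-only for it.
$up = Join-Path $SiteRoot $UploadDir
New-Item -ItemType Directory -Path $up -Force | Out-Null
icacls $up /grant:r "${SiteUser}:(OI)(CI)M" | Out-Null

# Check: warn about any ACE on the root for an identity we did not grant.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
              "$env:COMPUTERNAME\$SiteUser")
(Get-Acl $SiteRoot).Access |
    Where-Object { $expected -notcontains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning "Unexpected ACE: $($_.IdentityReference) $($_.FileSystemRights)" }
```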
Third, configure IIS
Everyone should know the basic configuration, so here I only mention a few special points that need attention.
1. Home directory permissions: Read can be enabled; Write and Directory browsing should not be, and the key one is Directory browsing. Unless there are special circumstances it should be turned off, otherwise a lot of important information is exposed, which makes the attacker's job easier. Leave the rest at the defaults.
2. Application configuration: in the site properties, under Home Directory, there is a Configuration button; click it. Under Application Mappings you will see many default mappings. Keep the ones you need and remove all the unnecessary ones. During an intrusion, many programs restrict the upload of asp, php and similar files but place no restriction on cer, asa and other extensions; if the corresponding application mappings are not removed, an asp file renamed with a cer or asa suffix and then uploaded will still be parsed normally and the trojan runs. Administrators often overlook this. Also add an application extension mapping for .mdb, pointing it at an executable; this prevents a user database with the .mdb extension from being downloaded.
3. Directory security settings: in the site properties, select Directory Security, click Edit under Anonymous access and authentication control, check Allow anonymous access and click Edit. As shown below. Delete the default user, browse to select the cert user set up earlier for this site, and enter the password. You can also select "Allow IIS to control password". The purpose of this setup is to prevent trojans such as Webmaster Assistant and Ocean from browsing across sites and directories; it effectively prevents such cross-directory, cross-site intrusions.
4. Execute permissions on writable directories: turn off execute permissions on all writable directories. Because of program flaws, most of the currently popular web-page trojans are uploaded through the web upload function. If a directory is not writable, a trojan cannot be uploaded to it; if the execute permission of the writable directory is turned off, an uploaded trojan will not run. This effectively prevents this form of web intrusion.
5. Handling runtime errors: there are two approaches. First, turn off error echo: IIS Properties - Home Directory - Configuration - App Debugging - Script error messages, select "Send text error message to client". Second, custom error pages: in IIS Properties - Custom Errors, double-click the HTTP error that needs a custom page and an Error Mapping Properties dialog pops up. The message type has three values, Default, URL and File; customize according to your own circumstances. On the one hand this hides some error messages, on the other it gives a friendlier error display.
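The five IIS settings above applied to one site through the IIS metabase ADSI provider, as an added example that is not part of the original article. It assumes IIS 5/6 (or IIS 7+ with IIS 6 Metabase Compatibility installed), site ID 1, the cert user from the first section, an uploads folder as the writable one, and a placeholder list of extensions to keep.

```powershell
# Added example: IIS steps 1-5 for one site via the metabase ADSI provider.
# Assumptions: site ID 1, user "cert", writable folder "uploads"; $Keep is a
# placeholder for the mappings this particular site really needs.
param([string]$SiteId = '1', [string]$SiteUser = 'cert',
      [string]$UploadDir = 'uploads', [string[]]$Keep = @('.asp'))

$root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
$pw   = Read-Host "Password of the $SiteUser Windows account"

# 1. Home directory: Read on, Write and Directory browsing off.
$root.AccessRead = $true; $root.AccessWrite = $false; $root.EnableDirBrowsing = $false

# 2. Application mappings. Each entry is "ext,dll,flags,verbs". Anything not
#    in $Keep (.cer, .asa, .htr, .idc, ...) is dropped, so a script renamed to
#    one of those extensions is served as plain text instead of executed.
$maps = @($root.ScriptMaps) | Where-Object { $Keep -contains ($_ -split ',')[0].ToLower() }
# Map .mdb onto the same engine as .asp so the database cannot be downloaded.
$asp = @($root.ScriptMaps) | Where-Object { $_ -like '.asp,*' } | Select-Object -First 1
if ($asp) { $maps += '.mdb,' + ((($asp -split ',') | Select-Object -Skip 1) -join ',') }
$root.Put('ScriptMaps', [string[]]$maps)

# 3. Directory security: anonymous requests impersonate this site's own user,
#    so a web shell on a neighbouring site cannot read this tree.
$root.AuthAnonymous = $true
$root.AnonymousUserName = $SiteUser; $root.AnonymousUserPass = $pw
$root.AnonymousPasswordSync = $false

# 4. The writable folder: Write on, Execute and Script off, so an uploaded
#    file is stored but never run. Create the metabase node if it is only a
#    physical subfolder so far.
$upPath = "IIS://localhost/W3SVC/$SiteId/Root/$UploadDir"
$up = if ([ADSI]::Exists($upPath)) { [ADSI]$upPath } else { $root.Create('IIsWebDirectory', $UploadDir) }
$up.AccessWrite = $true; $up.AccessExecute = $false; $up.AccessScript = $false
$up.SetInfo()

# 5. Runtime errors: a fixed text instead of the script error details.
$root.ScriptErrorSentToBrowser = $false
$root.ScriptErrorMessage = 'An error occurred while processing the request.'
$root.SetInfo()

# Final check: list the extensions that are still mapped to an engine.
$root.RefreshCache()
@($root.ScriptMaps) | ForEach-Object { ($_ -split ',')[0] }
```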
Fourth, configure FTP
FTP is a service that most web hosting providers must offer; most users upload their site files via FTP. The FTP server in most common use today is Serv-U. A few points need explaining here.
1. The administrator password must be changed
Anyone fond of intrusion is surely familiar with Serv-U privilege escalation. The escalation tools work by using Serv-U's default administrator account and password, and Serv-U's administrator runs as a super administrator. If you do not change the administrator password, these tools are very easy to use; if you do change it, they cannot work straightforwardly and the attacker must first crack the administrator password.
2. Change installation directory permissions
Serv-U's default installation directory can be viewed and even modified by Everyone. If you chose at installation to store user information in an ini file, all user information can be read from ServUDaemon.ini. If Guests have modify permissions, an attacker can successfully create a super-privileged user. This is not a good thing, so after installing Serv-U, modify the permissions on the folder appropriately and remove the corresponding permissions of the Guests user.
Fifth, command-line related operations
1. Prohibit Guests from running cmd.exe:
We can remove the Guests group's right to execute cmd.exe with the following command:
cacls C:\WINNT\system32\cmd.exe /e /d guests
2. Disable the Wscript.Shell component:
Wscript.Shell can call the kernel to run basic DOS commands. The component can be renamed by modifying the registry to prevent harm from trojans of this kind. Rename HKEY_CLASSES_ROOT\Wscript.Shell\ and HKEY_CLASSES_ROOT\Wscript.Shell.1\ to other names. Also change the two CLSID values, the default value of HKEY_CLASSES_ROOT\Wscript.Shell\CLSID\ and of HKEY_CLASSES_ROOT\Wscript.Shell.1\CLSID\, or delete them.
3. Disable the Shell.Application component
Shell.Application can also call the kernel to run basic DOS commands. The component can be renamed by modifying the registry to prevent harm from trojans of this kind. Rename HKEY_CLASSES_ROOT\Shell.Application\ and HKEY_CLASSES_ROOT\Shell.Application.1\ to other names, and change or delete the default value of HKEY_CLASSES_ROOT\Shell.Application\CLSID\ and of HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\. At the same time, prevent Guest users from calling this component by denying them shell32.dll with the command:
cacls C:\WINNT\system32\shell32.dll /e /d guests
4. The FileSystemObject component
FileSystemObject performs routine file operations. It can be renamed by modifying the registry to prevent danger from trojans of this kind; the corresponding registry key is HKEY_CLASSES_ROOT\Scripting.FileSystemObject\. You can deny it to Guests or delete it directly. Considering that many upload programs use this component, for convenience changing or deleting it is not recommended here.
5. Prohibit telnet login
Open the login.cmd file in the C:\WINNT\system32 directory with Notepad, add a new line at the end of the file containing exit, and save. When a user logs in via telnet, the session will immediately and automatically quit.
Note: the operations above that modify the registry take effect after the WEB service is restarted.
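Items 1 to 3 of this section as one script, an added example rather than code from the original article. It assumes an elevated PowerShell session, uses %SystemRoot% in place of the article's C:\WINNT, and the suffix appended to the renamed ProgIDs is an arbitrary placeholder.

```powershell
# Added example: deny Guests cmd.exe and shell32.dll, then rename the
# Wscript.Shell and Shell.Application ProgIDs and blank their CLSID values.
# Assumptions: run elevated; $Suffix is a placeholder for the new names.
param([string]$Suffix = '_disabled_' + (Get-Random))

# 1. and 3. Guests may neither run cmd.exe nor load shell32.dll (same cacls
#    form as the article; cacls /e edits the ACL in place, /d adds a Deny).
foreach ($f in @("$env:SystemRoot\system32\cmd.exe",
                 "$env:SystemRoot\system32\shell32.dll")) {
    cacls $f /e /d Guests | Out-Null
}

# 2. and 3. CreateObject("Wscript.Shell") resolves ProgID -> CLSID through
#    HKCR\<ProgID>\CLSID. Renaming the key breaks that lookup; blanking the
#    CLSID default under the renamed key keeps the CLSID from being read
#    back. The old value is printed so it can be restored if needed.
$progIds = 'Wscript.Shell', 'Wscript.Shell.1', 'Shell.Application', 'Shell.Application.1'
foreach ($progId in $progIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$progId"
    if (-not (Test-Path $key)) { continue }          # already renamed or absent
    $newName = "$progId$Suffix"
    Rename-Item -Path $key -NewName $newName
    $clsid = "Registry::HKEY_CLASSES_ROOT\$newName\CLSID"
    if (Test-Path $clsid) {
        $old = (Get-ItemProperty -Path $clsid).'(default)'
        Write-Host "$progId -> $newName (CLSID was $old)"
        Set-ItemProperty -Path $clsid -Name '(default)' -Value ''
    }
}

# Check: instantiation by ProgID should now fail from a fresh process.
foreach ($progId in 'Wscript.Shell', 'Shell.Application') {
    try {
        New-Object -ComObject $progId | Out-Null
        Write-Warning "$progId is still creatable"
    } catch {
        Write-Host "$progId no longer resolves"
    }
}
```

As the article notes, restart the web service afterwards so running ASP workers pick up the registry change.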
Sixth, port settings
Ports are like the doors of a house. If all the ports on our server are open, attackers have many doors to break in through. In my opinion, closing unused ports is important. In Control Panel - Network and Dial-up Connections - Local Area Connection - Properties - Internet Protocol (TCP/IP) Properties, click Advanced to enter Advanced TCP/IP Settings, select Options, select TCP/IP filtering, and enable TCP/IP filtering. Add the necessary ports, such as 21 and 80, and close all other unused ports.
Seventh, turn off file sharing
File sharing is enabled by default; it should be turned off. In Control Panel - Network and Dial-up Connections - Local Area Connection - Properties, on the General tab, uncheck File and Printer Sharing for Microsoft Networks. Running the fewest possible services is an important principle for protecting the server: non-essential services should be shut down. System services are configured in Control Panel - Administrative Tools - Services.
Eighth, close non-essential services
Services such as Telnet and Remote Registry should be disabled. Install as little software as possible, since this avoids the security vulnerabilities that some software introduces. Some administrators install QQ on the server and use the server to keep QQ online; this is extremely wrong.
Ninth, keep up with security vulnerability patches
Applying vulnerability patches is very important for a network administrator. Keeping patches up to date further ensures the safety of the system.