Along the way, I realized that the server security problem should not be underestimated. I didn't know until I experienced it myself. Server security has also brought me long-term benefits. I hope my experience can help the original poster; helping others is also helping myself.
Here are some suggestions about security!
After running a website for a while, you always hear about some website being hacked and having a Trojan planted on it. It sounds as if planting a Trojan on a site is a very simple thing. In fact, the intrusion is not simple; it is that the necessary security measures for your website were not done well.
I. Precautions against having a Trojan planted on your site:
1. Users are advised to upload and maintain web pages through FTP, and to avoid installing an ASP upload program if possible.
2. Check the security of the website regularly. You can use some online tools, such as the sinesafe website Trojan detection tool!
In short, any file that ASP can upload must be protected by authentication!
3. The ASP program administrator's user name and password should be complicated, not too simple, and should be changed regularly.
4. Download ASP programs from reputable websites. After downloading, change the database name and storage path, and make the database file name complicated.
5. Try to keep the program up to date.
6. Don't put a link to the backend manager login page on the web page.
7. To guard against unknown vulnerabilities in the program, you can delete the login page of the backend management program after maintenance, and upload it again through FTP at the next maintenance.
8. Always back up important files, such as databases.
9. Do daily maintenance, and pay attention to whether there are unknown ASP files in the web space. Remember: security lies in being careful!
10. Once you find the site has been hacked, you should delete all the Trojan files, unless you can identify them.
11. Calls to the ASP uploader must require authentication, and only trusted people should be allowed to use the uploader. This includes all kinds of news-release, shopping-mall and forum programs.
II. Recovery measures after a Trojan has been planted:
1. Change the account password
Whether the program is commercial or not, the initial password is mostly admin. So the first thing to do when you receive the website program is to change the account password. Don't keep using the account password you are used to; change it to something special, and try to mix letters, numbers and symbols. In addition, the password should preferably be 15 characters long. If you use SQL, it should use a dedicated account and password rather than admin, or it will be easily compromised.
2. Create a robots.txt.
A robots.txt can effectively prevent hackers from using search engines to steal information.
3. Modify the backend files
Step 1: Rename the verification file in the backend.
Step 2: Modify conn.asp to prevent illegal downloading, or modify conn.asp after encrypting the database.
Step 3: Rename the Access database. The more complicated the better. If possible, also change the directory where the data is located.
4. Restrict the IP addresses allowed to log in to the backend
This method is the most effective, and every virtual host user should have this function. If your IP is not fixed, please change it every time. Safety comes first.
5. Customize the 404 page and the ASP error messages.
The 404 page lets hackers find important files in your backend in batches and check whether the web pages have injection holes.
ASP error messages may send the information the other party wants to someone you don't know.
6. Choose the website program carefully
Pay attention to whether the website program itself has vulnerabilities. You must use your own judgment here.
7. Be careful about upload vulnerabilities
It is reported that upload vulnerabilities are often the simplest and most serious, and can let hackers easily take control of your website.
You can prohibit uploading or limit the types of files that can be uploaded. If you don't know how, you can contact sinesafe, which specializes in website security.
8. Cookie protection
Try not to visit other websites while logged in, to prevent the cookie from being leaked. Remember to log out when you leave. Close all browser windows when you exit.
9. Directory permissions
Ask the administrator to set permissions on important directories to prevent abnormal access. Don't give the upload directory permission to execute scripts, and don't give non-upload directories write permission.
10. Self-test
There are many hacking tools on the Internet now, so it is necessary to find some and test whether your website is OK.
11. Daily maintenance
A. Back up data regularly, ideally once a day. After downloading the backup file, delete the backup file on the host in time.
B. Change the database name and the administrator's account password regularly.
C. Through web or FTP management, check the size, last modification time and file count of all directories; check whether any files are abnormal; and check whether there are any abnormal accounts.
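As an added example (not code from the post above, and not part of any of the programs it mentions), here is how the "limit the types of uploaded files" advice in item 7 and the "any file ASP can upload must be authenticated" rule can be turned into a server-side check. The allow-list of extensions and the list of script extensions are assumptions for an image/document site; the upload handler name `is_safe_upload_name` is hypothetical.

```python
import re
import secrets

# Assumption: the site only needs to accept a few image/document types from users.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Server-side script extensions that must never land in web-accessible space.
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa", "cer", "cdx", "php", "jsp", "shtml"}

# A file stem may only contain letters, digits, underscore and hyphen.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_safe_upload_name(filename: str) -> bool:
    """Return True only for a plain basename with exactly one allowed extension."""
    # Reject directory separators and NUL bytes so the name cannot escape the upload folder.
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    # Refuse names with more than one dot outright ("photo.asp.jpg"), so the decision
    # never depends on which extension the web server happens to honour.
    parts = filename.split(".")
    if len(parts) != 2:
        return False
    stem, ext = parts
    if not _SAFE_STEM.fullmatch(stem):
        return False
    ext = ext.lower()
    if ext in SCRIPT_EXTENSIONS:
        return False
    return ext in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> str:
    """Server-chosen name for an accepted upload: random stem, original (lowercased) extension.

    Raises ValueError if the user-supplied name was rejected by is_safe_upload_name.
    """
    if not is_safe_upload_name(filename):
        raise ValueError("rejected upload name")
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(is_authenticated: bool, filename: str) -> tuple[bool, str]:
    """Gate the uploader behind authentication first, then the name check.

    Returns (accepted, reason_or_storage_name).
    """
    if not is_authenticated:
        return False, "authentication required"
    if not is_safe_upload_name(filename):
        return False, "file type not allowed"
    return True, storage_name(filename)
```

Note that the stored name is generated by the server, so a user never controls the name under which a file is written, and the authentication check runs before anything about the file is inspected.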
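As a second added example (again not from the post, and not a tool from sinesafe or any program named above), this script does the daily check from items 9 and 11C: it records a baseline of every file under the web root, compares a later snapshot to find added, removed and modified files, and flags any server-side script sitting in an upload directory, which the directory-permission advice in item 9 says should never execute. The sample site under a temporary directory is constructed inline; the function and file names are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions the web server would execute; anything with one of these inside an
# upload directory is worth a look (assumed list for a classic ASP host).
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".php", ".jsp"}


def snapshot(web_root) -> dict:
    """Map each file's path (relative to web_root) to its SHA-256 and mtime."""
    root = Path(web_root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            rel = path.relative_to(root).as_posix()
            result[rel] = {"sha256": digest, "mtime": path.stat().st_mtime}
    return result


def save_baseline(snap: dict, path) -> None:
    """Persist a snapshot; keep this file off the web host, as item 11A says for backups."""
    Path(path).write_text(json.dumps(snap, indent=2))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots by content hash, not just mtime (mtime can be forged or preserved)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys()
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def scripts_in_upload_dirs(snap: dict, upload_dirs) -> list:
    """List script files under any of the given upload directories (relative paths)."""
    hits = []
    for rel in snap:
        for d in upload_dirs:
            prefix = d.strip("/") + "/"
            if rel.startswith(prefix) and Path(rel).suffix.lower() in SCRIPT_EXTENSIONS:
                hits.append(rel)
    return sorted(hits)


def demo() -> tuple:
    """Build a constructed sample site, take a baseline, change it, and report.

    Returns (diff, upload_dir_hits) for the constructed scenario.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "upload").mkdir()
        (root / "admin").mkdir()
        (root / "index.asp").write_text('<% Response.Write "hello" %>')
        (root / "admin" / "login.asp").write_text("<% ' admin login (constructed) %>")
        (root / "upload" / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # fake JPEG header
        baseline = snapshot(root)
        save_baseline(baseline, root / ".." / "baseline.json") if False else None  # see note below

        # Constructed changes the daily check should surface:
        (root / "index.asp").write_text('<% Response.Write "changed" %>')
        (root / "upload" / "note.asp").write_text("<% ' unexpected script in upload dir %>")
        current = snapshot(root)

        return compare(baseline, current), scripts_in_upload_dirs(current, ["upload"])


if __name__ == "__main__":
    diff, hits = demo()
    print(json.dumps(diff, indent=2))
    print("scripts in upload dirs:", hits)
```

In real use you would run `snapshot` once right after a clean deployment, store it with `save_baseline` somewhere the web server cannot write (the demo skips the write so it leaves nothing behind), and run `compare` plus `scripts_in_upload_dirs` against a fresh snapshot each day; any entry in `added` or `modified` that you did not upload yourself through FTP is the "unknown ASP file" item 9 warns about.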