Practical security settings for a dedicated web server

  
Delete the virtual directories of the default site, stop the Default Web Site, and delete the corresponding directory C:\Inetpub. Configure the settings shared by all sites: connection limits, bandwidth throttling, performance settings and so on. Configure the application mappings: remove every application extension that is not needed and keep only the asp, php, cgi, pl and aspx extensions. For php and cgi, parsing through ISAPI is recommended; parsing through an exe has an impact on both security and performance. In the application debugging settings, choose to send a text error message to the client. For databases, keep the .mdb suffix rather than renaming the file to .asp: add an extension mapping for .mdb in IIS that points at an unrelated DLL such as C:\WINNT\system32\inetsrv\ssinc.dll, so that the database file cannot be downloaded. Set the directory where IIS logs are saved and adjust which fields are logged. Set IIS to send text error messages. Replace the 403 error page and redirect it to another page so that some scanners cannot detect the server. To hide system information, the IIS banner (the version string revealed when you telnet to port 80) can also be modified: edit it by hand with WinHex, or use a tool such as banneredit.
For the directory holding a user's site, this article assumes the user's FTP root directory contains three folders, wwwroot, database and logfiles, which store the site files, the database backups and the site's logs respectively. If an intrusion occurs, specific permissions can be set on the directory holding the user site: the directory holding images is given only the List Folder Contents permission, and if the directory holding the program does not need to generate files (as a program that generates HTML does), no write permission is given. Because on a virtual host there is usually no way to make the scripts themselves more secure, the most that can be done is to use the following methods to prevent users from elevating their permissions through scripts:
ASP security settings:
After setting permissions and services, preventing ASP Trojans also requires the following. Run these commands in a cmd window:
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll
Uninstalling the WScript.Shell, Shell.Application and WScript.Network components effectively prevents ASP Trojans from executing commands through WScript.Shell or Shell.Application and from using a Trojan to view sensitive system information. Another method is to remove the Users group's permissions on the files above and restart IIS for the change to take effect; this method is not recommended, however.
FSO is different: because user programs need it, the component cannot be unregistered on the server. Only FSO prevention is mentioned here; it is not needed on a virtual-host server that opens space automatically and is only suitable for sites that are opened manually. You can set up two groups, one for sites that need FSO and one for sites that do not. Give the group that needs FSO execute permission on the file C:\WINNT\system32\scrrun.dll. Restart the server for the change to take effect.
With this setting combined with the permission settings above, you will find that the Haiyang Trojan no longer works here!
PHP security settings:
The default installation of PHP requires the following attention:
Give users only read permission on C:\winnt\php.ini. In php.ini, make the following settings:
safe_mode = On
register_globals = Off
allow_url_fopen = Off
display_errors = Off
magic_quotes_gpc = On [the default is On, but check it again]
open_basedir = <the site's web directory>
disable_functions =passthru,exec,shell_exec,system,phpinfo,get_cfg_var,popen,chmod
Change the default setting com.allow_dcom = true to false [remove the leading ';' that comments the line out before modifying it].
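As an added example (not code from the article), the following Python script audits a php.ini file against the checklist above: it parses the file, normalises the boolean spellings PHP accepts, and reports every directive that is missing, commented out or set to an unsafe value. The embedded php.ini text is a constructed sample, not a real server's file.

```python
# Added example (not from the article): audit a php.ini against the checklist above; the sample at the bottom is constructed.
RECOMMENDED = {"safe_mode": "on", "register_globals": "off", "allow_url_fopen": "off",
               "display_errors": "off", "magic_quotes_gpc": "on", "com.allow_dcom": "false"}
REQUIRED_DISABLED = {"passthru", "exec", "shell_exec", "system",   # minimum contents
                     "phpinfo", "get_cfg_var", "popen", "chmod"}   # of disable_functions
_TRUE = {"1", "on", "true", "yes"}                 # boolean spellings php.ini accepts
_FALSE = {"0", "off", "false", "no", "none", ""}

def parse_ini(text):
    """Return {directive: value} for active lines; ';' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comment and whitespace
        if not line or line.startswith("["):          # skip blanks and [Section] headers
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def _norm(value):
    v = value.lower()
    return "on" if v in _TRUE else "off" if v in _FALSE else v

def audit(text):
    """Return a list of findings; an empty list means the file matches the checklist."""
    s, findings = parse_ini(text), []
    for key, want in RECOMMENDED.items():
        got = s.get(key)                              # None: absent or commented out
        if got is None or _norm(got) != _norm(want):
            findings.append(f"{key}: expected {want}, found {got!r}")
    if not s.get("open_basedir"):
        findings.append("open_basedir: not set, scripts can read the whole disk")
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    missing = REQUIRED_DISABLED - disabled
    if missing:
        findings.append("disable_functions: still allowed " + ", ".join(sorted(missing)))
    return findings

# Constructed sample: hardened except allow_url_fopen (commented out) and chmod (not disabled).
SAMPLE_INI = """[PHP]
safe_mode = On
register_globals = Off
;allow_url_fopen = Off
display_errors = Off
magic_quotes_gpc = On
open_basedir = "D:\\wwwroot\\site1"
disable_functions = passthru,exec,shell_exec,system,phpinfo,get_cfg_var,popen
com.allow_dcom = false
"""
```

Running audit(SAMPLE_INI) reports the commented-out allow_url_fopen and the missing chmod entry; a directive written as 1 or On is treated the same.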
MySQL security settings:
If MySQL is enabled on the server, it needs the following security settings: remove all of MySQL's default users, leaving only the local root account, and give the root user a complex password. Give ordinary users only the update, delete, alter, create and drop privileges, limited to their specific database; in particular, avoid giving an ordinary customer any privileges on the mysql database. Check the mysql.user table and remove the Shutdown_priv, Reload_priv, Process_priv and File_priv privileges from users who do not need them, since these privileges can leak further server information, including information unrelated to MySQL. You can set up a dedicated startup user for MySQL that has permissions only on the MySQL directory. Set permissions on the data directory under the installation directory (this directory stores the data of the MySQL databases). On the MySQL installation directory, give users the read, list-directory and execute permissions.
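As an added example (not code from the article), the following Python script checks a listing of mysql.user against the rules above and produces the DROP USER and REVOKE statements that would fix each finding. The column names are the real mysql.user columns; the rows, account names and the tab-separated format (as printed by the mysql client with -B) are constructed for the example.

```python
# Added example (not from the article): audit a mysql.user listing against the rules
# above. The listing below is constructed, in the tab-separated form of mysql -B output.
DANGEROUS = ("Shutdown_priv", "Reload_priv", "Process_priv", "File_priv")

def parse_dump(text):
    """Turn the tab-separated query output (header row first) into a list of dicts."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in lines[1:]]

def audit_users(rows):
    """Return (finding, fix_sql) pairs; an empty list means the table is clean."""
    findings = []
    for r in rows:
        user, host = r["User"], r["Host"]
        acct = f"'{user}'@'{host}'"
        if user == "":                                   # default anonymous accounts
            findings.append((f"anonymous account {acct}", f"DROP USER {acct};"))
            continue
        if user == "root" and host != "localhost":       # only the local root may stay
            findings.append((f"remote root account {acct}", f"DROP USER {acct};"))
            continue
        if user == "root":
            continue
        held = [p for p in DANGEROUS if r.get(p) == "Y"]  # global privs an ordinary user holds
        if held:
            names = ", ".join(p[:-5].upper() for p in held)   # File_priv -> FILE
            findings.append((f"{acct} holds {names}",
                             f"REVOKE {names} ON *.* FROM {acct};"))
    return findings

def fix_script(rows):
    """SQL that applies every fix, ending with FLUSH PRIVILEGES so it takes effect."""
    return "\n".join(sql for _, sql in audit_users(rows)) + "\nFLUSH PRIVILEGES;"

# Constructed sample: a default install plus one over-privileged customer account.
SAMPLE_DUMP = """User\tHost\tShutdown_priv\tReload_priv\tProcess_priv\tFile_priv
root\tlocalhost\tY\tY\tY\tY
root\t%\tY\tY\tY\tY
\tlocalhost\tN\tN\tN\tN
shop_user\tlocalhost\tN\tN\tY\tY
blog_user\tlocalhost\tN\tN\tN\tN
"""

if __name__ == "__main__":
    print(fix_script(parse_dump(SAMPLE_DUMP)))
```

The script only reads the listing and prints SQL; review the statements before running them, since DROP USER is irreversible.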
Serv-U security issues:
Try to use the latest version of the installer, avoid the default installation directory, set permissions on the Serv-U directory, and set a complex administrator password. Modify the Serv-U banner, set the passive-mode port range (4001-4003), and make the relevant security settings in the local server settings: check anonymous passwords, disable anti-timeout scheduling, block "FTP bounce" attacks and FXP, and block for 10 minutes any user who connects more than 3 times in 30 seconds. In the domain settings: require complex passwords, use only lowercase letters for directories, and in the Advanced settings disable allowing file dates to be changed with the MDTM command.
Change the Serv-U startup user: create a new user in the system with a complex password that belongs to no group. Give this user full control of the Serv-U installation directory. When establishing the FTP root directory, you must give this user full control of the directory, because every FTP user's uploads, deletions and file changes run with this user's permissions; otherwise the files cannot be manipulated. In addition, you need to give the user read permission on the directory above the FTP root, otherwise the error "530 Not logged in, home directory does not exist" appears. For example, when testing with the FTP root directory at d:\soft, you must give the user read permission on the d: drive; for safety, then remove the inherited permissions from the other folders on the d: drive. Generally this problem does not arise when Serv-U starts under the default SYSTEM account, because SYSTEM already has these permissions.

Copyright © Windows knowledge All Rights Reserved