Security precautions: what are the "three haves" and "three musts"?
Taking the web server as an example, security measures can be applied at several levels:
1. Web code level: mainly preventing SQL injection and cross-site scripting (XSS). For ready-made code products, keep them properly patched; for code you implement yourself, carry out security audits. A WAF can be used for prevention.
2. Service framework level: mainly preventing vulnerabilities in the system itself and vulnerabilities caused by incorrect or missing configuration. Apply patches promptly and learn the appropriate security configuration. Against 0-days, deploy an IPS.
3. Traffic stress level: mainly preventing CC, DDoS and similar attacks; steer traffic through DNS or put the site behind a CDN.
DDoS attack protection ideas?
1. Use high-performance network equipment. First make sure the network equipment itself cannot become a bottleneck: when choosing routers, switches, hardware firewalls and similar devices, prefer well-known products with a good reputation. If you also have a special relationship or agreement with your network provider, so much the better: when a large attack occurs, asking them to limit traffic at the network access point is very effective against some kinds of DDoS attack.
2. Avoid NAT where possible. Whether on a router or a hardware firewall, try to avoid network address translation, because it considerably reduces network throughput. The reason is simple: NAT has to translate addresses back and forth, and each translation requires recalculating packet checksums, which wastes a lot of CPU time. Sometimes NAT has to be used, though, and then there is no way around it.
3. Ensure sufficient network bandwidth. Bandwidth directly determines the ability to withstand attacks: with only 10M of bandwidth, whatever measures are taken it is very difficult to withstand today's SYN flood attacks. At present you should have at least 100M of shared bandwidth, and the best option is of course to sit on a 1000M trunk. Note, however, that a 1000M network card in the host does not mean gigabit bandwidth: if it is connected to a 100M switch, the actual bandwidth will not exceed 100M. Likewise, being connected to a 100M link does not mean you actually have 100M of bandwidth, because the network service provider may well limit the actual bandwidth to 10M at the switch. This point must be clarified.
4. Upgrade the host server hardware. With network bandwidth assured, upgrade the hardware configuration as far as you can. To withstand 100,000 SYN attack packets per second effectively, the server should be at least: P4 2.4G / DDR 512M / SCSI-HD. CPU and memory matter most: if you have dual Xeon CPUs, use them; memory must be high-speed DDR; and for disks choose SCSI where possible rather than going for IDE just because it is cheap and adequate, or you will pay a high price in performance. The network card must be a brand-name one such as 3COM or Intel; Realtek cards are better left for your own PC.
5. Turn the site into static pages. Plenty of evidence shows that making as much of the site static as possible not only greatly improves its ability to withstand attacks but also makes intrusion much harder for attackers; at least so far, no overflow against HTML has appeared. Look at Sina, Sohu, NetEase and other portals: they are mainly static pages. If you must call dynamic scripts, move them to a separate host so that an attack does not take down the main server as well. Keeping a few scripts that make no database calls is of course acceptable. In addition, scripts that do call the database should refuse access through proxies, because experience has shown that 80% of access to your website through proxies is malicious.
6. Harden the operating system's TCP/IP stack. As server operating systems, Win2000 and Win2003 have some built-in ability to resist DDoS attacks, but it is not enabled by default. With it enabled they can withstand about 10,000 SYN attack packets; without it, only a few hundred. For how to enable it, see Microsoft's article "Strengthening TCP/IP stack security". Some may ask what to do on Linux or FreeBSD. That is easy: follow the article "SYN Cookies".
7. Install a professional anti-DDoS firewall.
8. Other defensive measures. The recommendations above suit the vast majority of users who run their own hosts. If DDoS is still a problem after taking them, things get harder: you may need to invest in more servers and add DNS round-robin or load-balancing technology, or even buy Layer 7 switching equipment, which makes the anti-DDoS capability exponentially higher, as long as the investment is deep enough.
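
For item 6 on Linux, the following added example (not part of the original article) audits the SYN-flood related kernel settings from `sysctl -a` style output. The function names, the sample data and the thresholds are illustrative assumptions.

```shell
#!/bin/sh
# Audit the Linux sysctls that govern SYN-flood behaviour.
# Input: "key = value" lines as printed by `sysctl -a`.
# Thresholds are illustrative assumptions, not values from the article.
audit_syn_sysctls() {
    awk -F'[ \t]*=[ \t]*' '
        BEGIN {
            # "min N": value must be >= N; "max N": value must be <= N
            rule["net.ipv4.tcp_syncookies"]      = "min 1"     # SYN cookies enabled
            rule["net.ipv4.tcp_max_syn_backlog"] = "min 4096"  # half-open queue size
            rule["net.ipv4.tcp_synack_retries"]  = "max 3"     # expire half-opens sooner
        }
        $1 in rule {
            seen[$1] = 1
            split(rule[$1], r, " ")
            if ((r[1] == "min" && $2 + 0 < r[2] + 0) ||
                (r[1] == "max" && $2 + 0 > r[2] + 0)) {
                printf "WEAK %s=%s (want %s %s)\n", $1, $2, r[1], r[2]
                bad++
            }
        }
        END {
            for (k in rule) if (!(k in seen)) { printf "MISSING %s\n", k; bad++ }
            exit (bad > 0)   # non-zero status when anything needs attention
        }'
}

# Constructed sample resembling an untuned host (not captured from a real system)
sample_untuned() {
    printf '%s\n' \
        'net.ipv4.tcp_syncookies = 0' \
        'net.ipv4.tcp_max_syn_backlog = 128' \
        'net.ipv4.tcp_synack_retries = 5' \
        'net.ipv4.ip_forward = 0'
}

sample_untuned | audit_syn_sysctls || echo "hardening needed"
# On a live Linux host: sysctl -a 2>/dev/null | audit_syn_sysctls
```

A flagged setting can be changed with `sysctl -w` and made persistent in `/etc/sysctl.conf`.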