What Should Internet Companies Pay Most Attention to When Building a Website?

A website is a company's business card in the internet age. For an internet company, having no website is unthinkable. That is why the first thing an internet company needs to do after it is founded is to build its official site.

So what kind of official site should an internet company build? In other words, what characteristics should an internet company's official site have?

Before building a site, an internet company needs to be clear about its goal, because the goal determines the type of site. For example, decide in advance whether you want a corporate showcase site, a product promotion site, an online store, or a news portal.

Classified by nature, site types include showcase, news, service, transaction, government, and resource sites.

Classified by function, there are brand sites, showcase sites, marketing sites, e-commerce sites, and portal sites.

1. Brand sites:

As the name suggests, the purpose of this type of site is to build a brand image, so it looks high-end and polished. Its home page is designed to highlight the company's brand, usually built around lavish large images and lively Flash animations, and it is highly interactive.

These sites are generally semi-custom or fully custom, with demanding requirements and high costs. They suit medium and large enterprises, listed companies, and other businesses that need to build a premium brand.

2. Showcase sites:

These sites mainly present products and services. Their main purpose is to host the company profile, product categories, related service cases, and so on. For example, product specifications and models let potential customers look up product information at any time.

These sites are simple and plain. They have no lavish appearance; they are simply a site that presents the company's products and services.

3. Marketing sites:

This is a type of site that companies have increasingly pursued and favored in recent years. Building a site whose layout reflects both the product user experience and sound search engine optimization rules is usually called marketing site construction. I have written about marketing sites specifically in other articles; if you are interested, you can find them on my account.

The purpose of a marketing site is to obtain sales leads directly or convert them into orders. It plays the role of a salesperson, removes the psychological barriers users face when making a decision, and gets the target customer to leave a sales lead or place an order directly. This is the advantage of marketing sites and the reason companies favor them.

4. E-commerce sites (online stores):

E-commerce sites are for companies that do e-commerce. They come with online ordering and are mainly used to sell the company's products online.

These sites contain detailed product descriptions and service information. They usually carry a large number of photos, along with a shopping cart and payment methods, mainly to make it easy for users to complete a purchase.

5. Portal sites:

Portal sites focus on presenting news and information to visitors and sharing company news and updates. Building a portal-style company site is very different from building an e-commerce company site.

[Image]

Portal-style company sites are usually built for specific customers and give them a platform for exchanging information. These sites usually carry a large amount of company resources and company service information, which clearly distinguishes them from other types of company sites.

Once you are clear about your goal, you can choose the matching type of site. But is that all? Of course not.

Think about the biggest difference between internet companies and traditional companies: a high degree of digitalization. This shows up as digital marketing, digital goods, digital storefronts, digital supply chains, and so on.

Digitalization means that most or all of your customers come from online. Users are individual records of data, not the visible people that a traditional company's customers are. Products presented online are also records of data; only when the parcel arrives and is opened can you feel its weight.

Since all of this is data, its security must be guaranteed. Website security is therefore the first issue an internet company must consider and solve when building a site.

In 2018 alone, Facebook suffered 3 large-scale user data leaks. It became the focus of the internet industry for a time, and tens of billions of US dollars of market value evaporated almost instantly.

Frankly, that cost would be enough to fund any large, elite security team on Earth, and would be more than enough to buy several fairly large security companies outright.

The current trend among internet companies worldwide is to take privacy more and more seriously, and website security in particular has been raised to a new level of importance.

The security threats and challenges internet companies currently face, and their security needs and goals, are the questions they must focus on when drawing up a website security plan that fits their own business.

Looking at the external environment, the overall security posture of the internet still carries risks and challenges. Company websites face security threats from all directions every day; network attacks, trojans and viruses, and security vulnerabilities occur from time to time. Leaks of sensitive company information and data constantly threaten a company's survival and growth.

When such a website security incident happens, it seriously harms the company's normal operations and business growth. In addition, the frequent major security incidents of recent years, once exposed by the media, have affected the development of the whole internet industry. As a result, more and more internet companies have recognized the importance of website security and have gone on to protect and upgrade the security of their sites.

So what are the main security threats and challenges internet companies face? In other words, what are the common ways websites are attacked?

The more common ones are: the cybercrime underground, external hackers, competitors, security vulnerabilities, network attacks, data leaks, and leaks of sensitive information.

Take hacker attacks as an example. There are many ways to attack a website; the ones hackers habitually use are the following:

1. Blocking attacks

The attacker seizes storage resources on the web server so that the server crashes or runs out of resources and can no longer provide service. The method used is the denial-of-service attack (Denial of Service, DoS), in which one or more people use certain tools of the network protocol suite to deny legitimate users access to the target system or information.

A successful attack leaves the target system hung, its ports stalled, and so on. The attacker can also send junk data to the web server, rename files, or delete key program files, distorting the state of the system's resources and slowing the system down.

2. File upload vulnerability attacks

When a file is uploaded through web page code and the upload path variable is not filtered strictly, a security weakness arises; this is called a website upload vulnerability. Using it, an attacker can upload a web trojan at will (such as an ASP trojan page) and, by connecting to the uploaded page, control the whole website system.

Upload vulnerability attacks are an extremely serious threat to website security: the attacker can upload an ASP trojan file directly, obtain a WEBSHELL, and from there control the whole web server.

3. Cross-site scripting attacks

The hacker inserts malicious code into the HTML of a page on a remote site; when a user downloads that page, the embedded malicious script is interpreted and executed. The most common forms of cross-site scripting attack are stealing cookies, tricking users into opening a trojan page, or writing injected script code directly into a site that has a cross-site scripting vulnerability and planting a trojan page on the site.

[Image]

4. Intrusion through weak passwords

This kind of attack first uses a scanner to detect SQL account and password information and so obtain the stored password, then uses an attack tool such as SQLEXEC to connect to the web server through port 1433, creates a system account, and logs in through port 3389.

This attack is also used together with a WEBSHELL. A typical ASP+MSSQL site usually writes the MSSQL connection password into a configuration file; a WEBSHELL can read the stored password from that configuration file, and the attacker then uploads an SQL trojan to gain control of the system.

5. Side-site (shared host) intrusion

This technique uses IP-to-domain lookup to find out how many websites are hosted on a server, picks some weakly protected sites to break into, and after gaining privileges goes on to control the other sites on the same server.

6. Other script attacks

Web server vulnerabilities are concentrated mainly in web pages. Because web programs are not written rigorously, all kinds of script vulnerabilities appear; animated-image file upload vulnerabilities and cookie spoofing vulnerabilities, for example, are script vulnerabilities.

Besides these common script vulnerabilities, there are script vulnerabilities specific to particular website programs. The most common are insufficient filtering of user-supplied input, exposure of website source code, and remote file inclusion.

The most direct consequences of these website security problems are user loss, financial loss, reputational damage, and loss of public trust. So how can the security of an internet company's website be ensured?

Look closely and you will see that most of the six most common attack methods above are directly or indirectly related to the server. So let us first look at how to secure an internet company's website at the server level.

There are two situations for servers: renting someone else's server, or buying a server from a major vendor (such as Alibaba Cloud).

I. If you rent a server from an obscure vendor, the site administrator can only put more effort into site development

1. Typical attacks mainly target the site database, so the corresponding anti-attack code needs to be added to the database connection files. For example, when reviewing the site's programs, open the ASP files that contain database operations; these are the pages that need protection. Add the relevant anti-injection code at the top of each one, and finally upload them all to the server.

2. Close the database download hole. In other words, do not let anyone download the database file, and preferably give the database file a complex name and hide it so that others cannot recognize it.

3. Preferably do not run upload or forum programs on the site, because they very easily introduce file upload vulnerabilities and other website vulnerabilities.

4. As for the back-end administration program: first, do not show a link to the administration entry on any web page, to keep hackers from attacking it. Second, the username and password must not be too simple, and they need to be changed regularly.

5. Scan the site for trojans regularly, using a dedicated trojan scanner or the detection tools built into the site program, to check whether trojans are present. Apart from the database file, you can also set all the files on the site to read-only to prevent tampering.

At this point some people will say: adding code, closing holes, and on top of that changing and checking things regularly. Building a site is tiring enough already! Can't I have some peace of mind? Is there a once-and-for-all option? There is: the second situation described above, buying an Alibaba Cloud server.

[Image]

II. If you buy an Alibaba Cloud server, security is nothing to worry about

As early as 2014, Alibaba Cloud helped a well-known game company hosted on Alibaba Cloud withstand the largest DDoS attack in the history of the global internet. The attack lasted 14 hours, and peak attack traffic reached 453.8 Gb per second.

Today, Alibaba Cloud protects more than 40% of the websites in China and defends against 50% of the country's high-volume DDoS attacks. It blocks 5 billion attacks every day and helps users fix more than 8.33 million high-risk vulnerabilities a year.

I will not go into the other performance advantages of Alibaba Cloud servers; on security and reliability alone they have advantages other providers cannot match. I will mention just two points and let you judge for yourselves:

1. It offers multiple layers of security, including virtual firewalls, role-based permission control, internal network isolation, antivirus protection, and traffic monitoring. It provides DDoS protection, trojan scanning, brute-force protection, and other services free of charge; it has passed multiple international security certifications; and ECS cloud disks support data encryption.

2. Multiple availability zones (data centers) within the same region give users very strong disaster recovery capability. Single-instance availability is 99.975%, multi-zone multi-instance availability is 99.995%, and cloud disk reliability is 99.9999999%. Automatic failover migration and snapshot backup further protect the company's services and data.

Whether you put effort into site development or spend money on upgrading the server, each approach has some drawbacks. The former is a considerable test for the site's developers and takes more time. The latter is an extra expense, which may be a burden for small and medium-sized companies.

[Image]

There is actually an even simpler way: have a reliable site-building provider build the site. One example is 雲速成美站 (Yun Sucheng Meizhan), the flagship product of Alibaba Cloud's Xinxuan site-building service. Not only do you not need to build the site yourself, you even save the cost of buying a server. It is not expensive either: the basic edition is 500 yuan/year, the standard edition 998 yuan/year, and the enterprise edition 1998 yuan/year. Most importantly, the site is secure and stable.

https://ac.aliyun.com/application/webdesign/sumei

Think about building the site yourself: hiring developers and designers alone costs tens of thousands of yuan, not counting other costs. Once the site is built, renting or buying a server is one expense. Promoting the site is another. And that does not include the staff and time spent later on operating and maintaining the site. Most importantly, there is no guarantee that the finished site will be secure.

With Alibaba Cloud's 速成美站, you do not need to buy a server; the server is included in the site-building fee. A cluster of cloud computing resources, including Alibaba Cloud servers (ECS), load balancing (SLB), cloud database (RDS), cloud storage (OSS), and network acceleration (CDN), is delivered to customers as SaaS, so that every page opens within a second while the security and stability of the internet company's website are ensured.

The least investment for the greatest return: I really cannot think of a better approach. (Images are from the internet and will be removed on request in case of infringement.)
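The file upload section above attributes upload vulnerabilities to loose filtering of the upload path variable. The following is an added example, not code from the original article, of an upload handler that closes that gap by never letting client input decide the stored path or name. The image-only policy, the size limit, and the names `store_upload`, `UploadRejected` and `demo` are assumptions made for illustration.

```python
import os
import secrets
import tempfile

# Assumed policy for this example: the site accepts images only.
# Extension -> magic bytes the file content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def store_upload(upload_root, client_name, data, max_bytes=2 * 1024 * 1024):
    """Validate an upload, write it under upload_root, return the stored path."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Drop any directory part the client sent; only the extension is kept.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(base)[1].lower()
    if "\x00" in client_name or ext not in ALLOWED:
        raise UploadRejected("file name or extension not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # The stored name is generated server-side, so nothing from the client
    # controls the path or the name the web server will later see.
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, secrets.token_hex(16) + ext))
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("destination escapes upload directory")
    # O_EXCL refuses to overwrite; mode 0o640 sets no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo():
    """Run constructed sample uploads; return {client name: outcome}."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    script = b"<% ' placeholder server-side script %>"  # constructed, inert
    samples = [
        ("logo.png", png),
        ("shell.asp", script),
        ("photo.jpg", script),          # script renamed to an image extension
        ("../../index.png", png),       # path supplied by the client
    ]
    outcome = {}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples:
            try:
                path = store_upload(root, name, data)
                inside = os.path.dirname(path) == os.path.realpath(root)
                outcome[name] = "stored inside root" if inside else "ESCAPED"
            except UploadRejected as exc:
                outcome[name] = "rejected: " + str(exc)
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name!r}: {result}")
```

The magic-byte check only confirms how the file starts, so the upload directory should also be served with script execution disabled on the web server.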