Work on the IAS - “Means of information protection. Site Protection »
Last year (when I was in the 9th grade) I wrote a paper for the Small Academy of Sciences of Ukraine, where I took 3rd place in the district, and now I decided to publish it here. I want to immediately warn you, the work is not saturated with complicated terms and those. moments, since it was written for people quite remote from IT-technologies (my work was taken by people who are clearly over 50).
Introduction
At the moment, the Internet contains many sites, portals and other Internet resources. Almost all “web designers”, administrators and owners of Internet resources are wondering - “How to protect my Internet resource from hacking, plagiarism, graphic design and more?”. Now there are many ways to attack the site and steal images, etc ... But there are also enough ways to protect the site. It is about these methods that will be discussed in this work. Here we will try to highlight some of these methods and test their performance and benefits for the site.
The purpose of this study is to prove or disprove certain types of site protection. We will highlight how to protect the site from hacker attacks, spam, and how to protect the site design from plagiarism.
')
General analysis at the time of the study.
All methods of protection were tested on a site specially made for this. It is located on the server of the company “Ucoz” which provides the site's robustness and not bad protects it from hacking. Now the so-called "Yukoz" is the most popular server for creating a website.
The hoster tech support forum has a very large number of messages about hacking sites. After a survey of owners of Internet resources, I came to the conclusion that "Yukoz" does not provide reliable protection of the site from hacking. Even the use of complex passwords and scripts does not provide complete protection. Next we look at some of the ways to protect sites from various threats. To begin, consider the protection of the site from hacker attacks. The main method of site attack by hackers is either the selection of a password to the administration system, or the complete removal of all site resources (internal files from the site root).
But in some cases, the hacker's goal is to steal the design of the site. Not experienced webmasters use simple Java scripts that block the right mouse button.
SQL Injection Protection
The easiest way to protect against SQL injection is to insert SQL query parameters with single paws ('), because it is not possible to transfer a single foot symbol via a GET-POST query (it will automatically be changed by connecting the characters - \' - tobish to be escaped).
SELECT * FROM `table_name` WHERE` param` = '$ param_name' ORDER BY `sort` ASC;
The SQL query in the case of an injection will look something like this:
SELECT * FROM `table_name` WHERE` param` = '10 union select 1,2,3 / * 'ORDER BY `sort` ASC;
Also, never save passwords in the database in clear text, be sure to bring them (for example, the function sha1). Using SQL injection it is easy to “get” data from the database, and if they are encrypted, then there is a high probability that the attacker will not be able to use them.
To ensure the confidentiality of the login and password for accessing the database, the database connection functions are best stored in a separate file and connected to each page of the site.
Also, disabling the on-screen display of errors that occurred when an incorrect request, greatly complicates the task for the attacker. To turn off error output, just write the following (for example, in the database connection file):
ini_set ('display_errors', '0');
Try to check the result of each executable request for execution and the number of records found. If this number is zero, redirects the user, for example, to the main page, this will provide good protection against SQL injections.
If your site does not contain sections in which to write and edit rows in the database, it is necessary in the user database, under which the connection to the database occurs, to disable all rights except the right to read data. By default, the database user has rights to both delete and edit. For sections of the site that require greater rights, for example, a book of reviews or a forum, you should have a separate user who will have the right to edit only a specific table. And for the content management system it is necessary to have a separate database user, as he needs full rights.
All the methods described above do not guarantee one hundred percent protection against SQL injections; however, they will prevent them in the overwhelming majority of cases.
DoS attack
Denial of service, denial of service (Eng. DoS, DDoS, (Distributed) Denial-of-service) - an attack on a computer system with the intention of making computer resources inaccessible to users for whom the computer system was intended.
One of the common methods of attack is the penetration of an attacked computer or network equipment with a large number of external requests (often meaningless or incorrectly formed) so that the attacked equipment cannot respond to its users, or responds so slowly that it becomes virtually inaccessible. In general, service failure is carried out:
§ by forcing the attacked equipment to shut down the program or equipment or to spend the available resources, so that the equipment cannot continue to work;
§ occupancy of communication channels between users and attacked equipment, so that the quality of the connection ceases to meet the requirements.
If an attack occurs simultaneously from a large number of IP addresses, then it is called distributed (DDoS).
Methods of struggle
The danger of most DDoS attacks is in their absolute transparency and “normality”. After all, if an error in the software can always be corrected, then the complete resource utilization is an almost common phenomenon. Many administrators encounter them when the resources of the machine (channel width) become insufficient, or the web site is subject to a slashdot effect. And if you cut traffic and resources for everyone, then you will be saved from DDoS, but you will lose more than half of clients.
There is virtually no way out of this situation, but the effects of DDoS attacks and their effectiveness can be significantly reduced by properly configuring the router, firewall, and constant analysis of anomalies in network traffic.
Also for the help and similar scripts, you can prohibit the selection of text. But this is not interesting, and we will not wake up in these ways. At the moment we will look at how to protect graphic images of the site.
Protection of the picture (method 1)
A “leaf” picture is created in the table. The idea is to allow the visitor of the page to save pictures, only in return he sees completely different images, for example, transparent ones. To make such a picture, you need any HTML editor, for non-hypertext markup experts it’s better to use Dreamweaver. Create a table with a single cell, the size coincides with our picture, and insert the latter as the background of the table (or cell). We insert exactly the same one more table into this table, and already at the last - a transparent gif-file (the name of the picture and the name of the transparent gif-file must be made almost the same in appearance). If this method suits you, and there is no desire to create tables with images manually, you can use a special program for creating layers - for example, Cool Page.
Protection of the picture (method 2)
The idea is to cut the picture into pieces. The image is cut into many segments, each of which is then inserted into the table. In this case, the one who wants to restore this image will have to save each segment as a separate file and then “stitch” it in one of the graphic editors. With a large number of fragments of the partition, the desire to steal a picture from someone may disappear completely. When automating such a method, you can use the automatic image cutting function found in some graphic editors. in Ulead PhotoImpact, you can cut the image into the required number of parts and save the result in HTML. This generates a table that can be exported to Dreamweaver, set up its appearance there, and then paste the resulting code into your web page.
It is necessary to pay attention to the fact that the above described methods will not save from copying pictures using the Print Screen keyboard button, therefore it is recommended to publish pictures with acceptable quality for comfortable viewing, but not acceptable for their commercial use.
Now you need to understand in more detail the protection and concealment of the source HTML code of the page. I know for myself that a page that has a large number of scripts and complex codes is of great value. For example, a script for forum-role-playing games, which, depending on the number of messages a user, gives him certain equipment. Such a script is paid, but many users try to get it for free. To view the code of the page, just use the Internet browser "Google Chrome" or "Mozilla Firefox", which provide free access to the code. From the browser "Chrome" you can try to protect the script, locking the right mouse button. But for the experienced user, this is not an obstacle. Therefore, there is a reasonably reliable way to hide your code — this is encryption of the page code.
Encryption is a very difficult task, a full description of which will take more than one article, so the ways are indicated below, the purpose is to demonstrate the basic principles and are not ready-to-use solutions.
Using the perl2exe compiler
The easiest way to protect the code is to use the perl2exe compiler (Windows), which creates a regular executable file from the code. For one of the most popular Perl scripts in RuNet, one of the options for hiding source codes was the ability to compile codes into PE-exe executable format for win32, ELF for Linux . Such a compilation utility, called Perl2Exe, is provided by a third-party company IndigoStar Software .
In this case, the most elementary way (and most often used) is to encrypt the program, put it into a variable, and at the end put the decryptor. But, despite the fact that the authors of the Perl2Exe utility do not provide its source codes, therefore, it is impossible to find the engineering password in automatic mode, even with the help of various hacker programs. And talking about the cryptographic strength of such encryption is meaningless, since the key to the cipher is located next to the cipher itself. (That will only increase the size of your encrypted page). This program change can be easily stopped.
Remove syntax characters and add fragments.
The most interesting are irreversible changes to the code. Part of this is the removal of all line breaks, comments, extra brackets and spaces from the code - in general, everything is “unnecessary”, which was there only to improve readability. This is only partially irreversible, since some editors can automatically arrange line breaks and tabs.
You can insert meaningless chunks in the code that do nothing (most often this method is used in combination with the removal of "unnecessary").
Ideally, these meaningless chunks should be diverse and similar to the code surrounding them in order to make them harder to recognize.
The last and perhaps the easiest way to encrypt webmaster sites.
Encryption of HTML code using the service www.ph4.ru/wm_html2js.ph4 , which turns all non-Latin symbols of HTML code (except dots, commas, question marks and colons) into UNICODE character codes.
Example:
Original:
In UNICODE:
In the same place, the service issues an final code that is inserted into your page:
But this way has its drawbacks - some Internet users sometimes turn off the support of the Java script in the browser, and therefore the page is encoded in such a way that it will not be displayed.
Also quite large is the problem of protecting graphic images of a site or design elements, and in some cases the whole design. I personally always try to protect my work, which I expose to free access to the network. At the moment, among Internet users are dominated by people whose age is from 10 to 35 years. A very large number of young site administrators want to have the design of another site they like. At the moment, almost no one protects their Internet projects with copyrights, because it takes time and money. Therefore, if you are not a very well-known designer, and your work has been redone — it’s measured, you can never prove anything to anyone — it has also been tested on your own experience. All designs put copyrights below. Therefore, their script is not a secret to anyone. One way to save copyright is to use a simple java script, which we will now discuss.
The problem of protecting our pages is that we write in the client language, which is accessible to everyone ... Of course, the script outlined below will not save if a person understands JavaScript a little, but some percentage of copyrights still remain in place. The code tried to make it less understandable, noticeable and voluminous.
Underline the so-called selector. In the absence of which, the template will refuse to work and will forward the users to the main page of the author of the template.
Selector settings:
Record format: tag_name [parameter_name = "value"]
eg:
a [href = " www . *******. en /"]
img [src = "logo link "]
But, as mentioned above, it does not always help.
Also a lot of important protection cascading style sheet site. Cascading Style Sheets (Cascading Style Sheets or CSS for short) is a special language used to display pages written in data markup languages. Most often, CSS is used for the visual presentation of pages written in HTML and XHTML, but the CSS format can be applied to other types of XML documents.
Now we will look at an example of protecting a table from being copied.
Funny and fast, you can hide your CSS.
This is not even a script, this is most likely an idea for a hidden css style sheet.
If you go to my page source code (main page + ctrl + u), then having climbed all the code, you will not find anything!
Now let's see how to do it.
Go to your CSS and copy it completely.
Then on the desktop, create a text document and paste there what
Copied in my CSS.
Save as: 1cc2s1.css
Then fill in your file manager.
Now go to the CSS Style Sheet and erase everything and paste it:
"KCC is not here to write your best"
Save ...
After you upload the CSS to the file manager, copy the link and
replace the text: HERE YOUR CSS on your:
Code
/>
Then go to this site: studioweb.boom.ru/kod_html1.htm
Paste That code with a link to your CSS that you have already filled. And code. (We have already considered the coding method)
After you get the code.
Take only content from it. And that is only the code.
Example:
We take only
You insert your own!
And paste into a new text document. Keep the like: jquery1.0.1.js
And upload to your file manager.
Everything, now the one who tries to view and copy your code, will see only the inscription “do not have KCC here, write your best”, for a person who wanted, as the saying goes “on the ball” your code, this will be a great surprise!
Also at times for advertising their resources, unscrupulous site owners go into SPAM on other sites that are better known.
Spam (eng. Spam) - mass mailing of advertising or other correspondence to people who have not expressed a desire to receive it. Formerly, the term "spam" refers to promotional emails, and is listed on sites.
There are many programs in this for Simplified spam mailing, so sending messages to a large number of sites is quite difficult. Therefore, to send spam using programs that are now a very large number. Some mail services, such as Mail.ru, Rambler, Gmeil, scramble to fight spam in their own ways, for example, they make black lists of addresses and websites, messages from which are automatically transferred to a special SPAM folder. But since there are programs for sending spam, then there are ways to protect against this. Now we consider the program for sending spam.
Programs for mass mailing of letters deliver letters simultaneously in several streams and can work several times faster than a regular mail client. At the same time, they are not affected by the restrictions of the provider's mail server, neither on the number nor on the amount of letters sent through them. The programs for mass mailing have a built-in SMTP mail server, thanks to which you can create a mailing letter in any format and in any mail program - even in Microsoft Outlook, even in TheBat. It can also serve as remailers for any other program for the mass distribution of letters or the mail server (for example, GroupMailer or Eserv). The remailers function — the ability to send emails directly — will prove to be particularly useful for mobile users, since they will not need to change the settings in the accounts in the email program every time they find themselves on another network.Spam mailing programs support mailing lists of any format, including those imported on the fly from a database on SQL query (even from Microsoft Excel document, even from Microsoft Access, even from Microsoft SQL Server), Windows address books. The presented mailing programs allow you to perform anonymous mailings through a Socks5 proxy, hiding the sender's IP address. But as already mentioned, there are ways to combat spam. Always when registering at various sites, a special system asks you to enter a code from an image, the so-called “protection against robots. Protection against SPAM is divided into two types:
1. With the participation of the user.
2. Automatic.
Now we will consider both methods in more detail.
Ways of protection that require action from the user.
I think that the anti-spam system on the CAPTCHA website (pronounced “captcha”) is not necessary. You probably saw “distorted” characters (numbers, letters) on forums, guest books, when registering new users, sending SMS via the Internet, which must be recognized and entered from the keyboard, thereby proving that you are not a bot.
Captcha is a computer test used to determine whether a user of a Web site is a person or a computer.
There is a concept of "weak captcha" and "steady captcha". The weak captchas include those that have a fixed font, a fixed position of characters, no noise, etc. That is, those that bot software is easier to recognize.
The main idea of captcha- test: to offer the user such a task, which he will easily cope with, but, the computer will not be able to solve it, or for him it will be a daunting task.
Captcha is most often used when it is necessary to prevent the use of Internet services by spam bots, for example, to prevent automatic sending of messages, registration, downloading files, adding comments to the guest book, sending SMS, etc.
Captcha is one of the most popular anti-spam tools. This method is used by large Internet services, including Google, MSN, Yandex, etc.
How does the classical CAPTCHA (general scheme) work?
In scripts (for example, in PHP), “secret” text is randomly generated and stored on the server using a session. Then a picture (captcha) with this text is created and displayed by means of a programming language. It is important that the “secret” text does not get knocked (got) from the data transmitted by the browser, just by the picture.
The user, when submitting the form on the website, must enter this “secret” text in the field.
In a script that modifies a Web form, the correspondence of the transmitted field with the session value is checked. If the values are equal, the script continues; an entry is added to the guest book or a new user is registered.
The effectiveness of a captcha depends on the complexity of creating an algorithm for its recognition, and on the popularity of this or that protection. Since trying to break even a primitive, but unusually protected site with an average attendance, most likely, no one will.
Disadvantages of most captchas:
Modern bots have “learned” to recognize even distorted characters and thus crack the defense.
CAPTCHA forces the user to tense up, filling the extra field.
Captcha creates an almost impassable barrier for people with poor eyesight and color blindness.
Sometimes the picture with the text is so distorted that not only the bot, but also a person with normal vision is not able to make out what needs to be entered. The situation will escalate if the Web form is already filled out, for example, with a large amount of data and it is impossible to disassemble the “secret” text. It is a pity to refresh the page, but what to do, is necessary. Although Web-craftsmen have found a way out of this situation. Created captchas that allow you to restore the number (or rather the image) using JavaScript without updating the entire page and, accordingly, without losing the fields (filled with such difficulty).
Is it hard to bypass the captcha protection?
Captcha is not a 100% reliable method of protection. But is there such a thing? There are several ways to circumvent it. For this purpose, OCR programs (OCR programs) can be used.
The brightest representative of such programs is FineReader. Oskilky has the ability to connect modules with FineReader to third-party programs for image recognition.
However, in most cases, you can bypass the captcha protection even without using OCR. For example, hire people to guess. Or organize the so-called. The “lemmings” method, where many real people take part in the captcha recognition process: spammers re-view the picture from the site that they want to break to a special site with high traffic, where to access information (most often of pornographic content) a person decides captcha and reports the result to spammers (not directly, but by entering text from a picture in a special field.
Ideas captchas that differ from the classic version.
These include audio captchas, math problems, word problems, object recognition, etc.
As an alternative, mathematical tasks can be used (for example, customers who wish to leave a comment, the script asks to solve a simple problem: “how much is 2 plus 5.”
This method is a good solution, but can provide decent protection only because of its novelty and low popularity .Naspravdi, do arithmetic computer does best person for the person performing in the minds of action can be tedious and relatively difficult task.
Word problems.
The visitor back site This is a question that he must answer (for example, on the blog laset.infoI met the question: "Capital of Ukraine?"). As a rule, the answer can be entered in the field or selected from the list. The advantage of this idea is that the check is available for people with visual impairments. Disadvantages of the idea: the user must be proficient in the language which the question is asked, besides the number of questions is the ending, so the attacker can form the basis with the answers.
CAPTCHA tests using graphic images of various objects are currently recognized as the most advanced. The essence of such a test is that before sending data from a form, the user needs to select from the list of pictures those depicting wildlife, cats, or something else. In this case, the order of selecting the correct images may be important or not important. Since bots cannot distinguish between images, this captcha test is a highly effective anti-spam tool. This implementation of protection against spam is very promising, since it is less annoying to the user. This type of captcha can be seen, for example, on the site www.kyivstar.net (Kyivstar mobile operator) when sending SMS messages.
Ways that do not require action from the user.
These methods of protection are more user-friendly to the site visitor than all sorts of captchas and therefore, when they are used, the convenience of using the site for clients increases. The system can both limit the number of requests, and try to distinguish a person from a bot by indirect signs of behavior. Indirect signs and "indirect", do not provide a guarantee, but only increase the likelihood that the bot "will not pass."
The main difference between a bot program from a person is the approach to the Web page as in a sequence of text and tags, whereas an ordinary person sees the final result (visual image) and the page code is of little interest to it.
Most of the methods that do not require active actions from the user when sending a Web form, based on the fact that the average bot, unlike a full-fledged browser, is not trained to interpret CSS, JavaScript, Flash, etc.
Limit the frequency of messages.
The essence of the method: it is necessary to ensure that from the same IP address there are no more than, for example, ten messages per minute. Since the visitor is unlikely to be able to write intelligent thoughts with such frequency. Note that this trick does not eliminate spam, but only reduces its volume. It makes sense when it is impossible to force a user to solve a captcha, but to defend himself. Dealing with the number of requests from a single IP address is a fairly simple method, but with sufficient preparedness of the attacker.
Locking by form loading time.
Protection can be blocked when processing messages for the time elapsed between the form loading and sending it - a person, unlike a bot, will obviously take some time to enter data (which is usually more than 1-2 seconds).
Block messages by keywords.
The filter usually works like this: messages that have indecent words, offensive, abusive phrases, etc. are not allowed for publication.
Changing the names of fields that are involved in data transfer.
Most spam robots are looking for fields with standard names on the page, for example, “name”, “email”, “mail”, etc ... In order to deliver some awkwardness to the bot, it is better to call the fields outside the box. You can, for example, call the "email" field "name", and "name" - "email", in the hope that the bot will decide on the essence of the fields by the name attribute of the tag.
Creating bait fields.
Since the spam bot is looking for the “name”, “email” and similar fields, why not give it to him. We create a hidden field, not hidden, but, for example, hidden by means of CSS. An ordinary visitor does not see the field and naturally do not fill it. Spam Robot will fill this field. The form should be processed only if the field hidden by us is empty. Among the bait fields, there should usually be fields that the user saw, but they should be given non-standard names.
Blocking messages to fit the screen
This method of protection works according to a simple scheme: if, when programmed, the visitor does not have dimensions (width, height) of the screen, the bot tries to send the form, so it should not be processed.
Building a form with JavaScript
This method makes the analysis of the form even more difficult: the bot needs to find and execute JavaScript code to see the field that needs to be filled. You can, for example, hide a field in JavaScript code like this: And then on the server side you should check if $ _POST ['antis'] exists and that it is 1104.
However, I repeat: indirect methods are by definition less effective than captcha. The fight against most of these methods is quite simple: once the bot program should be shown how to act in a given situation, and all - rake spam on the site.
Also, to protect the site from plagiarism, there is another way-the translation of the entire code page, that is, the page itself in Flash. For imprudent users, these barriers will not be passable, but there are also hacking methods for this method. Gedyo expensive flash file can be downloaded on your computer, for help and special programs. Then, also with help and special decompilers, you can “disassemble” the flash movie into an image, video, codes, etc ...
Conclusions.
After checking and testing all the methods of protecting sites described in this paper, I came to the conclusion that they all have their pros and cons. Some of them provide less, and the latter are more useful for protecting the site.
But, not one of the ways can not protect the site at 100%. For users with a certain experience in the Internet, and creating a website, it will not be a big problem to bypass them all. For example, to bypass the lock of the right mouse button, you just need to disable support for the Java script in the browser settings. And when using encryption, users with java disabled will not display the page. After all, no one now can hundred percent protect and protect their site from plagiarism, and theft of material from it. But, more reliable is a flash site, it is quite difficult to copy. Ordinary "user" of the Internet can not do this.
But such sites are loaded longer than usual, and they work worse. People with charged Internet, and small schwikistoy such sites do not open Ged.
Therefore, if your site is “stolen”, evil ”or have done anything with it, it’s better to stand up, because you cannot prove to anyone that this is it. And the prosecutor's office of Ukraine is not engaged in the investigation of plagiarism, or the intentional "damage" of your site. Personally, I use only the CTML code encoders, and the right mouse key lock. Spam protection is provided by the hoster, and nothing more is needed.
The list of sources of information used:
1. General methods of protection of sites [Electronic resource] - Access mode: kadaj.by.ru/protect.shtml
2. Copyright protection [Electronic resource] - Access mode: www.thebeststudio.ru
3. Captcha [Electronic resource] - Access Mode: mycodes.in.ua/archives/398
4. Technical ways to protect the site [Electronic resource] - Access mode: www.seonews.ru/masterclasses/detail/29849.php
5. Protection against SQL injection [Electronic resource] - Access mode:
www.kadaweb.ru/papers/ 5.php
6. Protection against DDoS attacks [Electronic resource] - Access mode:
xaknet.ru
7. Protection against SPAM [Print] - hacktools.ru/book/hack-book/29-zashhita-informacii-v-ofise .html
(c) Ilya Markelov. Kiev-2011.
Introduction
At the moment, the Internet contains many sites, portals and other Internet resources. Almost all “web designers”, administrators and owners of Internet resources are wondering - “How to protect my Internet resource from hacking, plagiarism, graphic design and more?”. Now there are many ways to attack the site and steal images, etc ... But there are also enough ways to protect the site. It is about these methods that will be discussed in this work. Here we will try to highlight some of these methods and test their performance and benefits for the site.
The purpose of this study is to prove or disprove certain types of site protection. We will highlight how to protect the site from hacker attacks, spam, and how to protect the site design from plagiarism.
')
General analysis at the time of the study.
All methods of protection were tested on a site specially made for this. It is located on the server of the company “Ucoz” which provides the site's robustness and not bad protects it from hacking. Now the so-called "Yukoz" is the most popular server for creating a website.
The hoster tech support forum has a very large number of messages about hacking sites. After a survey of owners of Internet resources, I came to the conclusion that "Yukoz" does not provide reliable protection of the site from hacking. Even the use of complex passwords and scripts does not provide complete protection. Next we look at some of the ways to protect sites from various threats. To begin, consider the protection of the site from hacker attacks. The main method of site attack by hackers is either the selection of a password to the administration system, or the complete removal of all site resources (internal files from the site root).
But in some cases, the hacker's goal is to steal the design of the site. Not experienced webmasters use simple Java scripts that block the right mouse button.
SQL Injection Protection
The easiest way to protect against SQL injection is to insert SQL query parameters with single paws ('), because it is not possible to transfer a single foot symbol via a GET-POST query (it will automatically be changed by connecting the characters - \' - tobish to be escaped).
SELECT * FROM `table_name` WHERE` param` = '$ param_name' ORDER BY `sort` ASC;
The SQL query in the case of an injection will look something like this:
SELECT * FROM `table_name` WHERE` param` = '10 union select 1,2,3 / * 'ORDER BY `sort` ASC;
Also, never save passwords in the database in clear text, be sure to bring them (for example, the function sha1). Using SQL injection it is easy to “get” data from the database, and if they are encrypted, then there is a high probability that the attacker will not be able to use them.
To ensure the confidentiality of the login and password for accessing the database, the database connection functions are best stored in a separate file and connected to each page of the site.
Also, disabling the on-screen display of errors that occurred when an incorrect request, greatly complicates the task for the attacker. To turn off error output, just write the following (for example, in the database connection file):
ini_set ('display_errors', '0');
Try to check the result of each executable request for execution and the number of records found. If this number is zero, redirects the user, for example, to the main page, this will provide good protection against SQL injections.
If your site does not contain sections in which to write and edit rows in the database, it is necessary in the user database, under which the connection to the database occurs, to disable all rights except the right to read data. By default, the database user has rights to both delete and edit. For sections of the site that require greater rights, for example, a book of reviews or a forum, you should have a separate user who will have the right to edit only a specific table. And for the content management system it is necessary to have a separate database user, as he needs full rights.
All the methods described above do not guarantee one hundred percent protection against SQL injections; however, they will prevent them in the overwhelming majority of cases.
DoS attack
Denial of service, denial of service (Eng. DoS, DDoS, (Distributed) Denial-of-service) - an attack on a computer system with the intention of making computer resources inaccessible to users for whom the computer system was intended.
One of the common methods of attack is the penetration of an attacked computer or network equipment with a large number of external requests (often meaningless or incorrectly formed) so that the attacked equipment cannot respond to its users, or responds so slowly that it becomes virtually inaccessible. In general, service failure is carried out:
§ by forcing the attacked equipment to shut down the program or equipment or to spend the available resources, so that the equipment cannot continue to work;
§ occupancy of communication channels between users and attacked equipment, so that the quality of the connection ceases to meet the requirements.
If an attack occurs simultaneously from a large number of IP addresses, then it is called distributed (DDoS).
Methods of struggle
The danger of most DDoS attacks is in their absolute transparency and “normality”. After all, if an error in the software can always be corrected, then the complete resource utilization is an almost common phenomenon. Many administrators encounter them when the resources of the machine (channel width) become insufficient, or the web site is subject to a slashdot effect. And if you cut traffic and resources for everyone, then you will be saved from DDoS, but you will lose more than half of clients.
There is virtually no way out of this situation, but the effects of DDoS attacks and their effectiveness can be significantly reduced by properly configuring the router, firewall, and constant analysis of anomalies in network traffic.
Also for the help and similar scripts, you can prohibit the selection of text. But this is not interesting, and we will not wake up in these ways. At the moment we will look at how to protect graphic images of the site.
Protection of the picture (method 1)
A “leaf” picture is created in the table. The idea is to allow the visitor of the page to save pictures, only in return he sees completely different images, for example, transparent ones. To make such a picture, you need any HTML editor, for non-hypertext markup experts it’s better to use Dreamweaver. Create a table with a single cell, the size coincides with our picture, and insert the latter as the background of the table (or cell). We insert exactly the same one more table into this table, and already at the last - a transparent gif-file (the name of the picture and the name of the transparent gif-file must be made almost the same in appearance). If this method suits you, and there is no desire to create tables with images manually, you can use a special program for creating layers - for example, Cool Page.
Protection of the picture (method 2)
The idea is to cut the picture into pieces. The image is cut into many segments, each of which is then inserted into the table. In this case, the one who wants to restore this image will have to save each segment as a separate file and then “stitch” it in one of the graphic editors. With a large number of fragments of the partition, the desire to steal a picture from someone may disappear completely. When automating such a method, you can use the automatic image cutting function found in some graphic editors. in Ulead PhotoImpact, you can cut the image into the required number of parts and save the result in HTML. This generates a table that can be exported to Dreamweaver, set up its appearance there, and then paste the resulting code into your web page.
It is necessary to pay attention to the fact that the above described methods will not save from copying pictures using the Print Screen keyboard button, therefore it is recommended to publish pictures with acceptable quality for comfortable viewing, but not acceptable for their commercial use.
Now you need to understand in more detail the protection and concealment of the source HTML code of the page. I know for myself that a page that has a large number of scripts and complex codes is of great value. For example, a script for forum-role-playing games, which, depending on the number of messages a user, gives him certain equipment. Such a script is paid, but many users try to get it for free. To view the code of the page, just use the Internet browser "Google Chrome" or "Mozilla Firefox", which provide free access to the code. From the browser "Chrome" you can try to protect the script, locking the right mouse button. But for the experienced user, this is not an obstacle. Therefore, there is a reasonably reliable way to hide your code — this is encryption of the page code.
Encryption is a very difficult task, a full description of which will take more than one article, so the ways are indicated below, the purpose is to demonstrate the basic principles and are not ready-to-use solutions.
Using the perl2exe compiler
The easiest way to protect the code is to use the perl2exe compiler (Windows), which creates a regular executable file from the code. For one of the most popular Perl scripts in RuNet, one of the options for hiding source codes was the ability to compile codes into PE-exe executable format for win32, ELF for Linux . Such a compilation utility, called Perl2Exe, is provided by a third-party company IndigoStar Software .
In this case, the most elementary way (and most often used) is to encrypt the program, put it into a variable, and at the end put the decryptor. But, despite the fact that the authors of the Perl2Exe utility do not provide its source codes, therefore, it is impossible to find the engineering password in automatic mode, even with the help of various hacker programs. And talking about the cryptographic strength of such encryption is meaningless, since the key to the cipher is located next to the cipher itself. (That will only increase the size of your encrypted page). This program change can be easily stopped.
Remove syntax characters and add fragments.
The most interesting are irreversible changes to the code. Part of this is the removal of all line breaks, comments, extra brackets and spaces from the code - in general, everything is “unnecessary”, which was there only to improve readability. This is only partially irreversible, since some editors can automatically arrange line breaks and tabs.
You can insert meaningless chunks in the code that do nothing (most often this method is used in combination with the removal of "unnecessary").
Ideally, these meaningless chunks should be diverse and similar to the code surrounding them in order to make them harder to recognize.
The last and perhaps the easiest way to encrypt webmaster sites.
Encryption of HTML code using the service www.ph4.ru/wm_html2js.ph4 , which turns all non-Latin symbols of HTML code (except dots, commas, question marks and colons) into UNICODE character codes.
Example:
Original:
script language="JavaScript1.2">
if (document.all) document.body.onmousedown = new Function ("if
(Event.button == 2 | | event.button == 3) alert (' ') ")
In UNICODE:
% 3Cscript% 20language% 3D% 22JavaScript1.2% 22% 3E% 0D% 0A% 0D% 0Aif% 20% 28documen
t.all% 29% 20document.body.onmousedown% 3Dnew% 20Function% 28% 22if% 20% 28event.butt
on% 3D% 3D2% 7C% 7Cevent.button% 3D% 3D3% 29alert% 28% 27% u041F% u0440% u0435% u04
34% u0443% u043F% u0440% u0435% u0436% u0434% u0430% u044E% u0449% u0438% u0439%
20% u0442% u0435% u043A% u0441% u0442% 27% 29% 22% 29% 0D% 0A% 0D% 0A% 3C/script%
3E
In the same place, the service issues an final code that is inserted into your page:
But this way has its drawbacks - some Internet users sometimes turn off the support of the Java script in the browser, and therefore the page is encoded in such a way that it will not be displayed.
Also quite large is the problem of protecting graphic images of a site or design elements, and in some cases the whole design. I personally always try to protect my work, which I expose to free access to the network. At the moment, among Internet users are dominated by people whose age is from 10 to 35 years. A very large number of young site administrators want to have the design of another site they like. At the moment, almost no one protects their Internet projects with copyrights, because it takes time and money. Therefore, if you are not a very well-known designer, and your work has been redone — it’s measured, you can never prove anything to anyone — it has also been tested on your own experience. All designs put copyrights below. Therefore, their script is not a secret to anyone. One way to save copyright is to use a simple java script, which we will now discuss.
The problem of protecting our pages is that we write in the client language, which is accessible to everyone ... Of course, the script outlined below will not save if a person understands JavaScript a little, but some percentage of copyrights still remain in place. The code tried to make it less understandable, noticeable and voluminous.
Underline the so-called selector. In the absence of which, the template will refuse to work and will forward the users to the main page of the author of the template.
Selector settings:
Record format: tag_name [parameter_name = "value"]
eg:
a [href = " www . *******. en /"]
img [src = "logo link "]
But, as mentioned above, it does not always help.
Also a lot of important protection cascading style sheet site. Cascading Style Sheets (Cascading Style Sheets or CSS for short) is a special language used to display pages written in data markup languages. Most often, CSS is used for the visual presentation of pages written in HTML and XHTML, but the CSS format can be applied to other types of XML documents.
Now we will look at an example of protecting a table from being copied.
Funny and fast, you can hide your CSS.
This is not even a script, this is most likely an idea for a hidden css style sheet.
If you go to my page source code (main page + ctrl + u), then having climbed all the code, you will not find anything!
Now let's see how to do it.
Go to your CSS and copy it completely.
Then on the desktop, create a text document and paste there what
Copied in my CSS.
Save as: 1cc2s1.css
Then fill in your file manager.
Now go to the CSS Style Sheet and erase everything and paste it:
"KCC is not here to write your best"
Save ...
After you upload the CSS to the file manager, copy the link and
replace the text: HERE YOUR CSS on your:
Code
/>
Then go to this site: studioweb.boom.ru/kod_html1.htm
Paste That code with a link to your CSS that you have already filled. And code. (We have already considered the coding method)
After you get the code.
Take only content from it. And that is only the code.
Example:
We take only
document.write (unescape ("% 3Clink% 20type% 3D% 22text/css% 22% 20rel% 3D% 22StyleSheet%
22% 20href% 3D% 22% u0422% u0423% u0422% 20% u0412% u0410% u0428% u0415% 20CSS% 22% 20 /% 3E "));
You insert your own!
And paste into a new text document. Keep the like: jquery1.0.1.js
And upload to your file manager.
/>
Everything, now the one who tries to view and copy your code, will see only the inscription “do not have KCC here, write your best”, for a person who wanted, as the saying goes “on the ball” your code, this will be a great surprise!
Also at times for advertising their resources, unscrupulous site owners go into SPAM on other sites that are better known.
Spam (eng. Spam) - mass mailing of advertising or other correspondence to people who have not expressed a desire to receive it. Formerly, the term "spam" refers to promotional emails, and is listed on sites.
There are many programs in this for Simplified spam mailing, so sending messages to a large number of sites is quite difficult. Therefore, to send spam using programs that are now a very large number. Some mail services, such as Mail.ru, Rambler, Gmeil, scramble to fight spam in their own ways, for example, they make black lists of addresses and websites, messages from which are automatically transferred to a special SPAM folder. But since there are programs for sending spam, then there are ways to protect against this. Now we consider the program for sending spam.
Programs for mass mailing of letters deliver letters simultaneously in several streams and can work several times faster than a regular mail client. At the same time, they are not affected by the restrictions of the provider's mail server, neither on the number nor on the amount of letters sent through them. The programs for mass mailing have a built-in SMTP mail server, thanks to which you can create a mailing letter in any format and in any mail program - even in Microsoft Outlook, even in TheBat. It can also serve as remailers for any other program for the mass distribution of letters or the mail server (for example, GroupMailer or Eserv). The remailers function — the ability to send emails directly — will prove to be particularly useful for mobile users, since they will not need to change the settings in the accounts in the email program every time they find themselves on another network.Spam mailing programs support mailing lists of any format, including those imported on the fly from a database on SQL query (even from Microsoft Excel document, even from Microsoft Access, even from Microsoft SQL Server), Windows address books. The presented mailing programs allow you to perform anonymous mailings through a Socks5 proxy, hiding the sender's IP address. But as already mentioned, there are ways to combat spam. Always when registering at various sites, a special system asks you to enter a code from an image, the so-called “protection against robots. Protection against SPAM is divided into two types:
1. With the participation of the user.
2. Automatic.
Now we will consider both methods in more detail.
Ways of protection that require action from the user.
I think that the anti-spam system on the CAPTCHA website (pronounced “captcha”) is not necessary. You probably saw “distorted” characters (numbers, letters) on forums, guest books, when registering new users, sending SMS via the Internet, which must be recognized and entered from the keyboard, thereby proving that you are not a bot.
Captcha is a computer test used to determine whether a user of a Web site is a person or a computer.
There is a concept of "weak captcha" and "steady captcha". The weak captchas include those that have a fixed font, a fixed position of characters, no noise, etc. That is, those that bot software is easier to recognize.
The main idea of captcha- test: to offer the user such a task, which he will easily cope with, but, the computer will not be able to solve it, or for him it will be a daunting task.
Captcha is most often used when it is necessary to prevent the use of Internet services by spam bots, for example, to prevent automatic sending of messages, registration, downloading files, adding comments to the guest book, sending SMS, etc.
Captcha is one of the most popular anti-spam tools. This method is used by large Internet services, including Google, MSN, Yandex, etc.
How does the classical CAPTCHA (general scheme) work?
In scripts (for example, in PHP), “secret” text is randomly generated and stored on the server using a session. Then a picture (captcha) with this text is created and displayed by means of a programming language. It is important that the “secret” text does not get knocked (got) from the data transmitted by the browser, just by the picture.
The user, when submitting the form on the website, must enter this “secret” text in the field.
In a script that modifies a Web form, the correspondence of the transmitted field with the session value is checked. If the values are equal, the script continues; an entry is added to the guest book or a new user is registered.
The effectiveness of a captcha depends on the complexity of creating an algorithm for its recognition, and on the popularity of this or that protection. Since trying to break even a primitive, but unusually protected site with an average attendance, most likely, no one will.
Disadvantages of most captchas:
Modern bots have “learned” to recognize even distorted characters and thus crack the defense.
CAPTCHA forces the user to tense up, filling the extra field.
Captcha creates an almost impassable barrier for people with poor eyesight and color blindness.
Sometimes the picture with the text is so distorted that not only the bot, but also a person with normal vision is not able to make out what needs to be entered. The situation will escalate if the Web form is already filled out, for example, with a large amount of data and it is impossible to disassemble the “secret” text. It is a pity to refresh the page, but what to do, is necessary. Although Web-craftsmen have found a way out of this situation. Created captchas that allow you to restore the number (or rather the image) using JavaScript without updating the entire page and, accordingly, without losing the fields (filled with such difficulty).
Is it hard to bypass the captcha protection?
Captcha is not a 100% reliable method of protection. But is there such a thing? There are several ways to circumvent it. For this purpose, OCR programs (OCR programs) can be used.
The brightest representative of such programs is FineReader. Oskilky has the ability to connect modules with FineReader to third-party programs for image recognition.
However, in most cases, you can bypass the captcha protection even without using OCR. For example, hire people to guess. Or organize the so-called. The “lemmings” method, where many real people take part in the captcha recognition process: spammers re-view the picture from the site that they want to break to a special site with high traffic, where to access information (most often of pornographic content) a person decides captcha and reports the result to spammers (not directly, but by entering text from a picture in a special field.
Ideas captchas that differ from the classic version.
These include audio captchas, math problems, word problems, object recognition, etc.
As an alternative, mathematical tasks can be used (for example, customers who wish to leave a comment, the script asks to solve a simple problem: “how much is 2 plus 5.”
This method is a good solution, but can provide decent protection only because of its novelty and low popularity .Naspravdi, do arithmetic computer does best person for the person performing in the minds of action can be tedious and relatively difficult task.
Word problems.
The visitor back site This is a question that he must answer (for example, on the blog laset.infoI met the question: "Capital of Ukraine?"). As a rule, the answer can be entered in the field or selected from the list. The advantage of this idea is that the check is available for people with visual impairments. Disadvantages of the idea: the user must be proficient in the language which the question is asked, besides the number of questions is the ending, so the attacker can form the basis with the answers.
CAPTCHA tests using graphic images of various objects are currently recognized as the most advanced. The essence of such a test is that before sending data from a form, the user needs to select from the list of pictures those depicting wildlife, cats, or something else. In this case, the order of selecting the correct images may be important or not important. Since bots cannot distinguish between images, this captcha test is a highly effective anti-spam tool. This implementation of protection against spam is very promising, since it is less annoying to the user. This type of captcha can be seen, for example, on the site www.kyivstar.net (Kyivstar mobile operator) when sending SMS messages.
Ways that do not require action from the user.
These methods of protection are more user-friendly to the site visitor than all sorts of captchas and therefore, when they are used, the convenience of using the site for clients increases. The system can both limit the number of requests, and try to distinguish a person from a bot by indirect signs of behavior. Indirect signs and "indirect", do not provide a guarantee, but only increase the likelihood that the bot "will not pass."
The main difference between a bot program from a person is the approach to the Web page as in a sequence of text and tags, whereas an ordinary person sees the final result (visual image) and the page code is of little interest to it.
Most of the methods that do not require active actions from the user when sending a Web form, based on the fact that the average bot, unlike a full-fledged browser, is not trained to interpret CSS, JavaScript, Flash, etc.
Limit the frequency of messages.
The essence of the method: it is necessary to ensure that from the same IP address there are no more than, for example, ten messages per minute. Since the visitor is unlikely to be able to write intelligent thoughts with such frequency. Note that this trick does not eliminate spam, but only reduces its volume. It makes sense when it is impossible to force a user to solve a captcha, but to defend himself. Dealing with the number of requests from a single IP address is a fairly simple method, but with sufficient preparedness of the attacker.
Locking by form loading time.
Protection can be blocked when processing messages for the time elapsed between the form loading and sending it - a person, unlike a bot, will obviously take some time to enter data (which is usually more than 1-2 seconds).
Block messages by keywords.
The filter usually works like this: messages that have indecent words, offensive, abusive phrases, etc. are not allowed for publication.
Changing the names of fields that are involved in data transfer.
Most spam robots are looking for fields with standard names on the page, for example, “name”, “email”, “mail”, etc ... In order to deliver some awkwardness to the bot, it is better to call the fields outside the box. You can, for example, call the "email" field "name", and "name" - "email", in the hope that the bot will decide on the essence of the fields by the name attribute of the tag.
Creating bait fields.
Since the spam bot is looking for the “name”, “email” and similar fields, why not give it to him. We create a hidden field, not hidden, but, for example, hidden by means of CSS. An ordinary visitor does not see the field and naturally do not fill it. Spam Robot will fill this field. The form should be processed only if the field hidden by us is empty. Among the bait fields, there should usually be fields that the user saw, but they should be given non-standard names.
Blocking messages to fit the screen
This method of protection works according to a simple scheme: if, when programmed, the visitor does not have dimensions (width, height) of the screen, the bot tries to send the form, so it should not be processed.
Building a form with JavaScript
This method makes the analysis of the form even more difficult: the bot needs to find and execute JavaScript code to see the field that needs to be filled. You can, for example, hide a field in JavaScript code like this: And then on the server side you should check if $ _POST ['antis'] exists and that it is 1104.
<Form action ="..." name = "addMsg" method = "post">
However, I repeat: indirect methods are by definition less effective than captcha. The fight against most of these methods is quite simple: once the bot program should be shown how to act in a given situation, and all - rake spam on the site.
Also, to protect the site from plagiarism, there is another way-the translation of the entire code page, that is, the page itself in Flash. For imprudent users, these barriers will not be passable, but there are also hacking methods for this method. Gedyo expensive flash file can be downloaded on your computer, for help and special programs. Then, also with help and special decompilers, you can “disassemble” the flash movie into an image, video, codes, etc ...
Conclusions.
After checking and testing all the methods of protecting sites described in this paper, I came to the conclusion that they all have their pros and cons. Some of them provide less, and the latter are more useful for protecting the site.
But, not one of the ways can not protect the site at 100%. For users with a certain experience in the Internet, and creating a website, it will not be a big problem to bypass them all. For example, to bypass the lock of the right mouse button, you just need to disable support for the Java script in the browser settings. And when using encryption, users with java disabled will not display the page. After all, no one now can hundred percent protect and protect their site from plagiarism, and theft of material from it. But, more reliable is a flash site, it is quite difficult to copy. Ordinary "user" of the Internet can not do this.
But such sites are loaded longer than usual, and they work worse. People with charged Internet, and small schwikistoy such sites do not open Ged.
Therefore, if your site is “stolen”, evil ”or have done anything with it, it’s better to stand up, because you cannot prove to anyone that this is it. And the prosecutor's office of Ukraine is not engaged in the investigation of plagiarism, or the intentional "damage" of your site. Personally, I use only the CTML code encoders, and the right mouse key lock. Spam protection is provided by the hoster, and nothing more is needed.
The list of sources of information used:
1. General methods of protection of sites [Electronic resource] - Access mode: kadaj.by.ru/protect.shtml
2. Copyright protection [Electronic resource] - Access mode: www.thebeststudio.ru
3. Captcha [Electronic resource] - Access Mode: mycodes.in.ua/archives/398
4. Technical ways to protect the site [Electronic resource] - Access mode: www.seonews.ru/masterclasses/detail/29849.php
5. Protection against SQL injection [Electronic resource] - Access mode:
www.kadaweb.ru/papers/ 5.php
6. Protection against DDoS attacks [Electronic resource] - Access mode:
xaknet.ru
7. Protection against SPAM [Print] - hacktools.ru/book/hack-book/29-zashhita-informacii-v-ofise .html
(c) Ilya Markelov. Kiev-2011.
Source: https://habr.com/ru/post/128119/
All Articles