--,.------
EO THONG TIN vA TRUYEN THONG CONG HOA xA HOI CHiT NGHIA VII::T NAM DQc qp -T\I' Do - Hl}.nh Phuc S6:'u5J1BTTTT-VNCERT Ha NQi, ngay • V/v Huang dful dam bao an toan thong : /\p C8AJj S:'~~G'lGrf~P CAOSJ Vi~TNAM tin cho cac C6ng/Trang thOng tin di~n t\r 'IAN PliCl,G Dill J,tN"A NO: ~. s6: .2.-.4.6 . T';ProAN CON~ ~PCSYN DEN Ngay:.OLLi.o.1.-1. .' eJ!. Aj0.,t N "'-I. "/I'<'~~""..•••••••••.•Cac Bi), COquan ngang Bi), COquan trvc thui)c C phu. nr~(c)N) iJE N~y:!l1..W~.ILUBND cac tinh, thanh ph5 trvc thui)c Trung uang, Chuy~n:....I(
1. PH~M VI VA DOl TU<}NG A.P DT)NG
1.1. Phl].m vi lip d\lng Tai li~u hu6ng dfin nay duQ'c xay d\)11gnh~m m\lc dich cung dp nhfrng kiSn thuc va chi dfin ky thu~t co bi'm vS vi~c dam bao an toan thong tin (ATTT) d6i vai h~ th6ng ph~n Ctrng va ph~n rnSrn thuQc ci'>ng/trang thOng tin di~n tu (TTDT), cac yeu du thiSt l~p h~ th6ng phong thll va bao v~, qua d6 giup cac don vi quan Iy c6ng/trang TTDT c6 thS danh gia muc dQ ATTT va Iva chQn giai phap pM hqp nh~rn xay d\)11grnQtc6ng/trang TTDT an toano
1.2. Dbi tU"qng lip d\lng Cic c6ng/trang TTDT clla cac co quan nM nuac va cac doanh nghi~p dUQc khuySn cao t6 chuc thvc hi~n ap d\lng t6i da cac bi~n phap nay trong diSu ki~n C\lthS cho phep.
2. TONG QUAN VE CA.C BIJ):N PHA.P KY THU~T CO BAN DAM BAo ATTT CHO CONG/TRANG TTDT MQt trng d\lng web n6i chung hay c6ng/trang TTDT n6i rieng khi triSn khai duQ'c tren rn~ng Internet ngoai ySu t6 rna ngu6n trng dl,mg web, con c6 nhfrng thanh ph~n khac nhu: may chll ph\lc V\l web, h~ quan tri co sa dfr li~u,... Do v~y, rnQt c6ng/trang TTDT an toan doi hoi ban than rna ngu6n clla c6ng phai duQ'c I~p trinh an toan, tranh cac 16i bao rn~t xay ra tren trng d\lng web va cac thanh ph~n b6 trQ'nhu may chll ph\lc Y\l web va h~ quan tri co sa dfr li~u cho trng d\lng d6 cling phai dam bao an toano Cac bi~n phap dam bao ATTT cho c6ng/trang TTDT dn duQ'c triSn khai cho tow bQ cac thanh ph~n clla c6ng/trang TTDT, bao g6rn cac nQi dung sau (xern hinh 1):
I ": :l ( , 1 ~. '~," ,~l .1 ~t •, .r .
. "i~ • al•• {,..-:-t ~ ". ',&y,',/"':' I ,J - -H';rrng dh dam baoA.•..IT cho cAng 'nOT " '1 .~ f I <
, L ~, h~9 ~.I-~ 4 ~ I '\ Thi~t dilt, vn, cdu J ""II hnnh ling I' Thi~td~lva "f';:f'ffJf t;;Y.!", *~.,~'-'I:~.~ 4_, _ hlnh h~thon" d\l,Iigll'eb.n Ii du hlnh Clr sO' .~.J.';~';-'\ t- .',...:.:•.•• mal' chit an toan loan . it +' /, \ . ",:";t •. ~_~!/~~'.: • . J dii' Ii~uan tonn ~,- "' ' . J (~;t-i ~;(;.., ,~,",' ~ j < .l( ••") ': c. ;-.: . v :{ "jf~ j . .3t " ". r;' . .,' I .•. ... N ~ ~_ Xae djnh eliu Tri~1Ikhai h~ Mal' chli I Ki0m tra hO:,11 I Cilld~tcae ling true web thAh" phiJlI" thii Linux Thi~t I"p cO' eh~ 1 dQ,ng wcb an " d\lng blio v~ sao Itru vii ph \Ie hAi ..I loan r . ,::;------/, Phan IO\li M:iyehi, >... ITa chile m~']', I' . .,cau true wcb \. 1Windows Khac ph\IC L C" ch~",10 lUll )11 hlnh Ill\lng ; "I c:ic 16i phIl I. ~ri i 'T'h¥'~ '. hlrr ]5' ... . _. , May chli web bi~ntren web ti- CO' eh.! phVe h6i II Cac IMnh ("'r-- .. '::',:;, l' t- $,*.''' ~. I • Hinh 1. N9i dung &im bao AT1T cho cong/trang TTDT . • ::'1 -I - xac djnh du truc web: giup nguai quan trj xac djnh dugc rna hinh thi~t k~ web cua don vi, qua do co bi~n phap t6 chtrc rna hinh web hgp ly, tranh dugc cac ~~ na.ng t~n co~g leo thang d~c q~y€n. ,~- . -, Trien'khai h~ t~ong phOng thn:, gam hai nOi dung chinh la ~J.':;~~ ,hjnh 'm~hg ITgifly va to chtrc cac h~ thong phong thu, giup n~aj~,uil.n.!!:l,.,c:{)':"i ~ ,,~~', :'cach nhin t6ng quan v€ toan bO rna hinh m~~bYFg!trflng*[~DT cua minh, •qua do t6 chtrc rna, hinh ,m~~J1gpdy ~~~lr t~;et.~~?:~h~ th~ng p~ong t~u quan trQng nhu tU~~[1~et b! phat hl~n/phong, chong xam nh~p (IDS/IPS), tUSm8 3 3, NOI DUNG cAe BI:tN PHAp KY THU~ T co BAN DAM BAo ATTT ~ 3.1. Xae dinh du true eua web ,. " . .,' ~~_ MQt ~ng dVng web khi triSnkhai, v~ co ban se co 3 lOp nhu sau: lOp tdnh '- . ----..- ~h'fu~lOp ling dVng va lOp co sa dfr li~u. . -"=-" , .'~,~;:,~;,) 1; nm rnAm'y ,hu di .at '" t;,dnng phn"'n cae yeu diu ve' .. £;;~~~ khae; lOp trinh di~n, la may ehli phve vv web . (co thS,la: ~IS Se~,-Apaehe ~,;.:~eg.:~~~~o~.~at ~erver,.;.) .. j Lop ung d{mg (Web ApplIcatIOn) Jar-cae '. ban hay rniinguon pMt ? ~~ . ? ,---.... trien ra ling dVng web thlJe thi (co the la: ASP.NET; PHP, -r .' erl, Pytho'n, ...). LOp CO' So' dCi:li?u (Database SerVer) la nui rna ling dvng'we .'~ W.;.va----. ,'. . ._. ~ tha~ ta.'e vai dfr li~u (thuang dlJa tren .nen cae h~ quan tri co sa dfr li~u (CS 'b)~! nhu. Oracle, SQL Server, MySQL, ... ). . ~'. Vi~e ho;:tch dinh t6t cac lOp t~ong d.u true web kho~g nhfrng giup ngu(yi I ..quan trj d~ v~n hanh rna can chli oQng trong phong, ch6ng cac nguy co t&ncong tu.tin' 4c. MQt s6 each b6 tri lOp thuong g~p trong thlJc tS nhu tren hinh ve 2. ..M6i lOp nen kh6i t;:tornQt co chS phOng tM rieng eho rriinh dS eh6ng l;:ti .' ••. '1,.. • . ~ . i:'? nhfrng hanh dQng khong duqc pbep va khOng nen "tin tuang" nhfrng lOp khac de tranh tinh tr;:tngtin cong leo thang. MQt s6 kjeh ban thong dVng: --=--__ ~ _. _., _ 0 ~'o . -- - . . '- LOp trinh dienco, the ap d~t co che d\eu khien troy e~p tren rnQt tai ~.' '~" ~"~'. ~.f,"._;.. , .. ,:- . ".Ct; .~. - ---. _.~,..,...... ~~ nguyen. Vi dv khi l~p ehinh sach troy c~p rnQt tai nguyen nao do tren h~ thong, o i '. '0 . : ~ , . ' ' •• 1:-1 ""~: t' , chang h<:tTInhu thu rnve /admin, co the cai d~t diu hinh lOp trinh diel1 yeu diu xac thlJe vai quy~n quan trj (adrninistrator).Di~~nay ~e h;:tnehS i'mh hu&ng tu lOp ling dVng co thS su dVng nhi~u kjch ban dS troy c~p dSn tM nguyen tren. ,- LOp co s6 dfr li~u co thS cung ciip cae tai khoan khac nhau vai nhGng quy~n hanh dQng khae nhau. Vi dV nhu vai nhorn ngu(yi su dVng co ten tai khoan chua duqe chUng thlJc thi thiSt d~tquy~n th&p nh&t la chi co thS dQc, can cae thao tac ghi, thay dBi, thlJc thi la khong duqc phep. NSu tai khoan duqc chUng thlJc thi cling chi duqc ghi, thay dBi, thlJe thi tren CSDL dii duqc chi djnh ,va chi co tae dvng trong ph;:trnvi CSDL dii duqc ciiu hinh tu truac . . - Cae lOp khac nhau khong nen cho pbep troy c~p dQe ho~c ghi Mi lOp khae. Vi dv: lOp trinh di~n khong co kha nang troy e~p dSn t~p tin v~t ly duqe su dVng luu trfr dfr li~u t;:ti lOp CSDL rna chi co kha nang troy c~p dfr li~u nay thOng qua cae troy v&nvai cae tai khoan phil hqp (tIUYc~p a ciip dQ Ung dvng). i i Cam djch vv giao tiSp gifra cae lOp tren ciip dQ rn;:tngcling nen duqe lQc dS chi ., eho ~hep cac djch vv c~n thiSt duqe thlJe thi. Vi"V: chi cho phep kSt n6i dSn h~ quan trj co s6 dfr li~u SQL Server tren eBng TCP 1433, can cae eBng khie thi . . phai duqe lQcho~e khong cho pbep. . 4 ., , , \~, I l' \ 'I f"; / Mo hinh1 lo'p Mo hinti 210'11, 1VI0 hlnh3 16'11, I.Mo hinhN l6'p I'I Web Server Web Server Web Alllllication WebAllplicatiotl ' I Web Server I Database Server ., I~ I Web Server I ~~ Vl \ """1 • ~ I , i -q Dati'lbase Server !i Web Application ii~ Weh Apillication '~'. t ---1------I~ Database S\ ~ ~:jID •• ".~ ,,~, ~l\ f ,;", it . . }iJi Hinh 2. Cae rna hinh trien khai ean~ltrang TTDT .~I. . ~ iii l III Vi~c phan tich cac ma hinh tren cho th~y, n~u gifra cac lap khang co sv tach bi~t r5 rang thi khi mQt lap bi tin tij.ct~n cang va chi~m quySn ki€m soat co th€ dan d~n cac lap khac cling bi anh hUOng theo. Vi dl) truemg hgp t~t ca t'rng dl)ng web, co sa dfr li~u dSu dugc dij.ttren may chu phl)c VI) web thi khi tin tij.c t~n cang vao may Chll phl)c VI) web co th€ dan d~n ma ngu6n va co sa dfr li~u cua t'rng dl)ng do bi xam ph:;tm.Do v~y, khi tri€n khai thvc ti~n nen thi~t k~ tach bi~t dQCl~p theo ma hinh 3 lap d€ tranh tinh tr:;tngmQt lap bi t~n cang va chi~m quy~n ki€m soat dan d~n cac lap khac bi anh huang. Vi~c phan lo:;tiGQcI~p 3 lap nhu tren se t:;todiSu ki~n thu~n 19i cho vi~c v~n himh, bao tri h~ th5ng ding nhu d~ dang ap d\mg cac bi~n phap bao v~ d5i vai m6i lap rieng bi~t. Trong truemg hgp co kho khan, h~mch~ vS ngu6n Ivcxay dvng c6ng/trang TTDT thi van nen ap dl)ng t5i thi€u ma hinh hai lap vai lap co sa dfr li~u dugc tach bi~t dQCI~p. 3.2. Tri~n khai h~ th8ng phOng thii 3.2.1. Ta chirc mo hinh m(lng htfp Ij Sl! - -~_Vi~ct6~chuc ma hinh m:;tnghgp I;' co anh hUOng IOn d~n an toan cho cac c6ng/trang'TTDT. Day la co sa d~u tien cho vi~c xay dvng cac h~ th5ng phOng thu va bao v~. Ngoai ra, vi~c t6 chuc mo hinh m:;tnghgp I;' co th€ h:;tnch~ dugc cac t<1ncong til ben trong va ben ngoai mQt cach hi~u qui!. INTERNET PRIVATE NETWORK D--I.T.-\H..\S'E SER\"'ER Prl ter DMZ NETWORK SWITCH FIREWALL ~~~ Comput.r computer Computer liJ Flr~pp SWITCH 0;; Web Suver Hinh 3. M6 hinh mt;mgt6ng quan 6 Trong mQt mo hinh m~ng hQJJIy dn phai phan bi~t ro rang gifra cac vung m~ng theo chuc nang va thi~t I~p cac chinh saeh an toan thong tin rieng cho timg vung m~ng theo yeu du thlJc t~: - Vung m~ng Internet (hay Untrusted Network): con gQi la m~ng ngoai. - Vung m~ng DMZ Network: D;:itcac may chli cung cap djch V\ltrlJc ti~p ra m~ng Internet nhu web server, mail server, FTP Server, v.v ... - Vung m~ng Server Network (hay Server Farm): D;:itcae may chli khong tl1Jcti~p cung d.p djch V\lcho m~ng Internet. :-. Vung m~ng Private Network: D;:itcac thi~t bj m~ng, may tr[ 7 chinh sach an ninh clla mi)t ca nhan hay mi)t t6 chuc. M\lc dich Cllavi~c su d\lng Firewall la: - Bao v~ h~ th6ng khi bi t~n congo - LQccac k€t n6i dlJa tren chinh sach truy c~p ni)i dung. - Ap d~t cac chinh sach truy c~p d6i vai nguai dung ho~c nh6m nguai dung. - Ghi l~inMt ky dS h6 trq phat hi~n xam nh~p va di€u tra SIJc6. dn thi€t I~p lu~t cho Firewall tir ch6i tM ca cac k€t n6i tir ben.trong Web S~,;r ra ngoai Internet ngo~i ,trir cac k€t n6i da duqc thi€t I~p - tuc hl chi tir ='=,.----cfi6(t~t c' cac goi tin TCP khi xu~t hi~n ca SYN. Di€u mly se ngan ch~n vi~c n€u nhu tint~ co kha nang ch~y cac kich ban rna di)c tren Web Server thi cling khong thS cho cac ~ d~c n6i nguqc tir Web Se:v"ertra v€ may Hnh clla,tin t,~c. Tuy nhien, h~n Ch'e. .clla Firewall la co the lam ch~m qua trinh kSt noi vi trong ~i)t s6 tru~g , ,? , ~~:... , - ' ,I •. ~ va chiem quyen kiem soat va do do bi vo hi~uhoa Mi tin t~c, Vi v~y canthiet ~ dam bao thlJc hi~n mi)t s6 tieu chikhi triSn khai va v~n 1}anh,g6m:. - Xac dinh cong ngM IDS/IPS da, dang ho~c dlJ dinh triSn khaL. , Xac dinh cac thinh ph~n clla IDS/IPS. - Thi€t d~t va du hinh an toan cho IDS/IPS. - Xac dinh vi tri hqp Iy dS d~tIDS/IPS. - Co ca ch€ xay dlJilg,t6 chlrc, quan Iy h~ th6ng lu~t (rule). - H~n ch€ th~p nh~t cac tinh hu6ng canh bao nh~m (false positive) ho~c khong canh bao khi co xam nMp (false negative). I 3,2,2.3. WAF (Tuimg lua i:rngdl;mg web) , Mi)t WAF thuang la mi)tph~n m€m:'hay mi)t thanh ph~n nhung duqc cal ngay tren may Chllph\lc V\l web. Doi khi WAF cling duqc cung d.p nhu mi)t thi€t bi phk cling co cai d~t s~n ph~n m€m ben' trong. WAF ho~t di)ng b~ng cach su d\lng mi)t bi) IQcvai cac "Iu~t" duqc dinh nghla truac ho~c do nguai dung them vao dS giam sat cac dfr li~u trao d6i vai trng d\lng web thong qua giao thuc HTTP. Nhfrng quy t~c nay co thS giup p~at hi~n vi ch~n cac truy v~n nh~m t~n cong vao cac 16iph6 bi€n nhu Cross-site Scripting (XSS), SQL Injection, OS command Injection, Path Travesal, ... cling nhu mQt s6 !6i khac 8 duqc neu trong danh ml)c "OW ASP Top 10" (http://en. wikipedia.org/wiki/ Application firewall) Cac dfr li~u di VaGho~c di ra khoi tmg dl)ng web se duqc WAF ki€m tra so sanh voi cac diu hi~u duqc djnh nghla s~n va quy~t djnh cho phep dfr li~u di qua hay ch~n cac dfr li~u do I~i. Day la m(lt qua trinh IQCrna cac thi~t bj tUOng lua lOp duoi khong thvc hi~n duqc. Vi~c tri€n khai WAF se ph~n nao h~n ch~ duqc cac sai sot cila nguai I?p trinh tmg dl)ng web. Cac WAF nen duqc cM d~t gifra m6i lOp trong ki~n truc web. Xem thong tin tham khao vS cac WAF t~i PhI) Il)c II. 3.3. Thi~t d~t va ciiu hinh h~ th&ngmay chu an toan D~ v?n h<'mhm(lt may chil an toan, vi~c e&nIWl y d~u tien la luon C?P nh?t phien ban va b<'mva moi nhit cho h~ thang. Ngoai ra, voi m6i lo~i may chil khac nhau se co nhfrng bi~n phap thi~t d~t va Giu hinh Cl)th~ d€ dam bao v?n hanh an toano 3.3.1. H? thang may chit Linux - Dai voi M thang cai d~t moi thi phai dam bao m(lt sa yeu e&usau: + Kha nang h6 trq tir cac ban phao phai (thong tin va 16i, thai gian C?P nh?t, nang cip, kenh thOng tin h6 trq ky thu?t). + Kha nang tuang thfch voi cac san phAm cila ben thu 3 (tuang thich gifra nhan h~ diSu hanh voi cac tmg dl)ng, cho phep rna r(lng module). + Kha nang v?n hanh va su dl)ng h~ th6ng cila nguai quan trj (thoi quen, ky nang su dl)ng, tinh ti~n d\mg). T6i Uti hoa h~ diSu hanh vS cac m~t sau: + Chinh ~ach m?t khAu: su dl)ng co ch~ m?t khAu phuc t~p (tren 7 ky tI! va bao gam: ky tI! hoa, ky tI! thuOng, ky tv d~c bi~t va ehfr s6) nh~m chang I~i cac ki€u tin eong brute force. + Tinh chinh cae thong sa m~ng: t6i uu hoa m(lt s6 thong tin trong t?P w, ictclsysctl.conf. + Cho phep h0~<: khong eho ph<,:_'cae djeh VI)truy C?P d~n h~ th6ng "' thong qua hai t?P tin fete/hosts. allow ,'?J /ete/host.deny. + Gcr b6 cae djch VI)khong c~n thi~t: vi~c ga ~:{lcac goi, djeh VI)khong c~n thi~t se h~n eh~ kha nang tiSp e?n cila kd .t~ong va cai thi~n hi~u nang eila M thong. -- - -- + DiSu khi€n truy e?p: ehi djnh cae truy e?p duqc phep d~n h~ thang thong qua t?P tin /etc/seeurity/aeeess.eonf, /ete/security/time.eonf, 9 /ete/seeurity/limits.eonf, giai h~n tai khoan duqe phep Slr dVng quy€n sudo thong qua t~p tin /ete/pam.d/su. + Slr dVng kSt n6i SSH thay eho cae kenh kSt n6i khong an toan nhu Telnet, FTP, v.v ... + Quan Iy h~ th6ng ghi nh~t ky (log) m(lt each t~p trung va nh~t quan nh&mphl)e Vl)eho mve dieh di€u tra khi co sv e6 xay ra. 3.3.2. Hf thang may chu Windows May ehil Windows duqe Slr dl)ng kha ph6 biSn, vi~e bao v~ eho may ehil Windows la thve sv e~n thiSt. D€ dam ba~ eho h~ th6ng cftn thve hi~n m(lt s6 bi~n phap sau: - D6i vai cae djeh Vl)va e6ng: + Cae djeh Vl)dang eh~y thiSt I~p vai tai khoan co quy€n t6i thi€u. + VO hi~u hoa cae djeh Vl) DHCP, DNS, FTP, WINS, SMTP, NNTP, Telnet va cae djeh V1) khong cftn thiSt khae nSu khong co nhu e~u Slr dl)ng. + NSu la tmg dl)ng web thi chi ma e6ng 80 (va c6ng 443 nSu co SSL). - D6i vai cae giao thue: + VO hi~u hoa WebDAV nSu khong Slrdl)ng bai tmg dl)ng nao ho~e nSu no duqe yeu cftu thi no phai duqe bao m~t. + VO hi~u hoa NetBIOS va 5MB (dong cae e6ng 137, 138, 139, va 445). - Tai khoan va nhOm ngU<1idung: + GiJ bo cae tai khoan chua SlrdVng khoi may ehil. + VO hi~u hoa tai khoan Windows Guest. + D6i ten tai khoan Administrator va thiSt l~p m(lt m~t kh~u m~nh. + VO hi~u hoa tai khoan IUSR_MACHlNE nSu no khong duqe Slrdl)ng bai tmg dl)ng khac. + NSu m(lt ung dl)ng khae yeu e~u truy e~p anonymous, thi thiSt I~p tili khoan anonymous co quy€n t6i thi€u. + Chinh saeh v€ tai khoan va m~t kh~u phai dam bao an toan, Slr dVng C 10 + T~p tin va thu m\lc phai n~m tren phan vung dinh d:~mgNTFS. + T~p tin nh~t ky (log) khong n~m tren phan vung NTFS h~ th5ng. + Cac nhom Everyone bi giai h"m (khong co quy~n truy c~p vao \Windows\system3 2). .+ MQi tai khoan anonymous bi dm quy~n ghi (write) vao thu m\lc g5c. - Tai nguyen chia se: + GO-b6 tat ca cac chia se khong su d\lng (bao g6m ca chia se m?c dinh). + Cac chia se khac (n€u co) d.n duQ'c giai h;:tn(nhom Everyone khong dugc phep truy c~p). - Cac phien bfm va 16i: + C~p nh~t cac phien bfm m&inhat. + Theo d5i thong tin c~p nh~t tir nhi~u ngu6n khac nhau. + Nen tri€n khal qip nh$t tren he th5ng thu nghi~m truac khi c~p nh~t vao h~ th5ng tMt. 3.3.3. May chu web 3.3.3.1. May chi:l lIS: May chu lIS duQ'c Slr d\lng kha ph6 bi€n hi~n nay tren cac may chu Windows. D€ bao v~ cho may chu IIS d.n thvc hi~n mQt s6 bi~n phap sau: - Nen su d\lng cac giao thuc rna hoa nhu SSL ho?c TLS nh~m rna h6a cac k€t n5i an toano - C&n thi€t I~p cac thuQc tinh trong Audit Policy tren may chu lIS trong moi truOng lam vi~c dam bao toan bQ thong tin cua nguai dung khi diing nh~p vao h~ th5ngse d~u dugc ghi l;:ti.Tat ca nhiing dfr li~u khi troy c~p d~u dugc ghi l;:tinh~t kyo ~ C&Ii. thi~tI~p"Deny access to this computer from the network", YlH li1J~t I~p nay se quy~t dinh nhiing tai khoan nao bi dm truy c~p tai may chu lIS tir m;:tngva cac tai khoan nguai dung se bi h;:tnch~ va dam bao tinh bao m~t cao han. Sau day la nhiing tai khoan nguai dung c&nphii thi~t I~p ch~ dQ dm neu tren: ANONYMOUS LOGON, Built-in Administrator va Guest. - Nen t~t tat ca chi ti~t thong bao 16i rna co khi nang dua ra qua nhi~u thong tin. Vi~c dua ra qua chi ti~t cac thong bao 16i se d~n d~n vi~c cac tin t?C co th€ Igi d\lng d€ tim hi€u thong tin v~ h~ th5ng. - Nen cai d?t thu m\lc g5c cua trng d\lng web tren phan vung dla co dinh d;:tngNTFS, boi vi kha nang ki~m soat quy~n truy c~p tren M th6ng t~p tin vai phiin vUng dinh d;:tngNTFS m;:tnhhan so vai cac dinh d;:tngFAT, FAT32. Khi 11 da cai d~t thu mvc g5c tren phan vung NTFS thi cling phai thi~t l(ip quy~n truy c(ip thip nhit cho thu mvc g5c nay, tranh truemg hgp thu mvc g5c cila ung dVng web duqc m~c dinh la Everyone: Full Control. - Trang lIS co rit nhi~u thanh ph~n (module) b6 trq. Nen go bO nhfrng thanh ph~n khong c~n thi~t ra khoi lIS duqc cai d~t, vi nhfrng thanh ph~n nay khi bi 16i co kha nang dful d~n lIS bi tin cong va chi~m quy~n ki@msoat mQt cach gian ti~p. - Nen cai d~t URLScan d@b6 sung them nhi~u tinh nang baa m(it cho lIS. 3.3.3.2. Apache HTTP: MQt s5 bi~n phap c~n thvc hi~n nh~m baa v~ may chil Apache HTTP mQt cach an toan: - T5i Uti hoa vi~c su dVng cac thanh ph~n (module) bkg vi~c go bo nhfrng thanh ph~n khong dn thi~t. MQt s5 thanh ph~n khuy~n cao nen go bo ra khoi Apache la: mod_userid, mod_info, mod_status. mod_include. - Gi6'i hl1lncae quy~n truy c{lp:Tl1Iocac tai kho{m, nhOm nguai dung rieng (khac root) d@thvc thi apache. Khong cho phep su dVng cac tai khoan nay d@ dang nh{lpb~ng cach chinh sua nQi dung trong t(ip tin passwd. - f)i~u khi@ntruy c(ip: SU dVng cac chi mvc (Directory) d@di~u khi@nqua trinh truy c(ip d~n cac thu mvc h~ th5ng dn hl1lnch~ quy~n tham nh(ip (vi dv nhu cac thu mvc: root, admin, administra~or). !.. - Hl1Inch~ t5i da vi~c su dVng cac h}"aCh<.lD(option) sau: MultiViews, ExecCGI, FollowSymLinks, SymLinksIfDwnerMatch. Go bo tit ca cac trang html m~c dinh, huang d~n su dVng, thOng tin lien quan v~ web server, di~u khi@nServer Status, Server Information. T~t chuc nang HTTP TRACE. Baa v~ cac t(ip tin du hinh .htaccess. - T6 chuc qua trinh ghi nh(it J # LogLevel: Control the number of messages logged to the error log. # Possible values include: debug, info, notice, warn, error, crit, : # alert, emerg. ------.. ------_. - _. - - - _. - - _. - - _. ------' 12 - -Ii ------ LogLevel notice LogForrnat "%h %1 %u %t \"%r\" %>5 %b \"%{Referer}i\" \"%{User-Agent}i\"" combined CustomLog log/access_log combined -----~-D6i -~&i-;';';~i-~6-t~~ng-th6~g-t-i~-a~- "m-~-h6;; -t~iiy-c~p-~6--ills-;&-dV~g-(iii;; SSL/TLS nha module mod ssl. -..:H~n ch~ cac thong tin v~ Web Server: ------~------j j ServerTokens Prod ------.-_.------~------.. --- : ServerSignature Off , ------~-Dis{; ~hjnh -cic- th6ng -i{;-i6-i--Uti:-;';';6t-~6-thiStj~p-il1a;';'; "kJ;;io:------' + Thong s6 timeout: :- -Timeout------10------_. _. ------. -.------+--Th6~g-~-6-K~~pAii"~~~------:.:.:.------=-~~---:~-=-~:-----'-----,. - _. -. _ .._ ....------., :--KeepAli------~,v~+--Th6-~gOn. -~-6-'M~;d(~~pAii~~R~q~~~t-;~------..-....------i- -MaxKeepAliveRequests------100------0------. ------+--Th6-~g-~-6-K~~pAii~~Ti~~~~t-:--.------..------.-- ..------ ,------.- - - - _. _ .._. ------: KeepAliveTimeout.+-ThS~-~~~15-th6~g-~6-~-~~~------~------~ \-Li-~i-tR~q~;~~-ti-i~~--5-12------~~-~._.._.._..------, .1 :LimitRequestFields 100 .. . -~-: LimitRequestFieldsize 1024 !.~~_1l1i_~~:_~~_~s_~~~~~__~_~2_~?_? ...... __. _ 3.3.3.3. Apache Tomcat: MQt s6 bi~n philp dn th\Tchi~n nh~m bilOv~ may chil Apache Tomcat mQt cach an toan: - G5' bi'>cac tai nguyen khong lien quan: Trang qua trinh cai d?t co thS xu~t hi~n cac tmg d\lng m5u, tai li~u huang dful va mQt s6 cac thu m\lc khong d.n thi~t khac. Vi v~y dn g5' bi'>cac t~p tin, thu ml)c nay nh~m h~n ch~ th~p nh~t nguy CCJ bi khai thac thong tin lien quan d~n tmg d\lng dang su dl)ng: - - - _. ------_. _ ..------_ ...- - _. ------$ rm ~rf $CATALINA_HOME/webapps/js~examples \ $CATALINA_HoME/webapps/servlet~example \ $CATALINA_HOME/webapps/webdav \ $CATALINA_HOME/webapps/tomcat~docs \ $CATALINA_HOME/webapps/balancer \ $CATALINA_HoME/webapps/ROOT/adrnin \ -$CATALINA_HOME/webapps/examples------~. Oi6i-h~~-ci~-th6-~g-tin~S-h~-iI16~g:------.------.------ + Thay d6i thOng tin serveLinfo. + Ti~n hanh dong goi l~i t~p tin CATALINA_HOME/server/lib/catalinajar sau khi dii sua d6i nQi dung file ServerInfo.properties. Vi d\l: 13 •• w ------:-~d--c-ATALi NA -HOME)~-~;:,:;;;~Ii-il,------1 jar xf catalina. jar org/apache/catalina/util/Serverlnfo.properties , • ~ •• • w - -;------~ ------+ Trang t~p tin Serverlnfo.properties thay doi gia trj server.info thaOO . gia trj server.info=Apache Tomcat, sau do dong goi I?i catalina.jar: :-j- ~-~~-~-f-~~-t~'ii-~~~-j- ~.~. -~;gi~p~-~h~/~~t~~i-i;';~-;~-ti-iiS~~~~-~I-~f~-.-p-;~-p~-~t.i~~------~ '-----,------+-Th~y--(16-i--th6~-?:-ti~-tr~~g--~~~~~;.-~~~b~;'--Th~~~--ti~ -th~y -d6i-~rr~g-~ tuang tv nhu thong s6 server.info. Vi d\l: :-~d-- c-AT'ALiNA -HOME-;~-~~-,:;;;~/i-il,------.------,------, l__j_ ~_~ __~~ _ ::~_~~ ~ ~w~~.:?_~_~__~~?!.~~~_~~_~!_~~~.~~w~~_~I_~_~~_~!_~~~~~_~~_~~~_._~_~~_~e_r~_~~~ ~ + Trang t~p tin Serverlnfo.properties them thuoc tiOO ______server.number= + Apache Tomcat Slr d\lng c6ng 8005 dS tiSp nh~n cac'''yeu" du shutdown. C~p nMt thuQc tinh shutdown trong t~p tin server.xml & $CATALINA HOME/conf/server.xml: '- '. '. j~ i-~s-~~-~~-~~-p~~~t::I~~' i',;..~t;~t.d~~~~.';s-HuTDowN-;;:.. -.. -.. --.--.-.. -.-----~ ------.--.--.---.-.-.--.--.--: ~_. - _~- __ : - w. ~ ••• _. _ ~ •• _ w - _. -r .••.••• _.. _. __. _. _~. __. __. __. __..'__. __. __.. _..•• ~-: . .. __.. . __. ~ 0. _: _. • ..: Bao v~ diu hiOOApache Tomcat: + Gi&i h?n truy c~p dSn $CATALINA_HOME: Gan quySn sa huu cho tai khoan tomcat_admin:tomcat; go b6 cac quySn dQc, ghi, th\l'c thi; go b6 quySn ghi d6i vai rihom: !~i;~;;~'-t;;~-~~-t:':~~i;;'-t-~;;~-;;t--iicATAi."i NAjiOME ------' ---- -" ------, ------;# chrnod g-w,o-rwx $CATALINA_HOME .,--"-,-----+--0[&[--h~-t~~y-~~p''d~~-$CATALINAj3A'-SE:; -G~~-q~yS~~&.h~ -~h~- tM khoan tomcat_ admin:tomcat; go b6 cac quySn dQc, ghi, th\l'Cthi; go b6 quySn ghi d6i vai nhom: -'i .~h~;';~--t-~;;~~-t:':~~-i;;'-t-~;;~-;;t--$-cATAi::iN-A:':sAs-Ii ------. ------.. ' ..:-- -. ------# chrnod g-w,o-rwx $CATALINA_BASE 14 + Gi6i h;:ln truy C?P dSn thu mvc du hinh Tomcat: Gan quySn sa hfru cho tai khoan tomcat_admin.tomcat; go bi) cac quySn dQc, ghi, thl!c thi; go bi) quySn ghi dbi v6i nh6m: ------# chown------tomcat------admin:------tomcat------$CATAL-iNA~HOM-Ei~~~f------# chmod g-w,o-rwx $CATALINA_HOME/conf ....------+--0;6;--h~~-t~y-~~p-dS~-th~-~-V~-~h{;~-~-i~-t~pti~-~~t -ky -(i~gj:-Gi;; quySn sO' hfru cho tai khoan tomcat_admin:tomcat; go be cac quySn dQc, ghi, thl!c thi: -"# - -~;;,;;.;~- -1o;;~;~;;t~~~i;:'-;t-';~~~10--;'-CATAi.::iiiA~HOM"Eii;;g;; ------# chmod o-rwx $CATALINA_HOME/logs ------:+:-0;6;-hi~-t~y-~~p-dS~-th~-;;.;V~-~h{;~-~i~-t~p-t-i~-th~~thi-:-G~~q;-;y~~-;~,: hfru cho tai khoan tomcat_admin:tomcat; go bi) cac quySn dQc, ghi, thl!c thi: •• 9 _. •• ______------_ ••• ------# chown tomcat_admin:tomcat $CATALINA_HOME/bin # chmod g-w,o-rwx $CATALINA_HOME/bin ------+--0;6;-hi~-t~y ~?P-dS~-th~-;;.;v-~-~h-(;~-~g -dV~g-~~b~-cii~ -q~yS~-~6-hfu:." cho tal khoan tomcat_admin:tomcat; go bi) cac quySn dQc, ghi, thl!C thi: - - _ ...------_. ------_ ..------. # chown tomcat_admin:tomcat $CATALINA_HOME/webapps # chmod g-w,o-rwx $CATALINA_HOME/webapps ------+--Oi6;-h~~-t~y-~-~p-dS-~--i~p-t;~-~~;;t~~t:~~i--o~~-q~yS~-~-6-hifu-~h~-tii khoan tomcat_admin:tomcat; go bi) cac quySn dQc, ghi, thl!C thi; go bi) quySn ghi dbi v6i nhom: - _. _. _ ••• _ •• - - _ •• - __ - _. - _ •• _. _. - _. - _. - - __ - • - _. - _. - •• _. - - • - _. _ •• _. - _ •• _. - - _ •• - _w ••••• • • - _. _. # chown tomcat_admin:tomcat $CATALINA_HOME!conf/context.xml # chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml ------+--0;6;--h~~-t~~y-~~p--dS~-t~p-t;~--l~ggi~g'-p;~p~rti~~~--oi;;-q~yS~;;;-hfu:." . " . cho tai k.~oan tomcat_admin:tomcat; go b6 cae qCiySn dye, ghi, th\fc thi; go bi) quySn ghi dbi v6i nhem: -- _. -_.- - _. - _. - _. - - -- _. - -- - _. _. ------_. _. - - _. -- - _. - -- _ ..------_. -.- -- - -_. _. - - _. - _ ..------_. _. - _ .. - _. - - - _. --- # chown tomcat_admin:tomcat $CATALINA_HOME/conf/logging.properties # chmod g-w,o-rwx $CATALINA_HOME/conf/logging.properties ------+--0;6;--h~~-t~y-~ip--d~~-t~p-ti~-;~~~~:~;;';l:--Gi~--q~y~-~--~&-hfu;-~h~--t~-i khoan tomcat_ admin:tomcat; go b6-cac quySn dQc, ghi, thl!c thi; go bi) quySfi ghi dbi vai nh6m: .- -- - _. _ .. - _. - _. - _ .. - - - - - _ ... - - - - - _. _. - - _. _ .. _. - - _. _. - - - - _. - _. _. - _ ....- _. _ .._. - _. - - - - _ .. - - - - - _ .. - - -' - _. ------_. - - - - - _. - _. # chown tomcat_admin:torncat $CATALINA_HOME/conf/server.xrnl # chmod g-w,o-rwx $CATALINA_HOME/conf/server.xml ------+--0;6;-h~~-t~y-~~p-dS~-t~p-il;;t~;;';~~t~-~-~~;~:~;;';l:--oi~q~y~;;-~&-h~-~h~- tal khoan tomcat admin:tomcat; go bi) cac quySn dQc, ghi, thl!C thi; go bi) quySn ghi dbi v6i nh6m: -' - _. - _ ..- _. _ _ .. _. -'" _. - - _ .. _. - - - - _. - _. - - _. _ .. - _. _ .. _ .. _ .._ _ - _. _ ..- - _. - - _. - _. - - - -' _. - - - _. _. _. _ _ .._. _.- ~ chown tomcat_admin:torncat $CATALINA_HOME/conf/tomcat-users.xml # chmod g-w,o-rwx $CATALINA_HOME/conf/tomcat-users.xml ._. _. _. - - _. _ .. - -- _. _. _. - _. _. - _. - -- _. ------_. - - - _. - - -- _. - _. - _ .._. _ .. _ .._. - -- - _. - -- _. ------" - - - -- _. - _. - - -' - _. - - - - _. --- 15 + Giai h<;mtruy c~p d€n t~p tin web.xml: Gan quy@n sa hfru cho tai khoi'm tomcat_admin:tomcat; go bo cac quy@ndQc, ghi, thvc thi; go bo quy@nghi d5i vai nhom: ~------_ ..------..#..~h~;.;;; .. t;;;;;~;;t~~~'i;;;t~~~.~t..$.CATAL.:i;.iA~HO;:iE/canf Iweb. xml ..~..~~.m?d.. ?~w., a- rwx ..$~.A:r.A~~.N~.-oH.?~E!c.~~.fI.,,!e.~ xml _ 3.4. V~n hlmh u'ng dl}ng web an tOlm 3.4.1. KiJm tra hO(lti/{mg web an tolln DS dam bao cho tmg d\lng web v~n hanh an toan, tranh dUQ"ccac nguy C(J t~n cong tu ben ngoai h~ th5ng co thS ti€n hanh cac buac co ban sau: - KiSm tra vi~c IQthong tin nh:;tycam qua cac cong C\ltim ki€m, buac nay nh~m dam bao tmg d\lng web se khong hiSn thi cac thong tin rieng nhu phien ban, cfiu truc thu m\lc, v.v ... len k€t qua clla cac cong C\ltim ki€m. - KiSm tra chuc nang dang xu~t, dang nh~p co hoan thanh dung nhi~m V\l hay khong. - Thi€t d~t cac quy@ntruy c~p thich hqp vao cac t~p tin va thu m\lc nh:;ty cam. Xoa cac t~p tin sao luu dt,rphong ra khoi h~ th5ng. - Sir d\lng CAPTCHA va ch€ dQ m~t kh~u m:;tnhnh~m tranh truang hqp vuqt qua CAPTCHA hay doan dUQ"cm~t kh~u ng~n (khong cho phep nguo-i dung d~t m~t kh~u y€u). - KiSm tra qua trinh quan I;' tai khom va phien cua tmg d\lng, vi~c truy~n giri nhfrng thong tin quan trQng nhu ten dang nMp va m~t kh~u dn dUQ"crna hoa nh~m tranh tinh tr:;tngnghe len dfr li~u tren duang truy~n. Ben c:;tnhdo vi~c c~p phat va rna hoa phien dang nMp cho nguo-i dung cung dn dam bao an toan nh~m tranh tinh tr:;tngtin t~c doan hay gia m:;tophien. - Xac dinh lo:;ti rna ngu6n h6 trQ"web (JSP, ASP, PHP, ... ) va kiSu framework phat triSn web (rna ngu6n rna, tt,rphat triSn, ... ) dS co bi~n phap bao v~ hqp I;' cling nhu c~p nh~t kh~c ph\lc cac 16h6ng dUQ"cphat hi~n. - Xay dt,rng ho~c tri~n khai mQt h~ th5ng may chu Proxy dung dS ch~c ~ '- r~ng cac k€t n5i tu ben ngo~;-~110v~ tu ben trong ra se dUQ"cgiam sat dS tranh cac m5i de dQa cling nhu di~u tra nguy'tii: rihan khi M th6-;;gbi t~n congo , , \ , - Neu co nhieu website dUQ"cd~t chung tren may chu web, can co bi~n phap cach Iy cac website nay ra, nh~m dam bao n€u co mQt website bi t~ cong va chi€m quy~n kiSm soat thi cac website con l:;tise it bi anh huang. - Thi€t k€ trang bao 16i chung dS tra v@cho t~t ca cac 16i rna h~ th5ng co thS g~p phai, Bi~n phap nay nh~m giam nguy ca bi t~n cong dva theo thong bao 16iclla tmg d\lng, 16 3.4.2. Khiic phlJc cac fBi phii biin tren web Trong trang web thucmg co cac di~m cho nguai dung nh~p dfr li~u vao nhu ml,lc "dang nh~p", ml,lc "tim ki~m", ml,lc ID bai vi~t tren URL, V.v... Ngoai vi~c giup cho nguai dung d~ dang tUOllgtac vai (mg dl,lng web, cac ml,lc nay n~u khong duqc qu:'m Iy chi;itche se tnJ thanh mQt nguy C(JIan d~ thl!c hi~n cac cUQc t~n cong vao (mg dl,lng web. Cac dfr li~u b~t hqp phap nen duqc IQctruac d~ b6 qua khong dua vao truy v~n trong C(Jsa dfr li~u nhu cac sieu ky tl!, cac bi~u thuc chinh quy, cac ky W duqc ma hoa, ... nh~m tranh cho (mg dl,lng truac nhfrng nguy co t~n congo Co th~ su dl,lng bi~u thuc chinh quy (ap dl,lng cho t~t ca cac ngon ngfr I~p trinh) d~ thl!C hi~n cac cong vi~c nay. Vi dl,l,su dl,lng bi~u thuc chinh quy d~IQc cac sieu ky W: ,------_. - - ~._. ------_. ------. ------_. - - _. ------., : w* I (\ I ) 1 1\ % 7 c) 1 1\<) 1 1\ % 3c) 1 1\% 3e) 1> I (. ) 1 (\ %60) 1 (& &) I 1\ %26 \ %26) ) ...... 'Ho~c'd~'q{;yJ,llii 'gi~'i~!'~~i'kh1~'~h~p'~i~':~i'd~~.cho'ph6p'~~i'kh~~'iif'4" d~n 8 ky W g6m chfr thuCnigva chfr hoa: ______••• _ •• _. _. • ••• L. _ : '(?~.*\d) 1?~.*[a-zJ) 1?~.*[A-ZJ).{4,8j$ ...... ,.",,"~'.'::':'€iini~6'ih~'~&'d\i~g'b'i~~'ih{ic'~hiJili'q~y'd'fi9C't'&~'~6;i'D;t'h'T;~~;:~~~i:'' ;"\;.;;'1'i,%'5~'j'1'i"/.).i'i,'% 2';")'i'i,,\,'i')'ii '. ,',-i'i'i, %2~,'% 2'~.).; : '------_. ------7------.,,------' Hoi;icIQctan cong chia nh6 hoi dap HTTP (HTTP Response Splitting): ;.. (.(. (' % 0'd'; ~'j.(.('%O'~)';'-ii'';'':;;;'1";' i _ ----_.. - ~ .- 'T~o~g"56''~'u6-i''16i'ATTT' -ph'a''b'i'~~''t~~~''c6~g;trang-tTDT:'~6; -Ibise co nhfrng bi~n phap rieng d~ kh~c phl,lCnhu sau: - TAn cung injection (bao g6m cac kidu tdn cong nhu- SQL Injection, as Injection, LDAP Injection): + Giai h:;m quy€n truy c~p CSDL va phan quy~n gifra cae tai khoan nguai dung, di€~ nay giup giaffi kha nang khai thae CSDL cua tin ti;ic ngay ca khi da thl!c hi~n thanh cong I~nh Injection. + Su dl,lng thu tl,lCluu tm d~ dam bao cac cau I~nh SQL tiI (mg dl,lng duqc luu trfr va tri~n khai a may cM CSDL, di€u nay giup cho dfr li~u do nguai dung nh~p vao khong th~ duqc tuy chinh duai d<).ngffiQtcau I~nh SQL. D~ lam duqc di€u nay, (mg dl,lng ph:'li duqc dinh d<).ngd~ su dl,lng nhfrng thu tl,lCluu trfr vai giao di~n an toan nhu cau I~nh Callable cua IDBC hay I~nh Object cua ADO. + Su dl,lngbi~u thuc chinh quy d~ phat hi~n t~n cong SQL Injection: D6i vai cac sieu kY W: --il' (,'% 3D')'i'(::'i')' i'i ('\i'3(;'; '1'('\<'j i'i'i i'\i'3Di '1'(' ;'}';'j 'r';";.; j';'I' i,'%2'7.).i'(,';i'i'i ,.:,.: . - ) I (\ %\1'61'3B) Iii;;(; ) 'c6~g) 'sfr'dvng- iiT'kh6~' liNYoN' ~ -- - . 17 ------_.------, :--i-(-,i-2-..,-;-1- (-, ~-)- i-("\¥i)- ~-~;;i::'n _ '------V&i-i~;;-c6~g-v~~-m~y-ch~-t.,,{S-SQC -.------ ------_. - - - - _ ..- - - - _ ..------; ;- ;;~-~;; ("\ ~-1-,-; i-;-(-~I- ~-)-p\ w+ '------:;--Sfr-dV~g-bis~-thfr~-~hirih-q~yis-iQ~-t~~-~6~giiiAj- i~j~~ti~~~------j::i':;!:~:(~:'i:1:~:}::::::::::::::: -::::::: - : -:::::: -:::::::::::::::::::: :::::::::::::::::::::::: _::: -:::::::::: _:::::::::! - Cross Site Scripting (XSS): + LQc tit ca cac dfr li~u chua tin tu6ng mi;)tcach phu hqp dva tren ni;)i dungHTML. + T~o mi;)t"danh sach tr~ng" d@ki@mtra dfr li~u d~u vao mi;)tcach phu hqp. + St'r dVng bi@uthuc chinh quy trong vi~c ki@mtra dfr li~u d~u vao d@ phM hi~n tin cong xSS: :::(!:~i:3~; :1:~:}::[:; ~;. i:+:i:(-, i:~~U;-)--::::::::::::-:::::::::::::::::::::::::::-:::::::::::--:::::::::::-::_:::::::::: - Insecure Direct Object References (Tham chiiu trlfC tiip d6i tur;mg khOng an toim): Ki@mtra qua trinh tham~h.i~~'t~l!c'ti€p d€n cac tai nguyen h~n ch€ tren h~ thtmg d~ dam bao r~ng ngm'Ji dung binh thuemg khong th~ truy C?P UlfQ'Ccac ngu6n tai nguyen rna hQ khong co quy~n truy C?p. Nen su dVng mi;)tC - Be giiy s/! chUng th/!c va quan If; phien: Thi€t d1).tmi;)t phuang phap chling thl!C va di~u khi~n phien nguai st'rdVng du m~nh d~ tranh kh6i bi nhUng 16i XSS rna co th~ bi danh c5p phien st'r dVng ho1).cco th~ giai rna phien mi;)t cach dS dang. - cau hinh baa mgt khOng an toan: Bao m?t mi;)tM thtmg noi chung phV thui;)cvao vi~c du hinh bao m?t cho cac thanh ph~n rieng Ie trong h~ th6ng nhu ling d\lng web, may chu web, h~ diSu hanh may chu, cac thiSt bi V?t Iy,... T~t ca cac thiSt d1).tbao m?t nay dn duQ'c xac dinh, thvc hi~n, bao tri va tuy~t d6i khong nen su d\lng cac du hinh bao m?t m1).cdjnh co s~n. 18 - Chuydn huang va chuydn tidp kh6ng dur;c kidrn tra: H:1n chS su dl)ng chuy€n tiSp va chuy€n huang, nSu su dl)ng thi phai co co chS chUng thvc. - Luu tru. rna hoa khOng an toan: Nh?n biSt nguy co va len phuang an bao v~ d6i vai dii li~u tir nhiing tan cong ben trong hay ben ngoai, dii li~u nh?y cam phai luon luon ma hoa. - Thidu Sl;C baa v~ lOp w;ln chuydn: Cung ciip mQt co chS bao v~ cho lap v?n chuy€n b~ng vi~c ciiu hinh SSL/TLS phil hgp. 3.5. Thi~t d~t va c~u hinh cO'sir dfr li~u an toan Vi~c thiSt d~t va ciiu hinh co sa dv li~u an toan la mQt qua trinh phuc t?P, doi h6i ngueri quan trj phai hi€u ro v~ co sa dii li~u dang su dl)ng. DS bao v~ cho co sa dii li~u an toan dn thvc hi~n mQt s6 bi~n phap sau: - Luon C?p nh?t phicn b€m va 16i cho co sa dii li~u mai nhat nh~m tranh cac 16ida dugc cong b6 va khai thac. - Gcrb6 cac co sa dii li~u khong su dl)ng. - Gcr b6 ho~c va hi~u hoa cac thil t\lc luu till ho~c nhiing ham nh?y cam co tuang tac vai h~ th6ng nh~m tranh vi~c tuang tac dSn h~ th6ng tir co sa dii li~u. - Tach bi~t cac co sa dii li~u su dl)ng cho ml)c cac dich khac nhau. - Khoa tiit ca cac kSt n6i tir h~ th6ng ho~c tir Ung dl)ng khac ngoai (mg dl)ng web va may chll web, khong cho phep bat ky k~t n6i trvc ti~p nao tu Internet d~n database. - ciiu hinh ghi nh?t ky va theo doi nh?t ky la!TIvi~c clla co sa dfr li~u mQt . - cach hgp Iy. - Giai h?n truy C?P d6i vai cac tai khoan su dl)ng (khong co quy~n xoa ho~c thay d6i ciiu truc co sa dii li~u). - Phan quy~n cho cac tai khoan va cac t?P tin h~ th6ng. - Gcr b6 ho~c thay d6i cac tai khoan m~c djnh va thi~t I?p m?t khiiu ml;lnh cho cac tai khoan dang su d\lng. - Co co ch~ sao luu dfr li~u va ma hoa cac dii li~u sao luu. - SU dl)ng cac cong C\ld€ tim kiSm 16h6ng tren may chu SQL nhu MBSA (MS SQL). 3.6. Cai d~t cac ".ng d\lng bao v~ 3.6.1. Chang virus (Anti-Virus) wi biio vi an toan may tinh ea nhan Vi~c cM d~t cac (mg d\lng bao v~ nhu Anti-Virus co tac dl)ng riit Ian trong vi~c bao v~ h~ th6ng. ChUng co th€ h?n chS dugc vi~c bi cai them ma dQc trong truang hgp ke tan cong da xam nh?p dugc vao h~ th6ng, ho~c h?n chS vi~c 19 upload d.c rna dQc khi ling d\lng web bj 16i. Cac chuang trinh Anti-Virus phai thoa man yeu du sau: - Luon a tn;mg thai dang ho~t dQng nh~m dam bao h~ thfmg luon dugc bao v~. - Dam bao tinh toan vyn cua t~p tin va tai nguyen. - Quet cac rna dQc dinh kern trong e-maiL - C~p nMt d~u hi~n nh~n di~n virus mai nhk D6i vai may tinh ca nhan co th~ xem xet cai d~t phftn m~m bao v~ an toan may tinh tich hgp thUOng bao g6m ca chuc nang ch6ng virus, IQctUOng lira ca nhan. Xem Ph\l I\lc 3 thOng tin tham khao v~ cac phftn m~m ch6ng virus va bao v~ an toan may tinh ca nhan. 3.6.2. H~ thang phlit hi~n xiim nhijp may tinh (Host Based IDS) Host Based IDS la h~ th6ng phat hi~n xam nh~p may tinh (thuOng hay ap d\lng d6i vai cac may chu), d6ng thai dua ra canh bao v~ cac hanh dQng b~t thuOng d6i vai tai nguyen tren h~ th6ng. Sir d"mg Host Based IDS nh~m: - Canh bao khi co Sl!thay dbi d6i vai rna ngu6n ling d"mg. - Canh bao khi co Sl!thay dbi d6i vai cac t~p tin h~ th6ng. - Canh bao khi co Sl!thay dbi d6i vai cac t~p tin h~ th6ng. 3.7. Thi~t I~p CO'ch~ sao Iffu va ph\lC hai 3.7.1. CO'chi sao lu:u Sao lUll dfr li~u la di~u ki~n khong th~ thi~u khi tri~n khai cac giai phap kg thu~t nh~m dam bao tinh s~n sang cua dfr li~u. Vi v~y khi thl!c hi~n sao lUll dn xac djnh mQt s6 yeu cfm sau: - Phr;tm vi sao lUll: + Sao lUll toan bQ dfr li~u cua h~ th6ng. Co ch~ nay dam bao dugc tinh toan vyn cua dfr li~u va co th~ ph\lc h6i toan bQ dfr li~u mQt cach nhanh chOng khi h~ th6ng bj Sl! c6. Tuy nhien, doi hoi phai xay dvng mQt h~ th6ng sao lUll quy rna Ian. + Sao lUll tung phftn rieng trong h~ th6ng. Co ch~ nay nh~m ph\lc h6i nhUng phftn g~p Sl!e6 va khong cftn mQt h~ th6ng sao lUllquy rna Ian. - ThiJi gian sao lUll: Cftn thi~t I~p mQt C(J ch~ sao lUll theo djnh ky (ngay, tuftn, thang, ... ) mQt cach tl! dQng, nh~m dam bao vi~c sao lUlldfty du cac dfr li~u theo yeu duo - Nt5i dung sao luu: + Sao lUllh~ di~u hanh may chu. + Sao lUllmay eM web, Co sa dfr li~u, V.V ... 20 + Sao luu thu m\lc va t~p tin. 3.7.2. Co' chi phflC hJi Tuy thu(>c vao tinh tn;mg hi~n t:;!icua h~ th6ng va C(J ch~ sao luu da dugc thi~t I~p rna Iva chQn C(J ch~ ph\lc h6i dfr li~u cho h~ th6ng m(>tcach thich hgp: - Khoi ph\lc nguyen tr:;!ngh~ th6ng. - Khoi ph\lc tUng ph~n rieng bi~t (h~ di€u hanh, C(J sa dfr li~u, cac tmg d\lng kMc). - Thuimg xuyen ki~m tra ban sao luu d~ dam bao kha nang ph\lc h6i thanh cong khi dn thi~t. 4. DOl PRO VOI TAN CONG Til" CROI DlCR Vl) 4.1 T~n cong tir ch8i dich VI}: - T&n cong tu ch6i dich V\l (DoS) la ki~u tin cong V~IOh~ th6ng m:;!ngb~ng cach lam tang d(>tbi~n luu lugng bang thong, s6 lugng yeu du k~t n6i su d\lng dich vv vugt qua kha nang rna h~ th6ng co th~ dap tmg xu Iy, dan d~n dich V\l cua h~ th6ng ho:;!td(>ngbi ch~m, mit kha nang dap tmg ho~c mit ki~m soat. - T&n cong tu ch6i dich V\l phan tan (DDoS) la d:;!ngtin cong DoS nguy hi~m nh&t khi ngu6n t&o cong nhi€u va phan b6 tren di~n r\;lng tren m:;!ng Internet toan du, r&tkho ngan ch~n tri~t d~. Thong thuOng cac cUQctin cong DDoS dugc gay ra bai mQt s6 lugng kha 16n cac may tinh tren m:;!ngInternet bi di€u khi~n bai tin t~c do nhiSm rna dQLthuOng gQi la m:;!ngbotnet. - Nguyen t~c ch6ng tin cong DoS la can phai IQc va g:;!tb6 dugc cac lu6ng tin tin cong, va t6t han nfra la ngan ch~n dugc car ngu6n tin congo D~ ch6ng .~ DDoS phai vo hi~u hoa dugc ho:;!tdQng cua cac m:;!ng:~.~tnet.D~ lam dugc di€u .....' hay mQt cach hi~u qua thuOng doi h6i cac bi~n phap di€u pi;!}; U:lg ';;:'-u 0,'; ~.:, ,"; quy mo qu6c gia hay th~m chi ph6i hgp nhi€u nuac. Do do khi phat hi~n co cac cUQctin cong DoS hay DDoS, cac dan vi quan Iy c6ng/trang TTDT dn bao cho Trung tam Vng CUukh~n e&p may tinh Vi~t Nam (VNCERT) dng sam cang t6t. M~t khac, vi~c ap d\lng cac bi~n phap va cong C\l ky thu~t t:;!ich6 d~ nang cao nang Ivc bao v~ cac c6ng/trang TTDT cling co hi~u qua ro r~t. 4.2. Mi}t s8 bi~n phap ky thu~t phong ch8ng t~n cong tir ch8i dich VI}: - Tang wang kha nang xu Iy cua h~ th6ng: + T6i uu hoa cac thu~t toan xu Iy, rna ngu6n clla may chu web, + Nang e&ph~ th6ng may chu, 21 + Nang dp dw'mg truySn va cac thiSt bi lien quan, + Cai d~t d~y du cac ban va cho h~ diSu hanh va cac ph~n mSm khac d~ phong ngira kha nang bi 16itran bQ d~m, cuOp quySn diSu khi~n, v.v ... - H:~mchS s5 luqng kSt n5i t;:1ithiSt bi tUOng lila tui muc an toan h~ th5ng cho phep. Sil dl,mg cae tUOng lila cho phep 19CnQi dung thong tin (t~ng ling dl,lng) d~ ngan ch~n cac kSt n5i nh~m tAn cong h~ th5ng. - Phiin ttch lu6ng tin (traffic) d~phit hien cac dAu hi~u tAn cong vacai d~t I cac tUOng !ua cho phep 19CnQi dung thong tin (tkg ling dl,lng) ngancMn-----: theo cac diiu hi~u------'-.dii phit hi~n. i 4.3.Mi}t slfcBng cli ky'";h-u~t.phOngchang t~n cong ti•.chai djch V\I: TUy kha nang d~u tu, cac c5ng/trang TTDT co th~ trang bi giai phap ho~c su dl,lngdich VI,Ich5ng DoS/DDoS vui cac cong CI,Ikg thu~t sau: Sil dl,lng h~ th5ng thiSt bi, ph~n mSm ho~c dich VI,Igiam sat an toan m;:1ng (d~c bi~t vS luu luqng) d~ phit hi~n sam cac t:in cong tir ch5i dich VI,I. _Sil dl,lng thiSt bi bao v~ m;:1ngco dich VI,Ich5ng t:in cong DDoS ~huyen nghi~p kern theo, vi dl,lnhu: Arbor, Checkpoint, Imperva, Perimeter, ... ..•.... '- ) f' '.' 1-~.'..(' ~ : -, . . i • ,'. .j j •• ., '. 22 , PHV LVC I. MUm LOI ATTT PHO BIEN TREN CONG/TRANG TTDT I. Tan cong Injection: bao g6m cac 16i cho phep thgc hi~n thanh cong cac kiSu tin cong nhu SQL Injection, OS Injection, LDAP Injection. KiSu tin cong inay xay ra khi ngu6-i dung gui cac du li~u khong tin c~y d~n fuIg dVng web, InhUng du li~u nay co tac dVng nhu cac diu I~nh vai h~ di€u hanh hoi[tccac diu 'truy vin vai casa du li~u nh~m phvc vv cho mvc dich xiu. 2. Cross Site Scripting (XSS): L6i XSS xay ra khi fuIgdVng web nh~n cac du li~u dQc h\li va chuySn no d~n trinh duy~t cho nguai dung rna khong xac nh~n . l\li du li~u do co hqp I~ hay khong. KiSu tin cong nay cho phep ke tin cQngthg<:.-_ thi cac dO\ln mad9c'ti'orig'fnii.h--diiy~t'ita n\ln nh~r: va c6'tl1~ wOp p~ien nguai- _. - dung hoi[tcchuySn huang nguai dung d~ri cac trang dQc h\li khac. 3. Insecure' Direct Object References (Tharn chiiu tr,!,c tiip ilai tU:(fng kh6ng an toan): Vi~c tham chi~u xay ra khi nha phat triSn fuIg dVng web dua ra tham chi~u d~n mQt d6i tugng ben trong fuIg dVng nhu la mQt t~p tin, mQt thu mvc hay mQt khoa ca sa du li~u. N~u vi~c ki~m tra qua trinh tham chi~u nay khong an toan, ke tin cong co th~ dga theo dS tham chi~u d~n cac dfr li~u rna hQ khong co quy€n truy c~p. j ,,' 4. Cross Site Request Forgery (CSRF): la ki~u tin cong rna nguai dung bi Iqi dVng dS thgc thi nhUng hanh dQng khong mong mu6n ngay tren phi en dang nh~p cua hQ. Thong qua vi~c gui nguai dung mQt lien k~t qua email hay chat, tin ti[tcco thS huang nguai dung thgc thi mQt s6 hanh dQng ngay tren trinh duy~t cua nguai dung (nhu gui bai vi~t, xoa bai vi~t, V.v... ) ~ . ..••..~~ 5. Failure to Restrict URL Acces~: (That b{li trong virc h{ln chi truy clj.p cac URL quiin tr/): Thong thuang dS vao duqc cac duang d&nquan tri thi fuIg dvng phai kiSm tra nguai dung co du quy€n dS truy c~p vao do hay khong r6i mai hiSn thi URL va cac giao di~n quan trj tuong fuIg khac. DS tranh tinh tr\lng nguai dung binh thuang cling truy c~p vao cac URL quan trj, m6i I~n truy c~p vao cac URL nay c~n duqc kiSm tra quy€n kg cang, n~u khong tin ti[tcco th~ truy c~p vao cac URL nay nh~m thgc hi~n cac hanh vi dQc h\li. 6. Be goy s,!, chlmg th,!,Cva quiin Iy phien: NhUng chuc nang cua fuIg dVng lien quan d~n sg chfuIg thgc va sg quan Iy phien lam vi~c thuang khong khai t\lO dung, cho phep tin ti[tctin cong m~t kh.1u, khoa va token cua phien lam vi~c hoi[tckhai thac 16h6ng tir nhung sg khai t\lOnay d~ gan dinh danh mQt nguai su d1,mgkhac. 1 . I I . , 7.Cflu hinh boo mfj.t khfmg an toan: la 16i ]jen quan dSn vi~c di}.tc~u hinh cho ling d1,rng,framework, may chli web, Ung d1,rngmay chli va platform su dl)ng nhfrng gia trj thiSt di}.tmi}.cdinh hoi}.ckh&i t~o va duy tri nhfrng gia tri .. e . .khong an toano .., . ••. ? ~ "';':- ,.; .:".;'".,. > ,.",;" "'. 8~ Chuyen hU'O'ngva chuyen tiep khfmg ilU'(1ckiem tra: Nhieu Ung dl)ng thuimg xuyen chuy€n tiSp hOi}.cclmy€n hu6ng nguai su dl)ng dSn nhfrng trang " i ? .hoi}.cnhfrng website va su dl)ng nhfrng dfr 1i~u chua tin tu6ng de xac dinh nhfrng ,. , ,- > ~. trang dich. Khong co SlJki€m tra phil hqp, tin ti}.cco th€ chuy€n hUOngn~n nhan dSn citc trang gia m~o hoi}.ccactrang co chua rna dQc, hoi}.cchuy€n tiSp dSn cac trang :...rebdoi lam tM tl)Cxac thlJc'nh~m danh c~p thong tin ca nhan. -0 . ..' ...; .-~<'", '. .' . ..; !; "..,.•- '. ~,.': ,..': .:: < -~.. .; ~ ~ ~ ,ilwW ::-'r+s _.. - '" '- ' -~~ __._.- .-:-...•9~Liili;.(rii'.miihoa;khong"an;toan:":.TJng.d~pg.webkhong co CCJ cM bao v~ hoi}.ctuy co CCJ chS m'a hoa va hashi~g(biim) dfr-ii~~ d€~ trfr nhungsu dl)ng khong dung cach dBi vai nhfrng dfr li~u quan tn;mg, nhu la thong tin the tin dl)ng, . thong tin ca nhan va nhfrng thong tin chUng thlJc. Do do tin ti}.cco th€ Iqi dl)ng nhfrng ke h&nay d€ dinh c~p nhfrng' (Iii li~u dn dugc bao v~. ~;~ " ,. _ _ ",;'''',J :~. _~: '" ,'-z _.'" _ _~.:;~ 1 .10. !hieu s{l' biio v~ lOp vfj.n .c~uyen: Cac, Ung .dl)ng khong rna bOa"gfr li~u. khi truyen nhfrng thong tin quan tn;mg, hoi}.cneu co rna hoa thi I~i chi eoth€ su dl)ng cac chUng thlJc hSt h~n hoi}.ckhong hqp I~. j ...'.....~"J' jO:" .. .-: "",,-,.;Ii ~~. : I. , ,. J • . .~ , , . • "'1 .•. .:'. y' . 2 .' PHl) Ll)C 2. THONG TIN THAM KHAo VE CAC TU"ONG LUA , 1. Firewall ckng + Checkpoint (http://www.checkpoint.com) + Juniper (http://www.;uniper.net) + Cisco (http://www.cisco.com) + Endian (http://www.endian.com) + Astaro (http://www.astaro.com) 2. Firewall mJm .•• ~ •••.••• - ..••._-io,." •••.., Ban thuang rn;:!i: . ~. - + .Microsoft Internet Security and Acceleration (ISA) Server (http://www.microsoft.com ) - Ban rni@nphi (rna ngu6n rna): + netfilter/iptables (http://www.netfilter.org) + pfSense (http://www.pfsense.org) + IPCop (http://www.ipcop.org) + Shorewall (http://shorewall.net) + Smooth Wall (http://www.smoothwall.org) + Vyatta (http://www.watta.org) 3. Web Applic~tion FJ~ (WAF) --'"-0,. ., '> , Cac phi en Dim rna nguon,ma WAF pho bien: --.' + WebKnight (http://www.aq ••FOnix.com/?PageJD=99) + ModSecurity (http://www.mod~m':ity.org) + URLScan (http://www.iis.net/downl;~idscan) '" , . , . z~, NgoaJ ra con cac ban WAF thuang rn;:!lno! tIeI:g sau: " + Hyperguard (http://www.artofdefence.com/en/;;;;;.fcts/hvperguard.htm/) ~AWebDefend (http://www.breach.com/products/webdet~rul.htM£;I~."'" . =....====~ + DotDefender (http://www.applicure.com{) ~ + NetScaler application firewalls (http://www.citrix.com) + Eeye' s SecureIIS (http://www.eeye.com/Products/SecurellS- Web-Server- Security. aspx) + Appwall (http://www.radware.com) 3 ModSecurity: la ph~n mSm ngu6n rna co thS ho;:tt dQng nhu mQt module trong may chu Apache ho?c la mQt thanh ph~n dQc I~p. ModSecurity su d\lng biSu thuc chinh quy trong vi~c bao v~may chu web tiT cac cUQctfrn cong duqc xac djnh truac dva theo cac dfru hi~u ho?c cac cUQctfrn cong bfrt thuemg khac. Ben c;:tnhdo, ModSecurity cung co kha nang IQc cac sieu ky tv do ngueri dung chen vao tmg d\lng web. Toan bQ qua trinh cai d?t va cfru hinh co thS tham khao them t;:ti:http://www.modsecurity.org/documentation URLScan: la mQt san ph~m cua Microsoft danh rieng cho cac may cM web lIS. URL scan khong chi bao v~ may cM lIS 6 khoi cac diSm y~u tiT cac phien ban cu han rna con cung cfrp them cac bi~n phap bao v~ khac nhu IQcdfr Ii~u rna _~"'. __ hoa.trenURLho?c'Ii;>c.cac.sieu.ky tv do ngueri dung chen vao dS chdng I;:ticac lo;:titfrn cong nhu XSS, SQL Injection, v.v ... Tham khao cach cai d?t va SIT d\lng URLScan t;:ti:http://www.iis.net/download~urlscan i I •• " 'I( '".'.'.'i'. \: .,~'\_.:,... t.'~ , .,,," 4 .'. • PHl) Ll)C 3. THONG TIN THAM KHAo VE cAc pHAN MEM CHONG VIRUS vA BAo VJ!:AN ToAN MAY TiNH cA NHAN ,I. Ban san xuiit trong nU'uc: + BKA V (http://www.bkav.com.vn) + CMC AntiVirus (http://www3.cmcinfOsec.com) 2. Ban thU'O'ngm{li nu'uc ngoai: + AirScanner (www.airscanner.com) + BitDefender (www.bitdetender.com) + Computer Associates (wwlv.ca.com) _'''-••i'-' '.' -- -_.~.;::.::..- -- - + F-Secure (www.fsecure.com) + Kaspersky (www.kaspersky.com) + McAfee (www.mcatee.com ) + Symantec (www.svmantec.com) + Trend Micro (trendmicro.com) + Avast (www.avast.com) + Avira (www.avira.com) 3. Ban miin phi: + Avast Free AntiVirus (http://www.avast.com) + Avira AntiVir Personal Free (http://www.avira.com) + Microsoft SecurityEssentials (http://www.microsoft.com) + Panda Cloud AntiVirus (http://www.pandasecurity.com) + Comodo Internet Security (http://comodo.com) + AVG AntiVirus (http://wwwfree.avgcom) ~. -- -. 5