HTTP authentication security
My client needs a simple database CMS faster than I can tackle the ins and outs and security flaws of register globals, SQL injection, and cookie filtering.
I installed phpMyEdit and secured the edit page with .htaccess. For the security experts, does this provide at least a moderate level of security?
Comments (3)
It is a moderate level of security, yes.
The attack you need to be aware of is a brute-force attack where a bad guy tries different username and password combinations over and over. To fix this you can lock a user out after n (10 is reasonable) failed login attempts.
There are lots of ways to configure htaccess files as far as valid users go, but depending on the source you are using, be extra careful about there being any default or guest-type users that your htaccess would let in.
It all comes down to things that no one here has a way of knowing, like whether the passwords are secure or if you've bungled up somehow. If you want assurance that HTTP authentication works, then yes, it does work. There's also more than one way you can set it up, so just calling it "htaccess security" is ambiguous. All in all, simply make sure you haven't left any parts accessible to the public and that the passwords aren't "123" or "qwerty", and you'll be fine (probably).
I also recommend IP-protecting your protected directories or files for admin.
Also, I can't be OK with automated programs; you just need more practice. You have to be aware of the most-used hacking tricks, so just read more and more about SQL injection and so forth...
Good luck
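The setup the answers above describe (HTTP Basic auth on the edit directory, plus the IP restriction the last answer recommends), as an added example that is not from the original thread; the password file path, realm name and addresses are placeholders you would replace with your own:

```apache
# Added example (not from the thread): Apache 2.4 .htaccess for the phpMyEdit
# edit directory. Requires mod_auth_basic, mod_authn_file and mod_authz_core.
AuthType Basic
AuthName "Restricted edit area"

# Keep the password file OUTSIDE the web root so it can never be served.
# Create it with bcrypt hashes rather than the old crypt/MD5 formats:
#   htpasswd -B -c /etc/apache2/phpmyedit.htpasswd editor
AuthUserFile /etc/apache2/phpmyedit.htpasswd

# Basic auth sends the password in cleartext on every request, so refuse
# plain HTTP for this directory (directive provided by mod_ssl).
SSLRequireSSL

# BOTH conditions must hold: a valid account AND an allowed client address.
# Do not use <RequireAny> here; that would admit anyone coming from the
# listed addresses without a password at all.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24 192.0.2.10
</RequireAll>
```

Apache itself does not lock an account after n failed attempts as the first answer suggests; that is normally done by a log watcher such as fail2ban reading the "user ... authentication failure" lines from the error log and blocking the source address for a while.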