WEB应用防护系统说明书

深信服虚拟化Web应用防火墙云WAF 用户手册产品版本8.0.28文档版本 01发布日期2021-03-12深信服科技股份有限公司版权所有©深信服科技股份有限公司 2020。

保留一切权利。

除非深信服科技股份有限公司（以下简称“深信服公司”）另行声明或授权，否则本文件及本文件的相关内容所包含或涉及的文字、图像、图片、照片、音频、视频、图表、色彩、版面设计等的所有知识产权（包括但不限于版权、商标权、专利权、商业秘密等）及相关权利，均归深信服公司或其关联公司所有。

未经深信服公司书面许可，任何人不得擅自对本文件及其内容进行使用（包括但不限于复制、转载、摘编、修改、或以其他方式展示、传播等）。

注意您购买的产品、服务或特性等应受深信服科技股份有限公司商业合同和条款的约束，本文档中描述的全部或部分产品、服务或特性可能不在您的购买或使用范围之内。

除非合同另有约定，深信服科技股份有限公司对本文档内容不做任何明示或默示的声明或保证。

由于产品版本升级或其他原因，本文档内容会不定期进行更新。

除非另有约定，本文档仅作为使用指导，本文档中的所有陈述、信息和建议不构成任何明示或暗示的担保。

前言关于本文档本文档针对深信服虚拟化Web应用防火墙产品，介绍了云WAF的架构、特性、安装和运维管理。

产品版本本文档以下列产品版本为基准写作。

后续版本有配置内容变更时，本文档随之更新发布。

读者对象本手册建议适用于以下对象：⚫网络设计工程师⚫运维人员符号约定在本文中可能出现下列标志，它们所代表的含义如下。

在本文中会出现图形界面格式，它们所代表的含义如下。

修订记录修订记录累积了每次文档更新的说明。

最新版本的文档包含以前所有文档版本的更新内容。

资料获取您可以通过深信服官方网站获取产品的最新资讯：获取安装/配置资料、软件版本及升级包、常用工具地址如下：深信服科技深信服技术服务技术支持用户支持邮箱：*******************.cn技术支持热线电话：400-630-6430（手机、固话均可拨打）深信服科技服务商及服务有效期查询：https:///plugin.php?id=service:query意见反馈如果您在使用过程中发现任何产品资料的问题，可以通过以下方式联系我们。

雷池（SafeLine）Web应用防火墙用户操作手册版本2.1目录1产品概述 (7)1.1产品介绍 (7)1.2核心优势 (7)1.2.1智能语义分析技术 (7)1.2.2 0day漏洞防护能力 (7)1.2.3高度自定义的扩展能力 (8)1.2.4上手简单、管理高效 (8)2登录 (9)2.1上传许可证 (9)2.2登录雷池管理后台 (10)2.2.1密码认证 (10)2.2.2证书认证 (10)3统计信息 (12)3.1防护状态总览 (12)3.1.1防护状态总览查看 (12)3.1.2数据展示详情介绍 (12)3.2防护报告导出 (20)3.2.1定时报告任务 (20)3.2.2防护报告 (22)3.3实时访问监控 (27)3.4攻击检测统计 (28)3.5实时大屏 (28)3.5.1大屏信息 (29)3.5.2大屏配置 (29)4网络管理 (31)4.1网络接口配置 (31)4.1.1网络接口管理 (31)4.1.2工作组管理 (34)4.1.3 19.09版本透明桥/流量镜像模式配置更新说明 (38)4.2管理服务配置 (39)4.2.1 SSH 管理 (40)4.2.2 SNMP 管理 (41)4.2.3 Web 管理 (45)4.2.4 PING 管理 (46)4.2.5管理时间配置 (46)4.3高可用配置 (48)4.3.1高可用配置 (49)4.3.2高可用状态 (49)4.4域名解析配置 (49)4.5路由管理 (51)4.5.1默认网关配置 (51)4.5.2路由表管理 (51)4.6网络诊断工具 (52)5网站防护 (56)5.1防护站点管理 (56)5.1.1防护站点详情 (59)5.1.2防护站点配置 (61)5.2防护策略管理 (69)5.2.1配置说明 (71)5.2.2攻击检测模块说明 (72)5.2.3防护策略管理常用操作指南 (82)5.3自定义规则 (83)5.3.1自定义规则检测说明 (84)5.3.2自定义规则配置说明 (85)5.3.3自定义规则高级选项配置 (89)5.3.4自定义规则操作说明 (90)5.3.5自定义规则的导入导出 (91)5.4访问频率控制 (92)5.4.1访问频率限制规则 (92)5.4.2不限制这些用户 (97)5.5SSL 证书管理 (99)5.6IP组管理 (101)5.6.1添加IP组 (101)5.6.2删除IP组 (102)5.6.3 IP组筛选 (103)5.7扩展插件管理 (104)5.8情报模块 (105)5.8.1情报同步配置 (106)5.8.2情报同步状态 (107)5.8.3情报同步信息 (107)5.8.4威胁情报-自定义规则 (108)6日志管理 (110)6.1攻击检测日志 (110)6.2频率访问日志 (119)6.3扩展插件日志 (120)6.4系统操作日志 (120)6.5日志归档管理 (120)6.5.1攻击检测日志归档 (120)6.5.2访问频率控制日志归档 (123)6.5.3扩展插件日志归档 (123)6.5.4系统操作日志归档 (123)7系统设置 (124)7.1告警收信配置 (124)7.1.1设置告警人接收人 (124)7.1.2设置SYSLOG发信格式 (126)7.1.3告警阈值配置 (132)7.1.4邮件发信配置 (134)7.2系统用户设置 (135)7.2.1查看和编辑用户信息 (135)7.2.2添加一个新用户 (137)7.2.3删除用户 (140)7.2.4用户管理配置 (141)7.3配置备份还原 (145)7.3.1查看及新建备份 (145)7.3.2下载及删除备份 (146)7.3.3还原备份 (147)7.4其他系统设置 (148)7.4.1上传及更新HTTPS证书 (148)7.4.2配置管理后端用户IP的获取方式 (149)7.4.3系统时间设置 (150)7.4.4数据重置 (151)8系统信息 (153)8.1节点状态 (153)8.1.1负载状态 (153)8.1.2网络状态 (153)8.1.3检测状态 (153)8.1.4转发状态 (153)8.1.5磁盘状态 (153)8.1.6历史数据查询 (154)8.2系统固件信息 (155)8.2.1当前固件版本 (155)8.2.2固件升级 (155)8.3许可证信息 (156)8.3.1当前许可证信息版本 (156)8.3.2许可证更新 (156)8.4关于产品 (156)9个人中心 (157)9.1个人信息 (157)9.2使用偏好 (157)9.3OPEN API (158)9.3.1查看和编辑OPEN API TOKEN (158)9.3.2添加OPEN API TOKEN (159)9.3.3删除OPEN API TOKEN (162)1产品概述1.1产品介绍雷池（SafeLine）是由长亭科技自主研发的全球首款基于智能语义分析技术的下一代Web 应用防护产品，曾入围Gartner 2018 《Web应用防火墙魔力象限报告亚太版》。

Version2.8.3版本说明本手册包含了WAF_2.5版本以及后续版本的版本说明，主要介绍了各版本的新增功能、已知问题等内容。

l WAF2.8.3l WAF2.8l WAF_2.7.3l WAF_2.7.1l WAF_2.7l WAF_2.6.5l WAF_2.6l WAF_2.5.1l WAF_2.5WAF2.8.3发布日期：2021年11月19日本次发布主要支持如下功能：l新增WAF国产平台型号SG-6000-W5160-GC，采用飞腾8核处理器，性能更加强大。

l支持识别、转发非HTTP协议流量（HTTP站点）和非SSL协议流量（HTTPS站点），可精准防护HTTP协议流量，同时识别、转发非HTTP协议流量，兼顾用户的安全需求和业务需求。

l基于ARM架构的vWAF以及SG-6000-W5160-GC和SG-6000-W3060-GC支持漏洞扫描功能。

版本发布相关信息：https:///show_bug.cgi?id=25662平台和系统文件新增功能已解决问题已知问题浏览器兼容性以下浏览器通过了WebUI测试，推荐用户使用：l IE11l Chrome获得帮助Hillstone Web应用防火墙设备配有以下手册：请访问https://进行下载。

l《Web应用防火墙_WebUI用户手册》l《Web应用防火墙_CLI命令行手册》l《Web应用防火墙_硬件参考指南》l《Web应用防火墙典型配置案例手册》l《Web应用防火墙日志信息参考指南》l《Web应用防火墙SNMP私有MIB信息参考指南》l《vWAF_WebUI用户手册》l《vWAF_部署手册》l《WAF国产系列_硬件参考指南》服务热线：400-828-6655官方网址：https://WAF2.8发布日期：2021年9月17日本次发布主要支持如下功能：l vWAF支持部署在基于鲲鹏和飞腾架构的虚拟化平台上。

l支持多虚拟路由器模式，站点可通过绑定不同的虚拟路由器对Web网站进行精细化防护。

While web applications are now an integral part of every company’s core business infrastructure, they also provide a high profile target for malicious activities. These malicious activities can range from simple defacement attacks to more damaging denial of service attacks or data harvesting attacks. The more serious malicious activity can result in damage to customer confidence and loyalty, brand reputation, and corporate credibility. Mandated by the Payment Card and Industry Data Security Standard (PCI DSS) regulatory framework, the protection of web applications are a tremendous challenge that traditional security tools are unable to solve.The FortiWeb-1000B appliance protects web applications and web services from attacks and data loss. Using advanced techniques to protect against SQL injection, Cross site scripting and a range of other attacks, FortiWeb appliances help to prevent identity theft, financial fraud, and corporate espionage that can result in significant damage to a corporation’s bottom-line. With Web Application Firewall, XML Firewall, Web Traffic Acceleration, and Application Traffic Balancer capabilities built into one hardware accelerated platform, the FortiWeb-1000B appliance meets data security standards, reduces deployment effort, and offers cost-effective web application security for any medium or large enterprise.FortiWeb ™-1000BMedium Enterprise Large EnterpriseCombined Web Application and XML Firewall••••••••••••••••••Datasheet••••••••••••••••••Inline Reverse Proxy, Transparent, and Offline Deployment ModesAuto-Learning Security ProfilesFortiWeb-1000B (FWB-1000B)FLEXIBLE DEPLOYMENT OPTIONSFortiWeb supports inline reverse proxy, transparent, and offline deployment modes. It provides a totally flexible solution to introduce FortiWeb into existing network implementations without the need for a network-level redesign. The offline mode and transparent mode can monitor and analyze real time web traffic, without requiring changes to the existing web application or network infrastructure.Copyright© 2009 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.FWB1000B-DAT-R1-0909GLOBAL HEADQUARTERS Fortinet Incorporated1090 Kifer Road, Sunnyvale, CA 94086 USA Tel +1-408-235-7700 Fax +/sales EMEA SALES OFFICE-FRANCE Fortinet Incorporated 120 rue Albert Caquot06560, Sophia Antipolis, France Tel +33-4-8987-0510 Fax +33-4-8987-0501APAC SALES OFFICE-SINGAPORE Fortinet Incorporated 61 Robinson Road#09-04 Robinson Centre Singapore 068893Tel: +65-6513-3730Fax: +65-6223-6784。

Executive SummaryFortiWeb Cloud Web Application Firewall-as-a-Service (WAFaaS) deliversfull-featured, cost-effective security for web applications with a minimumof configuration and management. Delivered through major cloud platforms, including AWS, Azure, Google Cloud, and Oracle Cloud, FortiWeb Cloud features a high level of scalability as well as on-demand pricing. While FortiWeb Cloud can protect applications deployed in the data center or in the cloud, customers who host their applications on these public clouds can achieve benefits such as reduced latency, simplified compliance, and lower bandwidth costs. Securing Web ApplicationsCloud service providers and application owners share the responsibility for securing web applications deployed to the cloud. This arrangement has advantages in that providers typically deploy robust security for the platform itself, removing that burden from the application owner. However, securing the application itself rests squarely with the owner, a stipulation that AWS1 and other providers make clear in their service agreements.Best practices for web application security include the deployment of a WAF as the cornerstone of a comprehensive security solution. WAFs use a combination of rules, threat intelligence, and heuristic analysis of traffic to ensure that malicious traffic is detected and blocked before reaching web applications.The task of protecting on-premises application software typically falls to a security architect or other security professional within the CIO or CISO organization.In contrast, the DevOps team often fills this role for cloud-based applications, consistent with DevOps principles of end-to-end responsibility and cross-functional, autonomous teams. As a result, DevOps teams need the right tools to embed effective security controls into their process—simply repurposing traditional workflows and processes will not do the job. Also, the additional workload of managing WAFs consumes valuable time on the part of DevOps teams and can elongate time-to-release cycles and inhibit continuous improvement efforts.FortiWeb Cloud Features nn Advanced protection against OWASP Top 10 threats, zero-day threats, and morenn Purchasing flexibility—buy directly through a cloud marketplace or your preferred resellernn Easy deployment with a setup wizard and predefined policiesnn Streamlined management with an intuitive dashboard for end-to-end security visibility and managementnn Delivered on public cloud, including AWS, Azure, Google Cloud, and Oracle Cloud, which offers low latencyand unmatched elasticity and scalabilityCloud-native Solution for Web Application Security: FortiWeb Cloud WAF-as-a-Service for AWS, Azure, Google Cloud, and Oracle Cloud SOLUTION BRIEFThe Expanding Attack SurfaceThe threat landscape today can be daunting for organizations considering a move to the cloud. More than three-quarters of successful attacks are motivated by financial gain,2 which can take the form of ransomware, exfiltration of valuable personal information, or compromised intellectual property. Furthermore, breaches happen fast—87% take place in just minutes 3—and most go undiscovered for months or more (Figure 1).4Internet-facing web applications pose unique security challenges compared to traditional solutions deployed within theorganization’s network perimeter. Every time a company deploys a new internet-facing web application, the attack surface grows. As DevOps teams accelerate the rate of development and new releases, the attack surface evolves more rapidly than ever. This expanded attack surface challenges traditional approaches to application security.Enhanced Protection With FortiWebTo address the diverse needs of organizations for web application security, Fortinet offers the FortiWeb family of solutions.FortiWeb WAF provides advanced features that defend web applications from known and zero-day threats. Using an advanced multilayered and correlated approach, FortiWeb delivers complete security for external and internal web-based applications from the OWASP Top 10 and many other threats. At the heart of FortiWeb are its dual-layer artificial intelligence (AI)-based detection engines that intelligently detect threats with nearly no false-positive detections.FortiWeb Cloud WAF-as-a-ServiceDesigned for web applications that demand the highest level of protection, FortiWeb Cloud provides robust security that is simple to deploy, easy to manage, and cost effective. With FortiWeb Cloud, DevOps teams and security architects alike have access to the same proven detection techniques used in other FortiWeb form factors without the need for costly capitalinvestments. Unlike solutions that simply spin up virtual machines for each customer and increase the management workload, FortiWeb Cloud delivers a true Software-as-a-Service (SaaS) solution that leverages public cloud to offer highly scalable and low-latency application security.FortiWeb VMFortiWeb VM is an enterprise-class offering that provides the FortiWeb functionality in a virtual form factor. Designed forhybrid environments, the virtual version of FortiWeb includes protection for container-based applications. FortiWeb VM can be deployed in VMware, Microsoft Hyper-V, Citrix XenServer, Open Source Xen, VirtualBox, KVM, and Docker platforms.of breaches are financially removed.76%of compromise take minutes or less.87%30JAN of threats go undiscovered for a month or more.68%Figure 1: Threat statistics from recent published studies.uses machine learning (ML)-enabled technology to minimize false positives while accurately identifying real threats.Figure 3: FortiWeb Cloud dashboard.Attacks/ThreatsApplication C o r r e l a t i o n U s e r /D e v i c e T h r e a t S c o r i n gFigure 2: Common attack vectors and remediation techniques.Easy to Deploy and Manage FortiWeb Cloud enables rapid application deployments in the public cloud while addressing compliance standards and protecting business-critical web applications. To facilitate use by nonsecurity professionals, FortiWeb Cloud comes with a setup wizard and a default configuration that can be easily modified to meet individual requirements. FortiWeb Cloud delivers cloud-native application security that can be deployed in minutes. After going through the setup wizard, simply update your DNS setting and your web application is protected.Busy DevOps staff have no time for extensive WAF training. To address this issue, FortiWeb Cloud features an intuitive real-time dashboard that allows DevOps staff and other nonsecurity professionals to see and understand quickly the security status of their web applications (Figure 3).Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.April 6, 2021 11:46 PMInternet Data transfer fees included in FortiWeb subscription Intra-region data transfer feesCost-effective SecurityAs a cloud-native SaaS solution, FortiWeb Cloud features lower capital expenditures (CapEx) and operational expenditures (OpEx) compared to on-premises solutions. AWS, Azure, Google Cloud, and Oracle Cloud provide the hardware and software components of the infrastructure, virtually eliminating the need for capital investments as well as the operating costs associated with platform maintenance. By removing the burden of maintaining and upgrading the platform, customers can focus on improving the application and delivering business value to their organizations.The SaaS business model—pay only for what you use—gives customers flexibility in managing their security budgets as well as the ability to institute chargebacks and other cost-control measures. Customers who host their applications on these clouds can reduce costs significantly because they must only pay data transfer fees for traffic from the application to the WAF—as the data transfer costs for outbound traffic are included in the FortiWeb subscription (Figure 4).Figure 4: Data transfer fees for applications hosted on public clouds.Conclusion Utilizing a comprehensive, correlated, multilayer approach to web application security, FortiWeb Cloud protects web-based applications from all of the Top 10 OWASP security risks and many more. Unique among WAFs on the market, FortiWeb Cloud leverages ML capabilities to detect both known and unknown exploits targeting web applications with almost no false positives. Delivered via public cloud providers including AWS, Azure, Google Cloud, and Oracle Cloud, FortiWeb Cloud features low latency and high elasticity and can easily and quickly scale to accommodate changes in traffic. Further, FortiWeb Cloud keeps web applications safe from vulnerability exploits, bots, malware uploads, DDoS attacks, APTs, and zero-day attacks.1 “Shared Responsibility Model ,” AWS, accessed June 20, 2019.2 “2018 Data Breach Investigations Report ,” Verizon, accessed June 18, 2019.3Ibid.4 Ibid.5 “OWASP Top 10-2017: The Ten Most Critical Web Application Security Risks ,” OWASP, accessed May 25, 2018.。

H3C SecPath Web应用防火墙安全手册杭州华三通信技术有限公司资料版本：APW100-20150612Copyright © 2015 杭州华三通信技术有限公司及其许可者 版权所有，保留一切权利。

未经本公司书面许可，任何单位和个人不得擅自摘抄、复制本书内容的部分或全部，并不得以任何形式传播。

H3C 、、H3CS 、H3CIE 、H3CNE 、Aolynk 、、H 3Care 、、IRF 、NetPilot 、Netflow 、SecEngine 、SecPath 、SecCenter 、SecBlade 、Comware 、ITCMM 、HUASAN 、华三均为杭州华三通信技术有限公司的商标。

对于本手册中出现的其它公司的商标、产品标识及商品名称，由各自权利人拥有。

由于产品版本升级或其他原因，本手册内容有可能变更。

H3C 保留在没有任何通知或者提示的情况下对本手册的内容进行修改的权利。

本手册仅作为使用指导，H3C 尽全力在本手册中提供准确的信息，但是H3C 并不确保手册内容完全没有错误，本手册中的所有陈述、信息和建议也不构成任何明示或暗示的担保。

技术支持用户支持邮箱：***************技术支持热线电话：400-810-0504（手机、固话均可拨打）网址：资料获取方式您可以通过H3C 网站（ ）获取最新的产品资料：H3C 网站与产品资料相关的主要栏目介绍如下：•[服务支持/文档中心]：可以获取硬件安装类、软件升级类、配置类或维护类等产品资料。

•[产品技术]：可以获取产品介绍和技术介绍的文档，包括产品相关介绍、技术介绍、技术白皮书等。

•[解决方案]：可以获取解决方案类资料。

• [服务支持/软件下载]：可以获取与软件版本配套的资料。

资料意见反馈如果您在使用过程中发现产品资料的任何问题，可以通过以下方式反馈：E-mail ：************感谢您的反馈，让我们做得更好！环境保护本产品符合关于环境保护方面的设计要求，产品的存放、使用和弃置应遵照相关国家法律、法规要求进行。

密级：限定发布南墙WEB应用防火墙使用手册V1.8“不撞南墙不回头”版权声明© 2005-2022，有安科技本文中出现的任何文字叙述、文档格式、插图、照片、方法、过程等内容，除另有特别注明，版权均属有安科技所有，受到有关产权及版权法保护。

任何个人、机构未经书面授权许可，不得以任何方式复制或引用本文件的任何片断。

目录1产品概述 (1)1.1产品介绍 (1)1.2技术优势 (2)1.2.1先进语义引擎 (2)1.2.2智能0day防御 (2)1.2.3高级规则引擎 (2)2使用介绍 (3)2.1登录管理 (3)2.1.1登录界面 (3)2.1.2安全态势 (4)2.2功能介绍 (5)2.2.1规则管理 (5)2.2.2攻击查询 (6)2.2.3站点管理 (7)2.2.4用户设置 (7)2.2.5系统信息 (8)3规则介绍 (9)3.1高级规则 (9)4关于我们 (16)4.1技术能力 (16)4.2团队力量 (17)1产品概述1.1产品介绍南墙WEB应用防火墙（简称：uuWAF）是有安科技推出的一款全方位网站防护产品。

通过有安科技专有的WEB入侵异常检测等技术，结合有安科技团队多年应用安全的攻防理论和应急响应实践经验积累的基础上自主研发而成。

协助各级政府、企/事业单位全面保护WEB应用安全，实现WEB服务器的全方位防护解决方案。

手册适合的对象:《南墙WEB应用防火墙使用手册》适用于希望了解本产品功能，并熟练掌握产品的配置及日常操作维护的运维人员。

公司联系方式 :用户可以通过如下的联系方式详细了解该产品：⚫市场销售：邮箱：***************⚫支持服务：邮箱：***************⚫官方站点：网址：1.2技术优势1.2.1先进语义引擎南墙采用业界领先的SQL、XSS、RCE、LFI 4种基于语义分析的检测引擎，结合多种深度解码引擎可对base64、json、form-data等HTTP内容真实还原，从而有效抵御各种绕过WAF的攻击方式，并且相比传统正则匹配具备准确率高、误报率低、效率高等特点，管理员无需维护庞杂的规则库，即可拦截多种攻击类型。

网站防护体系说明书随着IT技术的革新，各种病毒层出不穷，服务器和网站受到的攻击方式也越来越多。

为了确保“XXXX”网站的安全运行，在维护时主要从网站源码、防火墙设置、安全软件等方面来加强网站的安全性和自主防御能力。

一、网站源码自身防御体系网站的防御需要从源码开始做起，在代码开发时，开发人员要根据常见的Web攻击原理，在源码中添加有针对性的防御代码，做好网站防御体系的最后一道防线。

（一）、SQL注入防护措施：1.对用户的输入进行校验，可以通过正则表达式，或限制长度；对单引号和双"-"进行转换等。

2.尽量少使用动态拼装sql语句，可以使用参数化的sql或者直接使用存储过程进行数据查询存取。

3.不要直接使用管理员权限的数据库连接，为每个应用使用单独的权限有限的数据库连接。

4.不要把机密信息直接存放，加密存放密码和敏感的信息。

5.应用的异常信息应该给出尽可能少的提示，最好使用自定义的错误信息对原始错误信息进行包装6.sql注入的检测方法一般采取辅助软件或网站平台来检测，比如MDCSOFTSCAN等。

使用国产服务器安全软件“服务器安全狗”可以有效的防御SQL 注入。

（二）、跨站脚本攻击(XSS)防护措施：1.对信息进行过滤和验证对用户提交的数据进行有效性验证，仅接受指定长度范围内并符合我们期望格式的的内容提交，阻止或者忽略除此外的其他任何数据。

比如：电话号码必须是数字和中划线组成，而且要设定长度上限。

过滤一些些常见的敏感字符，例如：<>‘“&#\javascriptexpression"onclick=""onfocus"；过滤或移除特殊的Html 标签，例如:<script>，<iframe>，&lt;for<，&gt;for>，&quotfor；过滤JavaScript事件的标签，例如"onclick="，"onfocus"等。