If you quote or repost this content, please credit the source and link to this blog; otherwise it will be treated as infringement.

16 April 2021

Zhuge Liang attended to every matter personally; business managers should take it as a warning

Author: Fred F.M. Wang (FW知識瑣記) Date: 2021-4-16

The biography of Zhuge Liang in the Records of the Three Kingdoms says: "After Bei passed away, his heir was young and weak, and all affairs, great and small, Liang handled himself" ("及備殂沒,嗣子幼弱,事無巨細,亮皆專之"), and "In affairs of state, great and small, every decision rested with Liang" ("政事無巨細,咸決於亮"). Both show that Zhuge Liang attended to everything personally.

Zhuge Liang's habit of attending to everything personally is something every business manager should take as a warning. The problems and consequences of this habit are summarised below:

Distrust of subordinates

Because he did not trust them, he did everything himself. A person's energy is finite; spending it all on trivial administrative work inevitably leaves none for longer-term work such as developing talent.

Business managers must understand that running a company cannot rest on their own ability alone; building a strong team is essential. Doing everything personally deprives subordinates of the chance to train and improve, so they rarely mature into capable people and instead become dependent on the leader, lacking the independence to handle matters themselves. Zhuge Liang bears the main responsibility for the dearth of talent in Shu's later years, the situation summed up by the saying "with no great general left in Shu, Liao Hua leads the vanguard" (蜀中無大將,廖化作先鋒).

No delegation of responsibility in the organisational structure

Yang Yong, registrar to the Chancellor, once said to Zhuge Liang: "Governing a state is like managing a household: there is an established structure and a fixed division of labour. Take a household: the servants plough, the maids cook, the rooster announces the dawn, the dog guards against thieves, the ox carries loads and the horse travels far. Each attends to its own duty, everything is in order, and the master can rest easy and eat and live in peace. If the master handles everything himself instead of assigning work, he only wears himself out in body and mind and accomplishes nothing in the end. Is the master's intelligence inferior to that of his servants, chickens and dogs? No; it is that he has violated the rules of being a master." Yang Yong then cited the examples of Bing Ji and Chen Ping to show the importance of delegated responsibility. (Source: Wikipedia, "楊顒")

Failure to judge people

A manager must understand the strengths, abilities and character of talented people and place each in a suitable role so that their abilities can be fully used. Zhuge Liang kept suppressing a great general like Wei Yan, while Ma Su, an outstanding strategist and a good staff officer, was given command of a large army. For more cases, see the article "諸葛亮的用人不當,蜀國被埋沒的人才" (Zhuge Liang's misuse of people and the buried talent of Shu).

Too harsh on subordinates

Zhuge Liang lacked the tolerance of Cao Cao, Liu Bei, Sun Quan and Sima Yi. Killing first Liu Feng, then Ma Su and Wei Yan, caused Shu enormous losses of talent.

Overwork

According to the Wei Shi Chunqiu (魏氏春秋), an envoy of Zhuge Liang once went on a mission to Wei. Sima Yi asked the Shu envoy how Zhuge Liang managed affairs of state. The envoy replied: "The Chancellor labours over state affairs day and night, rising early and retiring late. Any punishment of twenty strokes or more he handles personally." Sima Yi then asked about Zhuge Liang's diet, and the envoy said frankly: "The Chancellor's daily food does not amount to even a few sheng." Hearing this, Sima Yi sighed deeply: "Zhuge Liang will not live long." In the end Zhuge Liang did indeed die of overwork.


Reference: 每日頭條

13 April 2021

Apache website security settings (2): Apache security configuration notes

Author: Fred F.M. Wang (FW知識瑣記) Date: 2021/4/13

The author has collected some articles on Apache security settings from the web and summarised them here as a reminder.

Basic security settings

httpd.conf (xampp on linux: /etc/httpd/conf/httpd.conf)

Hide Apache version information and other sensitive information: disable the server-info handler by commenting out mod_info

#LoadModule info_module modules/mod_info.so

Hide Apache version information and other sensitive information: disable the server-status handler

#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .your_domain.com
#</Location>

Hide Apache version information and other sensitive information: turn off the ServerSignature directive

ServerSignature Off

Hide Apache version information and other sensitive information: set the ServerTokens directive to Prod

ServerTokens Prod

Set the account Apache runs as. By default Apache runs as the daemon user and group; a non-default account is recommended.

User <user name>
Group <group name>

ex:

User http-web
Group http-web

Restrict Apache to the web root only (網站根目錄 below stands for the path of your web root)

<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

<Directory 網站根目錄>
    Order Allow,Deny
    Allow from all
</Directory>

(Order, Deny and Allow are the Apache 2.2 access-control syntax; on Apache 2.4 they need mod_access_compat, and the native equivalents are Require all denied and Require all granted.)

Disable directory listing

<Directory 網站根目錄>
    Options -Indexes
</Directory>

Restrict unwanted services (CGI execution and server-side includes)

<Directory 網站根目錄>
    Options -ExecCGI -Includes
</Directory>

Enable logging: enable the mod_log_config module, set the log format and specify the log file location

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" detailed
CustomLog logs/access.log detailed

Disable LoadModule lines you do not need by putting a # in front of them, and enable only the necessary modules. The following modules, for example, are usually enabled but usually not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex.
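As an added check (not part of the original notes), the Python script below audits the text of an httpd.conf against the items above: ServerTokens, ServerSignature, the unneeded modules, the default daemon account and an active server-status or server-info handler. The config fragment and the function names (audit_httpd_conf, active_lines) are the author of this example's own and are constructed for the demonstration.

```python
import re

# Constructed sample httpd.conf fragment (not any real server's config): it
# still carries the defaults the checklist above says to change.
SAMPLE_CONF = """\
ServerTokens OS
ServerSignature On
LoadModule info_module modules/mod_info.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule autoindex_module modules/mod_autoindex.so
User daemon
Group daemon
<Location /server-status>
    SetHandler server-status
</Location>
"""

# Modules the notes list as "usually enabled but usually not needed".
UNNEEDED_MODULES = ("imap", "include", "info", "userdir", "autoindex")


def active_lines(conf):
    """Return non-empty, non-comment lines stripped of surrounding whitespace."""
    lines = (line.strip() for line in conf.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def audit_httpd_conf(conf):
    """Return one finding per checklist item the configuration does not meet."""
    lines = active_lines(conf)
    findings = []
    if "ServerTokens Prod" not in lines:
        findings.append("ServerTokens is not Prod")
    if "ServerSignature Off" not in lines:
        findings.append("ServerSignature is not Off")
    for mod in UNNEEDED_MODULES:
        # A commented-out LoadModule line never reaches active_lines, so it passes.
        if any(re.match(rf"LoadModule\s+{mod}_module\b", line) for line in lines):
            findings.append(f"mod_{mod} is loaded")
    if any(re.match(r"(User|Group)\s+daemon$", line) for line in lines):
        findings.append("Apache runs as the default daemon user/group")
    if any(re.match(r"SetHandler\s+server-(status|info)$", line) for line in lines):
        findings.append("server-status/server-info handler is active")
    return findings
```

Run it over your own httpd.conf text; an empty list means every item on the checklist above is satisfied.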


Security modules


Mod_Security

Description: ModSecurity is an open-source web application firewall (WAF) module. Its functions include filtering, server identity masking and null-byte attack prevention, and it can also perform real-time traffic monitoring. It can block SQL injection and cross-site scripting attacks (note 1).

The module was developed by Ivan Ristic, author of the O'Reilly book "Apache Security".

Installation (RHEL/CentOS/Fedora):

# yum install mod_security
# /etc/init.d/httpd restart

Installation (Ubuntu/Debian):

$ sudo apt-get install libapache2-modsecurity
$ sudo a2enmod mod-security
$ sudo /etc/init.d/apache2 force-reload

ModSecurity-related settings:

SecChrootDir /chroot/apache

Run Apache in a chroot environment: chroot runs a program in its own isolated jail. See the mod_security documentation for details.

Mod_evasive

It limits the damage a DDoS attack can do: mod_evasive handles HTTP brute-force attacks and DoS or DDoS attacks. The module detects attacks by three methods:

  •  many requests for the same page arrive a few times per second;
  •  a child process tries to make more than 50 concurrent requests;
  •  an IP keeps trying to make new requests while it is temporarily blacklisted.

For details see Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security and Mod_evasive Modules.
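The Python script below is an added example, not code from these notes or from mod_evasive: it parses access.log lines written with the "detailed" LogFormat from the logging section above and flags hosts that hit one page more than a set number of times within a single second, which is the first of mod_evasive's three detection methods applied offline to the log. The log lines are constructed, and the names parse_log and flag_page_floods are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# One line of the "detailed" LogFormat from the logging section above:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access.log lines (not from any real server): one client sends four
# POSTs to /login.php in one second; the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2021:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Apr/2021:10:00:02 +0800] "POST /login.php HTTP/1.1" 401 120 "-" "curl/7.68.0"
198.51.100.9 - - [13/Apr/2021:10:00:02 +0800] "POST /login.php HTTP/1.1" 401 120 "-" "curl/7.68.0"
198.51.100.9 - - [13/Apr/2021:10:00:02 +0800] "POST /login.php HTTP/1.1" 401 120 "-" "curl/7.68.0"
198.51.100.9 - - [13/Apr/2021:10:00:02 +0800] "POST /login.php HTTP/1.1" 401 120 "-" "curl/7.68.0"
203.0.113.7 - - [13/Apr/2021:10:00:03 +0800] "GET /about.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"
this line is not in the detailed format
"""


def parse_log(text):
    """Parse lines in the detailed format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
        rec["path"] = rec["request"].split(" ")[1] if " " in rec["request"] else "-"
        records.append(rec)
    return records


def flag_page_floods(records, per_second_limit=3):
    """Hosts that hit one page more than per_second_limit times within one second."""
    hits = Counter((r["host"], r["path"], r["time"]) for r in records)
    flagged = {}
    for (host, _path, _second), n in hits.items():
        if n > per_second_limit:
            flagged[host] = max(flagged.get(host, 0), n)
    return flagged
```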



Other security items


1 Keep Apache at the latest version

a. Check the Apache version

httpd -v

b. Update Apache to the latest version

yum update httpd
apt-get install apache2

2 Install the latest Apache security patches

The Apache Security Vulnerabilities page lists bug fixes and related updates.

3 Make sure only "root" has read access to Apache's configuration and binaries, e.g. if the Apache server root is /usr/local/apache:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

From the Apache website:

cd /usr/local/apache
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

4 Securing Apache with SSL certificates

Installation (this produces a self-signed certificate):

# openssl genrsa -des3 -out example.com.key 1024
# openssl req -new -key example.com.key -out example.com.csr
# openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt

A 1024-bit RSA key is no longer considered adequate; use at least 2048 bits for a production certificate, and have a CA sign the CSR rather than self-signing it, since browsers do not trust a self-signed certificate.

Apache httpd.conf settings, example:

<VirtualHost 172.16.25.125:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/sf_bundle.crt
    ServerAdmin ravi.saive@example.com
    ServerName example.com
    DocumentRoot /var/www/html/example/
    ErrorLog /var/log/httpd/example.com-error_log
    CustomLog /var/log/httpd/example.com-access_log common
</VirtualHost>


Resource-limit settings (can help mitigate DoS attacks)


Limit the size of HTTP requests and XML requests, to no more than 1MB (1048576 bytes)

LimitRequestBody 1048576
LimitXMLRequestBody 10485760

For other limits (LimitRequestFields, LimitRequestFieldSize, LimitRequestLine) see the official Apache configuration documentation.

Limit the maximum number of concurrent requests. Decide these limits according to memory size, operating system and CPU; related settings are MaxSpareServers, MaxRequestsPerChild, and on Apache2 ThreadsPerChild, ServerLimit and MaxSpareThreads.

MaxClients

Tune the KeepAlive settings to improve performance; analyse the logs to decide the values.

MaxKeepAliveRequests (default 100)
KeepAliveTimeout (default 15)

Restrict access to the site to a specific network range or to specific IP addresses

<Directory 網站根目錄>
    Order Deny,Allow
    Deny from all
    Allow from 176.16.0.0/16
</Directory>

Or by IP:

<Directory 網站根目錄>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Directory>



Note 1: ModSecurity

ModSecurity is an open-source module that works as a web application firewall. Different functionalities include filtering, server identity masking, and null-byte attack prevention. This module also lets you perform real-time traffic monitoring.

We recommend that you follow the ModSecurity manual to install mod_security to improve your web server security and protect against a multitude of attacks including distributed denial of service attacks (DDOS). You can also temporarily use ModSecurity to protect against certain attacks like SQL Injection and Cross-site Scripting until vulnerabilities are fixed by the developer.

mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O'Reilly press.




Sources:

1 Apache Security – 10 Tips for a Secure Installation
2 20 ways to Secure your Apache Configuration
3 13 Apache Web Server Security and Hardening Tips (*** very detailed)
4 Apache website: Security Tips - Apache HTTP Server Version 2.4 (not yet summarised)
5 Apache Web Server Hardening and Security Guide (not yet summarised)

 

Apache website security settings (1): preventing cross-site scripting (XSS), SQL injection and other attacks

Author: Fred F.M. Wang (FW知識瑣記) Date: 2021/4/13

To keep your Apache website from being attacked, besides updating the Apache web server to the latest version you also need some security settings that prevent common attacks such as cross-site scripting (XSS) and SQL injection. Several Apache security settings worth consulting are collected below.

Preventing cross-site scripting

Reference: 如何在 Apache Server 下新增 X-XSS-Protection 於 Response Header 中 (fix Web Server Generic XSS issue)


1. Configure httpd.conf

In httpd.conf, remove the leading # from

#LoadModule headers_module modules/mod_headers.so

then add the following to httpd.conf:

#set up response header
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

X-XSS-Protection is a legacy header: Chromium-based browsers have removed the XSS auditor it controls and Firefox never implemented it, so treat it as a minor hardening step and rely on a Content-Security-Policy header and proper output encoding for real XSS protection.

2. Configure .htaccess in the web root (網站根目錄)

Reference: Prevent XSS[Cross-Site Scripting] Attacks

RewriteEngine On

RewriteCond %{HTTP_HOST} ^yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://www.yoursite.com/$1 [R=301,L]
# Anti XSS protection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# Anti cross site tracing - protection
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# prevent image theft / hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com/.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler|cavalla_bot) [NC]
RewriteRule \.(gif|jpg)$ - [F]

 

Preventing page-framing and click-jacking

Reference: Increase Security with X-Security Headers

Add the following to httpd.conf:

# X-Frame-Options
<IfModule mod_headers.c>
 Header always append X-Frame-Options SAMEORIGIN
</IfModule>

(Header append merges the value into any X-Frame-Options header the application already sends, which can leave a duplicated or conflicting value; Header always set replaces it instead.)



Preventing content-sniffing

Reference: Increase Security with X-Security Headers

Add the following to httpd.conf:

# X-Content-Type nosniff
<IfModule mod_headers.c>
 Header set X-Content-Type-Options nosniff
</IfModule>

 

Preventing SQL injection

Reference: Stop SQL Injection through .htaccess

Configure .htaccess in the web root (網站根目錄) to prevent SQL injection as follows. Note that these patterns match very broadly: the rule that rejects [, ], ( and ) anywhere in the query string also rejects ordinary PHP array parameters such as items[]=1, the request-method rule blocks HEAD, which many monitoring tools use, and the user-agent rule blocks scripted clients such as curl and wget, so test the rules against your own application's legitimate traffic before enabling them. The closing Order allow,deny / Deny from all pair also only makes sense inside a <Files> or <FilesMatch> container naming the configuration files to protect; on its own in .htaccess it would deny every request to the directory.

#####################################################
# Script: htaccess Security
#
# Version: 1.0
#
#  ### Changelog ###
#
# v1.0 - 2012-02-14
#
#####################################################

# No web server version and indexes
ServerSignature Off
Options -Indexes

# Enable rewrite engine
RewriteEngine On

# Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]

RewriteRule ^(.*)$ - [F,L]

# Block WP timthumb hack
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

RewriteRule . - [S=1]

# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]

RewriteRule ^(.*)$ - [F,L]

# Deny browser access to config files

Order allow,deny
Deny from all
#Allow from 1.2.3.4
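As an added example (not part of the original post), the Python script below copies a subset of the RewriteCond %{QUERY_STRING} patterns verbatim from the .htaccess rules above and from the XSS section earlier in this post, and runs constructed query strings through them to show which requests the chain rejects, including ordinary ones it rejects as well. The names matching_rules and would_block and the sample query strings are this example's own.

```python
import re

# A subset of the RewriteCond %{QUERY_STRING} patterns from the .htaccess
# above, copied verbatim: they are PCRE and are also valid for Python's re.
# Apache tests them against the raw, still URL-encoded query string.
# Each entry: (pattern, whether the original condition carried the [NC] flag).
QUERY_STRING_RULES = {
    "script tag":      (r"(\<|%3C).*script.*(\>|%3E)", True),
    "iframe tag":      (r"(\<|%3C).*iframe.*(\>|%3E)", True),
    "base64":          (r"base64_(en|de)code[^(]*\([^)]*\)", True),
    "GLOBALS":         (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    "brackets/parens": (r"^.*(\[|\]|\(|\)|<|>).*", True),
    "union select":    (r"union([^s]*s)+elect", True),
    "sql keywords":    (r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
                        r"(/\*|union|select|insert|drop|delete|update|cast|create|char|"
                        r"convert|alter|declare|order|script|set|md5|benchmark|encode)", True),
}
COMPILED = {name: re.compile(pat, re.IGNORECASE if nc else 0)
            for name, (pat, nc) in QUERY_STRING_RULES.items()}


def matching_rules(query_string):
    """Names of the conditions that would fire on this raw query string."""
    return [name for name, rx in COMPILED.items() if rx.search(query_string)]


def would_block(query_string):
    """True if the chain (conditions joined by [OR]) would answer 403 Forbidden."""
    return bool(matching_rules(query_string))


# Constructed query strings: two hostile ones, one harmless PHP array parameter
# and one harmless value with an apostrophe, both of which the chain also rejects.
SAMPLES = {
    "q=%3Cscript%3Ealert(1)%3C/script%3E": True,
    "id=1%27%20union%20select%201,2,3--": True,
    "items[]=1&items[]=2": True,            # brackets rule: false positive
    "name=O%27Brien&action=update": True,   # %27 ... update: false positive
    "sort=order_date&dir=asc": False,
}

if __name__ == "__main__":
    for qs, expected in SAMPLES.items():
        verdict = "BLOCK" if would_block(qs) else "allow"
        print(f"{verdict:5} {qs}  <- {', '.join(matching_rules(qs)) or 'no rule'}")
```

Paste your own application's query strings into SAMPLES to see which legitimate requests the rules would turn into 403s before enabling them.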