諸葛亮事必躬親, 企業經理人應引以為戒

作者: Fred F.M. Wang (FW知識瑣記) 日期:2021-4-16

三國志諸葛亮傳提到 "及備殂沒，嗣子幼弱，事無巨細，亮皆專之。", "政事無巨細，咸決於亮。"顯示諸葛亮的事必躬親。

諸葛亮"事必躬親", 是所有企業經理人應該引以為戒的。諸葛亮"事必躬親"的問題與後果整理如下 :

對下屬不信任

因為不信任，所以事必躬親。人的精力是有限的，把精力都放在了瑣碎的事務性工作上，必然無法做更長遠的工作，如培養人才等。

企業經理人要了解管理企業，不能單靠自己的才能，建立強大的團隊是很重要的，事必躬親，剝奪了下屬鍛鍊提高的機會，下屬就很難成才，並且養成對於領導的依賴性，缺乏處理事情的獨立性。蜀國後期的人才凋零，所為“蜀中無大將，廖化作先鋒”，諸葛亮要擔負主要責任。

組織體制缺乏分層負責

丞相主簿楊顒曾對諸葛亮說:「治國和齊家一樣，有一定的體制，一定的分工。以齊家為例，奴僕負責耕種，婢女負責下廚，雞管鳴曉，狗看家防盜，牛隻負載，馬馳遠途，各司其事，條理分明，主人高枕，安心吃住。如果事事親自掌理，不分配工作，只會將自己弄得身心疲勞，終無一成。難道主子的才智不如奴婢雞犬？不，而是他違背當主人的章法。」楊顒再以丙吉、陳平的例子，證明分層負責的重要。(來源: 維基百科"楊顒")

不識人

經理者要了解人才的特點、能力和性格，做到適才適所，才能使其能力得到充分的發揮。 魏延這樣的大將，諸葛亮卻一直打壓；馬謖本是傑出的策士，好的幕僚人才，卻賦予指揮大軍的責任。更多案例請參考"諸葛亮的用人不當，蜀國被埋沒的人才"一文。

對屬下過於嚴苛

諸葛亮缺乏曹操、劉備、孫權、司馬懿的容人氣度，先殺劉封，又殺馬謖與魏延，都造成蜀國人才極大的損失。

過勞

據《魏氏春秋》記載，諸葛亮的使者一次出使到魏國。司馬懿就問蜀使，諸葛亮理政如何？使者回答說：「諸葛丞相為國事日夜操勞，夙興夜寐。只要是處罰二十以上的，諸葛丞相都要親攬自為。」司馬懿又問諸葛亮的飲食如何？使者直言說：「諸葛丞相平日所食，不超過斗升。」司馬懿一聽，深自嘆息道：「諸葛亮命將不久矣。」。最終諸葛亮果然過勞而死。


參考來源: 每日頭條

Apache網站安全設定(二) Apache安全性設定筆記

作者: Fred F.M. Wang (FW知識瑣記) 日期: 2021/4/13 

 筆者整理網路上一些Apache安全性設定的文章做為備忘。

基本安全性設定 

httpd.conf (xampp on linux: /etc/httpd/conf/httpd.conf)

#LoadModule info_module modules/ mod_info.so	隱藏Apache版本資訊與其他敏感資訊  Disable the server-info Directive
#<Location /server-status> # SetHandler server-status # Order deny,allow # Deny from all # Allow from .your_domain.com #</Location>	隱藏Apache版本資訊與其他敏感資訊  Disable the server-status Directive
ServerSignature Off	隱藏Apache版本資訊與其他敏感資訊  Disable the ServerSignature Directive
ServerTokens Prod	隱藏Apache版本資訊與其他敏感資訊 Set the ServerTokens Directive to Prod
User <user name> Group <group name> ex: User http-web Group http-web	設定執行Apache的帳號 預設執行Apache的帳號為daemon user  and group, 建議使用非預設帳號
<Directory />  Order Deny,Allow  Deny from all  Options None  AllowOverride None </Directory> <Directory 網站根目錄>  Order Allow,Deny  Allow from all </Directory>	設定Apache只能存取網頁根目錄
<Directory  網站根目錄> Options -Indexes </Directory>	Disable Directory Listing 停用顯示資料夾清單
<Directory 網站根目錄> Options -ExecCGI  -Includes </Directory>	Restrict Unwanted Services
啟用mod_log_config module, 並 設定log格式 LogFormat "%h %l %u %t \"%r\" %>s %b  \"%{Referer}i\" \"%{User-Agent}i\"" detailed 指定log檔案位置 CustomLog logs/access.log detailed	Enable Logging
停用一些不需要的LoadModule列, 前面加#	只啟用必需的模組, 例如下面這些模組 通常是開啟，但是通常不需要 :  mod_imap, mod_include, mod_info,  mod_userdir, mod_autoindex.

安全模組

Mod_Security 說明 :  ModSecurity WAF是open-source module，是一個web application firewall, 包含filtering, server identity masking,  and null-byte attack prevention等功能，也可以執行real-time traffic monitoring.  可以阻擋SQL Injection and Cross-site Scripting攻擊(註一) 此模組是O’Reilly出版”Apache Security”書籍作者Ivan Ristic所開發的 安裝方式(RHEL/CentOS/Fedora/) : # yum install mod_security # /etc/init.d/httpd restart 安裝方式(Ubuntu/Debian) : $ sudo apt-get install libapache2-modsecurity $ sudo a2enmod mod-security $ sudo /etc/init.d/apache2 force-reload ModSecurity相關設定 :  SecChrootDir /chroot/apache Run Apache in a Chroot environment chroot allows you to run a program in its own isolated jail.詳細請見mod_security文件

Mod_evasive It prevents DDOS attacks from doing as much damage. This feature of mod_evasive  enables it to handle the HTTP brute force and Dos or DDos attack. This module detects  attacks with three methods.  If so many requests come to a same page in a few times per second.  If any child process trying to make more than 50 concurrent requests.  If any IP still trying to make new requests when its temporarily blacklisted. 詳細請見 Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security  and Mod_evasive Modules

其他安全性事項 

1 保持Apache在最新版 a. 檢查Apache版本  httpd -v b. 更新Apache到最新版 yum update httpd apt-get install apache2

2 安裝Apache最新版的security patches      Apache Security Vulnerabilities內有bug fix and related update

3 設定只有root帳號可以存取Apache設定與執行的資料夾 Make sure only "root" has  read access to apache's config and binaries, ex: Apache Server root在/usr/local/apache chown -R root:root /usr/local/apache chmod -R o-rwx /usr/local/apache Apache官網 : cd /usr/local/apache chown 0 . bin conf logs chgrp 0 . bin conf logs chmod 755 . bin conf logs

4 Securing Apache with SSL Certificates 安裝方式 :  # openssl genrsa -des3 -out example.com.key 1024 # openssl req -new -key example.com.key -out exmaple.csr # openssl x509 -req -days 365 -in example.com.com.csr -signkey example.com.com.key  -out example.com.com.crt Apache httpd.conf設定, 例 : <VirtualHost 172.16.25.125:443>  SSLEngine on  SSLCertificateFile /etc/pki/tls/certs/example.com.crt  SSLCertificateKeyFile /etc/pki/tls/certs/example.com.key  SSLCertificateChainFile /etc/pki/tls/certs/sf_bundle.crt  ServerAdmin ravi.saive@example.com  ServerName example.com  DocumentRoot /var/www/html/example/  ErrorLog /var/log/httpd/example.com-error_log  CustomLog /var/log/httpd/example.com-access_log common </VirtualHost>

資源限制相關設定(可預防DDOS攻擊) 

LimitRequestBody 1048576   LimitXMLRequestBody 10485760 其他限制設定請參考Apache官方設定文件 LimitRequestFields, LimitRequestFieldSize,  LimitRequestLine	限制HTTP requests, XML request大小, 不要 超過1MB(1048576 Bytes)
MaxClients 根據記憶體大小, 作業系統與CPU決定這些 限制設定, 其他如 :　MaxSpareServers,  MaxRequestsPerChild, and on Apache2  ThreadsPerChild, ServerLimit,  and MaxSpareThreads	限制concirrent requests的最大數量
MaxKeepAliveRequests 預設為100 KeepAliveTimeout 預設為15	調整KeepAlive設定以提高執行效能，可以分 析log來決定設定值
<Directory 網站根目錄> Order Deny,Allow Deny from all Allow from 176.16.0.0/16 Or by IP: Order Deny,Allow Deny from all Allow from 127.0.0.1 </Directory>	可以限制特定範圍的網路或IP Addresses存 取網站

註一 : ModSecurity

ModSecurity is an open-source module that works as a web application firewall. Different

 functionalities include filtering, server identity masking, and null-byte attack prevention. 

This module also lets you perform real-time traffic monitoring.

We recommend that you follow the ModSecurity manual to install mod_security to improve 

your web server security and protect against a multitude of attacks including distributed 

denial of service attacks (DDOS). You can also temporarily use ModSecurity to protect 

against certain attacks like SQL Injection and Cross-site Scripting until vulnerabilities are 

fixed by the developer.

mod_security is a super handy Apache module written by Ivan Ristic, the author of

 Apache Security from O'Reilly press.

來源:

1 Apache Security – 10 Tips for a Secure Installation

2 20 ways to Secure your Apache Configuration

3 13 Apache Web Server Security and Hardening Tips (***很詳細)

4. Apache官網 Security Tips - Apache HTTP Server Version 2.4 (尚未整理)

5. Apache Web Server Hardening and Security Guide  (尚未整理)

 

Apache網站安全設定(一) 防止跨站攻擊(XSS), SQL注入攻擊等

作者: Fred F.M. Wang (FW知識瑣記) 日期:2021/4/13

要預防您的Apache網站被攻擊，除了將Apache web server更新到最新版本外，也需要進行一些安全性設定以防止常見的跨站攻擊(XSS), SQL注入攻擊等，下面整理幾篇值得參考的Apache安全設定。

防止跨站攻擊

參考 :  如何在 Apache Server 下新增 X-XSS-Protection 於 Response Header 中

( fix Web Server Generic XSS issue ) 

一 設定httpd.conf

httpd.conf內

#LoadModule headers_module modules/mod_headers.so   將 # 去掉

httpd.conf增加下面內容 

#set up response header
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule> 

二 設定 \<網站根目錄>\.htaccess

參考 Prevent XSS[Cross-Site Scripting] Attacks 

RewriteEngine On

RewriteCond %{HTTP_HOST} ^yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://www.yoursite.com/$1 [R=301,L]
# Anti XSS protection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* – [F]
# Anti cross site tracing – protection
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* – [F]
# prevent image theft / hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com.com/.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler|cavalla_bot) [NC]
RewriteRule \.(gif|jpg)$ – [F]

 

防止 page-framing and click-jacking

參考 Increase Security with X-Security Headers

httpd.conf增加下面內容

# X-Frame-Options
<IfModule mod_headers.c>
 Header always append X-Frame-Options SAMEORIGIN
</IfModule>

防止 content-sniffing

參考 Increase Security with X-Security Headers

httpd.conf增加下面內容

# X-Content-Type nosniff
<IfModule mod_headers.c>
 Header set X-Content-Type-Options nosniff
</IfModule>

 

防止SQL Injection

參考 : Stop SQL Injection through .htaccess

設定 \<網站根目錄>\.htaccess, 防止SQL Injection,  設定如下:

#####################################################    
# Script: htaccess Security                                                                 
#
# Version: 1.0                                                                                     
#
#  ### Changelog ###                                                                        
#
# v1.0 - 2012-02-14                                                                            
#
#####################################################

# No web server version and indexes
ServerSignature Off
Options -Indexes

# Enable rewrite engine
RewriteEngine On

# Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]

RewriteRule ^(.*)$ - [F,L]

# Block WP timthumb hack
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

RewriteRule . - [S=1]

# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]

RewriteRule ^(.*)$ - [F,L]

# Deny browser access to config files

Order allow,deny
Deny from all
#Allow from 1.2.3.4