Enhancing the Security of Mezzanine Websites Using IP Reputation


Bibliographic Details
Main Authors: Jhuang, Jheng-Yao, 莊政堯
Other Authors: Tang, Yuan-Liang
Format: Others
Language: zh-TW
Published: 2016
Online Access: http://ndltd.ncl.edu.tw/handle/18705807845973021266
Description
Summary: Master's thesis === 朝陽科技大學 (Chaoyang University of Technology) === Department of Information Management === 104 === Since the advent of networks, website attacks have been a major concern for site managers. Although experts have developed a number of good solutions, some web developers are not good at writing secure code, which results in vulnerable websites. To address these problems, academia and industry have proposed a number of solutions, such as intrusion detection systems, intrusion prevention systems, web application firewalls, and so on.

Websites can be broadly divided into two categories. The first is static websites, which are mostly built using content management systems (CMS) such as WordPress, Drupal, Joomla, and Mezzanine. The other is dynamic websites. These sites provide system functions and are therefore also known as web systems. At present, many developers use frameworks to build web systems, for example Laravel, Symfony, Django, Flask, and .NET. Frameworks generally provide good site security mechanisms, which relieve developers of much of this burden.

Among the well-known frameworks, Django is based on the Python programming language and was created in 2003 with the goal of facilitating the fast-paced process of news publishing. In addition, Django is open source and offers features such as rapid development, high performance, and Don't Repeat Yourself (DRY). As a result, more and more web systems are built on top of it; famous large-scale sites include YouTube, Dropbox, Instagram, Disqus, and Mozilla. Mezzanine is a CMS that is also built on top of Django.

In this research, Mezzanine is studied and security-enhancing techniques are developed to further raise the security level of Mezzanine websites. The research is divided into two parts: (1) designing an IP reputation evaluation algorithm to evaluate whether the behavior of the requests from an IP address satisfies a certain security condition; and (2) developing a Mezzanine plugin that shares a list of IP reputations with other Mezzanine websites around the world in order to form a world-wide fence against malicious IPs. Each Mezzanine site may therefore decide to grant permissions, block requests, deny registrations or sign-ins, and so on, according to the IP reputations. All Mezzanine websites in the world work together, and once an IP is determined to be malicious, it will be propagated to the other Mezzanine websites almost instantly so that the IP can no longer do any harm to them. The Mezzanine security plugin will be placed on GitHub so that other website managers may use it and other developers may evaluate and contribute to it.