2021-12-05

Practical Experience in Network Security Protection

I have summarized practical experience for information security protection based on real‑world operations. Only when facing real attacks do you realize that most systems that seem intelligent and secure are actually poorly designed and full of vulnerabilities.

It usually boils down to these five things:

1. Weak passwords account for 40% of all attack methods

  • Always change default accounts and passwords immediately, especially administrator accounts (such as admin/admin).

  • Even if default passwords are related to personal information (e.g., student ID, last X digits of ID card), they can still be cracked through leaked social‑engineering data.

  • Password strength must be high. Simple passwords like 123456 can even be used to reverse‑enumerate usernames.

2. Can you hide a server by only accessing it via IP, using an uncommon port, and placing services in a custom directory?

  • Cyberspace search engines (e.g., fofa.so) + port scanning tools (e.g., nmap) can detect publicly exposed IPs, ports, and corresponding services.

  • Directory scanning tools (e.g., dirsearch) can enumerate common paths and find hidden APIs.

  • Sensitive services must have access restrictions, such as allowing only internal IPs or closing non‑public service ports (e.g., 21, 22, 1433, 3306).

  • You can also limit access frequency per IP to prevent large‑scale IP, port, and directory scanning in a short time.
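
One way to implement the per-IP frequency limit from the last point, as an added example (not from the original post): a sliding-window limiter that blocks a client for either a high request rate or too many distinct not-found paths. The thresholds, the `ScanLimiter` name and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed sliding-window length
MAX_REQUESTS = 20     # assumed per-IP request budget per window
MAX_NOT_FOUND = 5     # assumed budget of distinct 404 paths per window


class ScanLimiter:
    """Per-IP sliding window that counts requests and distinct missing paths."""

    def __init__(self):
        self.events = defaultdict(deque)  # ip -> deque of (ts, path, status)
        self.blocked = {}                 # ip -> reason (no expiry, for brevity)

    def observe(self, ts, ip, path, status):
        """Record a handled request; return False once the IP is blocked."""
        if ip in self.blocked:
            return False
        q = self.events[ip]
        q.append((ts, path, status))
        while q and q[0][0] <= ts - WINDOW_SECONDS:  # drop events outside window
            q.popleft()
        missing = {p for _, p, s in q if s == 404}
        if len(missing) > MAX_NOT_FOUND:
            self.blocked[ip] = "directory enumeration"
        elif len(q) > MAX_REQUESTS:
            self.blocked[ip] = "request rate"
        return ip not in self.blocked


def run_sample():
    """Replay constructed traffic and return the blocked IPs with reasons."""
    limiter = ScanLimiter()
    log = []
    # constructed: a normal visitor, one request every 3 s, one broken link
    for i in range(10):
        log.append((i * 3.0, "192.0.2.10", "/index.html", 200))
    log.append((4.0, "192.0.2.10", "/old-link", 404))
    # constructed: a client requesting many paths that do not exist
    for i in range(8):
        log.append((1.0 + i * 0.2, "198.51.100.7", f"/probe-{i}", 404))
    # constructed: a client hammering one valid URL
    for i in range(30):
        log.append((2.0 + i * 0.1, "203.0.113.5", "/login", 200))
    for ts, ip, path, status in sorted(log):
        limiter.observe(ts, ip, path, status)
    return limiter.blocked
```

Counting distinct 404 paths separately catches slow directory enumeration that stays under the plain request budget, while a visitor who hits one broken link is left alone.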

3. Even so, no school internal network is truly secure

  • Many internal services assume safety just because they are inside the network: ports are fully open, weak passwords are ignored, and outdated vulnerabilities remain unpatched. Such systems are easily breached.

  • Is restricting access to internal IPs enough? Attackers can use a compromised external system as a pivot, or even phish or bribe insiders for VPN accounts to directly access the internal network.

4. Most outsourced projects only care if the program runs, not about security

  • Can you imagine a government website — one that has passed information security level‑protection certification — still having basic SQL injection flaws that even beginners can exploit, leaking massive amounts of sensitive data?

  • Permissions! Unauthorized access must be blocked by business logic, not just by hiding the entry point. This exact issue was found on the same government website.

5. Phishing and information leakage account for 15% of all attack methods

  • Using advanced search functions in search engines can reveal large amounts of useful social‑engineering data, important documents, and code snippets.

  • Always be alert to phishing emails and messages, especially fake links and Trojans disguised as documents.

  • Think you’re safe from phishing just because you have antivirus software or PC managers? There is a technique called “evasion” that bypasses such tools.

Summary

Personal information and other sensitive data are extremely vulnerable when exposed to these poorly secured, bug‑ridden systems.