LAMP architecture
Forbid PHP parsing in a specific directory
When an attacker compromises your server and drops a trojan script into a static directory (for example an upload directory), the whole server is at risk. To reduce that risk, restrict which directories are not allowed to parse PHP.
1. Add the following content
[root@centos7 local]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.111.com www.example.com
<Directory /data/wwwroot/111.com/upload>
php_admin_flag engine off
</Directory>
# This disables PHP parsing for the /data/wwwroot/111.com/upload directory
[root@centos7 local]# mkdir /data/wwwroot/111.com/upload
2. [root@centos7 upload]# /usr/local/apache2.4/bin/apachectl graceful
Verification:
[root@centos7 upload]# curl -x127.0.0.1:80 'http://111.com/upload/123.php'
<?php
echo '123.php';
[root@centos7 upload]# curl -x127.0.0.1:80 'http://111.com/upload/baidu.png' -I
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2017 14:15:19 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Last-Modified: Thu, 09 Nov 2017 14:15:19 GMT
ETag: W/"1ec5-55d9b44caaac0"
Accept-Ranges: bytes
Content-Length: 7877
Cache-Control: max-age=86400
Expires: Fri, 10 Nov 2017 14:15:19 GMT
Content-Type: image/png
Result: a request for the .php file returns the file's source text instead of executing it; requests for other files are served normally.
Extension:
Do not even return the PHP file's content; deny such files outright
1. [root@centos7 upload]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.111.com www.example.com
<Directory /data/wwwroot/111.com/upload>
php_admin_flag engine off
<FilesMatch (.*)\.php(.*)>
Order Allow,Deny
Deny from all
</FilesMatch>
</Directory>
2. [root@centos7 upload]# /usr/local/apache2.4/bin/apachectl graceful
Result:
[root@centos7 upload]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Thu, 09 Nov 2017 14:18:32 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
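To see what the two stages of the upload-directory policy above actually decide, here is an added Python emulation (it is not code from the original post, and Apache is not involved; it only replays the page's rules). It assumes the requested file exists, that the <Directory> block covers /data/wwwroot/111.com/upload, and that PHP files outside that directory are handled by mod_php; the first stage (php_admin_flag engine off only) serves a .php file as plain text, the second stage (engine off plus the FilesMatch deny) answers 403. Note that the page's pattern (.*)\.php(.*) is unanchored, so it matches any filename that contains ".php" anywhere, not only names that end in .php.

```python
import re
from dataclasses import dataclass

# Paths taken from the vhost config on the page.
DOCUMENT_ROOT = "/data/wwwroot/111.com"
NO_PHP_DIR = "/data/wwwroot/111.com/upload"

# The FilesMatch pattern exactly as written in the vhost config.
FILES_MATCH = re.compile(r"(.*)\.php(.*)")


@dataclass
class Decision:
    status: int         # emulated HTTP status: 200 or 403
    php_executed: bool  # would the PHP engine run this file?


def decide(url_path: str, deny_php_files: bool) -> Decision:
    """Replay the page's rules for one request path.

    deny_php_files=False emulates stage 1 (engine off only);
    deny_php_files=True emulates stage 2 (engine off + FilesMatch deny).
    Assumption: the file exists and .php outside the upload dir is run by mod_php.
    """
    fs_path = DOCUMENT_ROOT + url_path
    filename = fs_path.rsplit("/", 1)[-1]
    in_upload = fs_path.startswith(NO_PHP_DIR + "/")

    # Stage 2: <FilesMatch> inside the <Directory> block denies the request outright.
    if in_upload and deny_php_files and FILES_MATCH.search(filename):
        return Decision(status=403, php_executed=False)

    # Stage 1: engine off means the file is served, but as static text, not executed.
    if in_upload:
        return Decision(status=200, php_executed=False)

    # Outside the restricted directory PHP files are still executed (assumption).
    return Decision(status=200, php_executed=filename.endswith(".php"))


def source_disclosed(url_path: str, deny_php_files: bool) -> bool:
    """True when a .php file is returned as readable source (stage 1 behaviour)."""
    d = decide(url_path, deny_php_files)
    return d.status == 200 and not d.php_executed and ".php" in url_path


if __name__ == "__main__":
    for path in ("/upload/123.php", "/upload/baidu.png", "/upload/notes.php.txt", "/index.php"):
        for stage, deny in (("engine off only", False), ("engine off + FilesMatch", True)):
            print(f"{stage:24} {path:22} -> {decide(path, deny)}")
```

Running the block prints one line per path and stage; the interesting rows are /upload/123.php, which is 200 (source disclosed) in stage 1 and 403 in stage 2, and /upload/notes.php.txt, which the unanchored pattern also denies in stage 2.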
Restricting the user_agent
user_agent (User-Agent): the identification string a browser (or search engine crawler) sends, describing its hardware platform, operating system, application software and user preferences.
When an attacker runs a CC (Challenge Collapsar) flood against your server, the access log typically shows the same user_agent appearing many times within a single second. In that case you should block that user_agent.
1.
[root@centos7 upload]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/111.com"
ServerName 111.com
ServerAlias www.111.com www.example.com
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*Chrome.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
# Requests whose user_agent contains curl, Chrome or baidu.com are refused. NC: ignore case; OR: this condition is OR-ed with the next one (without OR the conditions are AND-ed); [F]: forbidden.
Verification:
1. Accessing with curl
[root@centos7 upload]# curl -x127.0.0.1:80 'http://111.com/upload/baidu.png' -I
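The text above says the attacking user_agent stands out in the log because it repeats many times within one second. The following added Python script (not from the original post) shows that detection step on a few constructed access-log lines in Apache's "combined" format, then renders the matching RewriteCond/RewriteRule lines in the same form as the page's vhost config. The log lines, IP addresses and the threshold are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
# One client hammers the server 4 times in the same second with curl; a browser
# makes one request per second.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2017:14:30:22 +0800] "GET /upload/baidu.png HTTP/1.1" 200 7877 "-" "curl/7.29.0"
203.0.113.5 - - [09/Nov/2017:14:30:22 +0800] "GET /upload/baidu.png HTTP/1.1" 200 7877 "-" "curl/7.29.0"
203.0.113.5 - - [09/Nov/2017:14:30:22 +0800] "GET /upload/baidu.png HTTP/1.1" 200 7877 "-" "curl/7.29.0"
203.0.113.5 - - [09/Nov/2017:14:30:22 +0800] "GET / HTTP/1.1" 200 512 "-" "curl/7.29.0"
198.51.100.9 - - [09/Nov/2017:14:30:22 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"
198.51.100.9 - - [09/Nov/2017:14:30:23 +0800] "GET /style.css HTTP/1.1" 200 310 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"
"""

# Regex for the "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def hits_per_second(text):
    """Count requests keyed by (user_agent, timestamp-to-the-second)."""
    counts = Counter()
    for rec in parse_log(text):
        second = rec["ts"].split(" ")[0]  # "09/Nov/2017:14:30:22", zone dropped
        counts[(rec["ua"], second)] += 1
    return counts


def suspicious_agents(text, threshold):
    """User agents that sent more than `threshold` requests in any single second."""
    return sorted({ua for (ua, _), n in hits_per_second(text).items() if n > threshold})


def rewrite_conds(agents):
    """Render RewriteCond lines in the form used on the page.

    Every condition but the last carries OR so the conditions are OR-ed together;
    the last carries only NC, exactly like the page's three RewriteCond lines.
    The match token is the product name before the "/" (e.g. "curl"), escaped
    so regex metacharacters in a user_agent string cannot break the rule.
    """
    lines = ["RewriteEngine on"]
    for i, ua in enumerate(agents):
        flags = "[NC,OR]" if i < len(agents) - 1 else "[NC]"
        token = re.escape(ua.split("/")[0])
        lines.append(f"RewriteCond %{{HTTP_USER_AGENT}} .*{token}.* {flags}")
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines)


if __name__ == "__main__":
    agents = suspicious_agents(SAMPLE_LOG, threshold=3)
    print("user agents over threshold:", agents)
    print(rewrite_conds(agents))
```

Review the generated conditions before pasting them into httpd-vhosts.conf: a substring match such as ".*Chrome.*" in the page's rule refuses every Chrome browser, not just the flooding client, so the token should be as specific as the offending user_agent allows.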
HTTP/1.1 403 Forbidden
Date: Thu, 09 Nov 2017 14:30:22 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
-A: specify the user_agent
[root@centos7 upload]# curl -A 'LINUX LINUX' -x127.0.0.1:80 'http://111.com/upload/baidu.png' -I
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2017 14:30:50 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Last-Modified: Thu, 09 Nov 2017 14:30:50 GMT
ETag: W/"1ec5-55d9b44caaac0"
Accept-Ranges: bytes
Content-Length: 7877
Cache-Control: max-age=86400
Expires: Fri, 10 Nov 2017 14:30:50 GMT
Content-Type: image/png
Original: http://shenj.blog.51cto.com/5802843/1980653
Source: http://www.bubuko.com/infodetail-2389212.html