
8. Preventing PHP parsing in a specific directory & restricting user_agent

Disabling PHP parsing for a directory; restricting user_agent


11.28 Preventing PHP parsing in a specific directory

Many sites and forums let users upload images to the server. That leaves a door open for an attacker: upload a PHP or other script file instead of an image, get the web server to load and execute it, and use functions in it to grab the broadest privileges available, putting the data at risk.
To prevent this we need to restrict the upload types and, on the server side, make sure that nothing in the upload directory is ever parsed as PHP.

1. Open the configuration file httpd-vhosts.conf

Add the following inside the virtual host:

[root@xavi ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 

2. No PHP under the upload directory is parsed, and any request for a file whose name contains .php is denied outright:

      <Directory /data/wwwroot/xavi.com/upload>
        php_admin_flag engine off
        <FilesMatch (.*)\.php(.*)>
          Order allow,deny
          Deny from all
        </FilesMatch>
      </Directory>

php_admin_flag engine off switches the PHP engine off for this directory. On its own it does not give a 403: the .php file is then served unparsed, so its source is disclosed (step 5 below shows this). The FilesMatch block denies every request whose filename contains ".php" (the dot has to be escaped, since the argument is a regular expression); with it in place every such request is answered with 403 and nothing is sent back. Order allow,deny / Deny from all is the Apache 2.2 access-control syntax; Apache 2.4 only honours it when mod_access_compat is loaded (it is in this build, as the 403 in the test below shows), and Require all denied is the 2.4-native equivalent. The </Directory> closing tag is required, or apachectl -t fails.

2. -t and graceful: check the syntax, then start or reload httpd

[root@xavi ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@xavi ~]#  /usr/local/apache2.4/bin/apachectl graceful
httpd not running, trying to start
[root@xavi ~]# /usr/local/apache2.4/bin/apachectl start
httpd (pid 2838) already running
[root@xavi ~]#  /usr/local/apache2.4/bin/apachectl graceful

3. Create the upload directory and a 123.php inside it to test. But the 403 did not come back:

[root@xavi ~]# mkdir upload

[root@xavi ~]# ls
123.txt  anaconda-ks.cfg  httpd-2.4.29.tar.gz   rsync      test2
321.txt  awk              index.php             sed        upload
556.txt  grep             initial-setup-ks.cfg  split_dir  xaa
admin    httpd-2.4.29     [root@localhost       test1

[root@xavi ~]# cp index.php upload/
[root@xavi ~]# curl -x127.0.0.1:80 'http://xavi.cpm
[root@xavi ~]# curl -x127.0.0.1:80 'http://xavi.com/admin.php?adadede' -I
HTTP/1.1 404 Not Found
Date: Sun, 11 Mar 2018 03:33:57 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

4. Finding the cause of the mistake and getting the expected result

The reason I did not get a 403 Forbidden here is that during the exercise I overlooked the directory the commands were executed in. The correct procedure is to work inside the xavi.com folder (the prompt should read [root@xavi xavi.com]), not in the default path.

Here is the process redone:

[root@xavi ~]# cd /data/wwwroot/xavi.com
[root@xavi xavi.com]# ls
123.php  admin  index.php  xavi.jpg  xavi.txt
[root@xavi xavi.com]# mkdir uplaod

[root@xavi xavi.com]# ls
123.php  admin  index.php  uplaod  xavi.jpg  xavi.txt
[root@xavi xavi.com]# mv uplaod upload
[root@xavi xavi.com]# ls
123.php  admin  index.php  upload  xavi.jpg  xavi.txt
[root@xavi xavi.com]# cp 123.php /upload
[root@xavi xavi.com]# !vim
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
[root@xavi xavi.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@xavi xavi.com]#  /usr/local/apache2.4/bin/apachectl graceful
[root@xavi xavi.com]# !curl
curl -x127.0.0.1:80 'http://xavi.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Sun, 11 Mar 2018 05:31:04 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1


5. Test the result without the FilesMatch block

With only php_admin_flag engine off, the file is not parsed; its source code is returned directly:

[root@xavi xavi.com]# !vim
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
[root@xavi xavi.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@xavi xavi.com]#  /usr/local/apache2.4/bin/apachectl graceful
[root@xavi xavi.com]# curl -x127.0.0.1:80 'http://xavi.com/upload/123.php' 
<?php
echo "123.php";


Summary: with the configuration above, a request for any .php file under upload is refused outright; the client never gets to read it, let alone execute it. A developer who allows PHP to be parsed under upload is simply not doing the job: a directory that stores static files must never hold PHP, and allowing it means data security was never considered.
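As an added example (not the page's own code, nor a tool from this course), the following Python script reads vhost fragments like the one above and reports whether an upload directory has both controls: the PHP engine switched off, and a FilesMatch deny rule covering a set of probe filenames. The two fragments it audits are constructed here: the weak one (engine off only, the variant tested in step 5) and the hardened one from this section. FilesMatch matching is emulated the way Apache applies it, unanchored and case-sensitive unless the pattern starts with (?i). Whether an uncovered name such as SHELL.PHP would actually be handed to PHP depends on how the .php handler is mapped in a given build, which the page does not show, so the audit reports only that no deny rule covers it.

```python
"""Audit Apache vhost fragments for an upload directory's two PHP controls.

Added example, not the page's own code. It parses <Directory> / <FilesMatch>
sections the way a reviewer reads them and emulates Apache's FilesMatch
matching (regex applied unanchored, case-sensitive unless (?i) is used).
Both vhost fragments below are constructed for this example.
"""
import re

UPLOAD_DIR = "/data/wwwroot/xavi.com/upload"

# Constructed: PHP engine off only -- the variant the page tests in step 5,
# where the .php source comes back unparsed instead of a 403.
WEAK_CONF = """
<Directory /data/wwwroot/xavi.com/upload>
    php_admin_flag engine off
</Directory>
"""

# Constructed: the full configuration from this section, section closed.
HARDENED_CONF = r"""
<Directory /data/wwwroot/xavi.com/upload>
    php_admin_flag engine off
    <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
"""

# Apache directive and section names are case-insensitive, hence re.I.
DIR_RE = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>', re.I | re.S)
FILES_RE = re.compile(r'<FilesMatch\s+"?(.+?)"?\s*>(.*?)</FilesMatch>', re.I | re.S)
ENGINE_OFF_RE = re.compile(r"^\s*php_admin_flag\s+engine\s+off\s*$", re.I | re.M)
# Accept both the 2.2 syntax used on the page and the 2.4-native equivalent.
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)


def parse_directories(conf):
    """Map each <Directory> path to its engine flag and its deny-all FilesMatch patterns."""
    result = {}
    for path, body in DIR_RE.findall(conf):
        deny_patterns = [pat for pat, fbody in FILES_RE.findall(body)
                         if DENY_RE.search(fbody)]
        result[path] = {"engine_off": bool(ENGINE_OFF_RE.search(body)),
                        "deny_patterns": deny_patterns}
    return result


def filesmatch_blocks(pattern, filename):
    """Emulate <FilesMatch pattern>: Apache runs the regex over the filename
    unanchored, and case-sensitively unless the pattern itself says (?i)."""
    return re.search(pattern, filename) is not None


def audit_upload_dir(conf, upload_dir, probe_names):
    """Return human-readable findings; an empty list means both controls hold
    for every probe filename."""
    dirs = parse_directories(conf)
    if upload_dir not in dirs:
        return [f"no <Directory {upload_dir}> section found"]
    d = dirs[upload_dir]
    findings = []
    if not d["engine_off"]:
        findings.append("php_admin_flag engine off is missing: uploads could run as PHP")
    for name in probe_names:
        if not any(filesmatch_blocks(p, name) for p in d["deny_patterns"]):
            how = ("served unparsed (source disclosure)" if d["engine_off"]
                   else "served, and executed if the .php handler mapping covers it")
            findings.append(f"{name}: not denied by any FilesMatch rule, would be {how}")
    return findings


if __name__ == "__main__":
    # A plain .php, a double extension, a differently-cased extension, a sibling extension.
    probes = ["shell.php", "shell.php.jpg", "SHELL.PHP", "shell.phtml"]
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_upload_dir(conf, UPLOAD_DIR, probes) or ["ok"]:
            print("  ", finding)
```

Run it directly to print the findings for both fragments. The practical takeaway is that (.*)\.php(.*) does catch double extensions such as shell.php.jpg, but not a differently-cased .PHP; prefixing the pattern with (?i) closes that gap. Neither variant replaces the rule this section ends on: no PHP in a static upload directory at all.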

11.29 Access control: restricting user_agent

1. What is user_agent (the browser identifier)?

The User Agent, UA for short, is a special request header string that lets the server identify the client's operating system and version, CPU type, browser and version, rendering engine, language, plugins and so on. It is filled in by the client, so nothing in it can be taken on trust.

2. CC attacks and zombie hosts

A CC (Challenge Collapsar) attack is the most common attack we see; it is going on almost every day, at every hour. The attacker uses whatever zombie hosts are available (肉雞, other people's servers they have compromised) to hit your site with floods of otherwise normal-looking requests, until legitimate users can no longer browse it. It is not impossible to defend against, though, because the traffic has a regular signature: the user_agent is identical across the requests (as are the referer and the requested page), and N requests arrive within a single second.

3. Core configuration

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
    RewriteRule  .*  -  [F]
</IfModule>

Explanation:

RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]   matches any User-Agent containing "curl". NC: ignore case. OR: this condition or the next one is enough on its own.
RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]   matches any User-Agent containing "baidu.com" (the unescaped dot is a regex wildcard here; baidu\.com would be the strict form).
RewriteRule  .*  -  [F]   F: Forbidden. Any request that satisfied the conditions gets a 403; "-" means the URL itself is not rewritten.


4. Test: a request made with curl is rejected outright

[root@xavi xavi.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@xavi xavi.com]#  /usr/local/apache2.4/bin/apachectl graceful
[root@xavi xavi.com]# curl -x127.0.0.1:80 'http://xavi.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Sun, 11 Mar 2018 07:04:12 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1


5. curl -A: declare whatever browser identity you like for the request

[root@xavi xavi.com]# curl -A "xavilinux xavilinux" -x127.0.0.1:80 'http://xavi.com/123.php' -I
HTTP/1.1 200 OK
Date: Sun, 11 Mar 2018 07:21:42 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
  • Changing the declared browser identity is enough to get through: the User-Agent is supplied by the client, so this filter only stops clients that do not bother to fake it.

6. Check the log file: tail /usr/local/apache2.4/logs/xavi.com-access_20180311.log

[root@xavi xavi.com]# tail /usr/local/apache2.4/logs/xavi.com-access_20180311.log
192.168.72.1 - - [11/Mar/2018:14:02:02 +0800] "GET /upload/123.php HTTP/1.1" 200 22 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
192.168.72.1 - - [11/Mar/2018:14:02:02 +0800] "GET /upload/123.php HTTP/1.1" 200 22 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
127.0.0.1 - - [11/Mar/2018:15:04:12 +0800] "HEAD http://xavi.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:04:12 +0800] "HEAD http://xavi.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:05:32 +0800] "GET http://xavi.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:05:32 +0800] "GET http://xavi.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:21:42 +0800] "HEAD http://xavi.com/123.php HTTP/1.1" 200 - "-" "xavilinux xavilinux"
127.0.0.1 - - [11/Mar/2018:15:21:42 +0800] "HEAD http://xavi.com/123.php HTTP/1.1" 200 - "-" "xavilinux xavilinux"
127.0.0.1 - - [11/Mar/2018:15:22:18 +0800] "GET http://xavi.com/123.php HTTP/1.1" 200 7 "-" "xavilinux xavilinux"
127.0.0.1 - - [11/Mar/2018:15:22:18 +0800] "GET http://xavi.com/123.php HTTP/1.1" 200 7 "-" "xavilinux xavilinux"
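To make the two detection rules of this section concrete, here is an added Python example (not code from the page) that replays them over Apache combined-format access log lines: ua_blocked emulates the two RewriteCond patterns, treating [NC] as a case-insensitive search, and find_floods implements the CC-attack signature described in step 2 (identical user_agent, referer and page, N hits within the same second), deliberately leaving the client IP out of the key because the requests come from many zombie hosts. The first two log lines are copied from the log above; the five 10.0.0.x lines and the threshold of 5 are constructed for the demonstration.

```python
"""Replay this section's User-Agent rules and CC-attack signature over Apache
access log lines.

Added example, not code from the page. ua_blocked mirrors the two RewriteCond
patterns ([NC] -> case-insensitive search); find_floods implements the
signature described in step 2: identical user_agent, referer and page, N
requests within the same second. The flood lines and threshold are constructed.
"""
import re
from collections import Counter

# The two RewriteCond patterns from the page; RewriteRule .* - [F] answers 403.
UA_BLOCK_PATTERNS = [r".*curl.*", r".*baidu.com.*"]

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Lines 1-2 are copied from the page's access log; the 10.0.0.x lines are
# constructed: five hosts, one second, same UA / referer / page.
SAMPLE_LOG = """\
192.168.72.1 - - [11/Mar/2018:14:02:02 +0800] "GET /upload/123.php HTTP/1.1" 200 22 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
127.0.0.1 - - [11/Mar/2018:15:04:12 +0800] "HEAD http://xavi.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
10.0.0.11 - - [11/Mar/2018:15:30:00 +0800] "GET /index.php HTTP/1.1" 200 7 "http://xavi.com/" "Mozilla/5.0 (X11; Linux x86_64) Flood/1.0"
10.0.0.12 - - [11/Mar/2018:15:30:00 +0800] "GET /index.php HTTP/1.1" 200 7 "http://xavi.com/" "Mozilla/5.0 (X11; Linux x86_64) Flood/1.0"
10.0.0.13 - - [11/Mar/2018:15:30:00 +0800] "GET /index.php HTTP/1.1" 200 7 "http://xavi.com/" "Mozilla/5.0 (X11; Linux x86_64) Flood/1.0"
10.0.0.14 - - [11/Mar/2018:15:30:00 +0800] "GET /index.php HTTP/1.1" 200 7 "http://xavi.com/" "Mozilla/5.0 (X11; Linux x86_64) Flood/1.0"
10.0.0.15 - - [11/Mar/2018:15:30:00 +0800] "GET /index.php HTTP/1.1" 200 7 "http://xavi.com/" "Mozilla/5.0 (X11; Linux x86_64) Flood/1.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ua_blocked(ua, patterns=UA_BLOCK_PATTERNS):
    """True if RewriteCond %{HTTP_USER_AGENT} <pattern> [NC] would fire for any pattern."""
    return any(re.search(p, ua, re.IGNORECASE) for p in patterns)


def flood_key(entry):
    """The CC-attack signature: same UA, referer and page within the same second.
    The client IP is deliberately left out; the hits come from many zombies."""
    return (entry["ua"], entry["referer"], entry["path"], entry["time"])


def find_floods(log_text, threshold):
    """Return {flood_key: hits} for every group with at least `threshold` hits."""
    counts = Counter(flood_key(e) for e in map(parse_line, log_text.splitlines()) if e)
    return {k: n for k, n in counts.items() if n >= threshold}


def triage(log_text, threshold=5):
    """One (ip, ua, verdict) per parsable line: ua_block, flood or ok."""
    floods = find_floods(log_text, threshold)
    verdicts = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if ua_blocked(entry["ua"]):
            verdict = "ua_block"
        elif flood_key(entry) in floods:
            verdict = "flood"
        else:
            verdict = "ok"
        verdicts.append((entry["ip"], entry["ua"], verdict))
    return verdicts


if __name__ == "__main__":
    for ip, ua, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:9} {ip:14} {ua[:40]}")
```

triage gives one verdict per line. Note what the flood key leaves out: the client IP, because a CC attack spreads the same request over many zombies, which is also why per-IP rate limits miss it. And as step 5 showed, the User-Agent rule is only as good as the attacker's laziness: a client that sets -A to anything else sails straight through.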

Practical extension:

Disabling TRACE/TRACK in Apache to prevent cross-site tracing (the TRACE-based variant of XSS)
http://ask.apelearn.com/question/1045
