Deny PHP parsing in a given directory, restrict user_agent, PHP-related configuration

Contents

1. Deny PHP parsing in a given directory
2. Restrict user_agent
3. PHP-related configuration

1. Deny PHP parsing in a given directory

PHP has a number of dangerous functions. An intruder who can upload a malicious PHP trojan (webshell) to the site can use them to gain the highest privileges on the server, which is extremely dangerous.

The countermeasure is to disable PHP parsing in the upload directory: an uploaded PHP trojan is then never executed, so the intruder cannot use it to gain further privileges.

  • Disable PHP parsing
[root@minglinux-01 ~] vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
···
<Directory /usr/local/apache2.4/htdocs/ming1/upload>
    # disable the PHP engine for this directory
    php_admin_flag engine off
    # additionally deny access to any file whose name contains .php
    <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
···
  • Test
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] mkdir /usr/local/apache2.4/htdocs/upload
[root@minglinux-01 ~] cp /usr/local/apache2.4/htdocs/1.php /usr/local/apache2.4/htdocs/ming1/upload/1.php
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php' -I
HTTP/1.1 403 Forbidden
Date: Mon, 19 Nov 2018 15:03:33 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-
  • Comment out <FilesMatch> and only disable PHP parsing
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php' -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 15:05:08 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Last-Modified: Mon, 19 Nov 2018 15:02:40 GMT
ETag: "24-57b05cee94b4e"
Accept-Ranges: bytes
Content-Length: 36
Cache-Control: max-age=0
Expires: Mon, 19 Nov 2018 15:05:08 GMT
Content-Type: application/x-httpd-php

[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php'
<?php
    echo "hello world \n";
?>

As you can see, 1.php can still be accessed but is no longer parsed: the response is the raw source code.
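The three outcomes seen above (403 from the FilesMatch deny, raw source with engine off only, and a normally executed script) can be told apart from the response headers alone. The following shell function is an added example, not code from the original post; the three responses it is run against are constructed samples modelled on the curl -I output shown above.

```shell
# Added example (not from the original post): classify what the server does with a
# .php file under the upload directory, judging from the HTTP response headers only.
#   blocked  -> 403: the <FilesMatch> deny rule is in effect
#   source   -> 200 with Content-Type application/x-httpd-php: engine off, but the raw
#               PHP source is served to the client (what the post shows for 1.php)
#   executed -> 200 with text/html: PHP ran, the upload directory is not hardened
classify_php_response() {
    status=$(printf '%s\n' "$1" | sed -n '1s|^HTTP/[0-9.]* \([0-9]\{3\}\).*|\1|p')
    ctype=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
            | sed -n 's/^content-type:[[:space:]]*//p' | head -n1)
    case "$status" in
        403) echo blocked ;;
        200) case "$ctype" in
                 application/x-httpd-php*) echo source ;;
                 text/html*)               echo executed ;;
                 *)                        echo other ;;
             esac ;;
        *)   echo other ;;
    esac
}

# Constructed sample responses (header blocks as printed by curl -I).
RESP_DENY='HTTP/1.1 403 Forbidden
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1'
RESP_ENGINE_OFF='HTTP/1.1 200 OK
Content-Length: 36
Content-Type: application/x-httpd-php'
RESP_RUNNING='HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8'

for r in "$RESP_DENY" "$RESP_ENGINE_OFF" "$RESP_RUNNING"; do
    classify_php_response "$r"
done
```

Against a live server, pass the output of `curl -s -I -x127.0.0.1:80 http://www.ming1.com/upload/1.php` as the argument; anything other than `blocked` means an uploaded file is still being served.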

2. Restrict user_agent

  • user_agent is the browser identifier. Access can be restricted based on user_agent, for example to limit unfriendly search-engine "crawlers" and CC attacks. A crawler fetches data much like a user visiting the site with a browser; when there are too many crawlers or they visit too often, they waste server resources. A CC attack uses many users' computers to access the same site at the same time; once the volume or frequency of requests reaches a certain level, the server can no longer cope and stops working normally.

  • These malicious requests carry the same or similar user_agent, so restricting user_agent can serve as a defence. Once a user_agent is blocked, the client receives status code 403, so it has little impact on server resources: the client has merely sent one request, and the bandwidth consumed is small.

  • Access control based on user_agent

[root@minglinux-01 ~] vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
···
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    RewriteRule .* - [F]
</IfModule>
···

In the brackets, OR means "or", NC means "case-insensitive", and F is equivalent to Forbidden. When the user_agent matches either curl or baidu.com, the rule below is triggered.

  • Test
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] curl -x127.0.0.1:80 www.ming1.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Date: Tue, 20 Nov 2018 13:15:50 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
  • Check the log
[root@minglinux-01 ~] tail -n2 /usr/local/apache2.4/logs/www.ming1.com-access_20181120.log 
127.0.0.1 - - [20/Nov/2018:21:15:50 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.162.1 - - [20/Nov/2018:21:19:29 +0800] "GET /upload/1.php HTTP/1.1" 200 36 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"

  • curl's -A option sets the user_agent
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/upload/1.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 13:32:27 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Last-Modified: Mon, 19 Nov 2018 15:02:40 GMT
ETag: "24-57b05cee94b4e"
Accept-Ranges: bytes
Content-Length: 36
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 13:32:27 GMT
Content-Type: application/x-httpd-php
[root@minglinux-01 ~] curl -e "http://ming2.com" -A "ming" -x127.0.0.1:80 www.ming1.com/upload/1.php -I
[root@minglinux-01 ~] tail -n2 /usr/local/apache2.4/logs/www.ming1.com-access_20181120.log 
127.0.0.1 - - [20/Nov/2018:21:32:27 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "-" "ming"
127.0.0.1 - - [20/Nov/2018:21:35:15 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "http://ming2.com" "ming"
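The access log above is where the effect of a user_agent rule shows up, so it is also where to look for which clients are being blocked, or for a crawler worth blocking. The function below is an added example, not code from the original post; it tallies requests per User-Agent from an Apache combined-format log, optionally filtered by status code. The log lines are constructed samples modelled on the post's entries.

```shell
# Added example (not from the original post): count requests per User-Agent in an
# Apache combined-format access log, optionally only those with a given status code.
# Shows which clients a RewriteCond on HTTP_USER_AGENT is hitting (403s), or which
# crawler / repeated client is generating the load before such a rule is written.
ua_tally() {
    # $1 = access log path, $2 = status code to keep (e.g. 403); empty keeps all
    awk -v want="$2" '
        {
            split($0, q, "\"")      # q[2]=request line, q[3]=" status bytes ", q[6]=User-Agent
            split(q[3], rest, " ")
            status = rest[1]
            if (want != "" && status != want) next
            count[q[6]]++
        }
        END { for (ua in count) print count[ua] "\t" ua }
    ' "$1" | sort -rn
}

# Constructed sample log modelled on the post's entries.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
127.0.0.1 - - [20/Nov/2018:21:15:50 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [20/Nov/2018:21:15:52 +0800] "GET /upload/1.php HTTP/1.1" 403 - "-" "curl/7.29.0"
10.0.0.5 - - [20/Nov/2018:21:16:02 +0800] "GET /index.php HTTP/1.1" 403 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
192.168.162.1 - - [20/Nov/2018:21:19:29 +0800] "GET /upload/1.php HTTP/1.1" 200 36 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
127.0.0.1 - - [20/Nov/2018:21:32:27 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "-" "ming"
EOF

echo "== 403 responses per User-Agent =="
ua_tally "$SAMPLE_LOG" 403
echo "== all requests per User-Agent =="
ua_tally "$SAMPLE_LOG" ""
```

On the real server, run it as `ua_tally /usr/local/apache2.4/logs/www.ming1.com-access_20181120.log 403`.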

3. PHP-related configuration

  • Find the location of the PHP configuration file
  • View it through a browser
    Create a phpinfo page in the site's directory, then open it in a browser.
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/index.php 

<?php
phpinfo();
  • Common PHP settings
  1. disable_functions: disable dangerous functions
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···
; find the disable_functions line and append the functions to disable
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
···
  2. date.timezone: set the time zone
    If it is not set, warnings sometimes appear. Edit php.ini, find date.timezone and set it as follows:
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···
; time zone set to Shanghai
date.timezone = Asia/Shanghai
···
  3. display_errors: error display
···
; Off disables error display, so errors are not shown in the browser
display_errors = Off
···
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php     # no output at all
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 14:54:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 14:54:35 GMT
Content-Type: text/html; charset=UTF-8

這樣配置后網(wǎng)頁上不會顯示任何錯誤信息,curl也不返回錯誤,那我們無法獲取和分析錯誤信息了,所以我們需要配置一下 error_log錯誤日志。

  4. error_log: error log
···
; enable the error log
log_errors = On
; path of the error log file
error_log = /tmp/php_errors.log
; which error levels are logged
error_reporting = E_ALL
···

error_reporting sets the logging level; E_ALL records every type of error, notices and warnings alike. Setting E_ALL in a development environment makes it easy for developers to track down problems, but it also fills the log with a lot of meaningless entries.

  • Test
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 15:13:56 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 15:13:56 GMT
Content-Type: text/html; charset=UTF-8
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php
[root@minglinux-01 ~] ls -l /tmp/php_errors.log 
-rw-r--r-- 1 daemon daemon 157 11月 20 23:13 /tmp/php_errors.log
[root@minglinux-01 ~] cat !$
cat /tmp/php_errors.log
[20-Nov-2018 23:13:56 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2

由于配置了display_errors = Off,所以curl命令返回狀態(tài)碼200,瀏覽器訪問也沒有報錯信息,但錯誤日志顯示了phpinfo函數(shù)是被禁用了,訪問沒有成功。

If all of the above is configured but the error log file is never created at the configured path, check the permissions of the target directory (whether daemon has write permission there), or create php_errors.log by hand, then change its owner to daemon and its permissions to 777.

  • Simulate another error
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php
// write some random content
<?php
echo 1abc;
wqraw f
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php 
[root@minglinux-01 ~] 
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 20 Nov 2018 15:31:20 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Connection: close
Content-Type: text/html; charset=UTF-8

[root@minglinux-01 ~] !cat
cat /tmp/php_errors.log
[20-Nov-2018 23:13:56 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
[20-Nov-2018 23:21:37 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
[20-Nov-2018 23:22:01 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
[20-Nov-2018 23:31:16 Asia/Shanghai] PHP Parse error:  syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:31:20 Asia/Shanghai] PHP Parse error:  syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2

As you can see, the error log entries are now different from the earlier ones.

  5. open_basedir security option

open_basedir isolates the directories of different sites on one server: even if an intruder compromises one of the directories, they cannot go on to compromise other sites or directories.

  • Set open_basedir in php.ini
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···
; restrict PHP to the ming and /tmp directories only
open_basedir = /usr/local/apache2.4/htdocs/ming:/tmp
···
  • Test
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 20 Nov 2018 15:54:02 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Connection: close
Content-Type: text/html; charset=UTF-8

[root@minglinux-01 ~] tail -n5 /tmp/php_errors.log
[20-Nov-2018 23:31:20 Asia/Shanghai] PHP Parse error:  syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:54:02 Asia/Shanghai] PHP Parse error:  syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Warning:  Unknown: open_basedir restriction in effect. File(/usr/local/apache2.4/htdocs/ming1/2.php) is not within the allowed path(s): (/usr/local/apache2.4/htdocs/ming:/tmp) in Unknown on line 0
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Fatal error:  Unknown: Failed opening required '/usr/local/apache2.4/htdocs/ming1/2.php' (include_path='.:/usr/local/php/lib/php') in Unknown on line 0

The error log shows that access was blocked because the ming1 directory is not among the allowed directories.

  • Change the ming directory in open_basedir to ming1
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
open_basedir = /usr/local/apache2.4/htdocs/ming1:/tmp
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 16:03:46 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 16:03:46 GMT
Content-Type: text/html; charset=UTF-8

修改后可以正常訪問了。

  • If the server hosts many sites, setting open_basedir in php.ini is not appropriate, because php.ini can define it only once: all sites then share the same restricted directories, and the isolation between sites is lost. Instead, open_basedir can be set for an individual virtual host, as follows:
···
php_admin_value open_basedir "/usr/local/apache2.4/htdocs/ming1:/tmp"
···

open_basedir can be set for any virtual host simply by adding the line above to the corresponding virtual host section.

/tmp is allowed in open_basedir because the site's temporary files are written to /tmp; if /tmp is forbidden, problems such as being unable to upload images can result.
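To check that a php.ini actually carries the settings from this part (disable_functions, display_errors, log_errors, error_log, date.timezone, open_basedir), here is a small shell audit as an added example, not code from the original post. The two php.ini fragments are constructed samples; eval is not checked because it is a language construct rather than a function, so listing it in disable_functions has no effect.

```shell
# Added example (not from the original post): audit a php.ini against the hardening
# directives covered above. Prints one OK/FAIL line per check plus "failures=N".
php_ini_audit() {
    ini=$1; fails=0
    # effective value of a directive: last uncommented "key = value" line, quotes/blanks stripped
    ini_get() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$ini" | tail -n1 | tr -d '" \t'; }
    # check LABEL CMD...: run CMD, report OK or FAIL, count failures
    check() { l=$1; shift; if "$@"; then echo "OK   $l"; else echo "FAIL $l"; fails=$((fails + 1)); fi; }
    # 1. command-execution helpers and phpinfo() must be listed in disable_functions
    #    (eval is a language construct, not a function, so listing it has no effect and it is skipped)
    df=",$(ini_get disable_functions),"
    for fn in exec system passthru shell_exec popen proc_open phpinfo; do
        case "$df" in
            *",$fn,"*) check "disable_functions lists $fn" true ;;
            *)         check "disable_functions lists $fn" false ;;
        esac
    done
    # 2. errors must go to a log file, never to the browser
    check "display_errors = Off" [ "$(ini_get display_errors | tr 'A-Z' 'a-z')" = off ]
    check "log_errors = On"      [ "$(ini_get log_errors | tr 'A-Z' 'a-z')" = on ]
    check "error_log path set"   [ -n "$(ini_get error_log)" ]
    # 3. filesystem confinement and time zone
    check "open_basedir set"     [ -n "$(ini_get open_basedir)" ]
    check "date.timezone set"    [ -n "$(ini_get date.timezone)" ]
    echo "failures=$fails"
}

# Constructed samples: a stock-like php.ini, and one with the values set in this post.
WEAK_INI=$(mktemp); HARD_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
disable_functions =
display_errors = On
log_errors = Off
;error_log = php_errors.log
;open_basedir =
;date.timezone =
EOF
cat > "$HARD_INI" <<'EOF'
disable_functions = eval,assert,popen,passthru,exec,system,shell_exec,proc_open,phpinfo
display_errors = Off
log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL
date.timezone = Asia/Shanghai
open_basedir = /usr/local/apache2.4/htdocs/ming1:/tmp
EOF
php_ini_audit "$WEAK_INI"
php_ini_audit "$HARD_INI"
```

On the server from this post, run `php_ini_audit /usr/local/php/etc/php.ini`; note that a per-virtual-host php_admin_value open_basedir lives in httpd-vhosts.conf and is not seen by this php.ini check.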

Further reading

Enabling compression in Apache http://ask.apelearn.com/question/5528
Configuration file changes from Apache 2.2 to 2.4 http://ask.apelearn.com/question/7292
Apache Options parameters http://ask.apelearn.com/question/1051
Disabling TRACE or TRACK in Apache to prevent XSS http://ask.apelearn.com/question/1045
Configuring HTTPS (SSL) support in Apache http://ask.apelearn.com/question/1029

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
Platform statement: the article content (including any images or videos) was uploaded and published by the author and represents the author's own views only; Jianshu (簡書) is an information publishing platform that merely provides information storage.

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容