11.28 Forbid PHP parsing in a specific directory  11.29 Restrict user_agent  11.30/11.31 PHP-related configuration

11.28 Forbid PHP parsing in a specific directory

This section applies to hardening static-file directories and writable directories: by restricting PHP parsing and access permissions in them, we prevent them being abused in attacks and improve security.

Edit the virtual host configuration file:

[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
        <FilesMatch (.*)\.php(.*)>
            Order allow,deny
            deny from all
        </FilesMatch>
    </Directory>

Add the PHP access restriction (the FilesMatch block)

Note: if only PHP parsing is disabled, users who request a PHP file will see its source code. Adding this block prevents users from seeing the server-side PHP source, which further improves security.
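As an added example (not from the original notes), a small shell audit that reads a vhost configuration fragment and reports directories where the PHP engine is off but no FilesMatch deny follows, i.e. where PHP source would be exposed as described above. VHOST_CONF is constructed sample input; `Require all denied` is accepted as the 2.4-style equivalent of `deny from all`.

```shell
# Constructed sample vhost config: the upload directory is configured as in the
# notes, the static directory only turns the engine off (source would be exposed).
VHOST_CONF='
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
        <FilesMatch (.*)\.php(.*)>
            Order allow,deny
            deny from all
        </FilesMatch>
    </Directory>
    <Directory /data/wwwroot/111.com/static>
        php_admin_flag engine off
    </Directory>
</VirtualHost>
'

# audit_php_dirs CONF_TEXT: print one line per <Directory> that has
# "php_admin_flag engine off": "<path> ok" when a FilesMatch block for .php
# also denies access, "<path> SOURCE_EXPOSED" when only the engine is off.
audit_php_dirs() {
    printf '%s\n' "$1" | awk '
        /<Directory / { dir = $2; sub(/>$/, "", dir); off = 0; deny = 0 }
        /php_admin_flag[ \t]+engine[ \t]+off/ { off = 1 }
        /<FilesMatch .*php/ { in_fm = 1 }
        in_fm && /[Dd]eny from all|Require all denied/ { deny = 1 }
        /<\/FilesMatch>/ { in_fm = 0 }
        /<\/Directory>/ && off { print dir, (deny ? "ok" : "SOURCE_EXPOSED") }'
}

audit_php_dirs "$VHOST_CONF"
```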

Create the corresponding directory:

[root@cham002 ~]# cd /data/wwwroot/111.com/
[root@cham002 111.com]# mkdir upload
[root@cham002 111.com]# ls
123.php  admin  index.php  photo1.jpg  upload
[root@cham002 111.com]# cp 123.php upload/

Test:

[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 16:00:13 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>

Note: the status code for accessing 123.php is now 403, i.e. it cannot be accessed.

Now remove the FilesMatch lines that make up the PHP access restriction:

[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful
# let's look at the effect
[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' 
<?php
echo " hello 123.php";
# it is not parsed at all; the source code is returned as-is

If opened in a browser it is downloaded directly, which shows it is not being parsed.

We put the restriction back so that there is no chance of accessing it at all.

Check the syntax and reload again.

[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful

Look at the result: straight to Forbidden!! Requesting a file that does not exist is also Forbidden.

 

11.29 Restrict user_agent

user_agent (User Agent): information about the browser (or search engine), including hardware platform, operating system, application software and the user's personal preferences.

 

Background:
A site is sometimes hit by a CC attack, which works like this: the attacker uses proxy servers (compromised machines) to generate legitimate-looking requests at the victim host, achieving a DDoS while disguising the origin. One characteristic of a CC attack is that its user agent is consistent across requests, so the attack can be blocked by restricting that user agent.

Edit the virtual host configuration file:

[root@cham002 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
        RewriteRule  .*  -  [F]
    </IfModule>
Note: NC means case-insensitive; OR means "or" (with no option, consecutive conditions are combined with "and") when chaining to the next condition; F = forbidden.
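As an added example (not from the original notes), the detection side of the same idea: tally user agents in access-log lines of the format shown later in this section, so that a single agent dominating the log stands out, and emulate the two RewriteCond patterns above to show which agents the rule would block. ACCESS_LOG is constructed sample input modelled on the log excerpt; the emulation treats the dot in `baidu.com` literally.

```shell
# Constructed sample lines in the combined log format used by the notes.
ACCESS_LOG='127.0.0.1 - - [27/Dec/2017:00:02:50 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:02:57 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 200 29 "-" "curl/7.29.0"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET / HTTP/1.1" 200 18 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
10.0.0.9 - - [27/Dec/2017:00:05:01 +0800] "GET /index.php HTTP/1.1" 200 14 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
127.0.0.1 - - [27/Dec/2017:00:25:36 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "chamlinux chamlinux"'

# ua_counts LOG_TEXT: the User-Agent is the 6th double-quote-delimited field;
# count requests per agent, most frequent first.
ua_counts() {
    printf '%s\n' "$1" | awk -F'"' 'NF >= 6 { n[$6]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# ua_verdict UA: emulate the two RewriteCond patterns. [NC] means case-insensitive,
# so lower-case first; [OR] means matching either pattern is enough to reach [F].
ua_verdict() {
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lc" in
        *curl*|*baidu.com*) echo BLOCK ;;
        *) echo ALLOW ;;
    esac
}

# report LOG_TEXT: one line per distinct agent, e.g. "2 BLOCK curl/7.29.0".
report() {
    ua_counts "$1" | while read -r count ua; do
        printf '%s %s %s\n' "$count" "$(ua_verdict "$ua")" "$ua"
    done
}

report "$ACCESS_LOG"
```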

:wq to save

Check the syntax and reload
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 111.com]# /usr/local/apache2.4/bin/apachectl graceful

Test:

[root@cham002 111.com]# !curl
curl -x127.0.0.1:80 'http://111.com/upload/123.php' 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>
[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/upload/123.php'  -I
HTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 16:22:39 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@cham002 111.com]# curl -x127.0.0.1:80 'http://111.com/123.php'  -I
HTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 16:22:51 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1


[root@cham002 111.com]# tail /usr/local/apache2.4/logs/111.com-access_20171227.log 
127.0.0.1 - - [27/Dec/2017:00:02:50 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:02:57 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 200 29 "-" "curl/7.29.0"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET / HTTP/1.1" 200 18 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://111.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:47 +0800] "GET /123.php HTTP/1.1" 200 14 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:56 +0800] "GET /upload/123.php HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:08:06 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
127.0.0.1 - - [27/Dec/2017:00:22:27 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:22:39 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:22:51 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"

Note: curl -A specifies the user agent.
[root@cham002 111.com]# curl -A "chamlinux chamlinux" -x127.0.0.1:80 'http://111.com/123.php'  -I
HTTP/1.1 200 OK
Date: Tue, 26 Dec 2017 16:25:36 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@cham002 111.com]# tail /usr/local/apache2.4/logs/111.com-access_20171227.log 
127.0.0.1 - - [27/Dec/2017:00:02:57 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 200 29 "-" "curl/7.29.0"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET / HTTP/1.1" 200 18 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:36 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://111.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:47 +0800] "GET /123.php HTTP/1.1" 200 14 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:04:56 +0800] "GET /upload/123.php HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.230.1 - - [27/Dec/2017:00:08:06 +0800] "GET /upload/123.php HTTP/1.1" 403 223 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
127.0.0.1 - - [27/Dec/2017:00:22:27 +0800] "GET http://111.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:22:39 +0800] "HEAD http://111.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:22:51 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [27/Dec/2017:00:25:36 +0800] "HEAD http://111.com/123.php HTTP/1.1" 200 - "-" "chamlinux chamlinux"
[root@cham002 111.com]#

 

11.30 PHP-related configuration

Check which PHP configuration file is loaded:

[root@cham002 php-7.1.6]# /usr/local/php/bin/php -i|grep -i "loaded configuration file" 
Loaded Configuration File => /usr/local/php/etc/php.ini
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0


[root@cham002 php-7.1.6]# /usr/local/php7/bin/php -i|grep -i "loaded configuration file" 
Loaded Configuration File => /usr/local/php7/etc/php.ini
[root@cham002 111.com]# ls
123.php  admin  index.php  photo1.jpg  upload
 
[root@cham002 111.com]# vim index.php 
<?php
#echo "welcome to 111.com";
phpinfo();
#?>
[root@cham002 111.com]# cd /usr/local/src/php-7.1.6/

[root@cham002 php-7.1.6]# cp php.ini-development  /usr/local/php7/etc/php.ini

[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 php-7.1.6]# vim /usr/local/php7/etc/php.ini
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 php-7.1.6]# vim /usr/local/php7/etc/php.ini
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK

PHP parameters

Set the timezone

date.timezone

Function restrictions

disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo

The functions listed above can be restricted with "disable_functions" to improve site security.

display_errors=On/Off: whether to display the cause of errors. Note that once this is set to Off (so users cannot see the errors) you must also enable the error log, set its path and set the error level; otherwise there is no way to find the cause of an error.

display_errors = Off

Log-related settings

log_errors=On/Off: enable/disable the error log

log_errors = On
This turns it on.

Define the error log path

Set the path where the error log is saved. If no log is produced after the path is defined, check whether the directory containing the log file has write (w) permission.

error_log = /tmp/php_errors.log

Define the error level for error_log (if the level is set very strictly, only relatively serious errors are recorded and ordinary warnings are not). Available levels: E_ALL, ~E_NOTICE, ~E_STRICT, ~E_DEPRECATED (freely combinable). For production, E_ALL & ~E_NOTICE is enough.

error_reporting = E_ALL

[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/index.php
[root@cham002 php-7.1.6]# ls /tmp/
mysql.sock      systemd-private-02f767b5881a41e284ed51ccdd17a7e8-vmtoolsd.service-5E7yid
pear            systemd-private-784ef142e2ac49208717f87ed079faeb-vmtoolsd.service-vHephM
php_errors.log
[root@cham002 php-7.1.6]# cat /tmp/php_errors.log 
[26-Dec-2017 17:16:28 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 3
[root@cham002 php-7.1.6]# ls -l /tmp/php_errors.log 
-rw-r--r-- 1 daemon daemon 135 12月 27 01:16 /tmp/php_errors.log
[root@cham002 php-7.1.6]# ps aux |grep httpd
root      2717  0.0  1.3 258996 13680 ?        Ss   12月25   0:06 /usr/local/apache2.4/bin/httpd -k start
daemon    8815  0.0  1.4 613472 14920 ?        Sl   01:16   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    8816  0.0  1.0 545824 10468 ?        Sl   01:16   0:00 /usr/local/apache2.4/bin/httpd -k start
daemon    8817  0.0  1.0 545824 10456 ?        Sl   01:16   0:00 /usr/local/apache2.4/bin/httpd -k start
root      8918  0.0  0.0 112684   976 pts/0    S+   01:17   0:00 grep --color=auto httpd

Simulate another error:
[root@cham002 php-7.1.6]# vim /data/wwwroot/111.com/2.php
[root@cham002 php-7.1.6]# cat !$
cat /data/wwwroot/111.com/2.php
<?php
echo 123;
adsfasdffsdfsdfsdfsdfsdfsfdsfs
[root@cham002 php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php
[root@cham002 php-7.1.6]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 26 Dec 2017 17:26:03 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

[root@cham002 php-7.1.6]# cat /tmp/php_errors.log 
[26-Dec-2017 17:16:28 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 3
[26-Dec-2017 17:25:53 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[26-Dec-2017 17:26:03 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
Sometimes, to be on the safe side, even though error_log is already defined in php.ini:
[root@cham002 php-7.1.6]# grep error_log /usr/local/php7/etc/php.ini
; server-specific log, STDERR, or a location specified by the error_log
; Set maximum length of log_errors. In error_log information about the source is
error_log = /tmp/php_errors.log
;error_log = syslog
; OPcache error_log file name. Empty string assumes "stderr".
;opcache.error_log=
[root@cham002 php-7.1.6]# touch /tmp/php_errors.log ; chmod 777 /tmp/php_errors.log
The log file can be created in advance and given 777 permissions.

Security parameter "open_basedir"

open_basedir = /data/wwwroot/111.com:/tmp

Translation: if the open_basedir option is set, all file operations are limited to the specified directory and its subdirectories.
It is very important to set this directive per directory or per virtual host in the web server configuration.
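As an added example (not from the original notes), a shell audit of the php.ini settings this section recommends. It reads the effective value of a directive while skipping ";" comment lines, because a plain grep, as in the session above, also matches the commented-out documentation lines. PHP_INI is constructed sample input in which display_errors and open_basedir are still wrong.

```shell
# Constructed sample php.ini fragment; the ";" lines must be ignored.
PHP_INI='; server-specific log, STDERR, or a location specified by the error_log
display_errors = On
;display_errors = Off
log_errors = On
error_log = /tmp/php_errors.log
;error_log = syslog
error_reporting = E_ALL & ~E_NOTICE
; note: eval is a language construct, so listing it here has no effect on it
disable_functions = eval,assert,popen,passthru,exec,system,shell_exec,proc_open,phpinfo
;opcache.error_log=
'

# ini_get NAME [INI_TEXT]: print the uncommented value of NAME (last occurrence wins,
# as PHP itself does); INI_TEXT defaults to PHP_INI.
ini_get() {
    printf '%s\n' "${2:-$PHP_INI}" | awk -v key="$1" -F'=' '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }'
}

# audit_php_ini: one "PASS name" or "FAIL name reason" line per recommended setting.
audit_php_ini() {
    [ "$(ini_get display_errors)" = Off ] && echo "PASS display_errors" \
        || echo "FAIL display_errors should be Off so users never see error details"
    [ "$(ini_get log_errors)" = On ] && echo "PASS log_errors" \
        || echo "FAIL log_errors must be On once display_errors is Off"
    [ -n "$(ini_get error_log)" ] && echo "PASS error_log" \
        || echo "FAIL error_log no path set, errors would be lost"
    case ",$(ini_get disable_functions)," in
        *,phpinfo,*) echo "PASS disable_functions" ;;
        *) echo "FAIL disable_functions phpinfo still callable" ;;
    esac
    [ -n "$(ini_get open_basedir)" ] && echo "PASS open_basedir" \
        || echo "FAIL open_basedir unset, file operations are not confined"
}

audit_php_ini
```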

We correct 2.php:
[root@cham002 ~]# vim /data/wwwroot/111.com/2.php
[root@cham002 ~]# cat /data/wwwroot/111.com/2.php 
<?php
echo 123;

[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl graceful
[root@cham002 ~]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.1 200 OK
Date: Tue, 26 Dec 2017 17:42:32 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
[root@cham002 ~]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php 
123

Note: the settings in php.ini apply to all virtual hosts!!!!!!!! Be clear about this. So we remove the option from php.ini.

Problem: one server runs more than one virtual host, so setting this option in php.ini is not appropriate. How should it be configured then?

Solution: configure it separately in each virtual host's configuration.

Edit the virtual host configuration file:

[root@cham002 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
 php_admin_value open_basedir "/data/wwwroot/abc.com:/tmp/"


[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@cham002 ~]# /usr/local/apache2.4/bin/apachectl graceful

[root@cham002 ~]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php 
123[root@cham002 ~]# curl -A "a" -x127.0.0.1:80 http://111.com/2.php -I
HTTP/1.1 200 OK
Date: Tue, 26 Dec 2017 17:53:26 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

Note: "php_admin_value" can set php.ini parameters. With this method, set "open_basedir" separately for each virtual host. "/tmp/" is allowed here so that temporary files can still be written.
