Contents
1. Disable PHP parsing in a specific directory
2. Restrict by user_agent
3. PHP-related configuration
1. Disable PHP parsing in a specific directory
PHP has a number of dangerous functions. An intruder who manages to upload a malicious PHP file (a web shell) to the site can call them to run commands as the web server user and work from there towards full control of the machine, which is very dangerous.
The countermeasure is to configure the upload directory so that PHP is not parsed there: an uploaded PHP web shell is never executed, so the intruder cannot use it to go any further.
- Disable PHP parsing
[root@minglinux-01 ~] vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
···
<Directory /usr/local/apache2.4/htdocs/ming1/upload>
    # switch the PHP engine off for this directory
    php_admin_flag engine off
    # and refuse to serve any file with ".php" anywhere in its name,
    # so the uploaded source is not disclosed either.
    # Order/Deny is 2.2 syntax; on 2.4 it needs mod_access_compat,
    # the native 2.4 form is "Require all denied".
    <FilesMatch "(.*)\.php(.*)">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
···
- Test
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] mkdir /usr/local/apache2.4/htdocs/ming1/upload
[root@minglinux-01 ~] cp /usr/local/apache2.4/htdocs/1.php /usr/local/apache2.4/htdocs/ming1/upload/1.php
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php' -I
HTTP/1.1 403 Forbidden
Date: Mon, 19 Nov 2018 15:03:33 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-
- Comment out the <FilesMatch> block, leaving only the engine off
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php' -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 15:05:08 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Last-Modified: Mon, 19 Nov 2018 15:02:40 GMT
ETag: "24-57b05cee94b4e"
Accept-Ranges: bytes
Content-Length: 36
Cache-Control: max-age=0
Expires: Mon, 19 Nov 2018 15:05:08 GMT
Content-Type: application/x-httpd-php
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php'
<?php
echo "hello world \n";
?>
1.php can now be fetched but is not executed: the response is its source code, with Content-Type application/x-httpd-php. That is why the two directives are used together: engine off stops execution, and the FilesMatch block stops the upload's contents from being disclosed.
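An added example, not part of the original page: a small POSIX shell audit of an upload directory that lists the files the <FilesMatch "(.*)\.php(.*)"> block above refuses to serve, and contrasts that with a pattern anchored on the final extension only. The directory tree it builds under /tmp is constructed for the demonstration, and the function names are this example's own; the real target would be /usr/local/apache2.4/htdocs/ming1/upload.

```shell
#!/bin/sh
# Added example: audit an upload directory for names Apache's
# <FilesMatch "(.*)\.php(.*)"> would refuse, versus a final-extension-only
# pattern. Not part of the original page; the tree below is constructed.

# find_php_like DIR -> files whose name contains ".php" anywhere,
# the same set as FilesMatch "(.*)\.php(.*)"
find_php_like() {
    find "$1" -type f -name '*.php*' | sort
}

# find_php_final_ext DIR -> files whose name merely ends in ".php",
# what a weaker FilesMatch "\.php$" would cover
find_php_final_ext() {
    find "$1" -type f -name '*.php' | sort
}

count_php_like()      { find_php_like "$1" | wc -l | tr -d ' '; }
count_php_final_ext() { find_php_final_ext "$1" | wc -l | tr -d ' '; }

# Constructed sample tree standing in for /usr/local/apache2.4/htdocs/ming1/upload
demo_dir=$(mktemp -d /tmp/upload_audit.XXXXXX)
mkdir -p "$demo_dir/2018/11"
: > "$demo_dir/photo.jpg"
: > "$demo_dir/readme.txt"
: > "$demo_dir/2018/11/1.php"            # the classic web shell upload
: > "$demo_dir/2018/11/avatar.php.jpg"   # double extension; an AddHandler-based
                                         # mod_php setup would still execute it
cleanup_demo() { rm -rf "$demo_dir"; }

printf 'matched by (.*)\\.php(.*): %s\n' "$(count_php_like "$demo_dir")"
find_php_like "$demo_dir"
printf 'matched by \\.php$ only:   %s\n' "$(count_php_final_ext "$demo_dir")"
find_php_final_ext "$demo_dir"
```

The double-extension case is the reason the page's pattern has (.*) on both sides: when mod_php is wired up with AddHandler, Apache applies every extension of avatar.php.jpg, so the file is run as PHP even though it looks like an image, and a pattern anchored on \.php$ would not cover it. Run from cron against the real upload directory, the audit turns a silent web-shell upload into an alert.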
二垢箕、限制user_agent
user_agent為瀏覽器標識划栓,針對user_agent可以用來限制一些訪問,比如可以限制一些不太友好的搜索引擎“爬蟲”和cc攻擊条获≈臆瘢“爬蟲”抓取數(shù)據(jù)類似于用戶用瀏覽器訪問網(wǎng)站,當“爬蟲”太多或者訪問太頻繁月匣,就會浪費服務器資源钻洒。cc攻擊是指用很多用戶的電腦同時訪問同一個站點,當訪問量或者頻率達到一定層次锄开,服務器就會無法承受這些訪問而不能正常工作素标。
這些惡意請求的user_agent相同或者相似,那我們就可以通過限制 user_agent發(fā)揮防攻擊的作用萍悴。限制user_agent后头遭,對方在訪問時會收到狀態(tài)碼403,這樣對方對服務器資源不會造成太大影響癣诱,僅僅是對方發(fā)送來了一個請求计维,帶寬消耗也不會太大。
針對user_agent來做訪問控制
[root@minglinux-01 ~] vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
···
# mod_rewrite must be loaded in httpd.conf for this block to do anything:
#   LoadModule rewrite_module modules/mod_rewrite.so
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    RewriteRule .* - [F]
</IfModule>
···
In the square brackets, OR means "or", NC means case-insensitive, and F stands for Forbidden (a 403 response). The "-" in the RewriteRule means no substitution: the URL is left alone and only the flag is applied. When the user_agent matches curl or baidu.com, the rule fires. Note that <IfModule> silently skips the whole block when mod_rewrite is not loaded, so a missing LoadModule line produces no syntax error, just no protection; the curl test below is what proves the rule is live.
- Test
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] curl -x127.0.0.1:80 www.ming1.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Date: Tue, 20 Nov 2018 13:15:50 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
- Check the log
[root@minglinux-01 ~] tail -n2 /usr/local/apache2.4/logs/www.ming1.com-access_20181120.log
127.0.0.1 - - [20/Nov/2018:21:15:50 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.162.1 - - [20/Nov/2018:21:19:29 +0800] "GET /upload/1.php HTTP/1.1" 200 36 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
- curl's -A option sets the user_agent
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/upload/1.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 13:32:27 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Last-Modified: Mon, 19 Nov 2018 15:02:40 GMT
ETag: "24-57b05cee94b4e"
Accept-Ranges: bytes
Content-Length: 36
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 13:32:27 GMT
Content-Type: application/x-httpd-php
- curl's -e option sets the Referer, which shows up in the fourth quoted field of the log
[root@minglinux-01 ~] curl -e "http://ming2.com" -A "ming" -x127.0.0.1:80 www.ming1.com/upload/1.php -I
[root@minglinux-01 ~] tail -n2 /usr/local/apache2.4/logs/www.ming1.com-access_20181120.log
127.0.0.1 - - [20/Nov/2018:21:32:27 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "-" "ming"
127.0.0.1 - - [20/Nov/2018:21:35:15 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "http://ming2.com" "ming"
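An added example, not from the original page, in POSIX shell: the user_agent policy of the RewriteCond/RewriteRule block above as a shell predicate, plus a summary of an access log in Apache's combined format to see which user_agents are busiest and to count how many logged requests the rule would have refused. The log lines are constructed (the first two are modelled on the excerpts above), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: the vhost's user_agent policy as a shell predicate, plus an
# access-log summary. Not part of the original page; the log lines are constructed.

# ua_blocked UA -> true when the RewriteCond/RewriteRule block would answer 403.
# [NC] is grep -i, the two conditions joined with [OR] become one alternation.
ua_blocked() {
    printf '%s' "$1" | grep -qiE 'curl|baidu\.com'
}

# top_user_agents LOGFILE -> "count<TAB>user_agent", busiest first.
# In the combined log format the user_agent is the third double-quoted field,
# i.e. awk field 6 when splitting on the quote character.
top_user_agents() {
    awk -F'"' '{ ua[$6]++ } END { for (u in ua) printf "%d\t%s\n", ua[u], u }' "$1" \
        | sort -rn
}

# would_be_blocked LOGFILE -> how many logged requests the rule would have refused
would_be_blocked() {
    awk -F'"' '{ print $6 }' "$1" | grep -ciE 'curl|baidu\.com' || true
}

# Constructed sample in Apache combined format (first two lines modelled on the
# page's www.ming1.com-access_20181120.log excerpt).
sample_log=$(mktemp /tmp/access_sample.XXXXXX)
cat > "$sample_log" <<'EOF'
127.0.0.1 - - [20/Nov/2018:21:15:50 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.162.1 - - [20/Nov/2018:21:19:29 +0800] "GET /upload/1.php HTTP/1.1" 200 36 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
203.0.113.7 - - [20/Nov/2018:21:20:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
203.0.113.7 - - [20/Nov/2018:21:20:02 +0800] "GET /2.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
198.51.100.9 - - [20/Nov/2018:21:21:10 +0800] "GET / HTTP/1.1" 200 36 "-" "CURL-Monitor/1.0"
127.0.0.1 - - [20/Nov/2018:21:32:27 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "-" "ming"
EOF

echo "requests per user_agent:"
top_user_agents "$sample_log"
echo "would be refused by the rule: $(would_be_blocked "$sample_log") of $(wc -l < "$sample_log" | tr -d ' ')"
```

ua_blocked mirrors the two RewriteCond lines exactly: [NC] becomes grep -i and the [OR] joining them becomes one alternation, which is why the upper-case CURL-Monitor line and the Baiduspider lines (the spider's agent string contains www.baidu.com) are both counted. The count also shows the limit of the approach: the made-up "ming" agent passes, just as the curl -A test above does.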
3. PHP-related configuration
- Locate the PHP configuration file
- Via the browser
Create a phpinfo page under the site directory and open it in a browser; the "Loaded Configuration File" row shows the php.ini in use. Remove the page once you have the path: phpinfo() reveals versions, paths, loaded modules and settings to anyone who can reach it.
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/index.php
<?php
phpinfo();
- Common PHP settings
- disable_functions: disable dangerous functions
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
··· ; find the disable_functions line and list the functions to disable after the equals sign
disable_functions = assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close,phpinfo
···
Two corrections to the list as it is usually copied around: eval is a language construct, not a function, so putting it in disable_functions has no effect (it is left out above), and entries listed twice (passthru, popen, escapeshellarg, escapeshellcmd) are harmless but pointless. disable_functions can only be set in php.ini or the Apache configuration, never by ini_set() or .htaccess, which is exactly why an uploaded web shell cannot switch the functions back on. Test the application after changing the list: ordinary code uses scandir, chown and the like, and disabling them breaks such code.
- date.timezone: set the time zone
Leaving it unset sometimes produces warnings. Edit php.ini, find date.timezone and set it as follows:
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···
date.timezone = Asia/Shanghai ; time zone for date() and log timestamps, here Shanghai
···
- display_errors: error display
···
display_errors = Off ; Off: do not print errors in the page sent to the browser
···
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php   # no output at all
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 14:54:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 14:54:35 GMT
Content-Type: text/html; charset=UTF-8
With this setting the page shows no error message and curl gets none either, so we have no way to see and analyse errors. The error log has to be configured as well.
- error_log: error log
log_errors = On ; enable the error log
error_log = /tmp/php_errors.log ; path of the error log file
error_reporting = E_ALL ; which levels are logged
E_ALL logs every level, notices and warnings included. Use E_ALL in a development environment, where it helps the programmer track problems down, but expect a lot of noise in the log; PHP's own php.ini-production sample uses E_ALL & ~E_DEPRECATED & ~E_STRICT instead. Keep display_errors Off in both cases: printed errors reveal file paths, SQL fragments and stack traces to whoever triggers them.
- Test
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 15:13:56 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 15:13:56 GMT
Content-Type: text/html; charset=UTF-8
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php
[root@minglinux-01 ~] ls -l /tmp/php_errors.log
-rw-r--r-- 1 daemon daemon 157 11月 20 23:13 /tmp/php_errors.log
[root@minglinux-01 ~] cat !$
cat /tmp/php_errors.log
[20-Nov-2018 23:13:56 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
Because display_errors = Off, curl gets status 200 and the browser shows no error either, but the error log records that phpinfo() is disabled, so the call did not succeed.
If everything above is configured and yet no log file appears at the configured path, check the permissions of the target directory (the daemon user Apache runs as needs write access there), or create php_errors.log by hand, chown it to daemon and give it mode 640 (or 644, as in the listing above). Do not use 777: a world-writable log can be truncated or filled by any local user, and the log itself contains file paths worth protecting.
- Simulate another error
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php
// type in anything; the following is deliberately broken PHP
<?php
echo 1abc;
wqraw f
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 20 Nov 2018 15:31:20 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Connection: close
Content-Type: text/html; charset=UTF-8
[root@minglinux-01 ~] !cat
cat /tmp/php_errors.log
[20-Nov-2018 23:13:56 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
[20-Nov-2018 23:21:37 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
[20-Nov-2018 23:22:01 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
[20-Nov-2018 23:31:16 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:31:20 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
The error log now records a parse error instead of the disabled-function warning, and the response was 500 rather than 200: a parse error aborts the script, whereas a warning lets it run on.
- open_basedir: the path-restriction option
open_basedir confines the files PHP is allowed to open to the listed directories (and everything below them). On a server hosting several sites it isolates their directories from each other: an intruder who has compromised one site's directory cannot use PHP's file functions to read or write the other sites' directories. It restricts only PHP's own file access; it does nothing about commands run through system() or exec(), which is why it goes together with disable_functions.
- Set open_basedir in php.ini
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···
open_basedir = /usr/local/apache2.4/htdocs/ming:/tmp ; PHP may only touch files under ming and /tmp
···
- Test
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 20 Nov 2018 15:54:02 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Connection: close
Content-Type: text/html; charset=UTF-8
[root@minglinux-01 ~] tail -n5 /tmp/php_errors.log
[20-Nov-2018 23:31:20 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:54:02 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Warning: Unknown: open_basedir restriction in effect. File(/usr/local/apache2.4/htdocs/ming1/2.php) is not within the allowed path(s): (/usr/local/apache2.4/htdocs/ming:/tmp) in Unknown on line 0
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Fatal error: Unknown: Failed opening required '/usr/local/apache2.4/htdocs/ming1/2.php' (include_path='.:/usr/local/php/lib/php') in Unknown on line 0
The error log shows that the ming1 directory is not among the allowed paths, so opening the script was refused. Note that ming1 is rejected even though the entry /usr/local/apache2.4/htdocs/ming is a string prefix of it: as the log shows, the entry is applied as a directory boundary, not as a bare prefix.
- Change the open_basedir entry from ming to ming1
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
open_basedir = /usr/local/apache2.4/htdocs/ming1:/tmp
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 16:03:46 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 16:03:46 GMT
Content-Type: text/html; charset=UTF-8
After the change the page is served normally.
- If the server hosts many sites, setting open_basedir in php.ini is not suitable: php.ini can define it only once, so every site would get the same list of allowed directories and nothing would be isolated from anything. Instead, set open_basedir per virtual host, as follows:
···
php_admin_value open_basedir "/usr/local/apache2.4/htdocs/ming1:/tmp"
···
open_basedir can be set for any virtual host by adding that line inside the corresponding <VirtualHost> block. Use php_admin_value rather than php_value: a php_admin_value setting cannot be overridden from .htaccess or with ini_set(), so code uploaded into the site cannot loosen it.
/tmp is included because the site's temporary files (uploads in progress, session data) are written under /tmp; if /tmp is excluded, image uploads are likely to fail.
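An added example, not part of the original page, covering the php.ini settings of this section (disable_functions, display_errors, log_errors, error_log, open_basedir) in one POSIX shell script: it reads a php.ini the way PHP does, with ";" starting a comment and the last uncommented assignment of a key winning, and reports settings that differ from the hardened values used above. The two php.ini files it creates under /tmp are constructed samples, one permissive and one matching this section; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit php.ini for the hardening settings discussed on this page.
# Not part of the original page; file paths and function names are this example's own.

# php_ini_value FILE KEY -> effective value of KEY (empty if unset).
# ';' starts a comment, the last uncommented assignment wins, surrounding
# quotes are dropped (a ';' inside a quoted value is not handled).
php_ini_value() {
    awk -v key="$2" '
        { sub(/;.*/, "") }
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]*$/, "")
            sub(/^"/, ""); sub(/"$/, "")
            val = $0
        }
        END { print val }' "$1"
}

# has_disabled FILE FUNC -> true if FUNC is listed in disable_functions
has_disabled() {
    php_ini_value "$1" disable_functions | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

# audit_php_ini FILE -> one finding per line, nothing when the file is clean
audit_php_ini() {
    f=$1
    [ "$(php_ini_value "$f" display_errors | tr 'A-Z' 'a-z')" = off ] \
        || echo "display_errors should be Off: error pages leak paths, SQL and stack traces"
    [ "$(php_ini_value "$f" log_errors | tr 'A-Z' 'a-z')" = on ] \
        || echo "log_errors should be On, otherwise errors vanish once display_errors is Off"
    [ -n "$(php_ini_value "$f" error_log)" ] \
        || echo "error_log is unset: nothing tells you a script failed"
    [ -n "$(php_ini_value "$f" open_basedir)" ] \
        || echo "open_basedir is unset: PHP may read any file the daemon user can"
    for fn in system exec shell_exec passthru popen proc_open; do
        has_disabled "$f" "$fn" || echo "disable_functions does not list $fn"
    done
    # eval is a language construct; listing it gives a false sense of safety
    has_disabled "$f" eval \
        && echo "eval in disable_functions has no effect (language construct)"
    return 0
}

# audit_count FILE -> number of findings
audit_count() {
    audit_php_ini "$1" | wc -l | tr -d ' '
}

# Constructed samples standing in for /usr/local/php/etc/php.ini
weak_ini=$(mktemp /tmp/php_weak.XXXXXX)
cat > "$weak_ini" <<'EOF'
; constructed sample: permissive settings
display_errors = On
log_errors = Off
;error_log = /tmp/php_errors.log
disable_functions = eval,phpinfo
EOF

hard_ini=$(mktemp /tmp/php_hard.XXXXXX)
cat > "$hard_ini" <<'EOF'
; constructed sample: the values used in this section
display_errors = Off ; never print errors to the client
log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL
open_basedir = "/usr/local/apache2.4/htdocs/ming1:/tmp"
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,phpinfo
EOF

echo "== permissive sample =="; audit_php_ini "$weak_ini"
echo "== hardened sample =="; audit_php_ini "$hard_ini"
```

Run it against the real file with audit_php_ini /usr/local/php/etc/php.ini. Two things the audit catches that are easy to get wrong: eval cannot be disabled through disable_functions because it is a language construct, and a commented-out error_log line (as in the permissive sample) means errors are dropped silently once display_errors is Off. The audit reads php.ini only; a php_admin_value in a vhost overrides it, so for per-site settings check the vhost file as well.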
Further reading
Enabling compression in Apache http://ask.apelearn.com/question/5528
Configuration file changes from Apache 2.2 to 2.4 http://ask.apelearn.com/question/7292
Apache Options parameters http://ask.apelearn.com/question/1051
Disabling TRACE/TRACK in Apache to prevent XSS http://ask.apelearn.com/question/1045
Configuring HTTPS/SSL support in Apache http://ask.apelearn.com/question/1029