11.28 Forbid PHP parsing in a specific directory (prevents an uploaded PHP file from running: PHP has some dangerous functions, and an uploaded webshell makes it easy to take over the server. A directory for static files must never be allowed to hold PHP.)
Core configuration:
<Directory /data/wwwroot/www.123.com/upload>   (no PHP under the upload directory is parsed)
php_admin_flag engine off
</Directory>
When tested with curl, the PHP source code was returned directly rather than being parsed.
[root@test ~]# vim /usr/local/apache/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/abc.com"
ServerName abc.com
ServerAlias www.example.com
ErrorLog "logs/abc.com-error_log"
CustomLog "logs/abc.com-access_log" common
<Directory /data/wwwroot/abc.com/upload>
php_admin_flag engine off
<FilesMatch (.*)\.php(.*)>   ((.*)\.php(.*) matches the .php suffix; every request for a PHP file here gets a 403, overlapping with the directive above)
Order allow,deny   (allow is evaluated first, then deny)
Deny from all   (deny everyone, so that disabling PHP does not end up displaying the source code)
</FilesMatch>
</Directory>
<Directory /data/wwwroot/abc.com/>
<FilesMatch "admin.php(.*)">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
</VirtualHost>
[root@test ~]# /usr/local/apache/bin/apachectl -t
Syntax OK
[root@test ~]# /usr/local/apache/bin/apachectl graceful
Test:
[root@test ~]# mkdir /data/wwwroot/abc.com/upload
[root@test ~]# touch /data/wwwroot/abc.com/upload/1.php
[root@test ~]# curl -x127.0.0.1:80 'http://abc.com/upload/1.php' -I
HTTP/1.1 403 Forbidden
Date: Mon, 19 Nov 2018 13:39:09 GMT
Server: Apache/2.4.37 (Unix) PHP/7.2.12
Content-Type: text/html; charset=iso-8859-1
If no deny is in effect (the FilesMatch block commented out), the .php file is served as a plain file:
<Directory /data/wwwroot/abc.com/upload>
php_admin_flag engine off
# <FilesMatch (.*)\.php(.*)>
# Order allow,deny
# Deny from all
# </FilesMatch>
</Directory>
[root@test ~]# curl -x127.0.0.1:80 'http://abc.com/upload/1.php'
gjdfsjjfdhskfhds
[root@test ~]# curl -x127.0.0.1:80 'http://abc.com/upload/1.php' -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 13:42:20 GMT
Server: Apache/2.4.37 (Unix) PHP/7.2.12
Last-Modified: Mon, 19 Nov 2018 13:40:39 GMT
ETag: "11-57b04a9a3bf62"
Accept-Ranges: bytes
Content-Length: 17
Content-Type: application/x-httpd-php
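Added example (Python, not from these notes): a small audit of an httpd-vhosts.conf that checks every upload/static <Directory> for both layers the notes use, php_admin_flag engine off and a FilesMatch deny on .php. The constructed sample config below has one correctly hardened upload directory and one "static" directory with engine off only, the case shown above where Apache answers 200 and hands out the source.

```python
import re

# Constructed sample vhost config (not the notes' file). The second <Directory>
# deliberately has only "engine off", which serves .php source instead of 403.
SAMPLE_VHOST = r"""
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/abc.com"
ServerName abc.com
<Directory /data/wwwroot/abc.com/upload>
php_admin_flag engine off
<FilesMatch (.*)\.php(.*)>
Order allow,deny
Deny from all
</FilesMatch>
</Directory>
<Directory /data/wwwroot/abc.com/static>
php_admin_flag engine off
</Directory>
</VirtualHost>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S | re.I)
FM_RE = re.compile(r'<FilesMatch\s+"?([^">]+)"?>(.*?)</FilesMatch>', re.S | re.I)


def audit_upload_dirs(config: str) -> dict:
    """Return {directory_path: [findings]} for every <Directory> whose path ends in
    upload(s) or static(s). An empty findings list means both layers are present."""
    results = {}
    for path, body in DIR_RE.findall(config):
        if not re.search(r'/(upload|static)s?/?$', path):
            continue
        findings = []
        if not re.search(r'^\s*php_admin_flag\s+engine\s+off', body, re.M | re.I):
            findings.append("php_admin_flag engine off missing: PHP in this directory executes")
        # With engine off alone Apache serves the .php file as static content
        # (HTTP 200, Content-Type application/x-httpd-php); a FilesMatch deny closes that.
        denied = any(
            r'\.php' in pattern and re.search(r'^\s*Deny\s+from\s+all', fm_body, re.M | re.I)
            for pattern, fm_body in FM_RE.findall(body)
        )
        if not denied:
            findings.append("no <FilesMatch ...\\.php...> with 'Deny from all': source is served, not 403")
        results[path] = findings
    return results
```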
11.29 Restrict user_agent
(CC attack on a website (pattern: the user_agent is always the same, a browser or curl; n requests per second; the requested URL is always the same). Zombie machines: other people's servers or PCs that an attacker has taken control of, all used at the same time to hit one website. A PHP website has low concurrency, limited resources and limited bandwidth.)
user_agent can be understood as the browser identifier (once the user_agent is restricted the status code becomes 403: it costs only a single request and never touches MySQL or PHP)
Core configuration:
<IfModule mod_rewrite.c>
RewriteEngine on
Define the conditions:
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]   (OR is the connector between the two conditions and means "or"; without OR they are ANDed. Meaning: USER_AGENT matches the first condition or the second. NC means ignore case)
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]   (F means Forbidden)
</IfModule>
curl -A "123123" specifies the user_agent
[root@test ~]# vim /usr/local/apache/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/abc.com"
ServerName abc.com
ServerAlias www.example.com
ErrorLog "logs/abc.com-error_log"
CustomLog "logs/abc.com-access_log" common
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>
<Directory /data/wwwroot/abc.com/upload>
php_admin_flag engine off
# <FilesMatch (.*)\.php(.*)>
# Order allow,deny
# Deny from all
# </FilesMatch>
</Directory>
<Directory /data/wwwroot/abc.com/>
<FilesMatch "admin.php(.*)">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
</VirtualHost>
[root@test ~]# /usr/local/apache/bin/apachectl -t
Syntax OK
[root@test ~]# /usr/local/apache/bin/apachectl graceful
[root@test ~]# curl -x127.0.0.1:80 'http://abc.com/1.php' -I
HTTP/1.1 403 Forbidden
Date: Mon, 19 Nov 2018 14:02:15 GMT
Server: Apache/2.4.37 (Unix) PHP/7.2.12
Content-Type: text/html; charset=iso-8859-1
Custom user_agent with curl -A (a made-up user_agent matches neither condition and gets through):
[root@test ~]# curl -A "HDKSAH DSHAKDHSA" -x127.0.0.1:80 'http://abc.com/upload/1.php' -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 14:04:05 GMT
Server: Apache/2.4.37 (Unix) PHP/7.2.12
Last-Modified: Mon, 19 Nov 2018 13:40:39 GMT
ETag: "11-57b04a9a3bf62"
Accept-Ranges: bytes
Content-Length: 17
Content-Type: application/x-httpd-php
[root@test ~]# curl -A "BAIDU.COM/1.PHP" -x127.0.0.1:80 'http://abc.com/upload/1.php' -I
HTTP/1.1 403 Forbidden
Date: Mon, 19 Nov 2018 14:04:22 GMT
Server: Apache/2.4.37 (Unix) PHP/7.2.12
Content-Type: text/html; charset=iso-8859-1
Specify the referer:
curl -e "http://
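Added example (Python, not from these notes): the two RewriteCond patterns above re-implemented as case-insensitive regexes and run over constructed access-log lines, together with a counter for the CC pattern described at the top of 11.29 (same user_agent, same URL, many hits in one second). Note that the CustomLog in the vhost uses the common format, which does not record the User-Agent at all; the sample lines therefore assume LogFormat combined.

```python
import re
from collections import Counter

# The two RewriteCond patterns from the notes; [NC] means case-insensitive.
UA_BLOCK_RULES = [re.compile(r'.*curl.*', re.I), re.compile(r'.*baidu\.com.*', re.I)]

# Apache "combined" log format (the vhost's "common" format has no User-Agent field).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample lines mirroring the curl tests in the notes plus a 3-hits-per-second burst.
SAMPLE_LOG = """\
127.0.0.1 - - [19/Nov/2018:14:02:15 +0000] "HEAD /1.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [19/Nov/2018:14:04:05 +0000] "HEAD /upload/1.php HTTP/1.1" 200 17 "-" "HDKSAH DSHAKDHSA"
127.0.0.1 - - [19/Nov/2018:14:04:22 +0000] "HEAD /upload/1.php HTTP/1.1" 403 - "-" "BAIDU.COM/1.PHP"
10.0.0.5 - - [19/Nov/2018:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Nov/2018:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Nov/2018:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def ua_blocked(user_agent: str) -> bool:
    """Mirror of 'RewriteCond ... [NC,OR]' + 'RewriteRule .* - [F]': any match -> 403."""
    return any(rule.match(user_agent) for rule in UA_BLOCK_RULES)


def analyse(log_text: str, burst_threshold: int = 3):
    """Return (decisions, bursts): decisions is one (url, ua, blocked) per parsed line,
    bursts lists (ip, url, ua, timestamp) keys seen >= burst_threshold times in one second."""
    decisions, counter = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in combined format
        decisions.append((m['url'], m['ua'], ua_blocked(m['ua'])))
        # CC pattern from the notes: identical UA and URL, many requests in the same second
        counter[(m['ip'], m['url'], m['ua'], m['ts'])] += 1
    bursts = [key for key, n in counter.items() if n >= burst_threshold]
    return decisions, bursts
```

The second line shows the limit of a user_agent rule: a made-up string is let through, exactly as the curl -A "HDKSAH DSHAKDHSA" test above.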
11.30/11.31 PHP-related configuration
Find the location of the php configuration file:
/usr/local/php/bin/php -i|grep -i "loaded configuration file"
date.timezone
disable_functions eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close
error_log, log_errors, display_errors, error_reporting
open_basedir
php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"   (the /tmp/ directory is added because the website writes temporary files under /tmp/)
Locating the php configuration file
Two methods:
Method 1
[root@test ~]# /usr/local/php/bin/php -i   (not accurate: Apache loads PHP as a module, and the website and the php CLI do not use the same php.ini)
![d6f25053d17665ad82b6bced459c6177a5d.jpg](https://i-blog.csdnimg.cn/blog_migrate/5b7cb411e2de251b3900d44b4d0dfe07.jpeg)
Method 2: view phpinfo in the browser (most accurate for the website's php.ini; create a phpinfo page under the website directory and view it)
[root@test ~]# vim /data/wwwroot/abc.com/index.php
<?php
phpinfo();
?>
![789d2f9ee54e7885ff2d56519adfc75f999.jpg](https://i-blog.csdnimg.cn/blog_migrate/c1dc5b4ae861d914369cc3cdc8732d06.jpeg)
Path of the configuration file
![e13812d5c37ec94bfccca7fbfdb535951bc.jpg](https://i-blog.csdnimg.cn/blog_migrate/08205c126866a58e49a6efec608bb674.jpeg)
Whether the configuration file is loaded
![4151371197d5808cf73a57fff04d450c578.jpg](https://i-blog.csdnimg.cn/blog_migrate/0f6b35c50a016f599a4b9ade51bce866.jpeg)
How to get it loaded
[root@test ~]# cp /usr/local/src/php-7.2.12/php.ini-development /usr/local/php7/etc/php.ini
Configure the functions PHP is forbidden to call
[root@test ~]# vim /usr/local/php7/etc/php.ini
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
![394de1547085c3307d9b2d3237bac7684a1.jpg](https://i-blog.csdnimg.cn/blog_migrate/5b8d82afe676c630ad5a98fc2756b782.jpeg)
[root@test ~]# /usr/local/apache/bin/apachectl -t
Syntax OK
[root@test ~]# /usr/local/apache/bin/apachectl graceful
![fa8c73d06466ff5b0f5a9804b72a9becb2a.jpg](https://i-blog.csdnimg.cn/blog_migrate/c029b664c88f7aa5a5c2b4f345f797ca.jpeg)
Configure the timezone (otherwise a warning appears)
[root@test ~]# vim /usr/local/php7/etc/php.ini
[Date]
; Defines the default timezone used by the date functions
;date.timezone = Asia/Shanghai
![e71595d51e633dc0df452b3704e90a24316.jpg](https://i-blog.csdnimg.cn/blog_migrate/ae449cb063b3792659928af3ae844d7d.jpeg)
Configure logging (do not display error messages in the browser)
display_errors = Off
![6d19c419a797f4423e7a19ce334bbac5f39.jpg](https://i-blog.csdnimg.cn/blog_migrate/7540dbf76495b7bf5619d4a31906d2f3.jpeg)
Specify the error log
[root@test ~]# vim /usr/local/php7/etc/php.ini
log_errors = On   (enable error logging)
![b544bb334c1da3b9618598aabc94d5fbbdf.jpg](https://i-blog.csdnimg.cn/blog_migrate/8dcb07fa8b5e584a22c306c49cc9ea91.jpeg)
error_log = /tmp/php_errors.log   (custom path for the php log)
![a813abaea6698d48d12f5dd19c686527945.jpg](https://i-blog.csdnimg.cn/blog_migrate/72fafec8f5b631ea48ac9b2e4e36490d.jpeg)
Define the error_log level (the level decides how strictly errors are logged)
; Common Values:
; E_ALL (Show all errors, warnings and notices including coding standards.)   (lowest level, least strict: everything is recorded, all errors and coding-standard notices)
; E_ALL & ~E_NOTICE (Show all errors, except for notices)   (used in production)
; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
; Development Value: E_ALL
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
error_reporting =E_ALL & ~E_NOTICE
![4018901ee7d54a4bea029dd6f7e5915ab66.jpg](https://i-blog.csdnimg.cn/blog_migrate/5d615b5c77435642852f3d7e00573ba2.jpeg)
The log is written with the permissions of the Apache process itself (the daemon user below), so the log file must be writable by it:
[root@test ~]# ps aux |grep httpd
root 9971 0.0 0.3 254596 13016 ? Ss 11月14 0:26 /usr/local/apache/bin/httpd -k restart
daemon 24204 0.0 0.1 541424 7340 ? Sl 22:58 0:00 /usr/local/apache/bin/httpd -k restart
daemon 24205 0.0 0.1 541424 7340 ? Sl 22:58 0:00 /usr/local/apache/bin/httpd -k restart
daemon 24206 0.0 0.1 541424 7340 ? Sl 22:58 0:00 /usr/local/apache/bin/httpd -k restart
root 24289 0.0 0.0 112724 980 pts/1 S+ 22:58 0:00 grep --color=auto httpd
Recommended: [root@test ~]# touch /tmp/php_errors.log; chmod 777 /tmp/php_errors.log
The open_basedir security option
Background: a server runs several sites; one site has many vulnerabilities, gets compromised, and the attacker keeps pivoting and may gain access to the other sites. With open_basedir, site A lives in directory A and site B in directory B, the two directories are isolated, and even if site A is compromised only directory A is affected; other directories are untouched and the attacker cannot get into them.
open_basedir restricts php to the specified directories and does not let it read or write files anywhere else.
1. Only suitable when the server runs a single site (it applies to all sites)
[root@test ~]# vim /usr/local/php7/etc/php.ini
open_basedir =/data/wwwroot/abc.com:/tmp   (temporary files go to /tmp by default; if /tmp is restricted, even temporary files cannot be written. When a site uploads an image it is first placed in /tmp and then moved to its final location, so with /tmp restricted images cannot be uploaded)
![65f3d2b20f22126be9c2793e5f9cb59ef73.jpg](https://i-blog.csdnimg.cn/blog_migrate/1799c9b5a62b75f73abe25b8e3c2f0f0.jpeg)
[root@test ~]# /usr/local/apache/bin/apachectl -t
Syntax OK
[root@test ~]# /usr/local/apache/bin/apachectl graceful
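Added example (Python, not from these notes): a php.ini audit covering the items of 11.30/11.31, disable_functions, display_errors, log_errors/error_log, date.timezone and open_basedir with /tmp. The php.ini excerpt is constructed, with display_errors left On and date.timezone still commented out so that two findings are produced. One caveat a practitioner should know: eval is a language construct, not a function, so listing it in disable_functions has no effect; the check below therefore leaves it out of the required set.

```python
import re

# Constructed php.ini excerpt (not the notes' file): two weaknesses left in on purpose.
SAMPLE_PHP_INI = """\
[PHP]
; lines starting with ';' are comments
disable_functions = eval,assert,popen,passthru,exec,system,shell_exec,proc_open,phpinfo
display_errors = On
log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
open_basedir = /data/wwwroot/abc.com:/tmp
[Date]
;date.timezone = Asia/Shanghai
"""

# Subset of the notes' list that must be disabled (eval omitted: it is a language
# construct and disable_functions cannot disable it).
MUST_DISABLE = {"assert", "exec", "system", "shell_exec", "passthru", "popen", "proc_open"}


def parse_ini(text: str) -> dict:
    """Minimal php.ini reader: 'key = value', ';' comments dropped, last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('['):
            continue  # blank, comment-only or [section] line
        key, _, value = line.partition('=')
        conf[key.strip()] = value.strip().strip('"')
    return conf


def audit_php_ini(text: str) -> list:
    """Return a list of findings; an empty list means every checked setting is hardened."""
    conf, findings = parse_ini(text), []
    # A set: duplicates in the list (the notes repeat passthru/popen) are harmless.
    disabled = {f.strip() for f in conf.get("disable_functions", "").split(',') if f.strip()}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    if conf.get("display_errors", "On").lower() != "off":
        findings.append("display_errors is not Off: error details leak to the browser")
    if conf.get("log_errors", "").lower() != "on" or not conf.get("error_log"):
        findings.append("log_errors/error_log not set: PHP errors are not recorded")
    if not conf.get("date.timezone"):
        findings.append("date.timezone unset: date functions emit warnings")
    basedir = conf.get("open_basedir", "")
    if not basedir:
        findings.append("open_basedir unset: a compromised site can read other sites' files")
    elif not re.search(r'(^|:)/tmp/?($|:)', basedir):
        findings.append("open_basedir excludes /tmp: temporary files and uploads will fail")
    return findings
```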
- Running several sites: do it per website, in the virtual host configuration file
[root@test ~]# vim /usr/local/apache/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
ServerName abc.com
ServerAlias www.example.com
php_admin_value open_basedir "/data/wwwroot/abc.com:/tmp/"   (php_admin_value can also set error_log and the error_reporting level)
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteRule .* - [F]
</IfModule>
<Directory /data/wwwroot/abc.com/upload>   (the two <Directory> blocks are the same as in the 11.29 vhost)
php_admin_flag engine off
# <FilesMatch (.*)\.php(.*)>
# Order allow,deny
# Deny from all
# </FilesMatch>
</Directory>
<Directory /data/wwwroot/abc.com/>
<FilesMatch "admin.php(.*)">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>
</Directory>
</VirtualHost>
[root@test ~]# /usr/local/apache/bin/apachectl -t
Syntax OK
[root@test ~]# /usr/local/apache/bin/apachectl graceful