审计
auditctl -l
auditctl -S
auditctl -D
auditctl -w /etc/passwd -p rwxa -k 名称
vim /etc/audit/rule.d/audit.rules
-w /etc/passwd -p rwxa -k 名称
-w /bin/程序 -p rwxa -k 名称
vim /var/log/audit/audit.log
tailf
ausearch -k 名称 -if 文件
Nignx是模块化设计的软件,需要什么功能与模块以及
不需要哪些模块,都可以在编译安装软件时算定义,使用
--with参数可以开启某些模块,使用--without可以禁用某些
模块。最小化安装永远是对的方案!
nmcli connection modify eth0 ipv4.method manual ipv4.address “192.168.4.1/24” connection.autoconnect yes
nmcli connection up eth0
Ifconfig eth0
hostname set-hostname proxy
[root@rootroom9pc01 ~]# ssh -X root@192.168.4.1
[root@rootroom9pc01 ~]# scp -r '/root/桌面/nginx-1.12.2.tar.gz' 192.168.4.1:/root
[root@proxy ~]# tar -xf nginx-1.12.2.tar.gz
[root@proxy nginx-1.12.2]# ./configure --without-http_autoindex_module --without-http_ssi_module
[root@proxy nginx-1.12.2]# vim /etc/yum.repos.d/local.repo
[name]
name=rhel7
baseurl=http://192.168.4.254/rhel7
enabled=1
gpgcheck=0
[root@proxy nginx-1.12.2]# yum repolist
[root@proxy nginx-1.12.2]# yum -y install gcc pcre-devel openssl-devel
[root@proxy nginx-1.12.2]# useradd -s /sbin/nologin nginx
[root@proxy nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module
[root@proxy nginx-1.12.2]# make
[root@proxy nginx-1.12.2]# make install
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s stop
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module
[root@proxy nginx-1.12.2]# ln -s /usr/local/nginx/sbin/nginx /sbin/
[root@proxy nginx-1.12.2]# nginx
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
http {
server_tokens off; //隐藏版本号
[root@proxy nginx-1.12.2]# curl -I http://192.168.4.1 //查看服务器响应的头部信息
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 31 Jul 2018 09:59:20 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 31 Jul 2018 09:50:53 GMT
Connection: keep-alive
ETag: "5b6030fd-264"
Accept-Ranges: bytes
//隐藏软件版本信息
[root@proxy nginx-1.12.2]# vim +48 src/http/ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
修改如下:
static u_char ngx_http_server_string[] = "Server: test" CRLF;
static u_char ngx_http_server_full_string[] = "Server: test" CRLF;
static u_char ngx_http_server_build_string[] = "Server: test" CRLF;
[root@proxy nginx-1.12.2]# ./configure
[root@proxy nginx-1.12.2]# make && make install
[root@proxy nginx-1.12.2]# killall nginx
[root@proxy nginx-1.12.2]# nginx
[root@proxy nginx-1.12.2]# curl -I http://192.168.4.1
HTTP/1.1 200 OK
Server: test
Date: Tue, 31 Jul 2018 10:06:47 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 31 Jul 2018 09:50:53 GMT
Connection: keep-alive
ETag: "5b6030fd-264"
Accept-Ranges: bytes
限制并发量
DDOS攻击者会发送大量的并发连接,占用服务器资源(包括连接数、带宽等),这样会导致正常用户处于等待或无法访问服务器的状态。
Nginx提供了一个ngx_http_limit_req_module模块,可以有效降低DDOS攻击的风险
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name localhost;
limit_req zone=one burst=5;
//limit_req_zone语法格式:
//limit_req_zone key zone=name:size rate=rate;
//将客户端IP信息存储名称为one的共享内存,内存空间为10M
//1M可以存储8千个IP信息,10M可以存储8万个主机连接的状态,
容量可以根据需要任意调整
//每秒中仅接受1个请求,余的放入漏斗
//漏斗超过5个则报错
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload
[root@rootroom9pc01 ~]# ab -c 100 -n 100 http://192.168.4.1/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.4.1 (be patient).....done
Server Software: test
Server Hostname: 192.168.4.1
Server Port: 80
Document Path: /
Document Length: 612 bytes
Concurrency Level: 100
Time taken for tests: 5.003 seconds
Complete requests: 100
Failed requests: 94
(Connect: 0, Receive: 0, Length: 94, Exceptions: 0)
Write errors: 0
Non-2xx responses: 94
Total transferred: 72984 bytes
HTML transferred: 54150 bytes
Requests per second: 19.99 [#/sec] (mean)
Time per request: 5002.765 [ms] (mean)
Time per request: 50.028 [ms] (mean, across all concurrent requests)
Transfer rate: 14.25 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 1 2 0.5 2 3
Processing: 2 159 727.7 10 4998
Waiting: 1 159 727.8 10 4998
Total: 5 161 727.9 12 5001
Percentage of the requests served within a certain time (ms)
50% 12
66% 14
75% 16
80% 17
90% 19
95% 1001
98% 4001
99% 5001
100% 5001 (longest request)
[root@rootroom9pc01 ~]#
拒绝非法的请求
网站使用的是HTTP协议,该协议中定义了很多方法,可以让用户连接
服务器,获得需要的资源。但实际应用中一般仅需要get和post。
| 请求方法 | 功能描述 |
| GET | 请求指定的页面信息,并返回实体主体 |
| HEAD | 类似于get请求,只不过返回的响应中没有具体的内容,用于获取报头。 |
| POST | 向指定资源提交的数据进行处理请求(例如提交表单或者上传文件) |
| DELETE | 请求服务器删除指定的页面 |
| PUT | 向服务器特定位置上传资料 |
| .. | 其他 |
未修改服务器配置前,客户端使用不同请求方法测试:
[root@rootroom9pc01 ~]# curl -i -X GET http://192.168.4.1
[root@rootroom9pc01 ~]# curl -i -X HEAD http://192.168.4.1
//curl命令选项说明:
//-i选项:访问服务器页面时,显示HTTP的头部信息
//-X选项:指定请求服务器的方法
设置可以让Nginx拒绝非法的请求方法:
server {
listen 80;
if ($request_method !~ ^(GET|POST)$ ) {
return 444;
}
server_name localhost;
[root@p[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload
roxy nginx-1.12.2]# curl -i -X GET http://192.168.4.1
HTTP/1.1 200 OK
[root@proxy nginx-1.12.2]# curl -i -X HEAD http://192.168.4.1
curl: (52) Empty reply from server //报错
防止buffer溢出
当客户端连接服务器时,服务器会启用各种缓存,用来
存放连接的状态信息。
如果攻击发送大量的连接请求,而服务器不对缓存做限制的话,内存数据就有
可能溢出
修改Nginx配置文件,调整各种buffer参数,可以有效降低溢出风险。
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
http {
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload
2055
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
