Disabling PHP parsing for a specific directory, restricting user_agent, and PHP-related configuration
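Disabling PHP parsing for a specific directory
When an attacker targets your server and drops a trojan script into one of your static directories, the server is at serious risk. You therefore need to restrict which directories are not allowed to parse PHP, to improve security.
1. Add the following content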
[[email protected] local]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.111.com www.example.com
    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
    </Directory>
</VirtualHost>
# PHP parsing is disabled for the /data/wwwroot/111.com/upload directory
[[email protected] local]# mkdir /data/wwwroot/111.com/upload
2. [[email protected] upload]# /usr/local/apache2.4/bin/apachectl graceful
Verification:
[[email protected] upload]# curl -x127.0.0.1:80 'http://111.com/upload/123.php'
<?php
echo '123.php';
[[email protected] upload]# curl -x127.0.0.1:80 'http://111.com/upload/baidu.png' -I
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2017 14:15:19 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Last-Modified: Thu, 09 Nov 2017 14:15:19 GMT
ETag: W/"1ec5-55d9b44caaac0"
Accept-Ranges: bytes
Content-Length: 7877
Cache-Control: max-age=86400
Expires: Fri, 10 Nov 2017 14:15:19 GMT
Content-Type: image/png
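Result: requesting a .php file returns the file's contents instead of executing it; any other file is served normally.
Extension:
So that the PHP source cannot be displayed either, deny access to .php files outright.
1. [[email protected] upload]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf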
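<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.111.com www.example.com
    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
        # Order/Deny is the Apache 2.2 syntax; on 2.4 it needs mod_access_compat
        # (the native 2.4 equivalent is "Require all denied")
        <FilesMatch (.*)\.php(.*)>
            Order Allow,Deny
            Deny from all
        </FilesMatch>
    </Directory>
</VirtualHost>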
2. [[email protected] upload]# /usr/local/apache2.4/bin/apachectl graceful
Verification result:
[[email protected] upload]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Thu, 09 Nov 2017 14:18:32 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
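Restricting user_agent
user_agent (user agent): information about the browser (or search engine), including the hardware platform, system software, application software and the user's personal preferences.
When an attacker hits your server with a CC attack and the logs show the same user_agent appearing many times within a single second, that user_agent has to be restricted.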
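The log check described above, written out as an added example (not part of the original post): it reports user agents that reach a chosen number of requests within one second. It assumes the vhost logs in Apache's combined LogFormat; the function name, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the vhost logs in Apache's "combined" LogFormat:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache escapes embedded quotes as \"
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)

def noisy_user_agents(lines, per_second_threshold=3):
    """Map each user agent to its peak requests-per-second, keeping only
    agents whose peak reaches per_second_threshold (hypothetical default)."""
    per_second = Counter()
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        timestamp, user_agent = m.group(2), m.group(6)
        per_second[(user_agent, timestamp)] += 1  # log time has one-second resolution
    peaks = {}
    for (user_agent, _ts), hits in per_second.items():
        if hits >= per_second_threshold:
            peaks[user_agent] = max(peaks.get(user_agent, 0), hits)
    return peaks

# Constructed sample lines (not taken from the original post).
_FLOOD = '203.0.113.{n} - - [09/Nov/2017:14:30:{s} +0800] "GET / HTTP/1.1" 200 512 "-" "FloodBot/1.0"'
SAMPLE_LOG = (
    [_FLOOD.format(n=n, s="22") for n in range(1, 5)]    # 4 hits in second :22
    + [_FLOOD.format(n=n, s="23") for n in range(1, 3)]  # 2 hits in second :23
    + ['198.51.100.7 - - [09/Nov/2017:14:30:22 +0800] "GET /upload/baidu.png HTTP/1.1" '
       '200 7877 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
       'truncated line without the expected fields']
)

if __name__ == "__main__":
    for agent, peak in noisy_user_agents(SAMPLE_LOG).items():
        print(f"{peak} req/s peak: {agent}")
```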
1. [[email protected] upload]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.111.com www.example.com
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*Chrome.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]
    </IfModule>
</VirtualHost>
# Requests whose user_agent contains curl, Chrome or baidu.com are forbidden. NC: ignore case; OR: "or", joins this condition to the next one (with no flag, conditions are joined with "and"); [F]: forbidden
Verification:
1. When accessing with curl
[[email protected] upload]# curl -x127.0.0.1:80 'http://111.com/upload/baidu.png' -I
HTTP/1.1 403 Forbidden
Date: Thu, 09 Nov 2017 14:30:22 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
-A: specify the user_agent
[[email protected] upload]# curl -A 'LINUX LINUX' -x127.0.0.1:80 'http://111.com/upload/baidu.png' -I
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2017 14:30:50 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Last-Modified: Thu, 09 Nov 2017 14:30:50 GMT
ETag: W/"1ec5-55d9b44caaac0"
Accept-Ranges: bytes
Content-Length: 7877
Cache-Control: max-age=86400
Expires: Fri, 10 Nov 2017 14:30:50 GMT
Content-Type: image/png
This article comes from the "探索发现新事物" blog; please keep this source reference: http://shenj.blog.51cto.com/5802843/1980653