
Restrict PHP parsing in a specific directory


Restrict PHP parsing in a specific directory & restrict user_agent

I. Restrict PHP parsing in a specific directory

Here is a common situation: some sites and forums allow images to be uploaded to the server, but that leaves a door into the server open for attackers. They upload a PHP or JS file, the server then executes or loads it, and some functions can hand an attacker the highest privileges, putting the data at risk. To avoid this, we need to restrict what can be uploaded.

1. Open the configuration file httpd-vhosts.conf

Add the following configuration inside the virtual host block:

[root@xavi ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

2. No PHP file in the upload directory is parsed, and any file whose name matches .php is denied access outright.

    <Directory /data/wwwroot/xavi.com/upload>
        # Turn off PHP parsing; on its own this would serve the PHP source as plain text
        php_admin_flag engine off
        # The dot must be escaped
        <FilesMatch (.*)\.php(.*)>
            # Without Deny, the source code would still be readable
            Order allow,deny
            Deny from all
        </FilesMatch>
    </Directory>

2. -t, graceful: check the syntax and reload httpd

[root@xavi ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK

[root@xavi ~]#  /usr/local/apache2.4/bin/apachectl graceful

3. Create the upload directory and a 123.php inside it for testing. But the 403 result was not obtained

[root@xavi ~]# mkdir upload

[root@xavi ~]# ls
123.txt  anaconda-ks.cfg  httpd-2.4.29.tar.gz   rsync      test2
321.txt  awk              index.php             sed        upload
556.txt  grep             initial-setup-ks.cfg  split_dir  xaa
admin    httpd-2.4.29     [email protected]      test1
[root@xavi ~]# cp index.php upload/
[root@xavi ~]# curl -x127.0.0.1:80 'http://xavi.cpm
[root@xavi ~]# curl -x127.0.0.1:80 'http://xavi.com/admin.php?adadede' -I
HTTP/1.1 404 Not Found
Date: Sun, 11 Mar 2018 03:33:57 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

4. Find the cause of the mistake and obtain the verified result

The reason no 403 Forbidden was returned here is that during the exercise I overlooked the directory the commands were run in. [root@xavi xavi.com] The operations above should have been carried out in the /xavi.com directory, not in the default path.

Here is the procedure repeated correctly

[root@xavi ~]# cd /data/wwwroot/xavi.com
[root@xavi xavi.com]# ls
123.php  admin  index.php  xavi.jpg  xavi.txt
[root@xavi xavi.com]# mkdir uplaod

[root@xavi xavi.com]# ls
123.php  admin  index.php  uplaod  xavi.jpg  xavi.txt
[root@xavi xavi.com]# mv uplaod upload
[root@xavi xavi.com]# ls
123.php  admin  index.php  upload  xavi.jpg  xavi.txt
[root@xavi xavi.com]# cp 123.php /upload
[root@xavi xavi.com]# !vim
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
[root@xavi xavi.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@xavi xavi.com]#  /usr/local/apache2.4/bin/apachectl graceful
[root@xavi xavi.com]# !curl
curl -x127.0.0.1:80 'http://xavi.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Sun, 11 Mar 2018 05:31:04 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1


5. Test the result without the FilesMatch block


It is not parsed; the source code is shown directly

[root@xavi xavi.com]# !vim
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
[root@xavi xavi.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@xavi xavi.com]#  /usr/local/apache2.4/bin/apachectl graceful
[root@xavi xavi.com]# curl -x127.0.0.1:80 'http://xavi.com/upload/123.php'
<?php
echo "123.php";


In summary: as shown above, a request for a .php file is refused outright; there is no chance to access it, let alone execute it. If a programmer allows upload to be parsed, that only shows he is unqualified: a location that stores static files must never hold PHP. That would ignore data security entirely!!!

II. Access control: restrict user_agent

1. What is user_agent (the browser identifier)

User Agent, abbreviated UA, is a special string header that lets the server identify the client's operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plugins and so on.

2. CC attacks and zombie hosts

CC attack: one of the most common attacks we see; it is going on almost every hour of every day. In a CC attack the attacker uses whatever zombie hosts are available (other people's servers that the attacker has compromised) to hit your site with otherwise normal-looking requests, so that legitimate users can no longer browse it. It is not impossible to defend against, though: during an attack there is a regular pattern, the user_agent is identical (the referer and the requested page are identical too, and N requests are launched within one second)!

3. Core configuration

<IfModule mod_rewrite.c>
    # rewrite rules: deny requests whose user agent matches the patterns below
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
    RewriteRule  .*  -  [F]
</IfModule>

Code explanation:

RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]   matches requests from curl. NC: ignore case. OR: either this condition or the next one has to hold.
RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]   matches user agents containing baidu.com.
RewriteRule  .*  -  [F]   F: Forbidden, the request is denied.


4. Test: access via curl is blocked outright

[root@xavi xavi.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@xavi xavi.com]#  /usr/local/apache2.4/bin/apachectl graceful
[root@xavi xavi.com]# curl -x127.0.0.1:80 'http://xavi.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Sun, 11 Mar 2018 07:04:12 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1


5. Use curl -A to claim any browser identification you like for this request.

[root@xavi xavi.com]# curl -A "xavilinux xavilinux" -x127.0.0.1:80 'http://xavi.com/123.php' -I
HTTP/1.1 200 OK
Date: Sun, 11 Mar 2018 07:21:42 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
  • Changing the claimed browser is enough to get through.

6. Check the log file: tail /usr/local/apache2.4/logs/xavi.com-access_20180311.log

[root@xavi xavi.com]# tail /usr/local/apache2.4/logs/xavi.com-access_20180311.log
192.168.72.1 - - [11/Mar/2018:14:02:02 +0800] "GET /upload/123.php HTTP/1.1" 200 22 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
192.168.72.1 - - [11/Mar/2018:14:02:02 +0800] "GET /upload/123.php HTTP/1.1" 200 22 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
127.0.0.1 - - [11/Mar/2018:15:04:12 +0800] "HEAD http://xavi.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:04:12 +0800] "HEAD http://xavi.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:05:32 +0800] "GET http://xavi.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:05:32 +0800] "GET http://xavi.com/upload/123.php HTTP/1.1" 403 223 "-" "curl/7.29.0"
127.0.0.1 - - [11/Mar/2018:15:21:42 +0800] "HEAD http://xavi.com/123.php HTTP/1.1" 200 - "-" "xavilinux xavilinux"
127.0.0.1 - - [11/Mar/2018:15:21:42 +0800] "HEAD http://xavi.com/123.php HTTP/1.1" 200 - "-" "xavilinux xavilinux"
127.0.0.1 - - [11/Mar/2018:15:22:18 +0800] "GET http://xavi.com/123.php HTTP/1.1" 200 7 "-" "xavilinux xavilinux"
127.0.0.1 - - [11/Mar/2018:15:22:18 +0800] "GET http://xavi.com/123.php HTTP/1.1" 200 7 "-" "xavilinux xavilinux"
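As an added example (my own code, not part of the original article), the following Python script applies the checks from sections I and II to Apache combined-format access log lines like the ones above: it flags any .php under /upload that was served with 200 (PHP executed where the <Directory> hardening should have blocked it), any request from a user agent matching the curl/baidu.com patterns that still got 200 (the rewrite rule is not in effect), and the CC signature from section II (identical user agent, referer and page within one second). The log lines are constructed for the example, modelled on the ones shown.

```python
import re
from collections import Counter

# Apache combined-log line, the format of the xavi.com-access log shown above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Mirrors the article's config: nothing under /upload may execute, and these
# user agents are the ones the RewriteCond rules are meant to reject.
UPLOAD_EXEC_RE = re.compile(r'/upload/[^?]*\.php', re.I)
BLOCKED_UA_RE = re.compile(r'curl|baidu\.com', re.I)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(lines, burst_threshold=3):
    """Return (kind, detail) findings for the given access-log lines."""
    findings, bursts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than guess
        # 1) a 200 for a .php under /upload means PHP ran there: the
        #    php_admin_flag/FilesMatch hardening is missing or bypassed
        if rec["status"] == "200" and UPLOAD_EXEC_RE.search(rec["url"]):
            findings.append(("upload_php_executed", f'{rec["ip"]} {rec["url"]}'))
        # 2) a blocked user agent that still got 200: the rewrite rule is not active
        if rec["status"] == "200" and BLOCKED_UA_RE.search(rec["ua"]):
            findings.append(("blocked_ua_allowed", f'{rec["ip"]} {rec["ua"]}'))
        # 3) CC signature: identical UA, referer and page within the same second
        bursts[(rec["ua"], rec["referer"], rec["url"], rec["time"])] += 1
    for (ua, _ref, url, ts), n in bursts.items():
        if n >= burst_threshold:
            findings.append(("burst", f"{n}x {url} from {ua!r} at {ts}"))
    return findings

# Constructed sample, modelled on the article's log: a pre-hardening hit on
# /upload/123.php, a rejected curl, and three identical requests in one second.
SAMPLE_LOG = """\
192.168.72.1 - - [11/Mar/2018:14:02:02 +0800] "GET /upload/123.php HTTP/1.1" 200 22 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/64.0"
127.0.0.1 - - [11/Mar/2018:15:04:12 +0800] "HEAD http://xavi.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
10.0.0.9 - - [11/Mar/2018:16:00:00 +0800] "GET /index.php HTTP/1.1" 200 7 "http://xavi.com/" "Mozilla/5.0 zombie"
10.0.0.9 - - [11/Mar/2018:16:00:00 +0800] "GET /index.php HTTP/1.1" 200 7 "http://xavi.com/" "Mozilla/5.0 zombie"
10.0.0.9 - - [11/Mar/2018:16:00:00 +0800] "GET /index.php HTTP/1.1" 200 7 "http://xavi.com/" "Mozilla/5.0 zombie"
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG.splitlines()):
        print(kind, detail)
```

Run it against a real log with `audit(open(path).readlines())`; the burst threshold is deliberately low for the sample and should be tuned to the site's normal traffic.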

Useful extension:

Apache: disable TRACE/TRACK to prevent XSS attacks http://ask.apelearn.com/question/1045

III. PHP-related configuration

1. Locate the PHP configuration file

Each time you open the virtual machine again, check which directory you are currently in

[root@xavi ~]# cd /data/wwwroot/xavi.com
[root@xavi xavi.com]# ls
123.php  admin  index.php  upload  xavi.jpg  xavi.txt

Edit the index.php file in the current directory

[root@xavi xavi.com]# !vim
vim index.php

<?php
phpinfo();

Open the page in a browser and check what it loads: Loaded Configuration File shows that nothing is loaded


2. Find the php configuration file

[root@xavi php-7.1.6]# /usr/local/php7/bin/php -i | grep -i 'loaded configuration file'
Loaded Configuration File => /usr/local/php7/etc/php.ini

3. Copy the configuration file; after a graceful reload of the configuration, refresh index.php

[root@xavi xavi.com]# cd /usr/local/src/php-7.1.6/
[root@xavi php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
[root@xavi php-7.1.6]#  /usr/local/apache2.4/bin/apachectl graceful


4. Edit the configuration file: /usr/local/php7/etc/php.ini

[root@xavi php-7.1.6]# vim /usr/local/php7/etc/php.ini

Search in vim for /disable_functions

The following are the functions usually considered dangerous (php.ini takes the whole list on one line):

disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo


The first one, eval, is the function the trojan file from the previous article calls. If it is disabled, a PHP file cannot be executed even if it can be uploaded.

phpinfo exposes all the information about PHP; if an attacker sees it the consequences do not bear thinking about, so for extra safety many companies disable phpinfo too!

  • But once we disable it in PHP, visiting phpinfo still shows an error message in the browser:
  • In this test I did not get that result; the phpinfo page displayed normally instead


Cause of the error found: phpinfo was not recognised and no error was raised either, because I had split all the functions onto separate lines myself instead of copying the whole list as one line


Attackers are fairly thorough and will still locate the relevant configuration through this route, so to prevent it being displayed in the browser we can turn all of this information off as well!

5. Define date.timezone in php.ini; if it is not defined, a warning is reported

[root@xavi php-7.1.6]# vim /usr/local/php7/etc/php.ini

Find date.timezone and set it.

6. We can also turn off all of this information being shown in the browser!


6.1 Search for /display and change it to Off.

display_errors = Off

6.2 Then configure log_errors:

log_errors = On

6.3 Then define the path of the error log:

Search for /error_log and point it at /tmp.

error_log = /tmp/php_errors.log

6.4 To make the log content easier to read, set the log level:

Search for /error_reporting

error_reporting = E_ALL & ~E_NOTICE

This is the most commonly used setting in production; a notice is not necessarily an error.

No permission to access.

7. Test

[root@xavi php-7.1.6]# curl -x127.0.0.1:80 http://xavi.com/index.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 11 Mar 2018 09:34:23 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@xavi php-7.1.6]# curl -A "xavi" -x127.0.0.1:80 http://xavi.com/index.php -I
HTTP/1.1 200 OK
Date: Sun, 11 Mar 2018 09:36:57 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8


[root@xavi php-7.1.6]# touch /tmp/php_errors.log
[root@xavi php-7.1.6]# chmod 777 /tmp/php_errors.log
[root@xavi php-7.1.6]# ls -l /tmp/php_errors.log
-rwxrwxrwx 1 root root 0 3月  11 17:52 /tmp/php_errors.log
[root@xavi php-7.1.6]# cat /tmp/php_errors.log
[root@xavi php-7.1.6]#  /usr/local/apache2.4/bin/apachectl graceful
[root@xavi php-7.1.6]# curl -A "xavi" -x127.0.0.1:80 http://xavi.com/index.php -I
HTTP/1.1 200 OK
Date: Sun, 11 Mar 2018 09:57:50 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8

[root@xavi php-7.1.6]# vim /data/wwwroot/xavi.com/2.php
[root@xavi php-7.1.6]# curl -A "xavi" -x127.0.0.1:80 http://xavi.com/2.php -I
HTTP/1.1 200 OK
Date: Sun, 11 Mar 2018 10:00:42 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Type: text/html; charset=UTF-8
  • No 500 status code??????

[root@xavi php-7.1.6]# curl -x 192.168.72.130:80 xavi.com/2.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 11 Mar 2018 10:15:00 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@xavi php-7.1.6]# curl -x 192.168.72.130:80 xavi.com/index.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 11 Mar 2018 10:15:23 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@xavi php-7.1.6]# !cat
cat /tmp/php_errors.log
[11-Mar-2018 18:14:46 Asia/shanghai] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/xavi.com/2.php on line 4

IV. PHP-related configuration: open_basedir

If one server runs many sites and one of them has badly written, bug-ridden code and is hijacked by an attacker, then once that one site is taken the others are soon compromised too. How do we prevent that?

Set a different open_basedir for each virtual host

[root@xavi php-7.1.6]# vim /usr/local/php/etc/php.ini
open_basedir = /usr/local/wwwroot/xavi.com:/tmp
; separate multiple directories with ':'; this confines PHP to these two directories

Still no 500 error

[root@xavi php-7.1.6]# cat /tmp/php_errors.log
[11-Mar-2018 18:14:46 Asia/shanghai] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/xavi.com/2.php on line 4

1. Set a different open_basedir for each virtual host

1.1 Open the configuration file: vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

1.2 Add the following configuration:

php_admin_value open_basedir "/data/wwwroot/xavi.com/:/tmp/"

Why add /tmp?

Because our error log lives under /tmp, and forums that allow image uploads usually upload to the tmp directory first and only then move the file to upload!
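As an added example (my own code, not the article's), this Python checker reads a php.ini the way sections III and IV describe and reports what is still missing: the functions from the disable_functions list, display_errors/log_errors/error_log, date.timezone and open_basedir. It also catches the exact mistake described in section III, a function list split over several lines so that the later names never reach the directive. The parser is a deliberately simplified one (key = value lines and ';' comments only, not PHP's real ini scanner), and both ini samples are constructed for the example.

```python
# Functions the article's disable_functions line names. Note (my own caveat, not
# from the article): eval is a language construct, so disable_functions cannot
# block it; that is why the upload directory must refuse PHP in the first place.
DANGEROUS = ["eval", "assert", "system", "exec", "shell_exec", "passthru",
             "popen", "proc_open", "phpinfo"]

def parse_ini(text):
    """Simplified php.ini reader: ';' comments, [sections], 'key = value' lines.
    A bare line with no '=' belongs to no directive and is reported as orphaned."""
    settings, orphans = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" not in line:
            orphans.append((lineno, line))  # e.g. a continuation of a split list
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings, orphans

def audit_php_ini(text):
    """Return a list of findings; an empty list means every check passed."""
    s, orphans = parse_ini(text)
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    findings = [f"disable_functions missing: {f}" for f in DANGEROUS if f not in disabled]
    findings += [f"line {n} has no key (list split over lines?): {txt[:24]}" for n, txt in orphans]
    if s.get("display_errors", "").lower() != "off":
        findings.append("display_errors should be Off outside development")
    if s.get("log_errors", "").lower() != "on":
        findings.append("log_errors should be On")
    for key, why in (("error_log", "errors go nowhere"),
                     ("date.timezone", "PHP warns on every date call"),
                     ("open_basedir", "PHP may read any path on the host")):
        if not s.get(key):
            findings.append(f"{key} not set: {why}")
    return findings

# Constructed samples: the split list the article ran into, and the corrected file.
BROKEN_INI = """\
disable_functions =
eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,
system,shell_exec,proc_open,phpinfo
display_errors = On
"""
FIXED_INI = """\
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,shell_exec,proc_open,phpinfo
display_errors = Off
log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
date.timezone = Asia/Shanghai
open_basedir = "/data/wwwroot/xavi.com/:/tmp/"
"""
```

Point it at the live file with `audit_php_ini(open("/usr/local/php7/etc/php.ini").read())`; a non-empty result for BROKEN_INI shows why phpinfo kept working in the article's test.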
