The directory prohibits parsing PHP and restricts user_agent

The content of this article is about prohibiting parsing of PHP in directories and restricting user_agent. It has certain reference value. Now I share it with everyone. Friends in need can refer to it.

Disable PHP parsing

If the website has vulnerabilities, if someone uploads some Trojan files on the website, they will be stored in the directory of the website. If they are parsed, it will be over.
For example, if a hacker uploads a info.php, and we have not set up apache to prohibit parsing files uploaded by users, so hackers are likely to see our configuration information in the browser

We only need to restrict these uploaded Trojans Files are enough, and there are two methods of restriction:
Uploading is not allowed, but this is inappropriate, and all users cannot upload it
Even after uploading, no operations are allowed, and parsing is not allowed

Disabling PHP parsing is a security option.

Core configuration file that prohibits PHP parsing:

<Directory /data/wwwroot/www.123.com/upload> //选择目录
    php_admin_flag engine off //禁止解析PHP
</Directory>

• 1

• 2

• 3

• 4

The result of disabling parsing of PHP is to directly display the source code on the web page.

Disable PHP parsing of the 111.com/upload directory.
Edit virtual configuration file:

   [root@shuai-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
</Directory>

• 
  

##Save exit check configuration file syntax and reload the configuration file:

[root@shuai-01 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK

[root@shuai-01 ~]# /usr/local/apache2.4/bin/apachectl graceful

• 
  

##View the effect:

Shows the source code
Of course, it is better to disable parsing PHP and use it together with access control:

Edit configuration file:

<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
    <FilesMatch (.*)\.php(.*)>
    Order allow,deny
    deny from all
    </FilesMatch>
</Directory>

• 
  

Save Exit Reload

禁止访问

参考博客：

http://blog.51cto.com/kevinjin117/1835341

限制user_agent

user_agent（用户代理）：是指浏览器（搜索引擎）的信息包括硬件平台、系统软件、应用软件和用户个人偏好。
当黑客用CC攻击你的服务器时，查看下日志发现user_agent是一致的，而且一秒钟出现多次user_agent，这样就必须限制user_agent

配置文件：

   <IfModule mod_rewrite.c> //使用rewrite模块
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR] //定义user_agent条件，OR表示两条件之间是或者的意思，NC表示忽略大小写
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC] //定义user_agent条件
        RewriteRule  .*  -  [F] // 规则 [F] 表示forbidden（403）
    </IfModule>

• 
  

编辑虚拟配置文件：

   [root@shuai-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

   <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
        RewriteRule  .*  -  [F]
    </IfModule>

• 
  

保存退出检查配置文件语法并重新加载配置文件：

[root@shuai-01 ~]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK

[root@shuai-01 ~]# /usr/local/apache2.4/bin/apachectl graceful

• 
  

测试：

[root@shuai-01 111.com]# curl -x127.0.0.1:80 'http://111.com/123.php' -IHTTP/1.1 403 Forbidden
Date: Tue, 26 Dec 2017 11:41:06 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1

• 
  

指定一个user_agent测试：

[root@shuai-01 111.com]# curl -A "shuailinux" -x127.0.0.1:80 'http://111.com/123.php' -I
HTTP/1.1 200 OK
Date: Tue, 26 Dec 2017 11:42:18 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8

• 
  

命令：curl
选项：
-A 指定user_agent。
如：

[root@shuai-01 111.com]# curl -A "shuailinux" -x127.0.0.1:80

• 
  

-e 指定referer,指定引用地址
如：

[root@shuai-01 ~]# curl -e "http://111.com/123.txt" -x127.0.0.1:80 111.com/logo.png -I

• 
  

-x 在给定的端口上使用HTTP代理
如：

[root@shuai-01 111.com]# curl -x127.0.0.1:80 'http://111.com/123.php'

• 
  

-I 查看状态码
如：

[root@shuai-01 111.com]# curl -x127.0.0.1:80 'http://111.com/123.php' -I

           

The above is the detailed content of The directory prohibits parsing PHP and restricts user_agent. For more information, please follow other related articles on the PHP Chinese website!