The content of this article is about prohibiting parsing of PHP in directories and restricting user_agent. It has certain reference value. Now I share it with everyone. Friends in need can refer to it.
If the website has vulnerabilities, if someone uploads some Trojan files on the website, they will be stored in the directory of the website. If they are parsed, it will be over.
For example, if a hacker uploads a info.php, and we have not set up apache to prohibit parsing files uploaded by users, so hackers are likely to see our configuration information in the browser
We only need to restrict these uploaded Trojans Files are enough, and there are two methods of restriction:
Uploading is not allowed, but this is inappropriate, and all users cannot upload it
Even after uploading, no operations are allowed, and parsing is not allowed
Disabling PHP parsing is a security option.
Core configuration file that prohibits PHP parsing:
<Directory /data/wwwroot/www.123.com/upload> //选择目录
php_admin_flag engine off //禁止解析PHP
</Directory>1
2
3
4
The result of disabling parsing of PHP is to directly display the source code on the web page.
Disable PHP parsing of the 111.com/upload directory.
Edit virtual configuration file:
[root@shuai-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<Directory /data/wwwroot/111.com/upload>
php_admin_flag engine off
</Directory>[root@shuai-01 ~]# /usr/local/apache2.4/bin/apachectl -t Syntax OK [root@shuai-01 ~]# /usr/local/apache2.4/bin/apachectl graceful
Shows the source code
Of course, it is better to disable parsing PHP and use it together with access control:
Edit configuration file:
<Directory /data/wwwroot/111.com/upload>
php_admin_flag engine off
<FilesMatch (.*)\.php(.*)>
Order allow,deny
deny from all
</FilesMatch>
</Directory>
禁止访问
参考博客:
http://blog.51cto.com/kevinjin117/1835341
user_agent(用户代理):是指浏览器(搜索引擎)的信息包括硬件平台、系统软件、应用软件和用户个人偏好。
当黑客用CC攻击你的服务器时,查看下日志发现user_agent是一致的,而且一秒钟出现多次user_agent,这样就必须限制user_agent
配置文件:
<IfModule mod_rewrite.c> //使用rewrite模块
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR] //定义user_agent条件,OR表示两条件之间是或者的意思,NC表示忽略大小写
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC] //定义user_agent条件
RewriteRule .* - [F] // 规则 [F] 表示forbidden(403)
</IfModule>编辑虚拟配置文件:
[root@shuai-01 ~]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
</IfModule>保存退出检查配置文件语法并重新加载配置文件:
[root@shuai-01 ~]# /usr/local/apache2.4/bin/apachectl -t Syntax OK [root@shuai-01 ~]# /usr/local/apache2.4/bin/apachectl graceful
测试:
[root@shuai-01 111.com]# curl -x127.0.0.1:80 'http://111.com/123.php' -IHTTP/1.1 403 Forbidden Date: Tue, 26 Dec 2017 11:41:06 GMT Server: Apache/2.4.29 (Unix) PHP/5.6.30 Content-Type: text/html; charset=iso-8859-1
指定一个user_agent测试:
[root@shuai-01 111.com]# curl -A "shuailinux" -x127.0.0.1:80 'http://111.com/123.php' -I HTTP/1.1 200 OK Date: Tue, 26 Dec 2017 11:42:18 GMT Server: Apache/2.4.29 (Unix) PHP/5.6.30 X-Powered-By: PHP/5.6.30 Content-Type: text/html; charset=UTF-8
命令:curl
选项:
-A 指定user_agent。
如:
[root@shuai-01 111.com]# curl -A "shuailinux" -x127.0.0.1:80
-e 指定referer,指定引用地址
如:
[root@shuai-01 ~]# curl -e "http://111.com/123.txt" -x127.0.0.1:80 111.com/logo.png -I
-x 在给定的端口上使用HTTP代理
如:
[root@shuai-01 111.com]# curl -x127.0.0.1:80 'http://111.com/123.php'
-I 查看状态码
如:
[root@shuai-01 111.com]# curl -x127.0.0.1:80 'http://111.com/123.php' -I
The above is the detailed content of The directory prohibits parsing PHP and restricts user_agent. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
