目录
一、限定某个目录禁止解析php
二、限制user_agent
三、php相关配置
一、限定某个目录禁止解析php
php中有一些危险的函数,网站入侵者可以在网站上传恶意的php木马进而获取服务器的最高权限,这是非常危险的。
应对方法是设置上传文件目录禁止解析php文件,上传的php木马文件不会被解析,这样入侵者无法进一步获取到更高的权限。
- 禁止解析PHP
[root@minglinux-01 ~] vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
···
php_admin_flag engine off //禁止解析PHP
//禁止访问(.*)\.php(.*)
Order allow,deny
Deny from all
···
- 测试
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] mkdir /usr/local/apache2.4/htdocs/upload
[root@minglinux-01 ~] cp /usr/local/apache2.4/htdocs/1.php /usr/local/apache2.4/htdocs/ming1/upload/1.php
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php' -I
HTTP/1.1 403 Forbidden
Date: Mon, 19 Nov 2018 15:03:33 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-
- 注释掉
,仅禁止PHP解析
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php' -I
HTTP/1.1 200 OK
Date: Mon, 19 Nov 2018 15:05:08 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Last-Modified: Mon, 19 Nov 2018 15:02:40 GMT
ETag: "24-57b05cee94b4e"
Accept-Ranges: bytes
Content-Length: 36
Cache-Control: max-age=0
Expires: Mon, 19 Nov 2018 15:05:08 GMT
Content-Type: application/x-httpd-php
[root@minglinux-01 /usr/local/apache2.4/htdocs/ming1] curl -x127.0.0.1:80 'http://www.ming1.com/upload/1.php'
可以看到1.php可以被访问但无法正常解析,返回了源代码。
二、限制user_agent
user_agent为浏览器标识,针对user_agent可以用来限制一些访问,比如可以限制一些不太友好的搜索引擎“爬虫”和cc攻击。“爬虫”抓取数据类似于用户用浏览器访问网站,当“爬虫”太多或者访问太频繁,就会浪费服务器资源。cc攻击是指用很多用户的电脑同时访问同一个站点,当访问量或者频率达到一定层次,服务器就会无法承受这些访问而不能正常工作。
这些恶意请求的user_agent相同或者相似,那我们就可以通过限制 user_agent发挥防攻击的作用。限制user_agent后,对方在访问时会收到状态码403,这样对方对服务器资源不会造成太大影响,仅仅是对方发送来了一个请求,带宽消耗也不会太大。
针对user_agent来做访问控制
[root@minglinux-01 ~] vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
···
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
RewriteRule .* - [F]
···
方括号中的OR表示“或者”,NC表示“不区分大小写”,F相当于Forbidden。当user_agent匹配curl或者baidu.com时,都会触发下面的规则。
- 测试
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] curl -x127.0.0.1:80 www.ming1.com/upload/1.php -I
HTTP/1.1 403 Forbidden
Date: Tue, 20 Nov 2018 13:15:50 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
- 查看日志
[root@minglinux-01 ~] tail -n2 /usr/local/apache2.4/logs/www.ming1.com-access_20181120.log
127.0.0.1 - - [20/Nov/2018:21:15:50 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.162.1 - - [20/Nov/2018:21:19:29 +0800] "GET /upload/1.php HTTP/1.1" 200 36 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
- curl的-A选项指定user_agent
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/upload/1.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 13:32:27 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
Last-Modified: Mon, 19 Nov 2018 15:02:40 GMT
ETag: "24-57b05cee94b4e"
Accept-Ranges: bytes
Content-Length: 36
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 13:32:27 GMT
Content-Type: application/x-httpd-php
[root@minglinux-01 ~] curl -e "http://ming2.com" -A "ming" -x127.0.0.1:80 www.ming1.com/upload/1.php -I
[root@minglinux-01 ~] tail -n2 /usr/local/apache2.4/logs/www.ming1.com-access_20181120.log
127.0.0.1 - - [20/Nov/2018:21:32:27 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "-" "ming"
127.0.0.1 - - [20/Nov/2018:21:35:15 +0800] "HEAD HTTP://www.ming1.com/upload/1.php HTTP/1.1" 200 - "http://ming2.com" "ming"
三、php相关配置
- 查看PHP配置文件位置
- 通过浏览器查看
在网站目录下新建phpinfo的页面,然后通过浏览器访问。
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/index.php
- PHP常用配置
- disable_functions禁用函数
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
··· //找到disable_function行,在后面写入禁用函数
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
···
- date.timezone定义时区
不定义有时会有警告信息,编辑php.ini,找到date.timezone设置如下:
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···
date.timezone = Asia/Shanghai //定义所在时区为上海
···
- display_errors错误显示
···
display_errors = Off //off表示关闭,不在浏览器显示错误。
···
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php //没有任何输出
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 14:54:35 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 14:54:35 GMT
Content-Type: text/html; charset=UTF-8
这样配置后网页上不会显示任何错误信息,curl也不返回错误,那我们无法获取和分析错误信息了,所以我们需要配置一下 error_log错误日志。
- error_log错误日志
log_errors = On //开启错误日志
error_log = /tmp/php_errors.log //设定错误日志路径
error_reporting = E_ALL //设定错误日志的级别
错误日志的级别,E_ALL为所有类型的日志,不管是提醒还是警告都会记录。在开发环境下面设置为E_ALL,可以方便程序员排查问题,但也会造成日志记录很多无意义的内容。
- 测试
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 15:13:56 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 15:13:56 GMT
Content-Type: text/html; charset=UTF-8
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/index.php
[root@minglinux-01 ~] ls -l /tmp/php_errors.log
-rw-r--r-- 1 daemon daemon 157 11月 20 23:13 /tmp/php_errors.log
[root@minglinux-01 ~] cat !$
cat /tmp/php_errors.log
[20-Nov-2018 23:13:56 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /usr/local/apache2.4/htdocs/ming1/index.php on line 2
由于配置了display_errors = Off,所以curl命令返回状态码200,浏览器访问也没有报错信息,但错误日志显示了phpinfo函数是被禁用了,访问没有成功。
若以上配置都完成但始终无法在设定路径生成错误日志文件时,应该去检查生成文件的目录的权限信息(daemon是否对该目录有写权限),或者手动创建php_errors.log,生成后再修改文件属主为daemon,权限改为777。
- 再模拟一个错误
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php
//随便写一些东西
可以看到错误日志和前面的不一样了
- open_basedir安全选项
open_basedir的作用是可以在一台服务器上将网站的目录间隔离,入侵者就算黑了其中一个目录但无法继续黑其他网站或目录。
- 在php.ini中设置open_basedir
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
···
open_basedir = /usr/local/apache2.4/htdocs/ming:/tmp //限制PHP只能在ming和tmp两个目录下活动
···
- 测试
[root@minglinux-01 ~] vim /usr/local/apache2.4/htdocs/ming1/2.php
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 20 Nov 2018 15:54:02 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Connection: close
Content-Type: text/html; charset=UTF-8
[root@minglinux-01 ~] tail -n5 /tmp/php_errors.log
[20-Nov-2018 23:31:20 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:54:02 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'abc' (T_STRING), expecting ',' or ';' in /usr/local/apache2.4/htdocs/ming1/2.php on line 2
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Warning: Unknown: open_basedir restriction in effect. File(/usr/local/apache2.4/htdocs/ming1/2.php) is not within the allowed path(s): (/usr/local/apache2.4/htdocs/ming:/tmp) in Unknown on line 0
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[20-Nov-2018 23:57:52 Asia/Shanghai] PHP Fatal error: Unknown: Failed opening required '/usr/local/apache2.4/htdocs/ming1/2.php' (include_path='.:/usr/local/php/lib/php') in Unknown on line 0
错误日志显示由于ming1目录不属于允许访问目录,所以被限制访问了。
- open_basedir的ming目录改为ming1
[root@minglinux-01 ~] vim /usr/local/php/etc/php.ini
open_basedir = /usr/local/apache2.4/htdocs/ming1:/tmp
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@minglinux-01 ~] /usr/local/apache2.4/bin/apachectl graceful
[root@minglinux-01 ~] curl -A "ming" -x127.0.0.1:80 www.ming1.com/2.php -I
HTTP/1.1 200 OK
Date: Tue, 20 Nov 2018 16:03:46 GMT
Server: Apache/2.4.37 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Cache-Control: max-age=0
Expires: Tue, 20 Nov 2018 16:03:46 GMT
Content-Type: text/html; charset=UTF-8
修改后可以正常访问了。
- 如果服务器上跑的站点比较多,那在php.ini中设置就不合适了,因为在php.ini中只能定义一次,也就是说所有站点都一起定义限定的目录,那这样似乎起不到隔离多个站点的目的。我们可以给单个虚拟主机设置open_basedir。如下所示:
···
php_admin_value open_basedir "/usr/local/apache2.4/htdocs/ming1:/tmp"
···
我们可以给任意虚拟主机设置open_basedir,只需要在虚拟主机相应的区域加上以上代码即可。
在open_basedir中允许tmp是因为站点的临时文件会写在/tmp目录下,如果tmp目录禁止了可能会导致上传不了图片的问题。
扩展
apache开启压缩 http://ask.apelearn.com/question/5528
apache2.2到2.4配置文件变更 http://ask.apelearn.com/question/7292
apache options参数 http://ask.apelearn.com/question/1051
apache禁止trace或track防止xss http://ask.apelearn.com/question/1045
apache 配置https 支持ssl http://ask.apelearn.com/question/1029