2018-3-7 Linux Learning Notes

Source: Internet
Author: User
Tags: php, source code, phpinfo

11.28 Restricting a directory from parsing PHP
    • Background: For security reasons, a directory that holds static files or that accepts user uploads should generally not be allowed to store and run PHP files. If PHP is not parsed in that directory, an uploaded file cannot be executed as PHP, which closes off a common intrusion path.
    • To configure a directory so that PHP is not parsed in it:
    • vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    • Add the following to the virtual host's configuration:
      <Directory /data/wwwroot/123.com/upload>
          php_admin_flag engine off
      </Directory>
    • Check the syntax and reload the configuration file:
      /usr/local/apache2.4/bin/apachectl -t
      /usr/local/apache2.4/bin/apachectl graceful
    • Post-configuration test:
      curl -x127.0.0.1:80 'http://123.com/upload/admin.php'
    • Conclusion: The curl test returns the PHP source code directly, which shows that admin.php is no longer parsed. Note that serving the source as plain text is itself a disclosure; if .php files should never be served from the upload directory at all, deny access to them there as well.
11.29 Limiting user_agent
  • Background: Sometimes our site is hit by a CC attack. Put simply, the attacker controls thousands of hosts or servers that access the site at the same time, consuming resources such as the web server's bandwidth until the server is overwhelmed and stops serving. Each request looks like normal access; what sets the attack apart is the high frequency over a short period, with the aim of bringing the site down. One feature of this type of attack is that the user_agent values are basically identical, so one way to defend against it is to restrict by user_agent.
  • To configure a restriction on user_agent:
  • vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
  • Add the following to the virtual host's configuration:
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]
    </IfModule>
  • In the above configuration:
    NC: ignore case when matching
    OR: combine this condition with the next one as "or"; without it, consecutive conditions are combined as "and"
    F: Forbidden, return 403 and deny access
  • Check the syntax and reload the configuration file:
    /usr/local/apache2.4/bin/apachectl -t
    /usr/local/apache2.4/bin/apachectl graceful
  • Post-configuration test:
    curl -x127.0.0.1:80 'http://123.com/admin.php'
    curl -A "baidu.com" -x127.0.0.1:80 'http://123.com/upload/admin.php' -I
    curl -A "qq.com" -x127.0.0.1:80 'http://123.com/admin.php' -I

    tail -n 5 /usr/local/apache2.4/logs/123.com-access_20180306.log
    Viewing the log confirms that the two rejected requests carry user_agent values containing curl and baidu.com, respectively.

    Conclusion: The plain curl test (whose user_agent contains curl) and the request with user_agent set to baidu.com both return a 403 code, showing that the user_agent restriction works. With user_agent set to qq.com a 200 code is returned: the request is not restricted and access succeeds.
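As an added example (not part of the original notes), the following Python script reproduces the two RewriteCond checks above in code and runs them over access-log lines in Apache's combined format, so the status Apache logged can be compared with what the rule should have done; a mismatch marks a request that slipped through, such as one logged before the graceful reload. The log lines and user_agent strings are constructed sample data.

```python
import re
from collections import Counter
# Constructed access-log lines in Apache "combined" format, modelled on the curl
# tests above (sample data, not taken from the original notes). The last line
# stands for a request logged before the rewrite rule was reloaded.
SAMPLE_LOG = """\
127.0.0.1 - - [06/Mar/2018:10:00:01 +0800] "GET /admin.php HTTP/1.1" 403 199 "-" "curl/7.29.0"
127.0.0.1 - - [06/Mar/2018:10:00:02 +0800] "HEAD /upload/admin.php HTTP/1.1" 403 - "-" "baidu.com"
127.0.0.1 - - [06/Mar/2018:10:00:03 +0800] "HEAD /admin.php HTTP/1.1" 200 - "-" "qq.com"
127.0.0.1 - - [06/Mar/2018:10:00:04 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0"
127.0.0.1 - - [06/Mar/2018:09:59:50 +0800] "GET /admin.php HTTP/1.1" 200 1024 "-" "curl/7.29.0"
"""

# The two RewriteCond patterns; re.IGNORECASE plays the role of [NC] and
# any() plays the role of [OR].
BLOCKED_UA_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r".*curl.*", r".*baidu\.com.*")]

# One combined-format line: ip ident user [time] "request" status size "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def ua_matches_rule(ua):
    """True if this user_agent would be denied by the RewriteRule ... [F] above."""
    return any(p.match(ua) for p in BLOCKED_UA_PATTERNS)

def check_rule_against_log(text):
    """Compare the rule's verdict with the status Apache actually logged.
    Returns (ua, rule_blocks, got_403, consistent) per entry."""
    out = []
    for e in parse_log(text):
        rule_blocks = ua_matches_rule(e["ua"])
        got_403 = e["status"] == "403"
        out.append((e["ua"], rule_blocks, got_403, rule_blocks == got_403))
    return out

def ua_counts(text):
    """Requests per user_agent; one UA with a very high count is the CC-attack signature."""
    return Counter(e["ua"] for e in parse_log(text))

if __name__ == "__main__":
    for ua, rule_blocks, got_403, ok in check_rule_against_log(SAMPLE_LOG):
        print(f"{'ok      ' if ok else 'MISMATCH'} rule_blocks={rule_blocks!s:5} got_403={got_403!s:5} {ua}")
    print(ua_counts(SAMPLE_LOG).most_common())
```

Run against the real file with `tail -n 5` output piped in, the same check shows whether every blocked user_agent really received a 403.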
  • Knowledge points:
    (1) user_agent can be understood as a browser identifier.
    (2) curl -A "123123" sets the user_agent to 123123.
11.30/11.31 PHP-related configuration
  • The previous sections covered Apache configuration; this section is about PHP-related configuration.
  • 1. View the location of the PHP configuration file:
    /usr/local/php/bin/php -i | grep -i "Loaded configuration file"
  • However, the output of this command is not always correct. A more reliable way is to create a PHP page in the site (e.g. 123.com) that calls phpinfo(), open it in a browser and read the configuration file location there; remove the page again afterwards, since phpinfo() discloses the server's configuration.

  • 2. Once you have found the PHP configuration file, edit it to set the relevant options.
    vi /usr/local/php7/etc/php.ini
  • (1) Time zone: set it to Asia/Shanghai or Asia/Chongqing
    date.timezone = Asia/Shanghai
  • (2) Security-related configuration: disable the following functions, so that even if a web shell (trojan) is uploaded, the functions it relies on are unavailable and it cannot execute commands. Note that eval is a language construct rather than a function, so listing it in disable_functions has no effect on it.
    disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close,phpinfo
  • (3) Error-log configuration, useful when troubleshooting
  • Define the error log file:
    error_log = /tmp/php_errors.log
  • Error log switch:
    log_errors = On
  • Whether an error message is displayed on the web page when an error occurs:
    display_errors = Off
    Production environments generally set this to Off, to avoid handing potentially useful information (such as the directory the files live in) to an attacker.

    With this setting an error produces no output on the page, which prevents the information leak.

    The operator can still read the details in the error log file defined above.
  • Define the error reporting level:
    error_reporting = E_ALL & ~E_NOTICE
    Production environments generally use E_ALL & ~E_NOTICE, i.e. everything except notices (errors, warnings and other messages) is recorded.
  • (4) Security-related parameter open_basedir
  • Put simply, the open_basedir parameter in php.ini restricts PHP's file operations to a given directory tree. For example, a server hosts several sites, each with its own directory; if one site is compromised and open_basedir has been set for it, the intruder can at most operate within that site's directory and cannot reach the other sites.
  • However, the open_basedir parameter in php.ini applies to all sites. If there is only one site on the server, setting open_basedir in php.ini is enough, but with several sites, each in a different directory, php.ini can hold only one setting, so it is of no use there.
  • Instead, open_basedir is set per site in the Apache virtual host configuration file.
  • vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
  • Add the following to the <VirtualHost> block for the site (php_admin_value is honoured in the virtual host context):
    php_admin_value open_basedir "/data/wwwroot/123.com:/tmp/"
  • This sets open_basedir for the 123.com site.
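As an added example (not from the original notes), a small Python audit of a php.ini fragment against the settings covered in this section: a permissive fragment beside a hardened one. Both fragments and the minimum set of functions the audit insists on are constructed for illustration.

```python
# Constructed php.ini fragments (sample data, not from the original notes): the
# first carries development-style values, the second the settings from this section.
WEAK_INI = """\
; development-style settings
display_errors = On
log_errors = Off
disable_functions = eval
"""
HARDENED_INI = """\
date.timezone = Asia/Shanghai
disable_functions = popen,passthru,escapeshellarg,escapeshellcmd,exec,system,shell_exec,proc_open,proc_close,dl,phpinfo
error_log = /tmp/php_errors.log
log_errors = On
display_errors = Off
error_reporting = E_ALL & ~E_NOTICE
"""
# Minimum set the audit insists on (an assumption for this example; the notes disable more).
REQUIRED_DISABLED = {"exec", "system", "shell_exec", "passthru", "popen", "proc_open", "phpinfo"}

def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines; ';' comments and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings

def is_on(value):
    return value.lower() in ("on", "1", "true", "yes")

def audit(text):
    """Return the findings for a php.ini fragment; an empty list means it passes."""
    s = parse_ini(text)
    findings = []
    if s.get("display_errors", "").lower() != "off":   # require an explicit Off
        findings.append("display_errors must be Off: errors on the page leak paths and code")
    if not is_on(s.get("log_errors", "")):
        findings.append("log_errors must be On so errors still reach the operator")
    if not s.get("error_log"):
        findings.append("error_log is unset: define a file so the operator can read the errors")
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ",".join(missing))
    if "eval" in disabled:
        findings.append("eval is a language construct, not a function; disable_functions cannot block it")
    return findings
```

Calling `audit(open("/usr/local/php7/etc/php.ini").read())` on the real file lists what still needs changing; an empty list means the settings above are all in place.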

Extended Learning:
Apache: enabling compression http://ask.apelearn.com/question/5528
Apache 2.2 to 2.4 configuration file changes http://ask.apelearn.com/question/7292
Apache Options parameter http://ask.apelearn.com/question/1051
Apache: disabling TRACE/TRACK to prevent XSS http://ask.apelearn.com/question/1045
Apache: configuring HTTPS (SSL) support http://ask.apelearn.com/question/1029
