11.28 Restricting a directory from parsing PHP
Prohibit PHP parsing: the goal is to stop uploaded PHP files from being executed. PHP has dangerous functions, and if a directory is open for uploads, malicious files (web shells, "Trojan files") will sooner or later be uploaded to it; once one runs, the attacker gains the server's permissions, possibly root, which is very dangerous.
You can also add a FilesMatch block to deny access to those files altogether.
Check the configuration file with -t and reload it with graceful (apachectl -t; apachectl graceful).
[[email protected] ~]# cd /data/wwwroot/111.com/
[[email protected] 111.com]# mkdir upload
[[email protected] 111.com]# cp 123.php upload/
[[email protected] 111.com]# curl -x127.0.0.1:80 111.com/upload/123.php -I
HTTP/1.1 403 Forbidden
Date: Mon, Mar 2018 14:00:22 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
(The request is already refused with 403.)
First remove the FilesMatch block to see what effect the ban on parsing PHP has on its own:
[[email protected] 111.com]# curl -x127.0.0.1:80 111.com/upload/123.php
<?php
echo "123.php";
?>
(PHP is not parsed at all: the server returns the PHP source code verbatim instead of executing it.)
When you open 111.com/upload/123.php in a browser, the file is offered for download, which again shows that it is not being parsed.
Adding the FilesMatch block back in the configuration file restricts it further:
access to 111.com/upload/123.php is then forbidden (403).
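The two pieces of configuration this section refers to, written out as an added example rather than the page's own file. The virtual host name 111.com and the upload directory come from the page; the Apache 2.4 Require syntax and the mod_php engine flag are assumptions, since the page does not show its exact directives.

```apache
# Added example: place inside the <VirtualHost> block for 111.com in httpd-vhosts.conf.
# Step 1: stop mod_php from executing anything under the upload directory.
# On its own this makes a request for upload/123.php return the raw PHP source.
<Directory /data/wwwroot/111.com/upload>
    php_admin_flag engine off
    # Step 2: also refuse to serve the files at all, so the source is not leaked.
    # The pattern matches any name containing ".php", not only names ending in it.
    <FilesMatch "(.*)\.php(.*)">
        Require all denied
    </FilesMatch>
</Directory>
# Verify as the page does:
#   /usr/local/apache2.4/bin/apachectl -t && /usr/local/apache2.4/bin/apachectl graceful
#   curl -x127.0.0.1:80 111.com/upload/123.php -I    -> HTTP/1.1 403 Forbidden
```

Without Step 2 the upload directory still serves the file as plain text, so keep both blocks together.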
11.29 Limiting user_agent
Background for user_agent access control: a site may be subjected to CC attacks. The attacker uses tools and compromised zombie machines (bots) to have thousands of machines visit the site at the same time, and the site may go down.
CC attacks are very regular; in particular, their user_agent strings are very regular, which is what we can match on.
The lines above are the conditions (RewriteCond); the line below is the rule (RewriteRule).
OR: the user_agent is blocked if it matches either the condition above or the one below. Without OR the conditions are combined with AND, but a single user_agent cannot contain both curl and baidu.com, so the rule would never match.
NC means ignore case (a user_agent such as Mozilla would otherwise be matched case-sensitively).
F means Forbidden (return 403).
Requesting 111.com/123.php with curl is now forbidden.
The access log shows that the request was blocked.
To prove that it is the user_agent that is being restricted, send a different user_agent with -A and the request succeeds:
[[email protected] 111.com]# curl -A "a4l" -x127.0.0.1:80 111.com/123.php
123.php
[[email protected] 111.com]# curl -A "A4L" -x127.0.0.1:80 111.com/123.php -I
HTTP/1.1 200 OK
Date: Mon, Mar 2018 14:36:14 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Content-Length: 7
Content-Type: text/html; charset=utf-8
Looking at the log, you can see that the user_agent recorded is the one we specified.
Common curl options:
-e specifies the referer (must start with http://)
-A specifies the user_agent
-x specifies the proxy host:port to send the request to, which is equivalent to skipping the hosts-file entry
-I shows only the response headers, including the status code
Further reading: CC attack https://baike.baidu.com/item/cc%E6%94%BB%E5%87%BB/10959545?fr=aladdin
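The mod_rewrite rules this section describes (conditions with NC and OR, rule with F), as an added example and not the page's own configuration; the patterns curl and baidu.com and the host 111.com are the page's, the block placement inside the 111.com virtual host is an assumption.

```apache
# Added example: user_agent restriction for the 111.com virtual host.
# Requires mod_rewrite to be loaded: LoadModule rewrite_module modules/mod_rewrite.so
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Two conditions joined by [OR]: the request is refused if the User-Agent
    # contains "curl" OR contains "baidu.com". Without [OR] both would have to
    # hold for the same request, which no single User-Agent string can satisfy.
    # NC = case-insensitive, so "Curl/7.29.0" and "curl/7.29.0" both match.
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    # F = Forbidden: answer 403 (and log it) instead of serving the page.
    RewriteRule .* - [F]
</IfModule>
# Checks, matching the page's curl tests:
#   curl -x127.0.0.1:80 111.com/123.php -I            -> 403 (default UA is curl/x.y.z)
#   curl -A "a4l" -x127.0.0.1:80 111.com/123.php -I   -> 200 OK
```

Note that a blanket match on curl also blocks legitimate monitoring scripts that use curl, so match on the specific user_agent pattern seen in the attack traffic where possible.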
11.30/11.31 PHP-related configuration
• View the PHP configuration file location
/usr/local/php/bin/php -i | grep -i "Loaded configuration file"
[[email protected] php-7.1.6]# /usr/local/php/bin/php -i | grep -i "Loaded configuration file"
PHP Warning:  Unknown: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in Unknown on line 0
Loaded Configuration File => /usr/local/php/etc/php.ini
Edit index.php so that it contains a phpinfo() call.
[[email protected] 111.com]# vim index.php
Opening 111.com/index.php in the browser shows the phpinfo() page.
There we can see that the PHP configuration directory is /usr/local/php7/etc, but no php.ini is loaded from it.
Since none is loaded, copy one from the source package:
[[email protected] 111.com]# cd /usr/local/src/php-php-5.6.30/php-7.1.6/
[[email protected] 111.com]# cd /usr/local/src/php-7.1.6/
[[email protected] php-7.1.6]# cp php.ini-php.ini-development php.ini-production
[[email protected] php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
[[email protected] php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
After reloading the configuration, phpinfo() shows that php.ini is now loaded.
• Configuring php.ini:
1, limit disable_functions (dangerous functions)
Dangerous functions: eval, assert, popen, passthru, escapeshellarg, escapeshellcmd, passthru, exec, system, chroot, scandir, chgrp, chown, escapeshellcmd, escapeshellarg, shell_exec, proc_get_status, ini_alter, ini_restore, dl, pfsockopen, openlog, syslog, readlink, symlink, leak, popepassthru, stream_socket_server, popen, proc_open, proc_close, phpinfo
Some companies also disable phpinfo, because phpinfo exposes system directories and other details to outsiders, which is dangerous.
After the configuration is complete, viewing 111.com/index.php shows that phpinfo() has been disabled.
2, define date.timezone (time zone)
Set the time zone to Asia/Shanghai or Asia/Chongqing.
3, log related
display_errors
display_errors controls whether error messages are displayed; if it is On, errors are shown in the browser, which is likely to expose directory paths.
When it is set to Off, a failing page comes back as a blank white page, so nothing is known and problems are not easy to find.
Therefore, after you change display_errors to Off, you need to configure the error log with log_errors.
log_errors
1) log_errors: turn the error log on
2) error_log: the log file path, which you choose yourself
3) error_reporting: the level to record. A very strict level records only serious errors and skips the less serious ones, which may then go unnoticed; it can be relaxed to a lower level.
In production environments, E_ALL & ~E_NOTICE is generally used.
Access the page again and a new error log is generated.
(The owner and group of php_errors.log are daemon, because daemon is the user httpd runs as, and php_errors.log is created by the httpd process.)
[[email protected] php-7.1.6]# cat /tmp/php_errors.log
[06-Mar-2018 11:56:52 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
Let's simulate one more error: create 2.php in the /data/wwwroot/111.com/ directory as follows:
[[email protected] php-7.1.6]# vim /data/wwwroot/111.com/2.php
[[email protected] php-7.1.6]# curl -A "a4l" -x127.0.0.1:80 111.com/2.php
[[email protected] php-7.1.6]# curl -A "a4l" -x127.0.0.1:80 111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 06 Mar 2018 12:09:39 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=utf-8
[[email protected] php-7.1.6]# cat /tmp/php_errors.log
[06-Mar-2018 11:56:52 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[06-Mar-2018 12:09:35 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[06-Mar-2018 12:09:39 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
Viewing the log shows that the parse error is more severe than the earlier warning.
4, open_basedir
For example, a server runs many sites; one of them has more vulnerabilities and gets compromised, and with that site's permissions the attacker moves further, into another site.
But if you add open_basedir, that is much less likely to happen.
Site A lives in directory A and site B in directory B; even if one is compromised, only that directory is compromised, and the other directories are not affected.
Modify /usr/local/php7/etc/php.ini (use : as the delimiter between the directories that are allowed; PHP's default temporary files live under /tmp, so include the /tmp directory).
A limit in php.ini applies to the whole server; if multiple sites share the same php.ini, there is no separate limit per site.
To set open_basedir per site, php.ini cannot do it; it can only be defined in the Apache virtual host.
php_admin_value can set php.ini parameters such as error_log and error_reporting, and can set a different open_basedir for each virtual host.
• Set a different open_basedir for each virtual host
Use php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/" to limit the directories; to give different virtual hosts different open_basedir values, repeat the directive in each virtual host, following the first one above.
(Why include the temporary-file directory? Because temporary files go under /tmp/ by default; without it, not even temporary files could be written.)
[[email protected] php-7.1.6]# curl -A "a4l" -x127.0.0.1:80 111.com/2.php
123
[[email protected] php-7.1.6]#
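The per-site settings from sections 11.30/11.31 (time zone, error display and logging, open_basedir) expressed in the 111.com virtual host with php_admin_value, as an added example rather than the page's own file. The paths, the log file /tmp/php_errors.log and the E_ALL & ~E_NOTICE level are the page's; the integer encoding of that level and the vhost layout are assumptions.

```apache
# Added example: 111.com virtual host with the PHP settings pinned per site.
# php_admin_value / php_admin_flag values cannot be overridden by .htaccess or ini_set().
# disable_functions is the exception: PHP honours it only in php.ini, not here.
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    # Time zone, as set in the php.ini step
    php_admin_value date.timezone "Asia/Shanghai"
    # Do not show errors in the browser (they leak paths); log them instead.
    # The log file must be writable by the user httpd runs as (daemon on this page).
    php_admin_flag  display_errors off
    php_admin_flag  log_errors on
    php_admin_value error_log "/tmp/php_errors.log"
    # E_ALL & ~E_NOTICE. Constants are not understood in httpd.conf, so the
    # integer value is used: 32767 & ~8 = 32759 (PHP 7 values).
    php_admin_value error_reporting 32759
    # Confine this site to its own directory plus /tmp for temporary files
    php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
</VirtualHost>
# Check after apachectl graceful: a second virtual host with its own
# open_basedir line cannot read /data/wwwroot/111.com, even with PHP code running in it.
```

A second site gets its own <VirtualHost> with its own open_basedir value, which is the per-site limit the text says php.ini alone cannot provide.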
If there are errors, please correct them; let us learn from each other and progress together!
2018-3-7 Week 11, lesson 2: restricting a directory from parsing PHP, restricting user_agent, PHP-related configuration