2018-3-7 Linux Learning Notes

Last Update:2018-03-07 Source: Internet

Author: User

Tags php source code phpinfo

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

11.28 restricting a directory from parsing PHP

background : For security reasons, in general, the static file is located in the file can be uploaded under the directory is not allowed to store PHP files, because this can be prevented from parsing PHP in this directory, to prevent possible intrusion through PHP parsing.
To configure a directory to disallow parsing of PHP methods:
Vim/usr/local/apache2.4/conf/extra/httpd-vhosts.conf
The configuration file adds the following:
<Directory/data/wwwroot/123.com/upload>
Php_admin_flag engine off
</Directory>
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl-t
/usr/local/apache2.4/bin/apachectl Graceful
Post-Configuration test:
Curl-x127.0.0.1:80 ' http://123.com/upload/admin.php '
Conclusion: The PHP source code is returned directly from Curl test, which shows that admin.php is not parsed.

11.29 Limit User_agent

background : Sometimes our site will be subject to CC attacks, it is simply said that the attackers control thousands of many host/server simultaneously access the site, a lot of resources such as the bandwidth of the Web server, causing the server to be overwhelmed and stop service. This kind of attack is also a normal access, but a short period of high-frequency access, the purpose is to bring down your site. One feature of this type of attack is that their user_agent are basically consistent, so to prevent such attacks, we can set a method that restricts user_agent.
To configure a method that restricts user_agent:
Vim/usr/local/apache2.4/conf/extra/httpd-vhosts.conf
The configuration file adds the following:
<ifmodule mod_rewrite.c>
Rewriteengine on
Rewritecond%{http_user_agent}. *curl.* [Nc,or]
Rewritecond%{http_user_agent}. *baidu.com.* [NC]
Rewriterule. *-[F]
</IfModule>
In the above configuration:
NC: Indicates ignoring case
or: denotes or means that the line (condition) is not written and the relationship
F: Forbidden, no access
Reload the configuration file:
/usr/local/apache2.4/bin/apachectl-t
/usr/local/apache2.4/bin/apachectl Graceful
Post-Configuration test:
Curl-x127.0.0.1:80 ' http://123.com/admin.php '
Curl-a "baidu.com"-x127.0.0.1:80 ' http://123.com/upload/admin.php '-I
Curl-a "qq.com"-x127.0.0.1:80 ' http://123.com/admin.php '-I

Tail-n 5/usr/local/apache2.4/logs/123.com-access_20180306.log
The view log verifies again that the rejected 2 access user_agent contain curl and baidu.com, respectively.

conclusion : The Curl Direct test (This is user_agent contains curl) and the specified user_agent is baidu.com return 403 code, indicating that the limit User_agent succeeded. When User_agent is qq.com, 200 code is returned, unrestricted, and access is successful.

Knowledge points :
(1) User_agent can be understood as a browser identifier.
(2) curl-a "123123" indicates that the specified user_agent is 12312311.30/11.31 PHP-related configuration
What you learned before is about the configuration of Apache, this section is about PHP-related configuration.
1. View the PHP configuration file location
/usr/local/php/bin/php-i|grep-i "Loaded configuration file"
However, it is not always correct to use the above statement, but it is more reliable to create a PHP page with the phpinfo () function in the site (e.g. 123.com) and then access it in the browser to see the configuration file location.
2. Once you have found the PHP configuration file, you can edit it to set up the relevant configuration.
Vi/usr/local/php7/etc/php.ini
(1) Time zone configuration, set to Asia/shanghai or asia/chongqing
Date.timezone = Asia/shanghai
(2) Security-related configuration-Disable the following function, so that even if it is on a trojan, because the related function has been disabled, it can not be executed.
Disable_functions =
Eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown, Escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog, Readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
(3) Error log related configuration--easy to view when troubleshooting
To define the error log file:
Error_log =/tmp/php_errors.log
Error log switch:
Log_errors = On
If an error message is displayed on the webpage when an error occurs:
Display_errors = Off
The production environment is generally set to off because you do not want to leave potentially useful information (such as the directory in which the files are located) to the hacker.

At this point, even if the error, there will be no display on the webpage, so as to prevent information leakage.

However, the operator can view the relevant error information in the defined errors log file.
Define the level of error Reporting:
error_reporting = E_all & ~e_notice
The production environment is generally set to E_all & ~e_notice, i.e. all other errors, warnings and other information are recorded except for notifications.
(4) Safety-related parameters Open_basedir
Simply say php.ini in the Open_basedir parameter, play the role of restricting operations in a site directory. For example, a server has multiple sites (each site has a directory corresponding), in case a site is hacked, if we set the site Open_basedir, That he can at most in the site under the toss, do not have other sites.
However, the Open_basedir parameter in php.ini is applicable to all sites, if there is only one site on the server, directly configure the Open_basedir parameters in php.ini can play a role, but if more than one site, because each site directory is different, The Open_basedir parameter in php.ini can only be set one place, so it is powerless.
The Apache virtual Host configuration file is then used to set the Open_basedir parameter for a specific site.
Vim/usr/local/apache2.4/conf/extra/httpd-vhosts.conf
The configuration file adds the following:
Php_admin_value Open_basedir "/data/wwwroot/123.com:/tmp/"
This sets up the Open_basedir configuration for the 123.com site.

Extended Learning:
Apache Open Compression http://ask.apelearn.com/question/5528
apache2.2 to 2.4 configuration file changes http://ask.apelearn.com/question/7292
Apache Options Parameter http://ask.apelearn.com/question/1051
Apache prohibits trace or track from preventing XSS http://ask.apelearn.com/question/1045
Apache configuration HTTPS support SSL http://ask.apelearn.com/question/1029

2018-3-7 Linux Learning notes

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More