> I don't know which Daniel has a good method ....
> SELinux has several BT points. One is to prohibit HTTPD script programs and modules from connecting to the network, and the other is to restrict how the HTTPD program runs.
>
> The first one prohibits the use of reverse shells: as long as a program was started through the webshell, it cannot connect out. In addition, many Linux accounts, such as on Fedora, are not granted /bin/sh permissions, so it is very difficult to obtain an interactive shell.
>
> The second prohibition makes it impossible for the overflow program to write something directly to /etc/passwd and /etc/shadow. In this way, the interactive shell cannot be obtained,
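The network restriction the reply describes is controlled by SELinux booleans in the Fedora/RHEL targeted policy. The script below is an added example, not code from the original post: it audits `getsebool -a` output for the httpd booleans that, when left on, widen what a compromised web process can do. The boolean names are from the targeted policy (the post does not name them); the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit SELinux booleans that widen httpd's reach.
# Boolean names are from the Fedora/RHEL targeted policy, not from the post.

# Booleans that, when "on", let a compromised httpd process do more than
# serve pages (outbound connections, executable memory, mail, home dirs).
RISKY_HTTPD_BOOLEANS="httpd_can_network_connect httpd_can_network_connect_db httpd_execmem httpd_can_sendmail httpd_enable_homedirs"

# audit_httpd_booleans: reads getsebool-style lines ("name --> on|off")
# from stdin, prints each risky boolean that is on with the command that
# turns it off persistently, and returns 1 if any risky boolean is on.
audit_httpd_booleans() {
    found=0
    while IFS= read -r line; do
        name=${line%% *}      # token before the first space
        state=${line##* }     # token after the last space
        for risky in $RISKY_HTTPD_BOOLEANS; do
            if [ "$name" = "$risky" ] && [ "$state" = "on" ]; then
                echo "$name is on: consider 'setsebool -P $name off'"
                found=1
            fi
        done
    done
    return $found
}

# Run against the live system only when asked, so the script stays
# usable (and testable) on hosts without SELinux tools.
if [ "${1:-}" = "--live" ]; then
    getsebool -a | audit_httpd_booleans
fi
```

Run it as `sh audit.sh --live` on the server, or pipe a saved `getsebool -a` listing into `audit_httpd_booleans` for offline review.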