Lamp architecture-access Control-disable PHP parsing
Some web forums opened the upload image function, resulting in the hacker Trojan bundle image upload to the server, by accessing PHP to enhance the server background permissions,
Here we need to upload images of the directory to prohibit access to PHP files, to prevent hackers to upload the Trojan horse by accessing the web to run the role of Trojans;
Edit a virtual configuration file
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
Add code
<Directory /data/wwwroot/szl.com/upload> php_admin_flag engine off <FilesMatch (.*)\.php(.*)> Order allow,deny Deny from all </FilesMatch> </Directory>
Configuration takes effect
/usr/local/apache2.4/bin/apachectl -t/usr/local/apache2.4/bin/apachectl graceful
Test:
Access to szl.com/upload/123.php, no access 403
curl -x127.0.0.1:80 szl.com/upload/123.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
Access Control-user_agentPrevent multi-broiler flood attacks, that is, access beyond the normal access of the server, shielding off a curl of access;
User_agent: Using curl to access or use browser access, will produce a log file, name is curl or browser name;
Edit a virtual configuration filevim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
Add configuration<IfModule mod_rewrite.c> //应用rewrite模块 RewriteEngine on //启用规则 RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR] //定义规则1,NC不区分大小写、or或、*curl.*访问中有curl的禁止 RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC] //定义规则2,不区分大小写,访问agent为baidu.com的 RewriteRule .* - [F]</IfModule>
Check if the http.conf file is loading the rewrite module/usr/local/apache2.4/bin/apachectl -M |grep rewrite
Effective configuration/usr/local/apache2.4/bin/apachectl -t/usr/local/apache2.4/bin/apachectl graceful
TestAccess szl.com/admin.php with curl, deny access, 403
Curl-x127.0.0.1:80 szl.com/admin.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
Define other agent access, Success 200
Curl-a "Szl Szl"-x127.0.0.1:80 szl.com/admin.php-i
HTTP/1.1 200 OKDate: Wed, 07 Mar 2018 10:24:27 GMTServer: Apache/2.4.29 (Unix) PHP/5.6.30X-Powered-By: PHP/5.6.30Content-Type: text/html; charset=UTF-8
Lamp architecture-access Control-disable PHP parsing, masking curl command access