Let's talk about the security settings of the company server!

Source: Internet
Author: User

I have been doing this work for a long time, mostly developing the company's PHP applications and also maintaining several CentOS servers. Over those years I have put together a small set of methods for dealing with attacks, and I don't want to keep them to myself, so I hope you find them useful!

First, let's talk about the configuration on the server side. The servers sit in the company, on a fiber line that comes with seven fixed IP addresses. Each server has its own fixed public IP, and each server has two network cards: besides the external fixed IP it also has an internal LAN address. The seven fixed IPs are distributed through a hardware firewall with routing functions, and that hardware firewall only opens port 80 to the outside; everything else is closed. The servers are basically all CentOS, with only one running Windows, and the Linux firewall built into CentOS is enabled on every one of them. For remote management, I use some "special means" to connect to the Windows server on the LAN where the servers sit, and from that Windows box I use an SSH client to control each server. This setup is troublesome, but it is safe. (To go into a bit more detail: the firewall on each server has a rule that allows SSH connections only from a single intranet IP address. This setup is cumbersome to configure, and it's a long story.)

At this point you may ask: with only port 80 open, what attacks are even possible? In fact, there are two. First, certain companies often use the webbench stress-testing tool to try to bring Nginx to its knees; there is no avoiding it, because they developed this application originally and know how heavily it loads the CPU when it runs. Second, a large number of mainland Internet users probe for potential vulnerabilities in the application, such as the administrator's back-end entry point, or whether there are compressed backup archives of the website lying on the server. All of these come in over port 80. If no measures are taken, Nginx is frequently paralyzed, and the website returns error 500 or error 502; I don't need to spell out the harm of those guessing attacks. So I have to take measures to kill off the unfriendly visitors.

In fact, it is not complicated. First, I use PHP to work out the visitor's intention. If the intention is shady or off the beaten path and matches my blocking conditions, I kill him! Concretely, PHP automatically creates a .sh file whose content rewrites the Linux firewall rules (of course I could also rewrite the rules of the hardware firewall, but that is too much trouble, so I'm lazy!), and sets the attributes and owner of that .sh file so it can be executed. Then the Linux crontab picks up and executes the .sh, which writes the blocking rule into the firewall and sends an email to me, the author, telling me that a troublemaker has been blocked.

Here is what I actually do:

<?php
# Auto-block for attackers on dynamic IPs. QQ group: 223494678
# Usage:
# 1. Put the PHP code below into the globally required configuration file.
# 2. Over SSH, open the cron table: cat /etc/crontab
# 3. Add the following two lines (the path must be the file that DoLock() writes):
#    # auto lock webshells
#    */1 * * * * root /home/wwwroot/bossAdm_Web/weblistener.sh;
# 4. Restart the cron service (it is called crond on CentOS): service crond restart
#
# Caveat: the web user (www) writes this script and root runs it every minute,
# so anyone able to write to that path as www can get commands run as root.

// Block WebBench, whatever the referer.
// REMOTE_ADDR is the TCP peer address; behind a reverse proxy it would be the proxy.
if (isset($_SERVER['HTTP_USER_AGENT']) and trim($_SERVER['HTTP_USER_AGENT']) != '') {
    $_SERVER['HTTP_USER_AGENT'] = strtolower($_SERVER['HTTP_USER_AGENT']);
    if (stristr($_SERVER['HTTP_USER_AGENT'], 'webbench') !== false
        and (isset($_SERVER['REMOTE_ADDR']) and trim($_SERVER['REMOTE_ADDR']) != '')) {
        DoLock($_SERVER['REMOTE_ADDR']);
        die();
    }
}

// Anyone touching a sensitive URL has their IP blocked directly. QQ group: 223494678
// Best placed in 404.php, which is more effective (httpd.conf must be set up so that
// 404 errors are routed to 404.php).
if (isset($_SERVER['REQUEST_URI']) and trim($_SERVER['REQUEST_URI']) != '') {
    $probes = array('/admin', '/sign', '/reg', '/tiki-', '/join', '/config', '/backup',
                    '/www', '/manage', '/password', '/install', '/phpmyadmin',
                    '/webadmin', '/inc', '/user', '/upload', '/setup', '/sys', '/cert');
    foreach ($probes as $probe) {
        if (stristr($_SERVER['REQUEST_URI'], $probe) !== false) {
            DoLock($_SERVER['REMOTE_ADDR']);
            die();
        }
    }
}

// Write a shell script that blocks the given IP; cron runs it as root. QQ group: 223494678
function DoLock($x) {
    $p = '/home/wwwroot/bossAdm_Web/weblistener.sh';
    file_put_contents($p,
        "#!/bin/bash\n"
      . "iptables -I INPUT -s {$x} -j DROP;\n"
      . "echo \"{$x} - $(date)\" | mail -s \"WebBench\" see7di@gmail.com;\n"
      . "cat /dev/null > {$p}",   // the script empties itself once it has run
        LOCK_EX);
    chmod($p, 0755);
    chown($p, 'www');
    unset($p, $x);
}
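As an added example (not the author's code), here is how the same cron-driven blocking can work without the web user handing root an executable file: PHP only appends the offending REMOTE_ADDR to a queue file (with FILE_APPEND|LOCK_EX), and a worker run by root from /etc/crontab checks that every line is a plain IPv4 address before it reaches iptables. The queue path and the mail address are assumptions.

```shell
#!/bin/sh
# Added example, not the page's script: root-side worker for a blocklist queue.
# Assumption: PHP appends $_SERVER['REMOTE_ADDR'] . "\n" to QUEUE and nothing else;
# the web user never writes code that root executes.
QUEUE=${QUEUE:-/home/wwwroot/bossAdm_Web/block_queue.txt}   # assumed path
MAILTO=${MAILTO:-admin@example.invalid}                     # placeholder

# Succeeds only for a plain dotted quad: no metacharacters, four octets of 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    vi_ifs=$IFS; IFS=.; set -- $1; IFS=$vi_ifs
    [ $# -eq 4 ] || return 1
    for vi_o in "$@"; do
        [ ${#vi_o} -le 3 ] && [ "$vi_o" -le 255 ] || return 1
    done
    return 0
}

# The real action: the same DROP rule and notification as the page's script.
block_ip() {
    iptables -I INPUT -s "$1" -j DROP
    echo "$1 - $(date)" | mail -s "WebBench" "$MAILTO"
}

# Process queue file $1, calling $2 (default block_ip) for each valid address.
# Empties the file afterwards and returns the number of rejected lines.
process_queue() {
    pq_file=$1; pq_act=${2:-block_ip}; pq_bad=0
    [ -f "$pq_file" ] || return 0
    while IFS= read -r pq_ip || [ -n "$pq_ip" ]; do
        pq_ip=$(printf '%s' "$pq_ip" | tr -d '[:space:]')
        [ -z "$pq_ip" ] && continue
        if valid_ipv4 "$pq_ip"; then
            "$pq_act" "$pq_ip"
        else
            echo "rejected queue entry: $pq_ip" >&2
            pq_bad=$((pq_bad + 1))
        fi
    done < "$pq_file"
    : > "$pq_file"      # like the page's "cat /dev/null > $p"
    return "$pq_bad"
}

# Cron entry point: "*/1 * * * * root /path/to/worker.sh run"
[ "${1:-}" = run ] && process_queue "$QUEUE"
```

Lines such as `10.0.0.1 ; reboot` are rejected and logged to stderr instead of being executed, so a compromised web process can at most add firewall rules for real addresses.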

After this was published, a netizen asked me what the "special means" for connecting to the Windows server on the servers' LAN actually are. Well, I'll give a simple explanation, though I'm a little afraid it might cost me my rice bowl. First, I log in to the management back-end of the company website and submit a "3389 request", then log out of the back-end. When the Linux server receives the request (it is just an INI file), it sends the file over Samba through the internal LAN to the Windows server, where a controller program I developed is running. When the controller finds the file, it modifies the settings of the hardware firewall and opens a port mapping (a port near 65525 mapped to port 3389 on the Windows server). At that point I can reach this server over remote desktop on 3389 (from submitting the request to the 3389 service being available takes only about one minute). Note, however, that you need to adjust the settings in gpedit so that once the remote desktop session ends the rest is handed back to the controller, which takes care of closing the 3389 port mapping for me.

That's all. If you would like to talk PHP, you can join my QQ group: 223494678. I believe that only through communication can we grow! At least that's what I think. :)
