Prohibit PHP parsing in a directory, restrict user_agent, and PHP-related configuration

Source: Internet
Author: User
Tags: parse error, phpinfo

I. Prohibit PHP parsing in a directory

Prohibiting PHP parsing in the image (upload) directory keeps an attacker who has planted a backdoor file there from executing it and gaining database permissions.
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

# /usr/local/apache2.4/bin/apachectl -t
# /usr/local/apache2.4/bin/apachectl graceful
# mkdir upload    // create an upload directory under /data/wwwroot/111.com
# cp 123.php upload/
# curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I    // test
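
The vhost block edited in the first step is not shown on this page. One way to write it for Apache 2.4 with mod_php, as an added example that is not the original author's configuration; the FilesMatch pattern and the surrounding VirtualHost layout are assumptions:

```apache
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com

    <Directory "/data/wwwroot/111.com/upload">
        # Stop mod_php from executing anything under upload/
        php_admin_flag engine off

        # With the engine off, a .php file would be sent back as plain
        # source. Refuse such requests outright instead (403).
        # Assumed pattern: unanchored and case-insensitive, so names like
        # shell.php.jpg, x.PHP5, x.phtml and x.phar are covered as well.
        <FilesMatch "(?i)\.(php[0-9]?|phtml|phar)">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
```

After `apachectl -t` and `apachectl graceful`, the curl test above should return 403 for upload/123.php, while image files in the same directory are still served.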

II. Restricting user_agent

The principle of a CC attack: the attacker uses proxy servers (compromised hosts, so-called "meat machines") to send legitimate-looking requests to the victim host, achieving a DDoS while disguising the source.
In log analysis, requests whose user_agent is very regular can basically be identified as a CC attack.
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

# /usr/local/apache2.4/bin/apachectl -t
# /usr/local/apache2.4/bin/apachectl graceful
# curl -A "Aminglinux aminglinux" -x192.168.8.131:80 'http://111.com/123.php' -I    // -A specifies the user_agent; -e specifies the referer, which must start with "http://"; -x specifies the server to send the request to, in place of a hosts entry; -I views only the status code
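
The rewrite rules edited in httpd-vhosts.conf are not shown on this page. An added example (not the author's configuration) of refusing requests by User-Agent with mod_rewrite; both patterns are constructed placeholders to be replaced with the strings that stand out in your own access log:

```apache
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com

    <IfModule mod_rewrite.c>
        RewriteEngine on

        # Constructed pattern 1: curl's default User-Agent ("curl/<version>")
        RewriteCond %{HTTP_USER_AGENT} "curl" [NC,OR]
        # Constructed pattern 2: placeholder for the repeated string
        # identified in the access log
        RewriteCond %{HTTP_USER_AGENT} "ExampleFloodClient" [NC]

        # "-" leaves the URL untouched; [F] answers 403 Forbidden
        RewriteRule ".*" "-" [F]
    </IfModule>
</VirtualHost>
```

With these rules a request carrying curl's default User-Agent gets 403, while the test above, which sets a different string with -A, is served. Because the header is client-supplied, treat this as a filter for the specific traffic seen in the log rather than as access control.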

III. PHP-related configuration

In a browser, open a site file that calls the phpinfo() function to view the PHP information. If no php.ini is loaded, copy one from the source package to /usr/local/php/etc/
# cp /usr/local/src/php-5.6.32/php.ini-development /usr/local/php/etc/php.ini

disable_functions is a security setting: the functions listed in it are disabled.
# vim /usr/local/php/etc/php.ini    // edit the configuration file and add the functions below after "disable_functions ="; some enterprise production environments also add phpinfo to the list to increase security
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
Note: eval is a language construct rather than a function, so listing it in disable_functions does not disable it.
# /usr/local/apache2.4/bin/apachectl graceful    // reload the configuration after the change is complete
Refresh http://111.com/index.php in the browser; the page now reports that phpinfo is disabled.

# vim /usr/local/php/etc/php.ini    // set date.timezone to Asia/Shanghai or Asia/Chongqing
date.timezone = Asia/Shanghai
Change display_errors = On to display_errors = Off. After that, accessing http://111.com/index.php no longer outputs the error message; the page is simply blank.
If error output is disabled, the error log needs to be turned on: set log_errors = On and set the error log path with error_log = /tmp/php_errors.log
error_reporting defines the error logging level. The default is error_reporting = E_ALL; production generally uses "Show all errors, except for notices".
# /usr/local/apache2.4/bin/apachectl -t
# /usr/local/apache2.4/bin/apachectl graceful
# ls /tmp    // check whether php_errors.log has been generated under /tmp
# ls -l /tmp/php_errors.log
-rw-r--r-- 1 daemon daemon 145 June 5 07:34 /tmp/php_errors.log    // its owner is daemon
# ps aux | grep httpd

daemon is the user the httpd processes run as, so the error log is created under that identity.
If an error log is defined but never generated, check that the defined error log path is writable.
# cat /tmp/php_errors.log    // view the error log contents
[05-Jun-2018 07:34:06 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
# vim /data/wwwroot/111.com/2.php    // create 2.php
# curl -A "A" -x127.0.0.1:80 http://111.com/2.php -I    // reports a 500 error
# cat /tmp/php_errors.log    // shows a parse error
[05-Jun-2018 08:14:40 Asia/Shanghai] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4

Multi-site security configuration:
Requirement: one server runs multiple sites. If one site's code has a vulnerability and that site is compromised, open_basedir can be added so that the other sites' directories are not affected.
# vim /usr/local/php/etc/php.ini
open_basedir = /data/wwwroot/111.com:/tmp    // if defined in php.ini, only one open_basedir can be defined, and it applies to all sites and the temporary directory
# /usr/local/apache2.4/bin/apachectl graceful
# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf    // to isolate each site individually, modify the httpd-vhosts.conf configuration file instead
php_admin_value open_basedir "/data/wwwroot/111.com:/tmp"    // added in the 111.com site configuration
php_admin_value open_basedir "/data/wwwroot/abc.com:/tmp"    // added in the abc.com site configuration
# /usr/local/apache2.4/bin/apachectl -t
# /usr/local/apache2.4/bin/apachectl graceful
