Restricting a directory from parsing PHP
When attackers get into your server and drop a trojan (a PHP webshell) into a static directory such as the upload directory, the server is at serious risk: any file they upload runs as code. So you should decide which directories may not parse PHP, and turn PHP off there.
1. Edit the virtual host configuration
[email protected] local]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.111.com www.example.com
    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
    </Directory>
</VirtualHost>
# Disables PHP parsing for the /data/wwwroot/111.com/upload directory. php_admin_flag is a mod_php directive (PHP runs as an Apache module here, as the Server header in the output below shows) and cannot be overridden from .htaccess or ini_set(); it has no effect when PHP runs under php-fpm.
[email protected] local]# mkdir /data/wwwroot/111.com/upload
2. Reload Apache (check the syntax first with apachectl -t):
[email protected] upload]# /usr/local/apache2.4/bin/apachectl graceful
Verify:
[email protected] upload]# curl -x127.0.0.1:80 'http://111.com/upload/123.php'
<?php
echo '123.php';
[email protected] upload]# curl -x127.0.0.1:80 'http://111.com/upload/baidu.png' -I
HTTP/1.1 200 OK
Date: Thu, 14:15:19 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Last-Modified: Thu, 14:15:19 GMT
ETag: W/"1EC5-55D9B44CAAAC0"
Accept-Ranges: bytes
Content-Length: 7877
Cache-Control: max-age=86400
Expires: Fri, 14:15:19 GMT
Content-Type: image/png
Validation result: requesting the .php file returns its source as plain text instead of executing it, while other files such as the PNG are served normally.
Extended:
With the engine off, the PHP source is still served as a text file, which discloses the code of any script an attacker managed to upload. To stop it being shown at all, deny access to .php files in that directory. (Order/Deny below is Apache 2.2 syntax; Apache 2.4 honours it only when mod_access_compat is loaded, which the stock httpd.conf does. The 2.4-native form is Require all denied.)
1. [email protected] upload]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.111.com www.example.com
    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
        # Unanchored regex: matches any file name containing ".php", so 123.php.jpg is refused too
        <FilesMatch "(.*)\.php(.*)">
            Order Allow,deny
            Deny from all
        </FilesMatch>
    </Directory>
</VirtualHost>
2. [email protected] upload]# /usr/local/apache2.4/bin/apachectl graceful
Validation results:
[email protected] upload]# curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I
HTTP/1.1 403 Forbidden
Date: Thu, 14:18:32 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
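To check that a vhost file actually carries both controls from this section (engine off from step 1, and the .php denial from the extended step), here is an added Python audit script; it is not part of the original post. It parses the <Directory> and <FilesMatch> blocks of a config text, reports which control is missing, and flags the 2.2-style Order/Deny so it can be replaced by Require all denied on 2.4. The vhost fragments, the upload path and the finding messages are constructed for the example.

```python
"""Audit an Apache vhost config for an upload directory that must not run PHP.

Added example, not code from the original post. It looks for the two controls
the post puts on the upload directory under mod_php: `php_admin_flag engine off`
(scripts are no longer executed) and a <FilesMatch> on .php that denies access
(the script source is not served either). Vhost fragments, the upload path and
the finding texts are constructed for this example.
"""
import re
from dataclasses import dataclass

DIRECTORY_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)
FILESMATCH_OPEN = re.compile(r'^<FilesMatch\s+"?(.+?)"?\s*>$', re.I)
ENGINE_OFF = re.compile(r"^php_admin_flag\s+engine\s+off$", re.I)
DENY_24 = re.compile(r"^Require\s+all\s+denied$", re.I)  # Apache 2.4 native
DENY_22 = re.compile(r"^Deny\s+from\s+all$", re.I)       # 2.2 syntax (mod_access_compat)


@dataclass
class DirectoryPolicy:
    path: str
    engine_off: bool = False   # php_admin_flag engine off present
    php_denied: bool = False   # a <FilesMatch> covering .php denies access
    legacy_deny: bool = False  # that denial uses Order/Deny, not Require


def _covers_php(filesmatch_pattern: str) -> bool:
    # Would this <FilesMatch> regex apply to an uploaded script such as shell.php?
    try:
        return re.search(filesmatch_pattern, "shell.php") is not None
    except re.error:
        return False


def parse_directories(config_text: str) -> dict:
    """Return {path: DirectoryPolicy} for every <Directory> block in the text."""
    policies, current, filesmatch = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := DIRECTORY_OPEN.match(line):
            current = DirectoryPolicy(path=m.group(1).rstrip("/"))
            policies[current.path] = current
        elif line.lower() == "</directory>":
            current, filesmatch = None, None
        elif current is None:
            continue
        elif m := FILESMATCH_OPEN.match(line):
            filesmatch = m.group(1)
        elif line.lower() == "</filesmatch>":
            filesmatch = None
        elif ENGINE_OFF.match(line):
            current.engine_off = True
        elif filesmatch is not None and _covers_php(filesmatch):
            if DENY_24.match(line):
                current.php_denied = True
            elif DENY_22.match(line):
                current.php_denied = current.legacy_deny = True
    return policies


def audit_upload_dir(config_text: str, upload_dir: str) -> list:
    """List the problems for upload_dir; an empty list means both controls are in place."""
    pol = parse_directories(config_text).get(upload_dir.rstrip("/"))
    if pol is None:
        return [f"no <Directory> block for {upload_dir}: PHP is parsed and executed there"]
    problems = []
    if not pol.engine_off:
        problems.append("php_admin_flag engine off missing: an uploaded .php executes")
    if not pol.php_denied:
        problems.append("no <FilesMatch> denying .php: the script source is served as text")
    if pol.legacy_deny:
        problems.append("Deny from all is 2.2 syntax: needs mod_access_compat on 2.4, prefer Require all denied")
    return problems


UPLOAD = "/data/wwwroot/111.com/upload"  # assumed path, as in the post

# Constructed vhost fragments: the post's step 1, its extended step, and a 2.4-native form.
VHOST = """\
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
{rules}    </Directory>
</VirtualHost>
"""
STEP1_VHOST = VHOST.format(rules="")
LEGACY_VHOST = VHOST.format(rules=r"""        <FilesMatch "(.*)\.php(.*)">
            Order Allow,deny
            Deny from all
        </FilesMatch>
""")
NATIVE_VHOST = VHOST.format(rules=r"""        <FilesMatch "\.php$">
            Require all denied
        </FilesMatch>
""")

if __name__ == "__main__":
    for name, cfg in (("step 1", STEP1_VHOST), ("extended", LEGACY_VHOST), ("2.4 native", NATIVE_VHOST)):
        print(name, "->", audit_upload_dir(cfg, UPLOAD) or "ok")
```

Run it against your real httpd-vhosts.conf by reading the file into audit_upload_dir; it only understands the directive forms used on this page, so anything set through Include files or .htaccess is outside its view.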
Limit User-Agent
User-Agent: the string a browser (or search-engine crawler) sends to identify itself; it describes the hardware platform, operating system, application software and user preferences.
When attackers run a CC attack (Challenge Collapsar, an HTTP flood) against your server, the access log typically shows the same User-Agent repeated many times within a single second, so one quick response is to block requests by User-Agent. Bear in mind that the User-Agent is chosen by the client and is trivially spoofed, as the curl -A test below shows; this is a nuisance filter, not a defence on its own.
1. Edit the virtual host configuration
[email protected] upload]# vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    ServerAlias www.111.com www.example.com
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*chrome.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]
    </IfModule>
</VirtualHost>
# Requests whose User-Agent contains curl, chrome or baidu.com are refused. NC: match case-insensitively; OR: this condition or the next one (without OR, consecutive RewriteConds are ANDed); [F]: answer 403 Forbidden. Take the patterns from what the log actually shows: the chrome pattern here also blocks every genuine Chrome browser, and baidu.com blocks the Baidu crawler.
Verify (after reloading Apache with apachectl graceful, as in the previous section):
1. Accessing with curl (whose default User-Agent starts with curl/):
[email protected] upload]# curl -x127.0.0.1:80 'http://111.com/upload/baidu.png' -I
HTTP/1.1 403 Forbidden
Date: Thu, 14:30:22 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
2. With -A, which sets the User-Agent, the same request gets through; this is exactly why the filter is easy to bypass:
[email protected] upload]# curl -A 'Linux linux' -x127.0.0.1:80 'http://111.com/upload/baidu.png' -I
HTTP/1.1 200 OK
Date: Thu, 14:30:50 GMT
Server: Apache/2.4.29 (Unix) PHP/5.6.30
Last-Modified: Thu, 14:30:50 GMT
ETag: W/"1EC5-55D9B44CAAAC0"
Accept-Ranges: bytes
Content-Length: 7877
Cache-Control: max-age=86400
Expires: Fri, 14:30:50 GMT
Content-Type: image/png
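The section's advice is to read the block list off the access log: a CC flood shows up as one User-Agent hitting many times within one second. Here is an added Python script, not from the original post, that does that count over combined-format log lines and then checks which agents the post's RewriteCond chain (curl, chrome, baidu.com with [NC,OR]) would refuse. The log lines, addresses, timestamps and the 3-per-second threshold are constructed for the example. It also makes the two limits of the approach visible: the flooding agent is not on the post's fixed list, and a spoofed User-Agent such as 'Linux linux' passes.

```python
"""Find a flooding User-Agent in Apache access logs, then check the post's rule.

Added example, not code from the original post. Counts hits per
(User-Agent, second) over Apache "combined" log lines and reports agents that
reach a threshold in any single second; then emulates the post's RewriteCond
chain. Log lines, IPs, timestamps and the threshold are constructed here.
"""
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

FLOOD_UA = "Mozilla/5.0 (compatible; floodbot/1.0)"   # constructed attacker agent
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36")

# Constructed log: four hits from one agent inside second 14:30:22, then ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.9 - - [10/Nov/2017:14:30:22 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "{FLOOD_UA}"'] * 4
    + [
        f'203.0.113.9 - - [10/Nov/2017:14:30:23 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "{FLOOD_UA}"',
        f'198.51.100.7 - - [10/Nov/2017:14:30:22 +0800] "GET /upload/baidu.png HTTP/1.1" 200 7877 "-" "{CHROME_UA}"',
        f'198.51.100.7 - - [10/Nov/2017:14:30:25 +0800] "GET / HTTP/1.1" 200 1024 "-" "{CHROME_UA}"',
        '127.0.0.1 - - [10/Nov/2017:14:30:22 +0800] "HEAD /upload/baidu.png HTTP/1.1" 200 7877 "-" "curl/7.29.0"',
        "this line is not in combined format and is skipped",
    ]
)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flooding_agents(log_text: str, per_second: int = 3) -> dict:
    """Map User-Agent -> its peak hits within one second, for agents at or above per_second."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits[(rec["ua"], rec["time"])] += 1   # %t has one-second resolution
    peak = {}
    for (ua, _second), n in hits.items():
        peak[ua] = max(peak.get(ua, 0), n)
    return {ua: n for ua, n in peak.items() if n >= per_second}


# The post's three RewriteCond patterns, chained with [OR] and matched with [NC].
REWRITE_CONDS = [re.compile(p, re.I) for p in (r".*curl.*", r".*chrome.*", r".*baidu.com.*")]


def rewrite_rule_forbids(user_agent: str) -> bool:
    """True when the post's RewriteCond chain fires and RewriteRule .* - [F] answers 403."""
    return any(p.search(user_agent) for p in REWRITE_CONDS)


if __name__ == "__main__":
    print("flooding agents:", flooding_agents(SAMPLE_LOG))
    for ua in (FLOOD_UA, CHROME_UA, "curl/7.29.0", "Linux linux"):
        print("403" if rewrite_rule_forbids(ua) else "200", ua)
```

On a real server feed the contents of the access log into flooding_agents and write the RewriteCond from what it returns, rather than from a guess; and remember that a RewriteCond on %{HTTP_USER_AGENT} only raises the attacker's cost by one curl -A flag.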
This article is from the "Discover new things" blog; please keep this source when reposting: http://shenj.blog.51cto.com/5802843/1980653
Restricting a directory from parsing PHP, limiting User-Agent, PHP-related configuration