有的网站论坛开启了上传图片功能,导致黑客木马捆绑图片上传到服务器,通过访问php来提升服务器后台权限,
这里我们就需要将上传图片的目录禁止访问php文件,来达到防止黑客木马上传上来通过访问web来运行木马的作用;
编辑虚拟配置文件
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf增加代码
???<Directory /data/wwwroot/szl.com/upload> ???????php_admin_flag engine off ???????<FilesMatch (.*)\.php(.*)> ???????Order allow,deny ???????Deny from all ???????</FilesMatch> ???</Directory>配置生效
/usr/local/apache2.4/bin/apachectl -t/usr/local/apache2.4/bin/apachectl graceful测试:
访问szl.com/upload/123.php,禁止访问403
curl -x127.0.0.1:80 szl.com/upload/123.php<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don‘t have permission to access /upload/123.phpon this server.<br /></p></body></html>访问控制-user_agent
防止多肉鸡洪水攻击,也就是超出服务器正常访问的访问,屏蔽掉一curl的访问;
user_agent:使用curl访问或使用浏览器访问,会产生日志文件,名字就是curl或浏览器名称;
编辑虚拟配置文件
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf增加配置
<IfModule mod_rewrite.c> ???????????????????????????????????????????????????????//应用rewrite模块 ???????RewriteEngine on ???????????????????????????????????????????????????????????????//启用规则 ???????RewriteCond %{HTTP_USER_AGENT} ?.*curl.* [NC,OR] ??????????//定义规则1,NC不区分大小写、or或、*curl.*访问中有curl的禁止 ???????RewriteCond %{HTTP_USER_AGENT} ?.*baidu.com.* [NC] ??????//定义规则2,不区分大小写,访问agent为baidu.com的 ???????RewriteRule ?.* ?- ?[F]</IfModule>检查http.conf文件是否加载rewrite模块
/usr/local/apache2.4/bin/apachectl -M |grep rewrite生效配置
/usr/local/apache2.4/bin/apachectl -t/usr/local/apache2.4/bin/apachectl graceful测试
使用curl访问szl.com/admin.php,拒绝访问,403
curl -x127.0.0.1:80 szl.com/admin.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don‘t have permission to access /admin.phpon this server.<br /></p></body></html>定义其他agent访问,成功200
curl -A "szl szl" -x127.0.0.1:80 szl.com/admin.php -I
HTTP/1.1 200 OKDate: Wed, 07 Mar 2018 10:24:27 GMTServer: Apache/2.4.29 (Unix) PHP/5.6.30X-Powered-By: PHP/5.6.30Content-Type: text/html; charset=UTF-8lamp架构-访问控制-禁止php解析、屏蔽curl命令访问
原文地址:http://blog.51cto.com/shuzonglu/2083974