Access control: restricting PHP parsing
Files uploaded by users may end up in a directory from which the web server would execute them. To avoid that damage, configure in advance that PHP (or other executable files) placed in these directories is never parsed.
- Edit the virtual host configuration file
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
- The key configuration is as follows (the explanatory notes are # comment lines, because Apache does not accept // inline comments)
  <Directory /data/wwwroot/111.com/upload>
      # disable PHP parsing inside /data/wwwroot/111.com/upload
      php_admin_flag engine off
  </Directory>
- Hardened version
  With engine off alone, Apache no longer executes .php files in this directory but still serves them as ordinary files, so their source would be readable by visitors. Adding a FilesMatch block denies access to any file whose name contains .php (names such as x.php.jpg included), so the request is rejected with 403 instead:
  <Directory /data/wwwroot/111.com/upload>
      # disable PHP parsing inside /data/wwwroot/111.com/upload
      php_admin_flag engine off
      <FilesMatch (.*)\.php(.*)>
          Order allow,deny
          Deny from all
      </FilesMatch>
  </Directory>
  Note that Order/Deny is the Apache 2.2 access-control syntax; on Apache 2.4 it only works while mod_access_compat is loaded, and the native 2.4 form is "Require all denied".
- graceful restart
/usr/local/apache2.4/bin/apachectl graceful
- Create the directory and a test file
  [root@yolks2 ~]# mkdir /data/wwwroot/111.com/upload/
  [root@yolks2 ~]# cd !$
  cd /data/wwwroot/111.com/upload/
  [root@yolks2 upload]# ls
  [root@yolks2 upload]# vim test_uplaod.php
  [root@yolks2 upload]# ls
  test_uplaod.php
- Test result: 403 Forbidden, the file is not served
  curl -x127.0.0.1:80 'http://111.com/upload/123.php' -I
  [root@yolks2 upload]# curl -x127.0.0.1:80 'http://111.com/upload/test_uplaod.php' -I
  HTTP/1.1 403 Forbidden
  Date: Mon, 06 Aug 2018 14:32:03 GMT
  Server: Apache/2.4.34 (Unix) PHP/5.6.32
  Content-Type: text/html; charset=iso-8859-1
Restrict user_agent
The user_agent can be thought of as the browser identifier. Consider a site under a CC attack: the attacker controls a large number of zombie machines and has them all request one site at the same time. A CC attack usually has a recognisable signature: the user_agent is the same across the requests, the requested address is the same, and the request rate is high, N times per second.
Solution: restrict by user_agent to reduce the load on the server.
Edit the virtual host configuration file
vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
The core configuration is as follows (the explanatory notes are # comment lines, because Apache does not accept // inline comments):
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Condition 1; OR means the rule below fires when either condition 1 or condition 2 matches
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    # Condition 2; NC means the match ignores case
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    # The rule; F returns 403 Forbidden
    RewriteRule .* - [F]
</IfModule>
Reload the configuration
/usr/local/apache2.4/bin/apachectl graceful
curl test: 403 error
curl -x127.0.0.1:80 'http://111.com/index.php' -I
HTTP/1.1 403 Forbidden
Date: Tue, 07 Aug 2018 14:29:45 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
Content-Type: text/html; charset=iso-8859-1
View the log: the request is recorded as rejected (403)
[root@yolks2 ~]# tail -f /usr/local/apache2.4/logs/111.com-access_20180807.log
127.0.0.1 - - [07/Aug/2018:22:29:45 +0800] "HEAD http://111.com/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
To prove that it is the user_agent that is being restricted, send the request with a custom user_agent of "yolks yolks"; it is then served normally.
[root@yolks2 ~]# curl -A "yolks yolks" -x127.0.0.1:80 'http://111.com/index.php' -I
HTTP/1.1 200 OK
Date: Tue, 07 Aug 2018 14:33:28 GMT
Server: Apache/2.4.34 (Unix) PHP/5.6.32
X-Powered-By: PHP/5.6.32
Content-Type: text/html; charset=UTF-8
Look at the log again: the second request is recorded with 200:
[root@yolks2 ~]# tail -f /usr/local/apache2.4/logs/111.com-access_20180807.log
127.0.0.1 - - [07/Aug/2018:22:29:45 +0800] "HEAD http://111.com/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [07/Aug/2018:22:33:28 +0800] "HEAD http://111.com/index.php HTTP/1.1" 200 - "-" "yolks yolks"
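As an added example (not part of the original tutorial), the following Python script parses access-log lines in the format shown above, applies the two RewriteCond patterns from the vhost to show which user_agents the [F] rule would reject, and flags the CC signature described earlier: the same client, user_agent and address hitting the server many times within one second. The first two sample lines are the ones logged on this page; the burst lines, the client address 10.0.0.9 and the threshold are constructed.

```python
import re
from collections import Counter

# Combined-log format as written by this vhost, e.g.
# 127.0.0.1 - - [07/Aug/2018:22:29:45 +0800] "HEAD http://111.com/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# The two RewriteCond patterns exactly as the vhost writes them (the '.' in baidu.com is
# unescaped there as well); [NC] makes the match case-insensitive.
BLOCKED_UA = [re.compile(r'.*curl.*', re.I), re.compile(r'.*baidu.com.*', re.I)]

def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not in this format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def ua_is_blocked(ua):
    """True when the [F] rule would fire: the two conditions are joined by [OR]."""
    return any(p.match(ua) for p in BLOCKED_UA)

def find_bursts(lines, per_second=5):
    """Group hits by (ip, user_agent, url, timestamp-second) and return the groups that
    exceed per_second: one user_agent hitting one address N times within a second."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec['ip'], rec['ua'], rec['url'], rec['ts'])] += 1
    return {key: n for key, n in counts.items() if n > per_second}

# Constructed sample: the two requests logged on this page, then a burst from one client.
SAMPLE_LOG = [
    '127.0.0.1 - - [07/Aug/2018:22:29:45 +0800] "HEAD http://111.com/index.php HTTP/1.1" 403 - "-" "curl/7.29.0"',
    '127.0.0.1 - - [07/Aug/2018:22:33:28 +0800] "HEAD http://111.com/index.php HTTP/1.1" 200 - "-" "yolks yolks"',
] + ['10.0.0.9 - - [07/Aug/2018:22:40:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 bot"'] * 6

if __name__ == "__main__":
    for line in SAMPLE_LOG[:2]:
        rec = parse_line(line)
        print(rec['ua'], '-> blocked' if ua_is_blocked(rec['ua']) else '-> allowed')
    for (ip, ua, url, ts), n in find_bursts(SAMPLE_LOG, per_second=3).items():
        print(f'burst: {n} hits from {ip} ({ua}) on {url} at {ts}')
```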
- Several useful curl options
- -e: specify the Referer (must start with http://)
- -A: specify the user_agent
- -x: specify the IP (and port) to connect to, which saves editing the hosts file
- -I: fetch only the response headers, to view the status code
PHP-related configuration
Find the location of the loaded PHP configuration file
Method 1: run /usr/local/php/bin/php -i | grep -i "loaded configuration file"
Method 2: look it up with phpinfo()
Edit index.php to call phpinfo():
[root@yolks2 111.com]# cat index.php
<?php
echo "this is test 111.com";
phpinfo();
?>
Open 111.com/index.php in a browser; the phpinfo output lists the loaded configuration file.
If no php.ini is loaded, copy one from the source package (php.ini-production is the stricter template, with display_errors off by default):
[root@yolks2 111.com]# cd /usr/local/src/php-7.1.6/
[root@yolks2 php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
After reloading Apache, phpinfo shows that php.ini is now loaded.
Configure php.ini
1. Restrict dangerous functions with disable_functions
vim /usr/local/php7/etc/php.ini, then search for /disable_fun in the editor
Dangerous functions (set them as the value of disable_functions; the list is reproduced as given, duplicates included; note that eval is a language construct, not a function, so disable_functions has no effect on it):
eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo
Some companies also disable phpinfo, because phpinfo exposes system directories and configuration details to others, which is dangerous.
After the configuration is applied (reload Apache), 111.com/index.php shows that phpinfo has been disabled.
2. Set date.timezone (the time zone)
Time zone: Asia/Shanghai or Asia/Chongqing
3. Error logging
display_errors controls whether error messages are displayed. When it is on, the error is printed in the browser, which can expose the script path and directory layout.
When it is set to off, the same page shows only a blank page: others no longer see the error, but it is also harder for you to find out what went wrong.
Therefore, after setting display_errors to off, configure the error log with log_errors and the related directives.
log_errors
1) log_errors = On: enable the error log.
2) error_log: the file the errors are written to (this tutorial uses /tmp/php_errors.log); the file must be writable by the user Apache runs as, otherwise nothing is logged.
3) error_reporting: the level of errors to record. A very strict level records only serious errors and omits the less serious ones; the level can be relaxed or tightened as needed.
error_reporting = E_ALL & ~E_NOTICE is commonly used in production environments.
Visit the page again and view the log:
[root@yolks2 php-7.1.6]# curl -A "yolks" -x127.0.0.1:80 111.com/index.php
this is test 111.com
[root@yolks2 php-7.1.6]# cat /tmp/php_errors.log
[07-Aug-2018 15:46:00 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 3
Let's simulate another error: create 2.php in /data/wwwroot/111.com/ with deliberately broken content.
The file 2.php reads as follows:
cat /data/wwwroot/111.com/2.php
<?php
shsjshjshj
Test: the response is 500 Internal Server Error and the parse error is recorded in the log.
[root@yolks2 php-7.1.6]# curl -A "yolks" -x127.0.0.1:80 111.com/2.php
[root@yolks2 php-7.1.6]# curl -A "yolks" -x127.0.0.1:80 111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 07 Aug 2018 15:49:50 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
[root@yolks2 php-7.1.6]# cat /tmp/php_errors.log
[07-Aug-2018 15:46:00 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 3
[07-Aug-2018 15:49:47 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 3
[07-Aug-2018 15:49:50 UTC] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 3
4. open_basedir
For example, one server hosts many sites. If one of them has more vulnerabilities and is compromised, and the attacker obtains execution rights there, the compromise can be extended from that site into another site on the same server. With open_basedir set, that further step may be blocked.
Site A lives in directory A and site B in directory B; even if site A is compromised, only directory A is affected, and the other directories are not.
Modify /usr/local/php7/etc/php.ini (use : to separate multiple directories that PHP is restricted to; temporary files are written under /tmp by default, so include the /tmp directory as well).
php.ini applies to every site on the server: if several sites run under the same PHP, php.ini cannot give each of them a separate restriction.
An open_basedir for a single site is therefore defined in the Apache virtual host rather than in php.ini.
php_admin_value can set any php.ini parameter, such as error_log or error_reporting, and can set a different open_basedir for each virtual host.
Restrict open_basedir per virtual host
Restrict the directory by adding the following line inside the site's <VirtualHost> block (the first virtual host above); add the same line, with its own path, to each of the other virtual hosts:
    php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
The /tmp/ directory is included because temporary files, such as uploads, are written to /tmp/.
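As an added example (not from the tutorial), this Python audit reads a php.ini and reports which of the settings covered in this section are missing or weak: the command-running functions from the disable_functions list plus phpinfo, display_errors, log_errors and error_log, the recommended error_reporting level, date.timezone and open_basedir. The parser is a minimal one (key = value lines, ; comments, sections ignored) and an unset directive is treated as the unsafe value; the two ini texts are constructed, with the hardened one reflecting the values this page ends up with.

```python
import re

# Functions from the page's disable_functions list that run commands or spawn processes, plus
# phpinfo; a constructed subset used for the check, not the page's full list.
REQUIRED_DISABLED = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "phpinfo"}

def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines; ';' comments and [sections] skipped (assumes no ';' inside values)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'")
    return settings

def is_on(value):
    return value.strip().lower() in ("1", "on", "true", "yes")  # php.ini boolean spellings

def audit(text):
    """Return the findings for one php.ini; an empty list means every check passed. Unset = unsafe."""
    cfg = parse_ini(text)
    findings = []
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",")}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    if is_on(cfg.get("display_errors", "On")):
        findings.append("display_errors is On: errors and script paths are shown to visitors")
    if not is_on(cfg.get("log_errors", "Off")):
        findings.append("log_errors is Off: errors are not recorded anywhere")
    if not cfg.get("error_log"):
        findings.append("error_log is unset: no file to write errors to")
    if re.sub(r"\s", "", cfg.get("error_reporting", "")).upper() != "E_ALL&~E_NOTICE":
        findings.append("error_reporting is not E_ALL & ~E_NOTICE")
    if not cfg.get("date.timezone"):
        findings.append("date.timezone is unset")
    if not cfg.get("open_basedir"):
        findings.append("open_basedir is unset: a compromised site can reach other sites' files")
    return findings

# Constructed php.ini fragments: development-style defaults, and the end state of this section.
WEAK_INI = "[PHP]\ndisable_functions =\ndisplay_errors = On\nlog_errors = Off\nerror_reporting = E_ALL\n"
HARDENED_INI = """[PHP]
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,phpinfo
display_errors = Off
log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
date.timezone = Asia/Shanghai
open_basedir = "/data/wwwroot/111.com:/tmp/"
"""
```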