Disabling PHP parsing, access control, and PHP configuration

1. Restricting PHP parsing in a given directory

Add the following block to the virtual host configuration file:

<Directory /data/wwwroot/aaa.com/upload>
    php_admin_flag engine off
</Directory>

Reload the configuration;

Copy 123.php from aaa.com into the upload directory;

[root@yuioplvlinux-128 ~]# cd /data/wwwroot/aaa.com/
[root@yuioplvlinux-128 aaa.com]# ls
123.php  2959d05a089225a9bcfeccb039a5fe62.jpg  admin  index.html
[root@yuioplvlinux-128 aaa.com]# mkdir upload
[root@yuioplvlinux-128 aaa.com]# cp 123.php upload/

Test with curl; the output shows that 123.php is no longer parsed:

[root@yuioplvlinux-128 aaa.com]# curl -x127.0.0.1:80 aaa.com/upload/123.php
<?php
echo "123.php";

But this leaves a problem: the source code is leaked, so also add a block that denies access;

<Directory /data/wwwroot/aaa.com/upload>
    php_admin_flag engine off
    <FilesMatch (.*)\.php(.*)>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

Reload the configuration and test with curl;

[root@yuioplvlinux-128 aaa.com]# curl -x127.0.0.1:80 aaa.com/upload/123.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /upload/123.php
on this server.<br />
</p>
</body></html>
[root@yuioplvlinux-128 aaa.com]# curl -x127.0.0.1:80 aaa.com/upload/123.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 03 Jun 2018 02:43:22 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

2. Access control: user_agent

user_agent is the browser identifier; when the request is made with curl, the user_agent is "curl/7.29.0";

Access can be restricted by user_agent, for example to limit unfriendly search-engine crawlers, or to limit malicious requests. Such malicious requests are commonly called CC attacks: many users' machines access the same site at the same time, and once the volume or frequency reaches a certain level, server resources are exhausted and the site can no longer serve normally.

Add the following block to the virtual host configuration file:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
    RewriteRule  .*  -  [F]
</IfModule>

%{HTTP_USER_AGENT} is the built-in variable holding the user_agent. In this example, when the user_agent matches either curl or baidu.com the rule below fires; in the brackets, OR means "or", NC means "case-insensitive", and F is equivalent to Forbidden;

Test with curl;

[root@yuioplvlinux-128 ~]# curl -x127.0.0.1:80 aaa.com/123.php -I
HTTP/1.1 403 Forbidden
Date: Sun, 03 Jun 2018 03:17:13 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

[root@yuioplvlinux-128 ~]# curl -A "yuioplv" -x127.0.0.1:80 aaa.com/123.php -I
HTTP/1.1 200 OK
Date: Sun, 03 Jun 2018 03:17:23 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Cache-Control: max-age=0
Expires: Sun, 03 Jun 2018 03:17:23 GMT
Content-Type: text/html; charset=UTF-8

In the first request the user_agent is "curl/7.29.0", which matches the first condition, so the response is 403. curl's -A option sets the user_agent; in the second request it is "yuioplv", which matches no condition, so the status code is 200;

Check the access log;

[root@yuioplvlinux-128 ~]# tail /usr/local/apache2/logs/aaa.com-access_20180603_log
192.168.30.1 - - [03/Jun/2018:10:53:02 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
192.168.30.1 - - [03/Jun/2018:10:53:05 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
192.168.30.1 - - [03/Jun/2018:10:53:06 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
192.168.30.1 - - [03/Jun/2018:10:53:18 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
192.168.30.1 - - [03/Jun/2018:10:53:19 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
192.168.30.1 - - [03/Jun/2018:10:53:20 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
127.0.0.1 - - [03/Jun/2018:11:16:27 +0800] "HEAD HTTP://aaa.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [03/Jun/2018:11:17:00 +0800] "HEAD HTTP://aaa.com/upload/123.php HTTP/1.1" 403 - "-" "yuioplv"
127.0.0.1 - - [03/Jun/2018:11:17:13 +0800] "HEAD HTTP://aaa.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [03/Jun/2018:11:17:23 +0800] "HEAD HTTP://aaa.com/123.php HTTP/1.1" 200 - "-" "yuioplv"
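As an added example (not from the original post), the following Python script parses access-log lines in the combined format shown above, applies the same two User-Agent patterns as the RewriteCond lines to report which requests the rule would refuse, and flags IPs that send a burst of requests within a short window, a crude indicator of the CC-style floods this section describes. The sample log lines are constructed, and the 10-second window and 3-request threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache combined log format, as in the aaa.com access log shown above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# The two RewriteCond patterns from the vhost above; [NC] becomes re.IGNORECASE.
BLOCKED_UA = [re.compile(p, re.IGNORECASE) for p in (r'.*curl.*', r'.*baidu.com.*')]

# Constructed sample modelled on the access log above (not the page's own data).
SAMPLE_LOG = """\
192.168.30.1 - - [03/Jun/2018:10:53:02 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 Chrome/65.0"
192.168.30.1 - - [03/Jun/2018:10:53:05 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 Chrome/65.0"
192.168.30.1 - - [03/Jun/2018:10:53:06 +0800] "GET /123.php HTTP/1.1" 200 7 "-" "Mozilla/5.0 Chrome/65.0"
127.0.0.1 - - [03/Jun/2018:11:16:27 +0800] "HEAD HTTP://aaa.com/upload/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [03/Jun/2018:11:17:13 +0800] "HEAD HTTP://aaa.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
127.0.0.1 - - [03/Jun/2018:11:17:23 +0800] "HEAD HTTP://aaa.com/123.php HTTP/1.1" 200 - "-" "yuioplv"
""".splitlines()

def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_blocked_ua(ua):
    """True if the RewriteRule above would answer 403 for this User-Agent."""
    return any(p.match(ua) for p in BLOCKED_UA)

def analyse(lines, window=10, burst=3):
    """Count hits per blocked UA; flag IPs with >= burst requests in any window-second span."""
    blocked, per_ip = Counter(), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if is_blocked_ua(rec["ua"]):
            blocked[rec["ua"]] += 1
        per_ip[rec["ip"]].append(rec["ts"])
    bursty = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window)
            if n >= burst:
                bursty.add(ip)
                break
    return blocked, bursty
```

Running analyse(SAMPLE_LOG) reports two would-be-blocked curl requests and flags 192.168.30.1, which sent three requests within four seconds.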

3. PHP configuration

Create a new file index.php under the aaa.com directory with the following content:

<?php
phpinfo();

Copy php.ini-development from the /usr/local/src/php-7.1.6 directory into place, then reload the configuration;

[root@yuioplvlinux-128 aaa.com]# cd /usr/local/src/php-7.1.6
[root@yuioplvlinux-128 php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
[root@yuioplvlinux-128 php-7.1.6]# /usr/local/apache2/bin/apachectl graceful

Open it in a browser; screenshot as follows:


3.1 PHP disable_functions

PHP has many built-in functions, some of which directly invoke Linux system commands; leaving them enabled is very dangerous, so functions that carry a security risk should be disabled;

Edit /usr/local/php7/etc/php.ini, search for disable_functions, and set it as follows;

disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close,phpinfo

Save, then reload the configuration;

Now when index.php is accessed again, you can see that phpinfo is disabled;


3.2 Configuring the time zone

Define the time zone, setting it to Shanghai (date.timezone = Asia/Shanghai);


3.3 Configuring error_log

PHP's error log is very important; it is a key tool for troubleshooting. Set display_errors to Off: if it is On, errors are shown directly in the browser, which is bad for visitors and also exposes important information such as file paths, so it must be Off.


Reload the configuration and open the page in a browser; a blank page is displayed;


Test with curl; nothing is output;

[root@yuioplvlinux-128 ~]# curl -A "yuioplv" -x127.0.0.1:80 aaa.com/index.php -I
HTTP/1.1 200 OK
Date: Sun, 03 Jun 2018 05:40:49 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Cache-Control: max-age=0
Expires: Sun, 03 Jun 2018 05:40:49 GMT
Content-Type: text/html; charset=UTF-8

[root@yuioplvlinux-128 ~]# curl -A "yuioplv" -x127.0.0.1:80 aaa.com/index.php

log_errors can also be set to On or Off; for PHP to record an error log it must be On;


error_log sets the error log path (here /var/log/php/php_errors.log);


error_reporting sets the error log level. E_ALL records every type of message, notices and warnings alike; it is usually used in development environments to make troubleshooting easier. Here it is set to E_ALL & ~E_NOTICE, where & means "and" and ~ means "exclude", so everything in E_ALL is logged except notice-level messages.


After saving and exiting, create the /var/log/php directory and set its permissions to 777;

After reloading the configuration, test with curl; a PHP error log now appears under /var/log/php;

[root@yuioplvlinux-128 php]# pwd
/var/log/php
[root@yuioplvlinux-128 php]# chmod 777 /var/log/php
[root@yuioplvlinux-128 php]# /usr/local/apache2/bin/apachectl graceful
[root@yuioplvlinux-128 php]# curl -A "yuioplv" -x127.0.0.1:80 aaa.com/index.php -I
HTTP/1.1 200 OK
Date: Sun, 03 Jun 2018 05:53:37 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Cache-Control: max-age=0
Expires: Sun, 03 Jun 2018 05:53:37 GMT
Content-Type: text/html; charset=UTF-8

[root@yuioplvlinux-128 php]# ls
php_errors.log

View the contents of the error log;

[root@yuioplvlinux-128 php]# cat php_errors.log 
[03-Jun-2018 13:53:37 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/aaa.com/index.php on line 2

Create a new file 2.php under the aaa.com directory with the following content (the missing semicolon is deliberate):

<?php
echo 123

Test with curl, then check the error log;

[root@yuioplvlinux-128 php]# curl -A "yuioplv" -x127.0.0.1:80 aaa.com/2.php
[root@yuioplvlinux-128 php]# curl -A "yuioplv" -x127.0.0.1:80 aaa.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Sun, 03 Jun 2018 05:58:39 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

[root@yuioplvlinux-128 php]# cat php_errors.log 
[03-Jun-2018 13:53:37 Asia/Shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/aaa.com/index.php on line 2
[03-Jun-2018 13:58:37 Asia/Shanghai] PHP Parse error:  syntax error, unexpected end of file, expecting ',' or ';' in /data/wwwroot/aaa.com/2.php on line 3
[03-Jun-2018 13:58:40 Asia/Shanghai] PHP Parse error:  syntax error, unexpected end of file, expecting ',' or ';' in /data/wwwroot/aaa.com/2.php on line 3

3.4 Configuring open_basedir

A single server often runs many sites, and once one of them is compromised the others are likely to be affected too. PHP has a setting called open_basedir that confines a site to a specified directory: even if that site is compromised, the attacker can only operate inside that directory and cannot touch other directories.

If there is only one site, it can be defined in php.ini, in the following format:

open_basedir = /data/wwwroot/aaa.com:/tmp/


If there are multiple sites, set it in the virtual host configuration file, in the following format:

php_admin_value open_basedir "/data/wwwroot/aaa.com:/tmp/"

To test, first deliberately set the directory in the wrong format;

[root@yuioplvlinux-128 php]# !curl
curl -A "yuioplv" -x127.0.0.1:80 aaa.com/123.php -I
HTTP/1.0 500 Internal Server Error
Date: Sun, 03 Jun 2018 07:19:58 GMT
Server: Apache/2.4.33 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

A 500 status code is returned, which shows that the page being accessed has an error.
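As an added example (not from the original post), the following Python script audits a php.ini against the settings covered in this section: disable_functions coverage, display_errors, log_errors, error_log, date.timezone and open_basedir. The sample php.ini text is constructed, and the DANGEROUS set is a subset of the page's list chosen for the example.

```python
# Functions from the disable_functions list above that a hardened php.ini must cover
# (a subset chosen for this example; eval is a language construct and is omitted).
DANGEROUS = {"assert", "system", "exec", "shell_exec", "passthru", "popen",
             "proc_open", "pfsockopen", "dl", "phpinfo"}

def parse_ini(text):
    """Minimal php.ini reader: drops ; comments and section headers, last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, val = (s.strip() for s in line.split("=", 1))
            conf[key.lower()] = val.strip('"')
    return conf

def audit(conf):
    """Return findings against the settings covered in this section; [] means all good."""
    findings = []
    disabled = {f.strip() for f in conf.get("disable_functions", "").split(",")}
    missing = sorted(DANGEROUS - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    if conf.get("display_errors", "").lower() != "off":
        findings.append("display_errors should be Off (errors and file paths leak to visitors)")
    if conf.get("log_errors", "").lower() != "on":
        findings.append("log_errors should be On")
    if not conf.get("error_log"):
        findings.append("error_log is not set")
    if not conf.get("date.timezone"):
        findings.append("date.timezone is not set")
    if not conf.get("open_basedir"):
        findings.append("open_basedir is not set (site is not confined to its own directory)")
    return findings

# Constructed sample resembling php.ini-development after the edits described above.
SAMPLE_INI = """
[PHP]
disable_functions = assert,system,exec,shell_exec,passthru,popen,proc_open,pfsockopen,dl,phpinfo
display_errors = On   ; still at the development default
log_errors = On
error_log = "/var/log/php/php_errors.log"
error_reporting = E_ALL & ~E_NOTICE
date.timezone = Asia/Shanghai
"""

if __name__ == "__main__":
    for finding in audit(parse_ini(SAMPLE_INI)):
        print("-", finding)
```

On the sample it reports two findings, display_errors still On and open_basedir unset, which are exactly the two changes the section has not yet applied at that point.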



Reposted from blog.csdn.net/yuioplv/article/details/80554666