Apache: hotlinking, anti-hotlinking via the Referer header, and hiding version information


Preface

To implement anti-hotlinking we first have to understand how hotlinking works, and that starts with the HTTP protocol. HTTP defines a request header called Referer whose value is a URL: the address of the page from which the current page or file was linked. Using the Referer, a site can tell which page a visitor came from and, for a resource such as an image, which page is embedding it. Hotlinking is exactly that case: a third-party page embeds an image hosted on our server, so our server pays for the bandwidth while the other site shows the picture. Because the source is easy to read from the Referer, the server can act on it: once a request for an image arrives with a Referer that is not one of our own pages, it is blocked or answered with a designated replacement image. Two limits to keep in mind: the Referer is sent by the client and can be omitted or forged, so this is a deterrent against casual embedding rather than access control, and browsers omit it on direct visits and under strict referrer policies, so the rules must decide what to do with an empty Referer.

One: Practical steps of hotlinking

DNS resolution is set up on the host that serves the website, and the site is reached through the domain name www.ab.com.

Web and DNS server (www.ab.com): 20.0.0.41   Hotlinking host: 20.0.0.42   Client: a Windows 10 machine used for browser tests

Server configuration (20.0.0.41)

1.1: Configure the DNS service

[root@localhost ~]# iptables -F
[root@localhost ~]# setenforce 0
# install BIND
[root@localhost ~]# yum -y install bind
  • Configure the main DNS configuration file, /etc/named.conf. Listening on every address and answering queries from anywhere is fine for this lab; in production restrict allow-query to the networks that need it.

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
  • Configure the zone
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "ab.com" IN {
        type master;
        file "ab.com.zone";
        allow-update { none; };
};
  • Configure the zone data file
[root@localhost ~]# cd /var/named/
[root@localhost named]# cp -p named.localhost ab.com.zone
[root@localhost named]# vim ab.com.zone

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www IN  A       20.0.0.41
# restart the service
[root@localhost named]# systemctl restart named

1.2: Test DNS resolution from the Windows 10 client

Point the client's DNS at 20.0.0.41 and check that www.ab.com resolves to 20.0.0.41.

1.3: First, compile and install Apache from source

  • Extract the three source packages in an empty directory, /opt
[root@localhost opt]# tar zxvf apr-1.6.2.tar.gz
[root@localhost opt]# tar zxvf apr-util-1.6.0.tar.gz
[root@localhost opt]# tar jxvf httpd-2.4.29.tar.bz2
# Move the extracted apr and apr-util directories into httpd-2.4.29/srclib/ under the names apr and apr-util, so that httpd builds its own copy of the Apache Portable Runtime instead of depending on the system's
[root@localhost opt]# mv apr-1.6.2 httpd-2.4.29/srclib/apr
[root@localhost opt]# mv apr-util-1.6.0 httpd-2.4.29/srclib/apr-util
# Install the build dependencies with yum: gcc, gcc-c++ and make for the toolchain, pcre and pcre-devel (PCRE, the Perl-compatible regular expression library that httpd's pattern matching uses), plus perl, expat-devel and zlib-devel
[root@localhost opt]# yum install gcc gcc-c++ make pcre pcre-devel perl expat-devel zlib-devel
# Run configure in /opt/httpd-2.4.29. The options:
#   --prefix=/usr/local/httpd   install path
#   --enable-deflate            output compression (mod_deflate)
#   --enable-so                 dynamic module loading
#   --enable-rewrite            URL rewriting (mod_rewrite, which the anti-hotlink rules need)
#   --enable-charset-lite       character set translation
#   --enable-cgi                Common Gateway Interface
# (The comments cannot follow the backslash on the same line: a backslash must be the last character on the line for the continuation to work)
[root@localhost httpd-2.4.29]# ./configure \
> --prefix=/usr/local/httpd \
> --enable-deflate \
> --enable-so \
> --enable-rewrite \
> --enable-charset-lite \
> --enable-cgi

1.4: Compile with make and install with make install

[root@localhost httpd-2.4.29]# make            # compile
... output omitted
[root@localhost httpd-2.4.29]# make install    # install
... output omitted

1.5: Edit the configuration file

  • For easier management, create a symbolic link to the configuration file and edit it through the link
[root@localhost httpd-2.4.29]# ln -s /usr/local/httpd/conf/httpd.conf  /etc/httpd.conf
[root@localhost httpd-2.4.29]# cd /usr/local/httpd/
[root@localhost httpd]# cd htdocs/
[root@localhost htdocs]# ls
index.html
# copy an image into the document root (rz receives a file from the terminal client)
[root@localhost htdocs]# rz -E
rz waiting to receive.
[root@localhost htdocs]# ls
1389753641370.jpg  index.html
[root@localhost htdocs]# vim index.html
# write the home page; the <img> tag belongs inside <body>, not after </html>
<html><body><h1>It works!</h1><img src="1389753641370.jpg"/></body></html>

# now edit the configuration through the link created above (/etc/httpd.conf):
# Listen address: the host's own IP, i.e. port 80 on 20.0.0.41 only. The commented line below is the default, which listens on port 80 of every address (IPv4 and IPv6), not only IPv6
Listen 20.0.0.41:80
#Listen 80
# Server name. It does not have to match the DNS name (the site is reached as www.ab.com); Apache only uses it when building self-referential URLs
ServerName www.shuai.com:80
## start the service
[root@localhost htdocs]# cd ..
[root@localhost httpd]# cd bin/
# stop the service, then start it again
[root@localhost bin]# ./apachectl stop
# while the service is stopped nothing listens on the port
[root@localhost bin]# netstat -ntap | grep httpd
# start it and confirm that port 80 is open
[root@localhost bin]# ./apachectl start
[root@localhost bin]# netstat -ntap | grep httpd
tcp        0      0 20.0.0.41:80            0.0.0.0:*               LISTEN      121958/httpd

1.6: The client can visit the home page normally

Open http://www.ab.com/ in the client's browser: the "It works!" page and the image load.

Two: Hotlinking host setup (20.0.0.42)

2.1: Prepare the environment

[root@localhost ~]# iptables -F
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum install httpd -y

2.2: Modify the listen address and server name

[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
# listen address
Listen 20.0.0.42:80
#Listen 80
# server name
ServerName www.shuai.com:80

# write a page that embeds the image hosted on www.ab.com
[root@localhost ~]# cd /var/www/html/
[root@localhost html]# vim index.html

<h1>Hello</h1>
<img src="http://www.ab.com/1389753641370.jpg"/>

# point this host at the lab DNS server so that www.ab.com resolves
[root@localhost html]# echo "nameserver 20.0.0.41" > /etc/resolv.conf

2.3: Restart the service

[root@localhost html]# systemctl start httpd.service
[root@localhost html]# netstat -ntap | grep httpd
tcp        0      0 20.0.0.42:80            0.0.0.0:*               LISTEN      21810/httpd 

2.4: Hotlink test

From the client, open http://20.0.0.42/. The page shows the image that lives on www.ab.com: the browser fetches http://www.ab.com/1389753641370.jpg itself, sending Referer: http://20.0.0.42/ with the request, and the original host serves it without complaint. That Referer is what the anti-hotlink rule will key on.

Three: Enable anti-hotlinking on the original host (20.0.0.41)

Apache anti-hotlinking can be implemented with mod_rewrite.
Make sure the rewrite module is loaded in httpd.conf (search for rewrite and uncomment the line):
LoadModule rewrite_module modules/mod_rewrite.so
## DocumentRoot is the site directory; the replacement image goes there in a moment
DocumentRoot "/usr/local/httpd/htdocs"
Then append the following at the end of the file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://ab.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://ab.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.ab.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.ab.com$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.ab.com/MZY7BWZN(6~~KTS5MILYXAX.png

How it works: each RewriteCond is negated (!) and consecutive conditions are ANDed, so the rule fires only when the Referer matches none of the site's own URLs. When it fires, any request for a .gif, .jpg or .swf file is answered with the replacement image instead. The replacement is a .png precisely so that it does not match the rule itself; otherwise the rewrite would loop. Three caveats: a request with no Referer at all (a direct visit, or a browser with a strict referrer policy) also matches none of the patterns and receives the replacement, so put a condition that exempts an empty Referer (RewriteCond %{HTTP_REFERER} !^$) ahead of the others if direct access should keep working; the patterns only cover http://, so a page served over https would be treated as foreign; and the Referer is supplied by the client and trivially forged (curl -e sets it), so this deters casual embedding rather than enforcing access control.


3.1: Put the replacement image in the site directory

[root@localhost bin]# cd ..
[root@localhost httpd]# pwd
/usr/local/httpd
[root@localhost httpd]# cd htdocs/
[root@localhost htdocs]# ls
1389753641370.jpg  index.html
# copy the replacement image in
[root@localhost htdocs]# rz -E
rz waiting to receive.
[root@localhost htdocs]# ls
1389753641370.jpg  index.html  MZY7BWZN(6~~KTS5MILYXAX.png

[root@localhost htdocs]# cd ..
[root@localhost httpd]# cd bin/
# stop the service and start it again so the new rules are read
[root@localhost bin]# ./apachectl stop
[root@localhost bin]# ./apachectl start

3.2: Test whether the image can still be hotlinked

Open http://20.0.0.42/ from the client again. The hotlinking host's page now shows the replacement image in place of the original, because the browser's request for 1389753641370.jpg carries a foreign Referer and is rewritten by the rule; opening http://www.ab.com/ directly still shows the real image, since that request carries the site's own Referer.

The anti-hotlink setting works.
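The following Python script is an added example, not code from the original post. It re-implements the decision the mod_rewrite chain above makes, so its behaviour (including the empty-Referer and look-alike-domain edge cases) can be checked offline, and adds a scanner that pulls hotlink candidates out of Apache combined-format access-log lines. The log lines, client IP addresses and the allowed host list are constructed for the example; the decoy image name and the four Referer patterns are the ones used on the page.

```python
"""Referer-based anti-hotlink policy and access-log scanner (added example)."""
import re
from urllib.parse import urlsplit

# Hosts whose pages may embed our images (the page's lab domain; an assumption).
ALLOWED_HOSTS = {"ab.com", "www.ab.com"}
# The file types the page's RewriteRule protects.
PROTECTED = re.compile(r".*\.(gif|jpg|swf)$", re.IGNORECASE)
# The decoy served instead of the real image (name taken from the page).
DECOY = "/MZY7BWZN(6~~KTS5MILYXAX.png"

# The page's four RewriteCond patterns, verbatim, case-insensitive ([NC]).
PAGE_CONDS = [re.compile(p, re.IGNORECASE) for p in (
    r"^http://ab.com/.*$", r"^http://ab.com$",
    r"^http://www.ab.com/.*$", r"^http://www.ab.com$")]


def page_rules_block(referer):
    """Exactly what the page's RewriteCond chain decides.

    Every condition is negated and the conditions are ANDed, so the rule fires
    only when the Referer matches none of the four patterns. Two consequences:
    an empty Referer is blocked, and the unescaped dots let a look-alike host
    such as http://wwwxab.com/ through."""
    return not any(p.match(referer or "") for p in PAGE_CONDS)


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS, allow_empty=True):
    """Stricter variant: parse the Referer as a URL and compare the host exactly.

    allow_empty=True tolerates requests without a Referer (direct visits, strict
    referrer policies); pass False to mirror the page's behaviour. https referers
    are accepted here, which the page's http-only patterns do not do."""
    if not referer:
        return allow_empty
    parts = urlsplit(referer)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def decide(path, referer, **policy):
    """Emulate the RewriteRule: protected file plus foreign Referer -> decoy.
    The decoy is a .png, so it never matches PROTECTED and cannot loop."""
    if PROTECTED.match(path) and not referer_allowed(referer, **policy):
        return DECOY
    return path


# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def hotlink_candidates(lines, allowed_hosts=ALLOWED_HOSTS, allow_empty=True):
    """Return (client_ip, path, referer) for protected files fetched with a
    Referer that is not one of ours. Apache logs a missing Referer as '-'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        referer = "" if m["referer"] == "-" else m["referer"]
        if PROTECTED.match(m["path"]) and not referer_allowed(referer, allowed_hosts, allow_empty):
            hits.append((m["ip"], m["path"], referer))
    return hits


# Constructed log lines: a browser that opened the hotlinking host's page,
# a legitimate visitor, a look-alike domain, and a direct request with no Referer.
SAMPLE_LOG = [
    '20.0.0.100 - - [12/Aug/2020:10:00:01 +0800] "GET /1389753641370.jpg HTTP/1.1" 200 51234 "http://20.0.0.42/" "Mozilla/5.0"',
    '20.0.0.50 - - [12/Aug/2020:10:00:02 +0800] "GET /1389753641370.jpg HTTP/1.1" 200 51234 "http://www.ab.com/" "Mozilla/5.0"',
    '20.0.0.50 - - [12/Aug/2020:10:00:03 +0800] "GET /index.html HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '20.0.0.60 - - [12/Aug/2020:10:00:04 +0800] "GET /1389753641370.jpg HTTP/1.1" 200 51234 "http://wwwxab.com/" "curl/7.64.0"',
    '20.0.0.70 - - [12/Aug/2020:10:00:05 +0800] "GET /1389753641370.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, ref in hotlink_candidates(SAMPLE_LOG):
        print(f"hotlink: {ip} fetched {path} with Referer {ref!r}")
```

To test the live rule rather than the model, run curl -e http://20.0.0.42/ -I http://www.ab.com/1389753641370.jpg on any host that resolves www.ab.com and compare the result with the same request carrying -e http://www.ab.com/: the first is answered with the decoy (image/png, or a redirect to it), the second with the real image. That curl can set any Referer it likes is the whole limitation of the technique.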

Four: Hide version information

Attackers often scan for software version information and then pick attacks that target that version. The version information should be hidden as soon as the Apache installation is complete.

4.1: Configure Apache to hide version information

  • The version information of Apache reveals certain vulnerability information, which
    brings security risks to the website
  • Configure Apache to hide version information in the production environment

4.2: Modify version information

  • Uncomment the following line in the main configuration file httpd.conf so that the extra default settings are loaded
[root@localhost conf]# pwd
/usr/local/httpd/conf
[root@localhost conf]# vim httpd.conf
# search for Include conf and uncomment the line
Include conf/extra/httpd-default.conf

[root@localhost conf]# cd extra/
[root@localhost extra]# ls
httpd-autoindex.conf  httpd-mpm.conf
httpd-dav.conf        httpd-multilang-errordoc.conf
httpd-default.conf    httpd-ssl.conf
httpd-info.conf       httpd-userdir.conf
httpd-languages.conf  httpd-vhosts.conf
httpd-manual.conf     proxy-html.conf
[root@localhost extra]# vim httpd-default.conf 
# search for Token and change the value to
ServerTokens Prod       # product name only: the Server header becomes "Apache" instead of "Apache/2.4.29 (Unix)"
# In the same file, also change ServerSignature from On to Off; otherwise error pages and directory listings still print the full version in their footer. Hiding the banner only removes the easy fingerprint; the software still has to be patched.
## restart the service
[root@localhost extra]# cd ..
[root@localhost conf]# cd ..
[root@localhost httpd]# cd bin/
[root@localhost bin]# ./apachectl stop
[root@localhost bin]# ./apachectl start

4.3: Access verification

Request the site from the client again and look at the Server response header: it should now read only Apache.
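Added example, not from the original post: a small Python checker that reads a raw HTTP response, as captured with curl -si, and reports whether the Server header or the error-page footer still discloses the version. It classifies the Server header by the ServerTokens level (Prod, Major, Minor, Min, OS, Full) that produces it. The two responses embedded below are constructed to look like the same 404 page before and after the change; they are not captures from the page's lab, and the X-Powered-By check goes beyond what the page discusses.

```python
"""Audit an HTTP response for Apache version disclosure (added example)."""
import re

# Server header forms Apache emits for each ServerTokens level:
# Prod "Apache", Major "Apache/2", Minor "Apache/2.4", Min "Apache/2.4.29",
# OS "Apache/2.4.29 (Unix)", Full "Apache/2.4.29 (Unix) <module tokens>".
SERVER_RE = re.compile(
    r"^Apache(?:/(?P<major>\d+)(?:\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?)?)?"
    r"(?P<os>\s*\([^)]*\))?(?P<extra>\s+\S.*)?$")


def server_tokens_level(value):
    """Return the ServerTokens level that would produce this Server header
    value, or 'other' if it is not an Apache banner at all."""
    m = SERVER_RE.match(value.strip())
    if not m:
        return "other"
    g = m.groupdict()
    if g["extra"]:
        return "Full"      # module tokens (OpenSSL, PHP, ...) follow the OS part
    if g["os"]:
        return "OS"        # Full with no module tokens looks the same as OS
    if g["patch"] is not None:
        return "Min"
    if g["minor"] is not None:
        return "Minor"
    if g["major"] is not None:
        return "Major"
    return "Prod"


# The footer ServerSignature On appends to error pages and directory listings.
FOOTER_RE = re.compile(r"<address>(?P<sig>[^<]*?Server at [^<]*)</address>", re.I)


def audit_response(raw):
    """Split a raw response (status line, headers, blank line, body) and return
    a list of findings; an empty list means only the product name is exposed."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    findings = []
    for line in head.splitlines():
        name, colon, value = line.partition(":")
        if not colon:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "server":
            level = server_tokens_level(value)
            if level not in ("Prod", "other"):
                findings.append(f"Server header leaks version (ServerTokens {level}): {value}")
        elif name == "x-powered-by":
            # Not covered on the page: application stacks add their own banner.
            findings.append(f"X-Powered-By header present: {value}")
    m = FOOTER_RE.search(body)
    if m:
        findings.append(f"ServerSignature footer in body: {m['sig'].strip()}")
    return findings


# Constructed responses: the same 404 before and after the configuration change.
BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 12 Aug 2020 02:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Unix)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>\n"
    "<hr>\n<address>Apache/2.4.29 (Unix) Server at www.ab.com Port 80</address>\n"
    "</body></html>\n")

AFTER = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 12 Aug 2020 02:05:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>\n"
    "</body></html>\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw) or ["no version disclosure"])
```

Requesting a path that does not exist is deliberate: the 404 page is where ServerSignature shows up, so a check that only inspects the home page's headers misses it.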

Origin: blog.csdn.net/weixin_47151643/article/details/107973458