Anti-hotlinking prevents pages on other people's websites from embedding pictures, files, videos and other resources that are served from our own server.
Hiding version information prevents attackers from scanning for the software version and then mounting attacks targeted at that exact version.
Article Directory
One: Apache anti-hotlinking
1: What is anti-hotlinking
- Anti-hotlinking prevents pages on other websites from embedding pictures, files, videos and other resources that are served from our own server
- When another site hotlinks these static resources, every visitor to that site consumes our server's bandwidth
- As maintainers of the website, we must stop other sites from hotlinking the server's static resources
2: Environment
IP address | Domain name | Role |
---|---|---|
192.168.158.30 | www. | Source server that hosts the resources |
192.168.158.10 | www | Hotlinking website |
Client | Windows 10 | Test client |
3: Simulating hotlinking
- Configure a test page on both hosts
- The hotlinking website's test page embeds an image (such as logo.jpg) from the source host's web directory
- Verify the result from the Windows client
[root@server1 html]# cat index.html
<html><body><h1>apache</h1><img src="http://192.168.158.30/20201013120035500.png"/></body></html>
The picture is not hosted on the hotlinking site; the browser fetches it from 192.168.158.30 on every page view.
5: Enable mod_rewrite on the source host
[root@server3 htdocs]# vi /etc/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so # uncomment this line
6: Modify the configuration file
# Add the following at a suitable place in httpd.conf (Apache does not accept trailing comments after a directive, so keep any notes on their own lines)
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://192.168.158.30$ [NC]
RewriteCond %{HTTP_REFERER} !^http://192.168.158.30/* [NC]
RewriteCond %{HTTP_REFERER} !^http://192.168.158.30/.*$ [NC]
# Requests that satisfy all three conditions and ask for one of these file types are redirected to the site's error image
RewriteRule .*\.(gif|png|swf)$ http://192.168.158.30/error.jpg [R,NC]
Only requests whose Referer header points at 192.168.158.30 receive the image; any other Referer is redirected to error.jpg. Three things to note. First, as written, requests that carry no Referer at all (the image URL typed straight into the browser, or a browser with a strict referrer policy) are also redirected, because the empty string matches none of the allowed patterns. Second, .jpg is not in the RewriteRule pattern, so logo.jpg from the test above is not protected, while error.jpg itself can never be caught by the rule and cause a redirect loop. Third, the Referer header is supplied by the client, so this measure stops careless embedding and saves bandwidth, but it does not stop anyone who sends a forged Referer.
7: Check the configuration file and restart the service
[root@server3 htdocs]# httpd -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::9a22:5aea:2642:6dff. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@server3 htdocs]# apachectl -t
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::9a22:5aea:2642:6dff. Set the 'ServerName' directive globally to suppress this message
Syntax OK
[root@server3 htdocs]# netstat -anpt | grep httpd
tcp6 0 0 :::80 :::* LISTEN 110626/httpd
- Test result
Tested from the Windows client: the image embedded in the other website's page no longer loads, so the server's resources can no longer be fetched through another site.
Two: Hiding version information
1: Why hide Apache version information
Attackers often scan for software version information and then mount targeted attacks. No version is free of weaknesses, so once the exact version is known an attacker can pick the exploits that fit it. Hide the version information as soon as the Apache installation is finished.
2: Configure Apache to hide version information
The version banner Apache sends reveals which vulnerabilities may apply to the server and so brings risk to the website. In a production environment, configure Apache to hide its version information.
3: Edit the configuration
Uncomment the following Include line in the main configuration file httpd.conf so that httpd-default.conf is read, then set the two directives in that file:
[root@server3 conf]# pwd
/usr/local/httpd/conf
[root@server3 conf]# vi /etc/httpd.conf
Include conf/extra/httpd-default.conf ## uncomment this line
[root@server3 conf]# vi extra/httpd-default.conf
ServerTokens Prod
ServerSignature Off
Option | Server header sent |
---|---|
ServerTokens Prod | Server: Apache |
ServerTokens Major | Server: Apache/2 |
ServerTokens Minor | Server: Apache/2.0 |
ServerTokens Min | Server: Apache/2.0.41 |
ServerTokens OS | Server: Apache/2.0.41 (Unix) |
ServerTokens Full | Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2 |
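To confirm that the two directives took effect, look at what a scanner would see. The following Python script is an added example for this article, not Apache's own tooling: it parses a raw HTTP response, maps the Server header back to the ServerTokens level that produces it (using the banner shapes from the table above) and looks for the footer that ServerSignature On appends to Apache-generated error pages. The two responses BEFORE and AFTER are constructed for the example, not captured from a real server; fetch() is an optional helper of mine that retrieves a live response over plain HTTP for the same audit, requesting a non-existent path on purpose so that the server generates its own 404 page.

```python
import re
import http.client

# Added example for this article, not Apache code. It inspects a response
# the way a scanner would: the Server header (controlled by ServerTokens)
# and the footer on Apache's own error pages (controlled by ServerSignature).

# Banner shapes per ServerTokens level; the most specific are tried first.
SERVER_LEVELS = [
    ("Full",  re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]*\) .+$")),
    ("OS",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]*\)$")),
    ("Min",   re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Prod",  re.compile(r"^Apache$")),
]

# The ServerSignature footer looks like
# <address>Apache/2.4.41 (Unix) Server at 192.168.158.30 Port 80</address>
SIGNATURE_RE = re.compile(r"<address>(.*?) Server at (\S+) Port (\d+)</address>", re.I)


def server_tokens_level(server_header: str) -> str:
    """Return the ServerTokens level that produces this Server header,
    or "unknown" if it is not an Apache banner at all."""
    value = (server_header or "").strip()
    for level, pattern in SERVER_LEVELS:
        if pattern.match(value):
            return level
    return "unknown"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def audit(raw: bytes) -> dict:
    """Report what an Apache response discloses about its version."""
    status, headers, body = parse_response(raw)
    server = headers.get("server", "")
    sig = SIGNATURE_RE.search(body)
    signature = sig.group(1) if sig else None
    disclosed = " ".join(part for part in (server, signature) if part)
    return {
        "status": status,
        "server_header": server,
        "server_tokens": server_tokens_level(server),
        "signature": signature,
        # a "/<digit>" anywhere in the banner or footer is a version number
        "leaks_version": re.search(r"/\d", disclosed) is not None,
    }


def fetch(host: str, port: int = 80, path: str = "/this-page-does-not-exist") -> bytes:
    """Fetch a raw response over plain HTTP. A missing path is requested on
    purpose: the signature only appears on pages Apache generates itself."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    return (head + "\r\n").encode("iso-8859-1") + body


# Constructed 404 responses (not captured) before and after applying
# "ServerTokens Prod" and "ServerSignature Off".
BEFORE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1 PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n<hr>\n"
    b"<address>Apache/2.4.41 (Unix) OpenSSL/1.1.1 PHP/7.4.3 Server at 192.168.158.30 Port 80</address>\n"
    b"</body></html>\n"
)
AFTER = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n</body></html>\n"
)

if __name__ == "__main__":
    import sys
    targets = [("constructed BEFORE", BEFORE), ("constructed AFTER", AFTER)]
    if len(sys.argv) > 1:                  # e.g. python audit.py 192.168.158.30
        targets.append((sys.argv[1], fetch(sys.argv[1])))
    for name, raw in targets:
        print(name, audit(raw))
```

Run it against the server after the restart; the audit should report server_tokens "Prod", signature None and leaks_version False. If the footer still appears, the Include line was not uncommented or a virtual host overrides ServerSignature.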