LAMP environment - limited PHP parsing, useragent, PHP related configuration, Apache related configuration

11.28 Restricting a directory to prohibit php parsing

The settings in this section are meant for static-file directories and directories the web server can write to (such as upload directories): restricting PHP parsing and access there prevents uploaded scripts from being run or read and improves security.

Edit the virtual host configuration file:

[root@1 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
    </Directory>

Create the appropriate directory:

[root@1 111.com]# mkdir upload
……
[root@1 111.com]# ls upload/
123.php  abc.jpg  baidu.png

Test:

[root@1 111.com]# curl -x192.168.8.131:80 'http://111.com/upload/123.php' 
<?php
echo "welcom to 123file";
?>

[root@1 111.com]# curl -x192.168.8.131:80 'http://111.com/upload/baidu.png' -I
HTTP/1.1 200 OK
Date: Thu, 03 Aug 2017 04:47:16 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Last-Modified: Thu, 03 Aug 2017 04:25:26 GMT
ETag: "e7a-555d1c5172a6c"
Accept-Ranges: bytes
Content-Length: 3706
Content-Type: image/png

Description:  When 123.php is requested, its source code is returned directly, that is, PHP is not parsed, while other file types are still served without problems.

Add PHP access restrictions

Add the parameter <FilesMatch (.*)\.php(.*)>:

[root@1 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
        <FilesMatch (.*)\.php(.*)>
        Order Allow,Deny
        Deny from all
        </FilesMatch>
    </Directory> 

Note:  If you only disable PHP parsing, the source code is displayed when users access PHP files. Adding this FilesMatch block prevents users from seeing the server's PHP source code and further improves security.

Test:

[root@1 111.com]# curl -x127.0.0.1:80 111.com/upload/123.php -I
HTTP/1.1 403 Forbidden
Date: Thu, 03 Aug 2017 04:28:49 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1

[root@1 111.com]# curl -x127.0.0.1:80 111.com/upload/baidu.png -I
HTTP/1.1 200 OK
Date: Thu, 03 Aug 2017 04:29:25 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Last-Modified: Thu, 03 Aug 2017 04:25:26 GMT
ETag: "e7a-555d1c5172a6c"
Accept-Ranges: bytes
Content-Length: 3706
Content-Type: image/png

Description:  Now a request for 123.php returns status code 403, that is, the file can no longer be accessed at all.
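To make the effect of the two settings concrete, here is an added Python example (not from the original page or from Apache) that models what the upload directory returns for a given file name under "php_admin_flag engine off" and the FilesMatch deny block. The classify_request and audit_listing helpers and the listing are constructed for this example; the regex is the one from the FilesMatch directive above, applied the way Apache applies it, as an unanchored search of the file name, which is why a double-extension name such as avatar.php.jpg is also refused.

```python
import re

# The regex from the page's <FilesMatch (.*)\.php(.*)> directive. Apache applies
# FilesMatch as an unanchored search against the file name, so ".php" may appear
# anywhere in it: "avatar.php.jpg" is matched just like "123.php".
FILESMATCH_PHP = re.compile(r"(.*)\.php(.*)")


def classify_request(filename, engine_off=True, deny_php=True):
    """Model what Apache does for one file in the upload directory under the
    two settings from the page (hypothetical helper, not Apache code).

    Returns one of:
      "forbidden" - 403 from the FilesMatch block (source never leaves the server)
      "source"    - PHP engine off, no FilesMatch: the .php file is served as text
      "executed"  - neither setting applied: mod_php runs the script
      "static"    - any other file, served normally (images etc.)
    """
    if deny_php and FILESMATCH_PHP.search(filename):
        return "forbidden"
    if filename.endswith(".php"):
        return "source" if engine_off else "executed"
    return "static"


def audit_listing(filenames, **settings):
    """Classify every file of a directory listing; returns {name: outcome}."""
    return {name: classify_request(name, **settings) for name in filenames}


# Constructed listing: the page's three files plus a double-extension name.
UPLOAD_LISTING = ["123.php", "abc.jpg", "baidu.png", "avatar.php.jpg"]

if __name__ == "__main__":
    for name, outcome in audit_listing(UPLOAD_LISTING).items():
        print(f"{name:16} -> {outcome}")
    # Only "php_admin_flag engine off" without the FilesMatch block: the
    # script is not executed, but its source code is exposed.
    print(audit_listing(UPLOAD_LISTING, deny_php=False)["123.php"])
```

Running the block prints the outcome for each file; switching deny_php off reproduces the first test on the page, where curl received the PHP source, and switching it on reproduces the 403.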

11.29 Restricting user_agent

user_agent (user agent): the identification string a browser (or search engine crawler) sends with each request; it describes the hardware platform, operating system, application software and user preferences.

Requirement background:
Websites are sometimes hit by CC attacks (a form of DDoS). The principle is that the attacker uses proxy servers or compromised hosts ("zombies") to send a flood of legitimate-looking requests to the victim, exhausting it while disguising the true source. One characteristic of a CC attack is that its User-Agent is the same across requests, so the attack can be blocked by restricting that User-Agent.

Edit the virtual host configuration file:

[root@1 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf 
……
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT}  .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT}  .*baidu.com.* [NC]
        RewriteRule  .*  -  [F]
    </IfModule>
……

Description:  NC means the match ignores case; OR joins this condition with the next one using logical OR (without the flag, consecutive conditions are ANDed); F means forbidden, so the request is refused with 403.

Detection:

[root@1 111.com]# curl -x192.168.8.131:80 'http://111.com/123.php' -I
HTTP/1.1 403 Forbidden
Date: Thu, 03 Aug 2017 06:59:14 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1

[root@1 111.com]# curl -A "aminglinux aminglinux" -x192.168.8.131:80 'http://111.com/123.php' -I
HTTP/1.1 200 OK
Date: Thu, 03 Aug 2017 07:01:01 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Type: text/html; charset=UTF-8
[root@1 111.com]# curl -A "aminglinux aminglinux" -x192.168.8.131:80 'http://111.com/123.php' 
welcom to 123file

Description:  curl -A specifies useragent.
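The following added Python example (not part of the original page, and not Apache's code) reproduces the decision the two RewriteCond lines above make for a User-Agent string, including the difference the [OR] flag makes, and tallies User-Agents over a few constructed access-log lines to show the "consistent useragent" trait the background section describes. The rewrite_forbids, user_agent_counts and blocked_share helpers, the log lines and the IP addresses are all constructed for this example.

```python
import re
from collections import Counter

# Constructed equivalents of the page's two RewriteCond patterns. [NC] maps to
# re.IGNORECASE; RewriteCond performs an unanchored regex search. The dot in
# "baidu.com" is unescaped on the page, so it matches any single character.
UA_BLOCK_PATTERNS = [
    re.compile(r".*curl.*", re.IGNORECASE),
    re.compile(r".*baidu.com.*", re.IGNORECASE),
]


def rewrite_forbids(user_agent, combine="OR"):
    """Return True when 'RewriteRule .* - [F]' would fire for this User-Agent.

    combine="OR"  models the page's rules, where the first condition carries [OR].
    combine="AND" models the same two conditions without [OR]: Apache then
    requires every condition to match (the default when no flag is given).
    """
    results = [p.search(user_agent) is not None for p in UA_BLOCK_PATTERNS]
    return any(results) if combine == "OR" else all(results)


# Constructed access-log lines in Apache's combined format; the User-Agent is
# the last quoted field. Five requests share one curl UA, two come from a browser.
SAMPLE_ACCESS_LOG = [
    '192.168.8.20 - - [03/Aug/2017:06:59:14 +0000] "GET /123.php HTTP/1.1" 200 17 "-" "curl/7.29.0"',
    '192.168.8.21 - - [03/Aug/2017:06:59:14 +0000] "GET /123.php HTTP/1.1" 200 17 "-" "curl/7.29.0"',
    '192.168.8.22 - - [03/Aug/2017:06:59:15 +0000] "GET /123.php HTTP/1.1" 200 17 "-" "curl/7.29.0"',
    '192.168.8.23 - - [03/Aug/2017:06:59:15 +0000] "GET /123.php HTTP/1.1" 200 17 "-" "curl/7.29.0"',
    '192.168.8.24 - - [03/Aug/2017:06:59:16 +0000] "GET /123.php HTTP/1.1" 200 17 "-" "curl/7.29.0"',
    '10.0.0.5 - - [03/Aug/2017:07:01:01 +0000] "GET /123.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"',
    '10.0.0.6 - - [03/Aug/2017:07:01:03 +0000] "GET /abc.jpg HTTP/1.1" 200 3706 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"',
]

LAST_QUOTED = re.compile(r'"([^"]*)"\s*$')


def user_agent_counts(log_lines):
    """Tally requests per User-Agent; one UA dominating the log is the
    'consistent useragent' trait of a CC attack described on the page."""
    counts = Counter()
    for line in log_lines:
        m = LAST_QUOTED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def blocked_share(log_lines):
    """Fraction of logged requests the page's rewrite rules would reject."""
    uas = [m.group(1) for m in map(LAST_QUOTED.search, log_lines) if m]
    return sum(rewrite_forbids(ua) for ua in uas) / len(uas)


if __name__ == "__main__":
    for ua, n in user_agent_counts(SAMPLE_ACCESS_LOG).most_common():
        print(f"{n:3}  {'BLOCK' if rewrite_forbids(ua) else 'allow'}  {ua}")
    print(f"share of requests blocked: {blocked_share(SAMPLE_ACCESS_LOG):.2f}")
```

The page's second curl test, with -A "aminglinux aminglinux", corresponds to rewrite_forbids returning False; the default curl User-Agent corresponds to True. Run user_agent_counts over a real access log before adding such a rule, so that the pattern you block is the one that actually dominates the traffic.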

11.30 PHP related configuration

View the PHP configuration file:

/usr/local/php/bin/php -i|grep -i "loaded configuration file" 

PHP parameters

  1. Set the time zone:

date.timezone

  2. Function options:

eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,proc_open,proc_close,phpinfo

The functions above can be restricted with "disable_functions" to improve website security:

disable_functions=
  3. Log related
  • display_errors=On/Off : Set whether the cause of an error is displayed. Note that after setting this to Off (so that users cannot see it), you must turn on the error log and set its save path and error level, otherwise you will not be able to find the cause of errors.

  • log_errors=On/Off : Turn the error log on or off.

  • error_log=/tmp/ : Set the save path of the error log. If no log is produced after the path is defined, check whether the directory holding the log file has write (w) permission.

  • error_reporting= : Set the error log level. The levels E_ALL, ~E_NOTICE, ~E_STRICT and ~E_DEPRECATED can be freely combined; in a production environment E_ALL & ~E_NOTICE is sufficient.

Official description:

E_ALL (Show all errors, warnings and notices including coding standards.)
E_ALL & ~E_NOTICE  (Show all errors, except for notices)
E_ALL & ~E_NOTICE & ~E_STRICT  (Show all errors, except for notices and coding standards warnings.)
E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR  (Show only errors)
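The following added Python example (not from the original page) reads a php.ini-style text and checks it against the points just listed: the dangerous functions are named in disable_functions, display_errors is Off, and log_errors, error_log and error_reporting are set so that errors still end up in a log. The parse_php_ini and audit_php_ini helpers and both sample configurations are constructed for this example. The function list is the page's with duplicates removed and eval left out: eval is a language construct rather than a function, so disable_functions has no effect on it.

```python
# Constructed php.ini audit. The dangerous-function list is the page's, minus
# duplicates and minus eval: eval is a language construct, not a function, so
# disable_functions cannot disable it.
DANGEROUS_FUNCTIONS = [
    "assert", "popen", "passthru", "escapeshellarg", "escapeshellcmd", "exec",
    "system", "chroot", "scandir", "chgrp", "chown", "shell_exec",
    "proc_get_status", "ini_alter", "ini_restore", "dl", "pfsockopen",
    "openlog", "syslog", "readlink", "symlink", "leak",
    "stream_socket_server", "proc_open", "proc_close", "phpinfo",
]

# Spellings php.ini accepts for a boolean "on".
TRUE_VALUES = {"1", "on", "true", "yes"}


def parse_php_ini(text):
    """Minimal php.ini reader: ignores ';' comments and [sections], returns a
    dict of lower-cased directive -> value with quotes and inline comments removed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.split(";", 1)[0].strip().strip('"')
        settings[key.strip().lower()] = value
    return settings


def audit_php_ini(settings):
    """Return a list of findings; an empty list means the page's recommendations are met."""
    findings = []
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = [f for f in DANGEROUS_FUNCTIONS if f not in disabled]
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    if settings.get("display_errors", "").lower() in TRUE_VALUES:
        findings.append("display_errors is On: error details are shown to visitors")
    if settings.get("log_errors", "").lower() not in TRUE_VALUES:
        findings.append("log_errors is Off: errors will not be recorded")
    if not settings.get("error_log"):
        findings.append("error_log is not set: nowhere to write the error log")
    if not settings.get("error_reporting"):
        findings.append("error_reporting is not set (page suggests E_ALL & ~E_NOTICE for production)")
    return findings


# Constructed "before" configuration: errors shown to users, nothing disabled.
WEAK_INI = """
[PHP]
display_errors = On
log_errors = Off
disable_functions =
error_log =
"""

# Constructed "after" configuration following the page's recommendations.
HARDENED_INI = f"""
[PHP]
date.timezone = Asia/Shanghai
disable_functions = {",".join(DANGEROUS_FUNCTIONS)}
display_errors = Off
log_errors = On
error_log = /tmp/php_errors.log   ; constructed path
error_reporting = E_ALL & ~E_NOTICE
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for finding in audit_php_ini(parse_php_ini(text)) or ["no findings"]:
            print("  -", finding)
```

To audit a live server, read the file reported by "php -i | grep -i 'loaded configuration file'" into parse_php_ini instead of the constructed strings.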
  4. Security parameter "open_basedir"

; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.

Translation: If the open_basedir option is set, all file operations are restricted to the specified directory and its subdirectories. It is very important to set this directive in each per-directory or per-virtual-host web server configuration file.

Description:  The settings in the php.ini file apply to all virtual hosts.

Problem:  A server runs more than one virtual host, so setting this option in php.ini is not appropriate. How should it be set instead?

Solution:  Make the setting in the configuration file of each virtual host.

[root@1 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"

Description:  "php_admin_value" sets php.ini parameters from the virtual host configuration, so "open_basedir" can be set separately for each virtual host! The "/tmp/" directory is included so that temporary files can still be written normally.
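As an added Python example (not from the original page, and not Apache's or PHP's code), the block below reads an httpd-vhosts.conf-style text and reports, per VirtualHost, whether a php_admin_value open_basedir line is present and whether the DocumentRoot lies inside one of its entries. The parse_vhosts, path_within and audit_open_basedir helpers and the two-vhost sample configuration are constructed for this example; the first vhost uses the page's setting, the second is a hypothetical 222.com with no open_basedir at all.

```python
import re

# Hypothetical Apache vhost audit for the page's per-virtual-host open_basedir
# setting. The configuration text below is constructed; no real server is read.
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)
DIRECTIVE_RE = {
    "server_name": re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE | re.MULTILINE),
    "document_root": re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE),
    "open_basedir": re.compile(r'^\s*php_admin_value\s+open_basedir\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE),
}


def parse_vhosts(config_text):
    """Return one dict per <VirtualHost> block with the three directives we need."""
    vhosts = []
    for block in VHOST_RE.findall(config_text):
        entry = {}
        for name, rx in DIRECTIVE_RE.items():
            m = rx.search(block)
            entry[name] = m.group(1) if m else None
        vhosts.append(entry)
    return vhosts


def path_within(path, base):
    """True when path equals base or is below it (component-wise, so that
    /data/wwwroot/111.com-old is not treated as inside /data/wwwroot/111.com)."""
    base = base.rstrip("/")
    return path.rstrip("/") == base or path.startswith(base + "/")


def audit_open_basedir(config_text):
    """Return {ServerName: [findings]}; an empty list means the vhost is confined."""
    report = {}
    for vh in parse_vhosts(config_text):
        findings = []
        name = vh["server_name"] or "<no ServerName>"
        if vh["open_basedir"] is None:
            findings.append("open_basedir not set: PHP may open any file the web server user can read")
        else:
            allowed = vh["open_basedir"].split(":")   # PHP separates entries with ':' on Unix
            for p in allowed:
                if not p.startswith("/"):
                    findings.append(f"open_basedir entry is not an absolute path: {p}")
            if vh["document_root"] and not any(path_within(vh["document_root"], p) for p in allowed):
                findings.append("DocumentRoot is outside open_basedir: scripts cannot open their own files")
        report[name] = findings
    return report


# Constructed vhost configuration: the page's 111.com setting plus a vhost without it.
SAMPLE_VHOSTS = """
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/222.com"
    ServerName 222.com
</VirtualHost>
"""

if __name__ == "__main__":
    for name, findings in audit_open_basedir(SAMPLE_VHOSTS).items():
        print(name, "->", findings or "ok")
```

Point audit_open_basedir at the real /usr/local/apache2.4/conf/extra/httpd-vhosts.conf contents to list which virtual hosts on the server still run without the restriction.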
