Apache web optimization and security: anti-hotlinking and hiding version information (theory and practice combined!)

Apache anti-hotlinking

  • Anti-hotlinking prevents other websites from embedding links in their own pages that pull images, documents, videos and other static resources directly from our server
  • If another site hotlinks our static resources, it clearly increases the bandwidth load on our server
  • As site maintainers, we want to stop our server's static resources from being stolen by other sites

Configuration variables

*   %{HTTP_REFERER}: the Referer field of the request header; it holds the URL of the link from which the requested page was accessed
*   !^: does not begin with the following string
*   .*$: ends with any characters
*   NC: case-insensitive (no case)
*   R: force a redirect

Rule directives

RewriteEngine On: enable URL rewriting
RewriteCond: set a matching condition
RewriteRule: set the rewrite or redirect action

Matching rules

If the value of the variable matches the configured condition, processing continues line by line with the next rule; if it does not match, the subsequent rules are not processed.

Configuration and demonstration

Modify the configuration file to enable anti-hotlinking and set the rules:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://test.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://test.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test.com/$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.test.com/error.html [R,NC]

Environment

One Linux server (192.168.13.128)
One Windows 10 test machine
One Windows 7 hotlinking machine (192.168.13.135)

1. Install the DNS service with yum and configure it

[root@localhost ~]# yum install bind -y   ## install the bind DNS server
[root@localhost ~]# vim /etc/named.conf     ## edit the main configuration file
options {
                listen-on port 53 { any; };     ## listen on all addresses
                listen-on-v6 port 53 { ::1; };
                directory       "/var/named";
                dump-file       "/var/named/data/cache_dump.db";
                statistics-file "/var/named/data/named_stats.txt";
                memstatistics-file "/var/named/data/named_mem_stats.txt";
                recursing-file  "/var/named/data/named.recursing";
                secroots-file   "/var/named/data/named.secroots";
                allow-query     { any; };       ## allow queries from all
[root@localhost ~]# vim /etc/named.rfc1912.zones    ## edit the zone configuration file
zone "kgc.com" IN {
                type master;
                file "kgc.com.zone";
                allow-update { none; };
};

[root@localhost ~]# cd /var/named
[root@localhost named]# cp -p named.localhost kgc.com.zone    ## copy the template as kgc.com.zone
[root@localhost named]# vim kgc.com.zone        ## edit the zone data file
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                                                0       ; serial
                                                                1D      ; refresh
                                                                1H      ; retry
                                                                1W      ; expire
                                                                3H )    ; minimum
                NS      @
                A       127.0.0.1
www IN  A       192.168.13.128       ; resolve to this host's address (zone files use ";" for comments)
[root@localhost named]# systemctl start named   ## start the DNS service
[root@localhost named]# systemctl stop firewalld.service ## stop the firewall
[root@localhost named]# setenforce 0     ## put SELinux in permissive mode

2. Mount the remote share on Linux

1) The LAMP packages required were compressed and shared out from Windows in an earlier related blog article (see that article if you have questions)


2) On Linux, fetch the files from the remote share and mount it on the /mnt directory

[root@localhost ~]# smbclient -L //192.168.100.3/
                                Sharename       Type      Comment
                                ---------       ----      -------
                                LAMP-C7         Disk      

[root@localhost ~]# mount.cifs //192.168.100.3/LAMP-C7 /mnt   ## mount the remote package share on /mnt

3. Manually compile and install Apache

1) Extract the source packages to the /opt directory

[root@localhost mnt]# cd /mnt   ## change to the /mnt directory
[root@localhost mnt]# tar zxvf apr-1.6.2.tar.gz -C /opt/    ## extract the source package to /opt
...
[root@localhost mnt]# tar zxvf apr-util-1.6.0.tar.gz -C /opt/
....
[root@localhost mnt]# tar jxvf httpd-2.4.29.tar.bz2 -C /opt/
...
[root@localhost mnt]# cd /opt                        // change to /opt
[root@localhost opt]# ls                             // list the extracted directories
apr-1.6.2  apr-util-1.6.0  httpd-2.4.29  rh

2) Move the apr components into the httpd source tree and install the build tools

[root@localhost opt]# mv apr-1.6.2/ httpd-2.4.29/srclib/apr
[root@localhost opt]# mv apr-util-1.6.0/ httpd-2.4.29/srclib/apr-util
# gcc: C compiler; gcc-c++: C++ compiler; make: build tool; pcre-devel: PCRE regex headers;
# expat-devel: XML parsing headers; zlib-devel: data compression library
# (comments are placed above the command: text after a trailing "\" would be passed as arguments)
[root@localhost opt]# yum -y install \
gcc \
gcc-c++ \
make \
pcre-devel \
expat-devel \
perl \
pcre \
zlib-devel

3) Configure the installation directory and modules

[root@localhost opt]# cd /opt/httpd-2.4.29/
# --prefix: installation directory; --enable-deflate: compression module;
# --enable-so: shared (dynamic) module support; --enable-rewrite: URL rewriting, used for anti-hotlinking;
# --enable-charset-lite: character set support (Simplified Chinese); --enable-cgi: Common Gateway Interface
[root@localhost httpd-2.4.29]# ./configure \
--prefix=/usr/local/httpd \
--enable-deflate \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi
...

4) Compile and install

[root@localhost httpd-2.4.29]# make              // generate the executable binaries
...
[root@localhost httpd-2.4.29]# make install  // copy the binaries into the system and set up the application environment
...

5) Configure the httpd main configuration file

[root@localhost httpd-2.4.29]#  cd /usr/local/httpd/
[root@localhost httpd]# ls
bin    cgi-bin  error   icons    lib   man     modules
build  conf     htdocs  include  logs  manual
[root@localhost httpd]# cd conf/             ## change to the httpd configuration directory
[root@localhost conf]# vim /etc/httpd.conf  ## edit the main configuration file

Listen 192.168.13.128:80  ## set the listening address
#Listen 80

ServerName www.kgc.com:80  ## set the domain name
[root@localhost conf]# ln -s /usr/local/httpd/conf/httpd.conf /etc/httpd.conf   ## create a symlink for easier management

4. Edit the page

1) Switch to the share's mount point and copy the picture into the site

[root@localhost conf]# cd /mnt   ## change to the mount point
[root@localhost mnt]# cp kali.jpg /usr/local/httpd/htdocs/    ## copy the picture into the site
[root@localhost mnt]# cd /usr/local/httpd/htdocs/
[root@localhost htdocs]# ls     ## confirm the picture was copied
index.html  kali.jpg

2) Edit the site home page and start the service

[root@localhost ~]# cd /usr/local/httpd/
[root@localhost httpd]# cd htdocs/      ## change to the site directory
[root@localhost htdocs]# ls
index.html  kali.jpg  
[root@localhost htdocs]# vim index.html     ## edit the page content and add the picture to the page

<html><body><h1>It works!</h1>
<img src="kali.jpg"/>         <!-- put the picture on the page -->
</body></html>
[root@localhost htdocs]# cd /usr/local/httpd/bin/
[root@localhost bin]# ./apachectl start    ## start

5. Test the page from the Windows 10 test machine and view the picture's properties


6. Visit the page from the Windows 7 hotlinking machine

1) Change the DNS server address


2) Visit the website


3) View the image properties on the page


7. Install a web service on the Windows 7 hotlinking machine and hotlink the kgc.com web image

1) Set up the web service on Windows 7


2) Open a web manager


3) Edit the home page HTML file and save the text as index.html


4) The edited content on the site home page


8. Access the hotlinking site's content from the Windows 10 test machine (turn off the firewall)


9. Enable the anti-hotlinking configuration module

[root@localhost bin]# vim ../conf/httpd.conf   ## edit the httpd configuration file
LoadModule rewrite_module modules/mod_rewrite.so  ## enable the rewrite (anti-hotlinking) module

## find the htdocs section and add the following rules
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://kgc.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://kgc.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.kgc.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.kgc.com/$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.kgc.com/error.png   ## anti-hotlinking picture

[root@localhost bin]# cp /mnt/error.png /usr/local/httpd/htdocs/   ## put the error picture into the site
[root@localhost bin]# ./apachectl stop   ## stop
[root@localhost bin]# ./apachectl start   ## start
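To make the rule semantics concrete, here is an added Python model of the condition chain above (example code, not part of the original post and not Apache's own implementation): it applies the four negated Referer conditions with AND semantics, then the RewriteRule pattern, to constructed requests. The function name `rewrite` and the sample requests are the example's own; the Referer patterns are copied verbatim from the configuration, so the run also shows that a request with no Referer at all, or with an https:// Referer from kgc.com itself, is redirected by this rule set.

```python
import re
from typing import Optional

# Constructed model of the page's anti-hotlinking rule chain (example code,
# not Apache's implementation). The patterns are the page's RewriteCond
# patterns verbatim; note the unescaped dots, which match any character.
NEGATED_REFERER_CONDS = [
    r"^http://kgc.com/.*$",
    r"^http://kgc.com$",
    r"^http://www.kgc.com/.*$",
    r"^http://www.kgc.com/$",
]
# RewriteRule pattern and target; [NC] (theory section) makes it case-insensitive.
PROTECTED = re.compile(r".*\.(gif|jpg|swf)$", re.IGNORECASE)
ERROR_URL = "http://www.kgc.com/error.png"


def rewrite(path: str, referer: Optional[str]) -> str:
    """Return the URL the request is sent to, or the path unchanged."""
    # mod_rewrite tests the RewriteRule pattern first, then its conditions.
    if not PROTECTED.match(path):
        return path              # not an image the rule protects
    ref = referer or ""          # a missing header expands to the empty string
    # Consecutive RewriteCond lines are ANDed: the rule fires only if the
    # Referer matches NONE of the allowed patterns ("!" negates each match).
    for pattern in NEGATED_REFERER_CONDS:
        if re.match(pattern, ref, re.IGNORECASE):   # [NC]
            return path          # one condition failed, the rule does not fire
    return ERROR_URL


if __name__ == "__main__":
    # Constructed sample requests: (path, Referer header or None)
    samples = [
        ("/kali.jpg", "http://www.kgc.com/"),               # own site: served
        ("/kali.jpg", "http://192.168.13.135/index.html"),  # hotlink: redirected
        ("/kali.jpg", None),                                # no Referer: also redirected
        ("/kali.jpg", "https://www.kgc.com/"),              # https own site: also redirected
        ("/index.html", "http://192.168.13.135/"),          # not an image: served
    ]
    for path, ref in samples:
        print(f"{path:12} referer={str(ref):34} -> {rewrite(path, ref)}")
```

The no-Referer case matters for the demo: the win10 tester typing the image URL directly, or a browser configured not to send Referer, gets error.png exactly like the win7 hotlinking machine.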

10. After enabling the anti-hotlinking module, test the hotlinking site's content again from Windows 7


Configuring Apache to hide version information

  • The Apache version string discloses a certain amount of vulnerability information and is therefore a security risk to the site
  • In a production environment, configure Apache to hide its version information
  • Fiddler can be used as the analysis tool

1. View the page with ordinary packet capture software


2. Configure the httpd main configuration file

[root@localhost bin]# vim /etc/httpd.conf   ## edit the main configuration file (via the symlink created above)
Include conf/extra/httpd-default.conf    ## enable the sub-configuration file
[root@localhost bin]# cd ../
[root@localhost httpd]# cd conf/
[root@localhost conf]# ls
extra  httpd.conf  magic  mime.types  original
[root@localhost conf]# cd extra/     ## change to the extra directory
[root@localhost extra]# vim httpd-default.conf   ## edit the sub-configuration file
ServerTokens Prod   ## change Full to Prod

ServerSignature Off    ## turn off the server signature

3. Stop and restart the service, then capture packets again to view the service information

[root@localhost conf]# cd ../
[root@localhost httpd]# cd bin/
[root@localhost bin]# ./apachectl stop    ## stop
[root@localhost bin]# ./apachectl start    ## start


Thanks for reading!


Source: blog.51cto.com/14080162/2446100