11.28-31 Restricting a directory from parsing PHP, restricting user_agent, PHP-related configuration

Access Control - Prohibit php parsing.

Prohibiting PHP parsing under a directory is very useful and comes up constantly when hardening a website. For example, some directories accept user uploads. To keep an uploaded webshell (a "Trojan" PHP file) from ever executing, we disable PHP parsing for that directory.

1. Disable PHP parsing first

    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
    </Directory>

    [root@linux-129 111.com]# curl -x127.0.0.1:80 '111.com/upload/admin.php'
    <?php
    echo "FilesMatch control";
    ?>

With the PHP engine off the file is no longer executed, but it is still served: curl gets the PHP source back as plain text. That is enough to stop a webshell from running, but it discloses whatever is in the file, which is why the next step also denies access to it.
2. Prohibit PHP parsing and deny access to the files entirely

    <Directory /data/wwwroot/111.com/upload>
        php_admin_flag engine off
        <FilesMatch "(.*)php">
            Order deny,allow
            Deny from all
        </FilesMatch>
    </Directory>

Two things to be aware of: the pattern "(.*)php" is unanchored, so it denies any file name that contains "php" anywhere (admin.php, shell.phtml, photo.php.jpg), which is what we want here; and Order/Deny is Apache 2.2 syntax, which on 2.4 (the server below is 2.4.29) only works while mod_access_compat is loaded. The native 2.4 form is "Require all denied".
[root@linux-129 111.com]# curl -x127.0.0.1:80 '111.com/upload/admin.php' -I
HTTP/1.1 403 Forbidden
Date: Mon, 09 Apr 2018 09:27:33 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

Access Control - user_agent

Sometimes our website is attacked, for example with a CC attack (an HTTP flood).
Usually the attacker uses some tool, or a botnet of "zombie" machines.
What is a zombie machine? A compromised host the attacker controls. If he wants to attack a website, he orders the zombies to visit it. If 10,000 zombies visit at once, most sites do not have that much concurrency: their bandwidth and database cannot keep up.
A CC attack usually has a telltale feature: every request carries the same referer and the same user_agent.

So we can reduce the load on the server by blocking those user_agents. Keep in mind this is load reduction, not access control: the user_agent is set by the client and is trivially changed (curl -A does exactly that, see below), so a determined attacker simply picks a different string.

Core configuration content (in the virtual host of 111.com):

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
        RewriteRule .* - [F]
    </IfModule>

curl -A "123123" sets the user_agent for the test: a request with curl's default agent matches the first condition and gets 403, while one sent with -A "123123" matches neither condition and goes through.
Interpretation:

    OR: either condition is enough to match
    NC: ignore case
    F: forbidden, return 403

Use of curl
    -x  use host:port as an HTTP proxy; -x127.0.0.1:80 sends the request for 111.com to the local server without needing DNS
    -u  user:password for HTTP authentication
    -I  fetch headers only (HEAD), so only the status line and headers are shown
    -e  set the referer, e.g. -e "http://www.123.com"; it must start with http://
    -A  set the user_agent, e.g. curl -A "123123"
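
As an added example (not part of the original page) of turning the "same referer, same user_agent" observation into detection: the script below parses Apache combined-format log lines, counts requests per (referer, user_agent) pair, flags pairs at or above a threshold, and emits RewriteCond lines in the syntax used above. The log lines, the 10.0.x.x and 192.0.2.x addresses, the threshold of 20 and the function names are all constructed for the demonstration.

```python
"""Flag CC-style floods in an Apache access log by shared referer and user agent.

Added example, not part of the original page. The page notes that a CC attack
tends to carry the same referer and the same user_agent on every request; this
script groups combined-format log lines by that pair, flags pairs whose request
count reaches a threshold, and renders mod_rewrite conditions for them. The log
lines, the threshold and the helper names are constructed for the demonstration.
"""
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: a burst from many source addresses sharing one
# referer/agent pair, mixed with two ordinary requests and one unparsable line.
SAMPLE_LOG = "\n".join(
    [f'10.0.{i // 256}.{i % 256} - - [09/Apr/2018:17:27:{i % 60:02d} +0800] '
     '"GET /index.php HTTP/1.1" 200 512 "http://www.123.com/" '
     '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
     for i in range(40)]
    + [
        '192.0.2.10 - - [09/Apr/2018:17:28:01 +0800] "GET / HTTP/1.1" 200 1024 "-" '
        '"Mozilla/5.0 (X11; Linux x86_64) Firefox/59.0"',
        '192.0.2.11 - - [09/Apr/2018:17:28:02 +0800] "GET /upload/admin.php HTTP/1.1" '
        '403 209 "-" "curl/7.29.0"',
        'garbage line that does not parse',
    ]
)


def parse_log(text):
    """Yield a dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_floods(text, threshold=20):
    """Return {(referer, agent): count} for pairs seen at least `threshold` times."""
    counts = Counter((r["referer"], r["agent"]) for r in parse_log(text))
    return {pair: n for pair, n in counts.items() if n >= threshold}


def rewrite_conditions(floods):
    """Render a mod_rewrite block that returns 403 for the flagged agents.

    re.escape() keeps regex metacharacters in the agent string literal, so
    "MSIE 6.0" does not turn into a wildcard; the pattern is quoted so the
    escaped spaces survive Apache's config tokenizer; [NC] ignores case.
    """
    conds = [f'RewriteCond %{{HTTP_USER_AGENT}} "^{re.escape(agent)}$" [NC,OR]'
             for (_, agent) in floods]
    if not conds:
        return ""
    conds[-1] = conds[-1].replace("[NC,OR]", "[NC]")   # last condition carries no OR
    return "RewriteEngine on\n" + "\n".join(conds) + "\nRewriteRule .* - [F]\n"


if __name__ == "__main__":
    print(rewrite_conditions(find_floods(SAMPLE_LOG)))
```

Treat the generated block as a starting point: it blocks one exact agent string, which the attacker can change in seconds, so in practice the flagged pairs are better fed to rate limiting or to a blocklist of the source addresses than left as a permanent rule.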

PHP-related configuration

View the location of the php configuration file

/usr/local/php/bin/php -i|grep -i "loaded configuration file"
    date.timezone = Asia/shanghai    ; defines the time zone; without it PHP emits a warning

    disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,stream_socket_server,phpinfo

These are the functions a webshell relies on (phpinfo, exec, system and friends), so we disable them. Note that eval is a language construct rather than a function, so listing it in disable_functions has no effect; only internal functions can be disabled this way.

    display_errors = Off    ; On by default; Off keeps error messages off the page
    log_errors = On         ; turn on error logging
    error_log = /tmp/php_errors.log    ; path of the error log
    error_reporting         ; which errors are logged; the default is E_ALL, and for production use the production value php.ini lists, E_ALL & ~E_DEPRECATED & ~E_STRICT

    open_basedir    ; security-related: restricts the files PHP may open to the listed directories. Setting it globally in php.ini is awkward, because one server hosts many sites under the same parent directory; limiting PHP to that parent lets every site read the others' files, which is not what we want. So configure it per virtual host instead:

    php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"    ; added to each virtual host's configuration with its own value, limiting that site to its own directory (plus /tmp)
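
The settings above can be checked mechanically. The following is an added example, not from the original page: a minimal php.ini reader and an audit that reports display_errors left on, error logging off, no error_log path, and which entries of the page's disable_functions list are missing. The two ini texts are constructed; PAGE_DISABLE_LIST is the page's list as reconstructed above, and eval is reported separately because disable_functions ignores language constructs.

```python
"""Audit a php.ini for the error-handling and disable_functions settings above.

Added example, not from the original page. A minimal php.ini reader (sections,
`;` comments, quoted values) feeds an audit that reports display_errors left
on, error logging left off, no error_log path, and which of the page's
disable_functions entries are missing. Both ini texts are constructed: one in
a loose state, one hardened as the page describes.
"""

# The list the page puts in disable_functions, used as the baseline here.
# eval is a language construct, not a function, so listing it has no effect;
# the audit reports it separately instead of counting it as coverage.
PAGE_DISABLE_LIST = (
    "eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,exec,system,"
    "chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,"
    "ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,"
    "stream_socket_server,phpinfo"
)
NOT_DISABLEABLE = {"eval"}   # language constructs disable_functions silently ignores

# Constructed loose configuration: errors on the page, nothing disabled.
LOOSE_INI = """
[PHP]
; constructed loose settings
display_errors = On
log_errors = On
error_log =
disable_functions =
"""

# Constructed hardened configuration following the page.
HARDENED_INI = """
[PHP]
display_errors = Off
log_errors = On
error_log = "/tmp/php_errors.log"
disable_functions = %s
open_basedir = /data/wwwroot/111.com:/tmp/
""" % PAGE_DISABLE_LIST


def parse_php_ini(text):
    """Return {key: value} for `key = value` lines; a later line wins, as in PHP."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()     # ; starts a comment
        if not line or line.startswith("["):    # skip blanks and [sections]
            continue
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key.lower()] = value
    return settings


def is_on(value):
    """php.ini booleans: On/1/True/Yes are on; Off/0/False/No/empty are off."""
    return value.strip().lower() in {"on", "1", "true", "yes"}


def audit(text):
    """Return the findings a reviewer would raise, keyed by finding."""
    s = parse_php_ini(text)
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    wanted = set(PAGE_DISABLE_LIST.split(",")) - NOT_DISABLEABLE
    return {
        "display_errors_on": is_on(s.get("display_errors", "")),
        "log_errors_off": not is_on(s.get("log_errors", "")),
        "error_log_unset": not s.get("error_log", ""),
        "missing_disables": sorted(wanted - disabled),
        "ineffective_disables": sorted(disabled & NOT_DISABLEABLE),
    }


if __name__ == "__main__":
    print("loose:", audit(LOOSE_INI))
    print("hardened:", audit(HARDENED_INI))
```

Run it against the file that `php -i | grep -i "loaded configuration file"` points to; remember that values set per virtual host with php_admin_value override php.ini, so audit the vhost file as well.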
[root@linux-129 111.com]# ls /tmp/php_errors.log
/tmp/php_errors.log
[root@linux-129 111.com]# cat !$
cat /tmp/php_errors.log
[10-Apr-2018 12:23:08 Asia/shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2

[root@linux-129 111.com]# ls -l !$
ls -l /tmp/php_errors.log
-rw-r--r-- 1 daemon daemon 145 Apr 10 12:23 /tmp/php_errors.log

Its owner and group are both daemon, because the log is written by the apache worker processes, which run as the daemon user.

Sometimes we define an error log and the file is never created. Check that the directory holding the log is writable by apache's run user (daemon here), since that user writes the file. To be safe, define the error log somewhere that user can write, or create the file yourself and give it write permission. Doing that with chmod 777 works, but it lets every local user write to the log; chown daemon /tmp/php_errors.log gives the same result with a narrower grant.

[root@linux-129 111.com]# vim /data/wwwroot/111.com/2.php    // write a PHP file containing a syntax error
[root@linux-129 111.com]# curl -x127.0.0.1:80 111.com/2.php -I
HTTP/1.0 500 Internal Server Error
Date: Tue, 10 Apr 2018 04:35:17 GMT
Server: Apache/2.4.29 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
[root@linux-129 111.com]# cat /tmp/php_errors.log
[10-Apr-2018 12:23:08 Asia/shanghai] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/index.php on line 2
[10-Apr-2018 12:35:17 Asia/shanghai] PHP Parse error:  syntax error, unexpected end of file in /data/wwwroot/111.com/2.php on line 4
[root@linux-129 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.

Add to the 111.com virtual host:

    php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"    // this can be added to each virtual host's configuration, limiting each site to its own directory

php_admin_value lets you set php.ini parameters inside a virtual host's configuration, such as error_log, open_basedir and error_reporting. Values set with php_admin_value (and php_admin_flag) cannot be overridden by ini_set() or .htaccess, which is why they are the right tool for security settings.

Why include /tmp here?
Because PHP's temporary files go to /tmp by default: an uploaded file is first written to the upload temporary directory (upload_tmp_dir, which falls back to the system temp directory, /tmp), and only afterwards moved by the script into its final location; session files also live under /tmp by default (session.save_path). If /tmp is not in open_basedir, PHP cannot even write its temporary files.

Tags: PHP Linux curl Apache

Posted on Wed, 19 Dec 2018 03:57:04 -0800 by mohson