
Optimizing Apache security (2)-- hotlink protection and hiding version information

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Optimize Apache service-hotlink protection

If one day the website server you are in charge of suddenly sees a surge in traffic, do not be surprised. It is very likely that other websites are hotlinking this site's static resources: the access load is shifted onto your server while the clicks are counted on theirs.

As the website's maintainers, we should stop other websites from embezzling the static resources on our server.

Simulated environment

IP address         Domain name         Experimental use
192.168.116.148    www.zhy.com         DNS server, source website
192.168.116.128    (no domain name)    hotlink website

Experimental steps

1. Install DNS

[root@localhost ~]# yum install bind -y
[root@localhost ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };             // change 127.0.0.1 inside the braces to any
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };               // change localhost inside the braces to any
};
// press Esc, then enter :wq to save and exit
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "zhy.com" IN {
        type master;
        file "zhy.com.zone";
        allow-update { none; };
};
// add the block above in the same format as the existing zones, press Esc, then enter :wq to save and exit
[root@localhost ~]# cd /var/named/
[root@localhost named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@localhost named]# cp -p named.localhost zhy.com.zone
[root@localhost named]# vim zhy.com.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www     IN A    192.168.116.148         // the final address is the IP address of your own Linux host
// press Esc, then enter :wq to save and exit
[root@localhost named]# systemctl start named
[root@localhost named]# systemctl stop firewalld.service
[root@localhost named]# setenforce 0

2. Compile and install Apache manually and set up the source website

[root@localhost named]# mount.cifs //192.168.10.181/rpm /mnt    // mount the host folder that shares the source archives
Password for root@//192.168.10.181/rpm:                            // press Enter
[root@localhost named]# cd /mnt
[root@localhost mnt]# ls
anaconda-ks.cfg   error.png   LAMP-php5.6 directly here.txt   apr-1.6.2.tar.gz   httpd-2.4.29.tar.bz2   mysql-5.6.26.tar.gz
apr-util-1.6.0.tar.gz   initial-setup-ks.cfg   php-5.6.11.tar.bz2   Discuz_X2.5_SC_UTF8.zip   LAMP-C7.rar   yuan.jpg
[root@localhost mnt]# tar xjf httpd-2.4.29.tar.bz2 -C /opt/
[root@localhost mnt]# tar xzf apr-1.6.2.tar.gz -C /opt/
[root@localhost mnt]# tar xzf apr-util-1.6.0.tar.gz -C /opt/
[root@localhost mnt]# cd /opt/
[root@localhost opt]# ls
apr-1.6.2  apr-util-1.6.0  httpd-2.4.29  rh
[root@localhost opt]# mv apr-1.6.2/ httpd-2.4.29/srclib/apr
[root@localhost opt]# mv apr-util-1.6.0/ httpd-2.4.29/srclib/apr-util
[root@localhost opt]# yum install gcc gcc-c++ pcre pcre-devel zlib-devel expat-devel -y    // build environment packages
[root@localhost opt]# cd httpd-2.4.29/
[root@localhost httpd-2.4.29]# ./configure \        // configure the build
--prefix=/usr/local/httpd \
--enable-deflate \
--enable-so \
--enable-rewrite \
--enable-charset-lite \
--enable-cgi
[root@localhost httpd-2.4.29]# make && make install
[root@localhost httpd-2.4.29]# vim /usr/local/httpd/conf/httpd.conf
// search /ServerName, remove the leading # and change the line to:
ServerName www.zhy.com:80
// search /Listen, comment out the default listener and listen on your own Linux host's IPv4 address:
Listen 192.168.116.148:80
#Listen 80
// press Esc, then enter :wq to save and exit
[root@localhost httpd-2.4.29]# ln -s /usr/local/httpd/conf/httpd.conf /etc/httpd.conf    // create a symbolic link
[root@localhost httpd-2.4.29]# cd /usr/local/httpd/bin/
[root@localhost bin]# ls
ab            apu-1-config  dbmmanage    fcgistarter   htdigest   httxt2dbm
apachectl     apxs          envvars      htcacheclean  htpasswd   logresolve
apr-1-config  checkgid      envvars-std  htdbm         httpd      rotatelogs
[root@localhost bin]# vim /usr/local/httpd/htdocs/index.html
It works!
// insert the picture here if you need one; then press Esc and enter :wq to save and exit
[root@localhost bin]# cp /mnt/yuan.jpg /usr/local/httpd/htdocs/    // copy the picture into the document root
[root@localhost bin]# ./apachectl start
[root@localhost bin]# netstat -atnp | grep "80"
tcp        0      0 192.168.116.148:80      0.0.0.0:*       LISTEN      40569/httpd

Verify:

Open a Windows virtual machine, use it as the test side, and change its DNS resolution address.

Go to the browser and enter the domain name: www.zhy.com

Right-click the image and select Properties; the picture's URL is shown as http://www.zhy.com/yuan.jpg

Set up a hotlink website

Now open another Windows virtual machine and use it as the server of the hotlinking website.

Control Panel-programs-programs and Features-turn windows functions on and off-Select Internet Information Services

After the installation is complete, create a new web page file "index.html" in C:\inetpub\wwwroot

Test the web page

Now enter the hotlink website's IP address, 192.168.116.128, in the browser. If the same image as on the source website appears, the hotlink is working.

Establish hotlink protection measures

[root@localhost bin]# vim ../conf/httpd.conf
// search /rewrite, uncomment the rewrite_module LoadModule line, and insert the following rules below it:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://zhy.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://zhy.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.zhy.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.zhy.com$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.zhy.com/error.png
// press Esc after modifying, then enter :wq to save and exit

Copy the wrong picture

[root@localhost bin]# ls ../htdocs/
yuan.jpg  index.html
[root@localhost bin]# cp /aaa/LAMP/error.png ../htdocs/
[root@localhost bin]# ls ../htdocs/
error.png  yuan.jpg  index.html
[root@localhost bin]# ./apachectl stop
[root@localhost bin]# ./apachectl start

Verify hotlink protection

On the Windows test machine, enter 192.168.116.128 again. Because hotlink protection is now in place, visiting the hotlink website shows the error picture instead of the original image.
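To see exactly which requests the four RewriteCond lines let through, here is a small Python model of the rule set entered in httpd.conf above. This is an added example, not code from the original post; the sample requests are constructed. It also shows two edge cases the procedure does not mention: a request with no Referer at all (a visitor typing the image URL directly, or a browser that strips Referer) is redirected to error.png too, and a Referer is supplied by the client, so the check is a deterrent rather than a guarantee.

```python
import re

# Added example, not from the original post: a Python model of the four
# RewriteCond lines and the RewriteRule entered in httpd.conf above, so
# their combined effect can be checked against sample Referer values.
ALLOWED_REFERER_PATTERNS = [          # the four RewriteCond regexes
    r"^http://zhy.com/.*$",
    r"^http://zhy.com$",
    r"^http://www.zhy.com/.*$",
    r"^http://www.zhy.com$",
]
PROTECTED_FILE = re.compile(r".*\.(gif|jpg|swf)$")   # RewriteRule pattern
ERROR_IMAGE = "http://www.zhy.com/error.png"          # RewriteRule target


def resolve(path, referer):
    """Return what Apache serves for `path` given the request's Referer.

    Every RewriteCond is negated with '!', so the RewriteRule fires only
    when the Referer matches none of the four patterns; [NC] makes each
    comparison case-insensitive. The target is an absolute URL, so a match
    is an external redirect to error.png, and because error.png does not
    end in gif/jpg/swf the redirect cannot loop.
    """
    if not PROTECTED_FILE.match(path):
        return path                                   # not a protected type
    for pattern in ALLOWED_REFERER_PATTERNS:
        if re.match(pattern, referer, re.IGNORECASE):
            return path                               # a condition is false
    return ERROR_IMAGE                                # all conditions true


# Constructed sample requests: (requested path, Referer header value).
SAMPLES = [
    ("/yuan.jpg", "http://www.zhy.com/"),        # own site: served
    ("/yuan.jpg", "HTTP://WWW.ZHY.COM"),         # [NC]: still served
    ("/yuan.jpg", "http://192.168.116.128/"),    # hotlink site: error.png
    ("/yuan.jpg", ""),                           # no Referer at all: error.png
    ("/yuan.jpg", "https://www.zhy.com/"),       # https own site: error.png
    ("/index.html", ""),                         # not gif/jpg/swf: served
]


def run_samples():
    """Evaluate every sample and return {(path, referer): served_url}."""
    return {(path, ref): resolve(path, ref) for path, ref in SAMPLES}


if __name__ == "__main__":
    for (path, ref), served in run_samples().items():
        print(f"{path:12} Referer={ref!r:32} -> {served}")
```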

Optimize Apache Security Service-Hidden version number

Starting from the same configuration as the hotlink protection above, carry out the optimization of hiding the version number.

Experimental procedure

1. Verification before experiment

Go to the Windows client and use the "fiddler" packet capture tool to inspect the website's response headers.

At this point the capture shows the version suffix. Someone with bad intentions can attack the server based on the known vulnerabilities of that version, which is very insecure, so the version number needs to be hidden.

2. Start the optimization

[root@localhost ~]# vim /usr/local/httpd/conf/httpd.conf
// search /default and modify this line:
Include conf/extra/httpd-default.conf      // delete the leading #
// enter :wq to save and exit

Once this Include line is enabled, Apache reads the httpd-default.conf configuration file in /usr/local/httpd/conf/extra/, which is where the optimization is made.

[root@localhost bin]# vim /usr/local/httpd/conf/extra/httpd-default.conf
// search /ServerTokens and modify this line:
ServerTokens Prod                          // change Full to Prod
// enter :wq to save and exit
[root@localhost bin]# ./apachectl stop
[root@localhost bin]# ./apachectl start    // restart the service

3. Result verification
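The check performed with Fiddler above can also be done on a captured response head. The following Python code is an added example, not from the original post; the two responses are constructed to show the Server header before (ServerTokens Full) and after (ServerTokens Prod) the change, and the classifier covers the other ServerTokens levels as well.

```python
import re

# Added example, not from the original post: inspect the Server header of a
# raw HTTP response head, the same header the Fiddler capture above shows,
# and report which ServerTokens level it is consistent with.
PRODUCT_RE = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.(\d+))?)?)?$")


def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def tokens_level(server_value):
    """Map a Server header value to the ServerTokens setting that produces it.

    Prod -> "Apache", Major -> "Apache/2", Minor -> "Apache/2.4",
    Min -> "Apache/2.4.29", OS -> "Apache/2.4.29 (Unix)",
    Full -> "Apache/2.4.29 (Unix) PHP/5.6.11" (loaded modules appended).
    """
    if server_value is None:
        return "absent"
    parts = server_value.split()
    match = PRODUCT_RE.match(parts[0])
    if not match:
        return "unknown"                          # not an Apache httpd banner
    major, minor, patch = match.groups()
    if patch is None:
        return "Prod" if major is None else ("Major" if minor is None else "Minor")
    rest = " ".join(parts[1:])
    if not rest:
        return "Min"
    return "OS" if rest.startswith("(") and rest.endswith(")") else "Full"


def discloses_version(raw_response):
    """True when the response still reveals the httpd version (anything above Prod)."""
    return tokens_level(server_header(raw_response)) not in ("Prod", "absent")


# Constructed responses: before and after the ServerTokens change.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Unix) PHP/5.6.11\r\n"
          "Content-Type: text/html\r\n\r\n<html>It works!</html>")
AFTER = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
         "Content-Type: text/html\r\n\r\n<html>It works!</html>")

if __name__ == "__main__":
    print("before:", tokens_level(server_header(BEFORE)), discloses_version(BEFORE))
    print("after: ", tokens_level(server_header(AFTER)), discloses_version(AFTER))
```

Hiding the banner only changes what a scanner sees; the httpd version actually running is unchanged, so patching remains necessary.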
