2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In this issue, the editor explains how to prevent Host header attacks on a Web server. The article covers Apache, Nginx, Tomcat and IIS from a practitioner's point of view; I hope you get something out of it.
Apache:
Method 1:
Modify the conf\httpd.conf file under the Apache installation directory.
Set ServerName to the application's own domain name, for example:
ServerName www.domain.com:80
and add the following line:
UseCanonicalName On
Then restart Apache.
If the fix took effect, the self-referential URLs and redirects that Apache generates use the configured ServerName instead of the Host header supplied by the client, which is exactly what UseCanonicalName On controls.
Parameter explanation:
Method 2:
Modify the conf\httpd.conf file under the Apache installation directory.
Add configuration along the following lines. The first VirtualHost defined for an address is Apache's default for any Host header that matches no other ServerName, so it catches direct-IP and unknown-Host requests:
NameVirtualHost 192.168.0.16
<VirtualHost 192.168.0.16>
    ServerName 192.168.0.16
    <Location />
        Order Allow,Deny
        Deny from all
    </Location>
</VirtualHost>
<VirtualHost 192.168.0.16>
    DocumentRoot "C:\www"
    ServerName www.test.com
</VirtualHost>
Then restart Apache.
Function:
Any request that arrives with the bare IP 192.168.0.16 (or any other value that matches no ServerName) in the Host header lands in the first VirtualHost and is refused with an access-denied response. Only requests for www.test.com are served, with the document root at C:\www. NameVirtualHost and Order/Deny are Apache 2.2 syntax; on Apache 2.4, NameVirtualHost has no effect and the deny block is written as Require all denied.
Method 3:
Modify the conf\httpd.conf file under the Apache installation directory.
Find the line "#LoadModule rewrite_module modules/mod_rewrite.so" and remove the leading "#" to enable mod_rewrite.
Add configuration similar to the following:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^192\.168\.0\.16$ [NC]
RewriteRule ^(.*)$ /error.html [L]
Then restart Apache.
Function:
Any request whose Host header is not 192.168.0.16 is rewritten to the error page. The dots in the address are escaped because the condition is a regular expression (an unescaped dot matches any character), and [L] stops further rule processing for that request.
Nginx:
Method 1:
Modify nginx.conf.
Add a default server block. When the Host header is changed to a value that matches no configured server_name, nginx routes the request to the default server for that listen address and port, and this default server simply returns 403.
Example:
server {
    listen 8888 default_server;    # the catch-all for this port; only one per address:port
    server_name _;                 # never matches a real name, so only unmatched Hosts land here
    location / {
        return 403;
    }
}
Then restart nginx.
Method 2:
Modify nginx.conf.
Add a Host check to the target server block; the if block below is the part to add. $http_host is the raw Host header, so it includes the port whenever the client sends one, which browsers do for a non-default port such as 8888:
server {
    listen 8888;
    server_name 192.168.0.171;
    # reject any request whose Host header is not exactly the configured host:port
    if ($http_host !~* ^192\.168\.0\.171:8888$) {
        return 403;
    }
    include /etc/nginx/default.d/*.conf;
    location / {
        root /www/dvwa;
        index index.php index.html index.htm;
    }
}
Then restart nginx.
Tomcat:
Modify tomcat\conf\server.xml.
Find the Host element inside the Engine element (in a default installation it is the Host whose name is localhost).
Change the name attribute of that Host from localhost to the site's fixed domain name. Keep the Engine element's defaultHost attribute consistent with this change, and note that Tomcat routes any request whose Host header matches no configured Host name or alias to the defaultHost: if defaultHost points at the renamed site, unknown Host values are still served by it, so a separate, empty Host has to be made the defaultHost for them to be rejected.
Restart Tomcat to complete the fix.
IIS6.0:
Use the ISAPI_Rewrite plug-in to inspect the contents of the request and rewrite the URL.
Download address of the plug-in installer and cracking tool: https://pan.baidu.com/s/1hZVfCm7FraQWHlKMKyItFQ
After the download completes, double-click the installer and click Next through the installation.
Unpacking the cracking tool yields the three files shown in the figure.
Copy the three cracked files directly into the ISAPI_Rewrite installation directory, overwriting the official originals. If they cannot be overwritten, first rename the three official files, then copy the cracked files in.
After the replacement, the SERVICE group must be added to ISAPI_Rewrite.dll and granted Read and Read & Execute permissions. This step is essential; without it ISAPI_Rewrite will not work.
Open the IIS management tool and select the target site -> Properties -> ISAPI Filters -> Add -> select the path of the installed ISAPI_Rewrite.dll -> OK.
Restart IIS and reopen the IIS management tool; a new ISAPI_Rewrite tab appears in the target site's Properties, where .htaccess-style rewrite rules can be entered directly as needed.
For the Host header whitelist, refer to the rules shown in the original figure.
After configuration, click Apply; a request whose Host field is not the configured 192.168.2.141 is then automatically redirected to the error page.
IIS7.0/7.5/8.0:
Microsoft provides a URL Rewrite module that can filter request URLs. The module must be installed separately; the download addresses are:
Microsoft download address (64-bit): http://www.microsoft.com/zh-cn/download/details.aspx?id=7435
Microsoft download address (32-bit): http://www.microsoft.com/zh-cn/download/details.aspx?id=5747
After the download completes, double-click the installer and click Next through the installation.
Restart the IIS management tool; a URL Rewrite icon now appears under the IIS section.
Double-click URL Rewrite, then add a rule under Inbound rules.
Select the Request blocking template.
Configure the rule as in the figure: block access based on the Host header and fill in the site's domain name or IP, then click OK.
Double-click the rule just created.
Under "Block request that", select "does not match the pattern"; under "Using", select "exact match"; under "How to block", select "abort request"; then click Apply in the upper right corner.
Restart the website. Retesting shows that when the Host header is not 192.168.124.149 the server aborts the request, which blocks the Host header attack.
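Every method above implements the same rule, an allow-list on the Host header, and the way to verify any of them is to send requests whose Host value you control and check the status code, since a browser always sends its own. The script below is an added example, not code from the article or from any of the servers it covers: probe() sends one GET per Host value to the address and port you give it, and run_demo() runs probe() against a small stand-in server started in-process that applies the same allow-list rule, so the script works offline. The allow-list of www.test.com and 192.168.0.16 reuses the names from the Apache section; the stand-in server and the expected 200/403 results are assumptions about how the configured server behaves.

```python
"""Probe a web server's Host-header handling with controlled Host values.

Added example, not code from the article: probe() works against any of the
servers configured above; run_demo() exercises it against a stand-in server
(an assumption, started in-process) that applies the same allow-list rule.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allow-list: the names used in the Apache section of the article.
ALLOWED_HOSTS = {"www.test.com", "192.168.0.16"}


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True when the Host header names a configured site.

    Mirrors the configurations above: compare the whole value, case-insensitively,
    after removing an explicit port, so 'WWW.TEST.COM:80' passes and
    'www.test.com.evil.example' does not. A missing or empty header fails.
    """
    if not host_header:
        return False
    name = host_header.strip().lower()
    if name.startswith("["):               # IPv6 literal such as [::1]:8080
        name = name.split("]", 1)[0] + "]"
    else:
        name = name.split(":", 1)[0]       # drop ':port' from 'host:port'
    return name in {h.lower() for h in allowed}


class _AllowListHandler(BaseHTTPRequestHandler):
    """Stand-in server: 200 for an allowed Host header, 403 otherwise."""

    def do_GET(self):
        ok = host_allowed(self.headers.get("Host"))
        body = b"ok\n" if ok else b"forbidden\n"
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):          # keep the demo output quiet
        pass


def start_demo_server():
    """Start the stand-in server on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _AllowListHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(address, port, host_values, path="/"):
    """Send one GET per Host value and return {host_value: status_code}.

    http.client would normally add a Host header itself; skip_host=True lets the
    request carry exactly the value under test, including an empty one, or no
    Host header at all when the value is None.
    """
    results = {}
    for value in host_values:
        conn = http.client.HTTPConnection(address, port, timeout=5)
        try:
            conn.putrequest("GET", path, skip_host=True)
            if value is not None:
                conn.putheader("Host", value)
            conn.endheaders()
            response = conn.getresponse()
            response.read()
            results[value] = response.status
        finally:
            conn.close()
    return results


# Constructed sample: allowed names (with and without a port), look-alike
# names, an empty Host header and a request with no Host header at all.
SAMPLE_HOSTS = ["www.test.com", "WWW.TEST.COM:80", "192.168.0.16",
                "www.test.com.evil.example", "evil.example", "", None]


def run_demo(host_values=SAMPLE_HOSTS):
    """Probe the stand-in server with the sample Host values and return the results."""
    server, port = start_demo_server()
    try:
        return probe("127.0.0.1", port, host_values)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for host, status in run_demo().items():
        print(f"Host: {host!r:<30} -> {status}")
```

To check a real deployment, call probe() with the server's address and port, for example probe("192.168.0.171", 8888, SAMPLE_HOSTS) for the second nginx method, and confirm that only the values you intend to accept get 200 and everything else, including an empty or missing Host header, gets 403 (or the error page). Which exact values pass depends on the rule: the nginx if block above accepts only 192.168.0.171:8888 with the port, while the stand-in here also accepts the name with no port.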
This is how to prevent Host header attacks on a Web server, as shared by the editor. If you have similar questions, refer to the analysis above. If you want to know more, follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.