Apache Web Page Optimization (2)-hotlink protection and hidden version

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Realizing hotlink protection with Apache

Hotlink protection prevents other people's website code from stealing (hotlinking) the pictures, files, videos and other resources served by our server.

If other sites hotlink these static resources, they obviously increase the bandwidth pressure on our server.

So, as maintainers of the website, we want to stop other websites from embezzling the static resources of our server. The configuration uses the following variables and directives.

Rule variable description:
%{HTTP_REFERER}: the Referer field of the request header sent by the browser; it stores the URL of the page that linked to the requested resource, i.e. the link from which the requested page was reached.
!^: does not start with the following string.
.*$: followed by any characters up to the end of the string.
NC: case-insensitive match.
R: forced jump (redirect).

Rule directive description:
RewriteEngine On: enables the web page rewriting function.
RewriteCond: sets a matching condition.
RewriteRule: sets the jump action.

Rule matching description: the conditions are processed one by one. If the value of the corresponding variable matches the rule set by a RewriteCond, the next condition is evaluated, and the RewriteRule is applied only when all of them match; as soon as one condition does not match, the subsequent conditions are no longer evaluated and the rule does not fire.

Apache hotlink protection experiment

(1) install the DNS service package bind.

[root@localhost ~]# yum install bind -y
... // installation process omitted
[root@localhost ~]#

(2) modify the main configuration file of the DNS service.

[root@localhost ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };            // 127.0.0.1 changed to any
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };              // localhost changed to any
        ... // the rest of the file is left unchanged

(3) modify the regional configuration file of the DNS service.

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "abc.com" IN {                    // add the domain name information
        type master;
        file "abc.com.zone";
        allow-update { none; };
};

(4) check the IP address.

[root@localhost named]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.52.133  netmask 255.255.255.0  broadcast 192.168.52.255
        inet6 fe80::3e1d:31ba:f66a:6f80  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:27:1c:3f  txqueuelen 1000  (Ethernet)
        RX packets 14532  bytes 20210558 (19.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6054  bytes 399142 (389.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

(5) Copy a zone data file template of the DNS service, preserving its permissions, and modify it.

[root@localhost ~]# cd /var/named/                       // change directory
[root@localhost named]# ls                               // view
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@localhost named]# cp -p named.localhost abc.com.zone    // copy, keeping the permissions
[root@localhost named]# vim abc.com.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www     IN A    192.168.52.133                           // domain name resolution: add an IPv4 record

(6) start the named service.

[root@localhost named]# systemctl start named               // enable the service
[root@localhost named]# systemctl stop firewalld.service    // turn off the firewall
[root@localhost named]# setenforce 0                        // disable the enhanced security feature (SELinux)
[root@localhost named]#

(7) Share the toolkit we need on the Windows host.

(8) Mount the toolkit into the Linux system through the Samba service.

[root@localhost ~]# smbclient -L //192.168.100.50        // view the share
Enter SAMBA\root's password:                             // anonymous share, no password, press Enter directly
OS=[Windows 10 Enterprise LTSC 2019 17763] Server=[Windows 10 Enterprise LTSC 2019]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       Remote IPC
        share           Disk
        tools           Disk
        Users           Disk
Connection to 192.168.100.50 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
[root@localhost ~]# mkdir /mnt/tools/                    // create a mount directory
[root@localhost ~]# mount.cifs //192.168.100.50/tools /mnt/tools/    // mount
Password for root@//192.168.100.50/tools:
[root@localhost ~]# cd /mnt/tools/                       // enter the mount directory
[root@localhost tools]# ls                               // view
awstats-7.6.tar.gz  cronolog-1.6.2-14.el7.x86_64.rpm  extundelete-0.2.4.tar.bz2  fiddler.exe  forbid.png
intellijideau2018.rar  jdk-8u191-windows-x64.zip  john-1.8.0.tar.gz  LAMP-C7  picture.jpg
[root@localhost tools]#

(9) Unpack the source code packages of the Apache service, which we will compile and install, into the "/opt/" directory.

[root@localhost tools]# cd LAMP-C7/                      // switch directory
[root@localhost LAMP-C7]# ls
apr-1.6.2.tar.gz  apr-util-1.6.0.tar.gz  Discuz_X2.5_SC_UTF8.zip  httpd-2.4.29.tar.bz2  LAMP-php5.6.txt  mysql-5.6.26.tar.gz  php-5.6.11.tar.bz2
[root@localhost LAMP-C7]# tar jxvf httpd-2.4.29.tar.bz2 -C /opt/     // decompress
... // decompression details omitted
[root@localhost LAMP-C7]# tar zxvf apr-1.6.2.tar.gz -C /opt/         // decompress
... // decompression details omitted
[root@localhost LAMP-C7]# tar zxvf apr-util-1.6.0.tar.gz -C /opt/    // decompress
... // decompression details omitted

(10) go to the "/ opt/" directory, move the two apr packages to the "httpd-2.4.29/srclib/" directory, and rename them.

[root@localhost LAMP-C7]# cd /opt/
[root@localhost opt]# ls
apr-1.6.2  apr-util-1.6.0  httpd-2.4.29  rh
[root@localhost opt]# mv apr-1.6.2/ httpd-2.4.29/srclib/apr
[root@localhost opt]# mv apr-util-1.6.0/ httpd-2.4.29/srclib/apr-util

(11) Go to the "httpd-2.4.29/" directory and install the packages required for compilation.

[root@localhost opt]# ls
httpd-2.4.29  rh
[root@localhost opt]# cd httpd-2.4.29/
[root@localhost httpd-2.4.29]# ls
ABOUT_APACHE     apache_probes.d  BuildBin.dsp    configure     httpd.dep    InstallBin.dsp  libhttpd.mak  NOTICE           README.platforms  support
acinclude.m4     ap.d             buildconf       configure.in  httpd.dsp    LAYOUT          LICENSE       NWGNUmakefile    ROADMAP           test
Apache-apr2.dsw  build            CHANGES         docs          httpd.mak    libhttpd.dep    Makefile.in   os               server            VERSIONING
Apache.dsw       BuildAll.dsp     CMakeLists.txt  emacs-style   httpd.spec   libhttpd.dsp    Makefile.win  README           srclib
[root@localhost httpd-2.4.29]# yum -y install \
> gcc \
> gcc-c++ \
> make \
> pcre \
> pcre-devel \
> expat-devel \
> zlib-devel \
> perl
... // installation process omitted

(12) configure the Apache server.

[root@localhost httpd-2.4.29]# ./configure \
> --prefix=/usr/local/httpd \      // installation path
> --enable-deflate \               // enable compression module support
> --enable-expires \               // enable cache module support
> --enable-so \                    // enable dynamic loading module support
> --enable-rewrite \               // enable web address rewriting
> --enable-charset-lite \          // enable character set support
> --enable-cgi                     // enable CGI script support

(13) compile and install the Apache service.

[root@localhost httpd-2.4.29]# make && make install
... // compilation and installation process omitted
[root@localhost httpd-2.4.29]#

(14) modify the Apache service configuration file

[root@localhost httpd-2.4.29]# ln -s /usr/local/httpd/conf/httpd.conf /etc/httpd.conf    // create a soft link for convenient use
[root@localhost httpd-2.4.29]# vim /usr/local/httpd/conf/httpd.conf
Listen 192.168.52.133:80           // enable IPv4 listening on the address shown by ifconfig in step (4)
#Listen 80                         // comment out the IPv6 listening line
ServerName www.abc.com:80          // set the domain name

(15) copy the two pictures under the "/ mnt/tools/" directory to the Apache service site directory "/ usr/local/httpd/htdocs/".

[root@localhost httpd-2.4.29]# cd /mnt/tools/
[root@localhost tools]# ls
awstats-7.6.tar.gz  cronolog-1.6.2-14.el7.x86_64.rpm  extundelete-0.2.4.tar.bz2  fiddler.exe  forbid.png
intellijideau2018.rar  jdk-8u191-windows-x64.zip  john-1.8.0.tar.gz  LAMP-C7  picture.jpg
[root@localhost tools]# cp picture.jpg /usr/local/httpd/htdocs/
[root@localhost tools]# cp forbid.png /usr/local/httpd/htdocs/
[root@localhost tools]# cd /usr/local/httpd/htdocs/
[root@localhost htdocs]# ls
forbid.png  index.html  picture.jpg
[root@localhost htdocs]#

(16) modify the home page file to add the picture "picture.jpg" to the home page.

[root@localhost htdocs]# vim index.html
<html><body><h1>It works!</h1>
<img src="picture.jpg">            // add the picture to the home page
</body></html>

(17) move the "apachectl" file under the "/ usr/local/httpd/bin/" directory to the "/ etc/init.d/" directory, add the chkconfig recognition configuration at the beginning of the file, and then add it as a standard Linux system service.

[root@localhost htdocs]# cd /opt/httpd-2.4.29/                 // switch directory
[root@localhost httpd-2.4.29]# cp /usr/local/httpd/bin/apachectl /etc/init.d/httpd    // copy
[root@localhost httpd-2.4.29]# vim /etc/init.d/httpd           // add two declaration lines at the beginning of the file
# chkconfig: 35 85 21                                          // service identification: start at run levels 3 and 5, start order 85, stop order 21
# description: Apache is a World Wide Web server               // service description
[root@localhost httpd-2.4.29]# chkconfig --add httpd           // add httpd as a system service
[root@localhost httpd-2.4.29]# ln -s /usr/local/httpd/bin/* /usr/local/bin/    // soft-link the Apache command files into a directory the system searches
[root@localhost httpd-2.4.29]# apachectl -t                    // check the Apache configuration file syntax
Syntax OK                                                      // correct
[root@localhost httpd-2.4.29]# service httpd start             // start the Apache service
[root@localhost httpd-2.4.29]#

(18) We change the DNS address of the win10-1 host to the IP address of the Linux system, and then access the domain name "www.abc.com" successfully.

(19) configure the win10-2 host with a static IP address on the same network segment as the LinuxIP address. Then configure the DNS address as the Linux system IP address. Then visit the domain name "www.abc.com", and the access is successful.

(20) right-click the picture and click Properties. Get the URL of the picture and copy it.

(21) enter the control panel, operate according to the following picture, and build the web service on the win10-2 host.

(22) create a new TXT text file and enter the contents of the following figure. Then save and change the file name to "index.html". And move it to the default site directory of the web service.

(23) We then use the win10-1 host to visit the site built by the win10-2 host, and we can see that the picture of the "www.abc.com" site has been successfully hotlinked.

(24) Modify the Apache service configuration file: use "/" to search for the keyword "rewrite", delete the "#" to enable the rewrite module used for hotlink protection, and then add the rules at the end of the <Directory> tag shown below.

[root@localhost httpd-2.4.29]# vim /etc/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so       // remove the leading # to enable the hotlink protection (rewrite) module
DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs">                  // add the rules at the end of this tag
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted

    RewriteEngine On                                   // the following are the rules
    RewriteCond %{HTTP_REFERER} !^http://abc.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://abc.com$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.abc.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.abc.com/$ [NC]
    RewriteRule .*\.(gif|jpg|swf)$ http://www.abc.com/forbid.png    // jump to our hotlink protection picture
</Directory>
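To make the rule matching description above concrete, here is an added example (not code from the original page) that models the Referer check performed by the RewriteCond/RewriteRule block of step (24): each negated condition is tested against %{HTTP_REFERER}, all of them are ANDed, and the rule fires only when none of the allowed patterns matches. The host name, patterns and picture name are taken from the page; the request paths, the hotlinking host address and the hardened pattern are constructed assumptions of this example. Running it shows the edge cases the page does not spell out: a request with no Referer at all is also redirected, an https:// Referer from the site's own pages is redirected because the patterns only allow http://, an uppercase .JPG is not rewritten because the RewriteRule carries no [NC], and the unescaped dots in the patterns let a look-alike host such as wwwXabcXcom pass.

```python
import re

# Added example, not code from the original page: a model of the Referer check
# performed by the RewriteCond/RewriteRule block in step (24). The site host,
# patterns and forbid.png come from the page; the test inputs are constructed.

SITE_HOST = "www.abc.com"
FORBID_URL = "http://" + SITE_HOST + "/forbid.png"

# The four RewriteCond patterns from the page. In Apache each carries a leading
# "!" (negated) and [NC] (case-insensitive); the conditions are ANDed, so the
# rule fires only when NONE of these patterns matches the Referer.
PAGE_REFERER_PATTERNS = [
    r"^http://abc.com/.*$",
    r"^http://abc.com$",
    r"^http://www.abc.com/.*$",
    r"^http://www.abc.com/$",
]

# RewriteRule pattern from the page: only gif/jpg/swf requests are rewritten.
# There is no [NC] on the RewriteRule, so the match is case-sensitive.
RULE_PATTERN = re.compile(r".*\.(gif|jpg|swf)$")

# Hardened variant (an assumption of this example, not on the page): dots are
# escaped so "." cannot match an arbitrary character, https is accepted, and
# the path part is optional.
HARDENED_PATTERN = re.compile(r"^https?://(www\.)?abc\.com(/.*)?$", re.IGNORECASE)


def referer_allowed(referer, patterns=PAGE_REFERER_PATTERNS):
    """True when the Referer matches at least one allowed pattern, i.e. one
    negated RewriteCond fails and mod_rewrite stops evaluating the chain."""
    return any(re.match(p, referer, re.IGNORECASE) for p in patterns)


def rewrite(path, referer="", hardened=False):
    """Return the URL the client ends up fetching for a request of `path` that
    carried `referer` (empty string when the browser sent no Referer header)."""
    if not RULE_PATTERN.match(path):
        return path                       # not an image type covered by the rule
    if hardened:
        allowed = HARDENED_PATTERN.match(referer) is not None
    else:
        allowed = referer_allowed(referer)
    return path if allowed else FORBID_URL


if __name__ == "__main__":
    # Constructed requests: own site, a hotlinking host on the experiment's
    # network segment (address assumed), no Referer, own site over https,
    # a look-alike host, the forbid picture itself and an uppercase extension.
    cases = [
        ("/picture.jpg", "http://www.abc.com/"),
        ("/picture.jpg", "http://192.168.52.134/index.html"),
        ("/picture.jpg", ""),
        ("/picture.jpg", "https://www.abc.com/"),
        ("/picture.jpg", "http://wwwXabcXcom/"),
        ("/forbid.png", ""),
        ("/picture.JPG", ""),
    ]
    for path, ref in cases:
        print(f"{path:13} Referer={ref!r:36} page rule -> {rewrite(path, ref)}"
              f"   hardened -> {rewrite(path, ref, hardened=True)}")
```

Two points follow from the output. First, the page's rule set also redirects clients that send no Referer (direct visits, privacy extensions, some proxies); a common Apache idiom is to add `RewriteCond %{HTTP_REFERER} !^$` so that an empty Referer is allowed. Second, the Referer header is supplied by the client and can be set to anything, so this mechanism only reduces casual hotlinking and bandwidth use; it is not an access control.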

(25) restart Apache service.

[root@localhost httpd-2.4.29]# service httpd stop
[root@localhost httpd-2.4.29]# service httpd start
[root@localhost httpd-2.4.29]#

(26) use the win10-1 host to access the site with the domain name "www.abc.com" of the Linux system, and the site of the win10-2 host.

At this time, the win10-2 host can no longer hotlink the images.

Configure Apache to hide version information

The version information of Apache reveals which known vulnerabilities may apply to the server, which brings security risks to the website.

In a production environment, Apache should therefore be configured to hide its version information. The Fiddler packet-capture tool can be used to analyze the result in the hidden-version experiment below.

(1) Continuing from the previous experiment, we use the win10-1 host to visit the "www.abc.com" site while the Fiddler tool captures the traffic. At this point, we can see the version number of Apache in the response Headers.

(2) Modify the Apache service main configuration file and enable the sub-configuration file.

[root@localhost httpd-2.4.29]# vim /etc/httpd.conf
# Various default settings
Include conf/extra/httpd-default.conf          // enable the sub-configuration file (remove the leading #)

(3) enter the default sub-configuration file and modify the configuration file. Then restart the Apache service.

[root@localhost httpd-2.4.29]# cd /usr/local/httpd/conf/     // switch directory
[root@localhost conf]# ls                                    // view
extra  httpd.conf  magic  mime.types  original
[root@localhost conf]# cd extra/                             // switch directory
[root@localhost extra]# ls                                   // view
httpd-autoindex.conf  httpd-dav.conf  httpd-default.conf  httpd-info.conf  httpd-languages.conf  httpd-manual.conf
httpd-mpm.conf  httpd-multilang-errordoc.conf  httpd-ssl.conf  httpd-userdir.conf  httpd-vhosts.conf  proxy-html.conf
[root@localhost extra]# vim httpd-default.conf               // edit the configuration file
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod                                            // change Full to Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off                                          // disable the signature (Off by default)
[root@localhost extra]# service httpd stop                   // stop the service
[root@localhost extra]# service httpd start                  // start the service
[root@localhost extra]#
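As an added example (not code from the original page), the following script checks a raw HTTP response for the two disclosures that ServerTokens Prod and ServerSignature Off remove: the version in the Server header and the version footer that Apache appends to server-generated error pages. It also maps a Server header value back to the ServerTokens level that produces it, following the level list quoted in the httpd-default.conf comment above. The two responses are constructed samples, not captures from the page's Fiddler session; the version strings reuse the httpd 2.4.29 and php 5.6.11 packages named on the page, and the PHP token in the Full sample is an assumption.

```python
import re

# Added example, not code from the original page. The responses below are
# constructed samples of what a default build and a build with
# ServerTokens Prod / ServerSignature Off return for a missing page.

RESPONSE_BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Unix)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<hr>\n<address>Apache/2.4.29 (Unix) Server at www.abc.com Port 80</address>\n"
    "</body></html>\n"
)
RESPONSE_AFTER = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "</body></html>\n"
)


def split_response(raw):
    """Return (headers dict keyed by lower-case name, body) for a raw response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def server_tokens_level(server_value):
    """Map a Server header value to the ServerTokens level that produces it:
    Prod -> "Apache", Major -> "Apache/2", Minor -> "Apache/2.4",
    Minimal -> "Apache/2.4.29", OS -> "Apache/2.4.29 (Unix)",
    Full -> OS plus module tokens such as "PHP/5.6.11"."""
    product, _, rest = server_value.partition(" ")
    _name, _, version = product.partition("/")
    if not version:
        return "Prod"
    components = version.split(".")
    if len(components) == 1:
        return "Major"
    if len(components) == 2:
        return "Minor"
    if not rest:
        return "Minimal"
    if rest.startswith("(") and rest.endswith(")"):
        return "OS"
    return "Full"


def version_leaks(raw):
    """List the places in a response that still disclose the Apache version."""
    headers, body = split_response(raw)
    findings = []
    server = headers.get("server", "")
    if re.search(r"/\d+(\.\d+)*", server):        # a "/<number>" version token
        findings.append("Server header: %s (ServerTokens %s)"
                        % (server, server_tokens_level(server)))
    footer = re.search(r"<address>(.*?)</address>", body, re.S)
    if footer and "Apache/" in footer.group(1):   # ServerSignature On footer
        findings.append("ServerSignature footer: " + footer.group(1))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print(label, "->", version_leaks(raw) or "no version disclosed")
```

Pointing the same check at a live server (for example by reading the headers Fiddler shows for a 404 page) gives a repeatable test that both directives took effect after the restart, which is more reliable than eyeballing the capture.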

(4) Visit the site again with the win10-1 host and view the response headers captured by the Fiddler tool. At this time, the version number of the Apache service has been hidden.
