=Start=
Reason:
OCD
Body:
Reference answer:
Generally speaking, among today's popular CMS frameworks WordPress counts as a relatively secure one. To keep a VPS/blog safe, besides upgrading WordPress promptly you can also add some simple protections at the Nginx layer, so that an operations mistake does not end with the VPS/blog being compromised or seeded with malware. Below is a brief rundown of the Nginx settings I know of and am currently using:
`
user nginx nginx;  # run Nginx worker processes as a low-privilege user

http {
    server_tokens off;  # do not reveal the exact Nginx version
    charset utf-8;
    ...
    limit_conn_zone $binary_remote_addr zone=perip:10m;  # zone for limiting concurrent connections per client IP
    # If limit_conn_zone is enabled, add "limit_conn perip 10;" to the server section.

    server {
        ...
        limit_conn perip 10;
        ...
        location ~* /wp-includes/.*\.php$ {  # never execute PHP files under wp-includes
            deny all;
            # access_log off;
            # log_not_found off;
        }
        location ~* /(?:uploads|files)/.*\.php$ {  # never execute PHP under uploads/files (an uploaded webshell cannot run)
            deny all;
            # access_log off;
            # log_not_found off;
        }
        location = /xmlrpc.php {  # disable WordPress XML-RPC
            deny all;
            # access_log off;
            # log_not_found off;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {  # hotlink protection
            expires 30d;
            valid_referers blocked *.ixyzero.com server_names ~\.google\. ~\.baidu\.;
            # valid_referers none blocked *.ixyzero.com server_names ~\.google\. ~\.baidu\.;  # "none" also allows an empty Referer; use as needed
            if ($invalid_referer) {
                return 403;
                # rewrite ^/ http://ixyzero.com/403.jpg;
            }
        }
        location ~ .*\.(js|css)$ {
            expires 12h;
        }
        # Keep sensitive files in the web root from being downloaded
        location ~* \.(rar|zip|gz|tar|tgz|tar\.gz|7z|z|bz2|tar\.bz2|sql|log|ini|bak|old|conf|idea|DS_Store|swp|svn/entries|git/config)$ {
            deny all;
        }
    }
}
`
References:
- http://www.ttlsa.com/nginx/nginx-referer/
- http://www.ttlsa.com/nginx/nginx-modules-secure_link/
- http://www.ccvita.com/312.html
- https://wizardforcel.gitbooks.io/nginx-doc/content/Text/7.5_doorchain.html
- Nginx: deny access via the bare IP address
- https://www.leavesongs.com/PENETRATION/nginx-safe-dir.html
- https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
- http://stackoverflow.com/questions/32960967/nginx-location-deny-by-file-extension-syntax
=END=
11 comments on "Simple WordPress protection with Nginx"
A summary of common web source-code leaks
http://www.mottoin.com/95749.html
`
.hg source leak  https://github.com/kost/dvcs-ripper
.git source leak  https://github.com/lijiejie/GitHack
.DS_Store file leak  https://github.com/lijiejie/ds_store_exp
Website backup archives  https://github.com/ring04h/weakfilescan (.rar/.zip/.7z/.tar.gz/.bak/.swp/.txt)
SVN-caused file leak  https://github.com/kost/dvcs-ripper
WEB-INF/web.xml leak
CVS leak
Bazaar/bzr
`
A tool by lijiejie for exploiting .DS_Store file disclosure (A .DS_Store file disclosure exploit. It parses .DS_Store files and downloads files recursively.)
https://github.com/lijiejie/ds_store_exp
lijiejie also wrote GitHack earlier
https://github.com/lijiejie/GitHack
An escalated case of GitHub information leakage
http://www.ms509.com/?p=718
https://www.waitalone.cn/git-local-decode.html
Nginx configuration: require a password for PHP files/directories to protect restricted content
https://www.qs5.org/Post/654.html
`
# File that needs no password
location ~ ^/pass/test\.php(/|$)
{
    try_files $uri =404;
    fastcgi_pass unix:/tmp/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
}
# File that needs only a password
location ~ ^/pass/home\.php(/|$)
{
    # enable password authentication
    auth_basic "Welcome Pass.";
    auth_basic_user_file /home/htdocs/default/.htpasswd;
    # requires a "limit_req_zone ... zone=auth_logs:..." definition in the http block
    limit_req zone=auth_logs burst=3;
    try_files $uri =404;
    fastcgi_pass unix:/tmp/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
}
# Everything else that needs a password
location ~ [^/]\.php(/|$)
{
    # only requests carrying the header may continue
    if ($http_x_safe_token != 'vv9Th1bg'){
        return 404;
    }
    # enable password authentication
    auth_basic "Welcome Home.";
    # password file
    auth_basic_user_file /home/htdocs/default/.htpasswd;
    # limit authentication attempts (anti brute-force)
    limit_req zone=auth_logs burst=3;
    try_files $uri =404;
    fastcgi_pass unix:/tmp/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
}
`
Parsing the .DS_Store file format
https://mp.weixin.qq.com/s/ZgZYr_GR7ZBAq0fLBkdoQA
https://github.com/gehaxelt/ds_store
Rate limiting in Nginx
https://chenyongjun.vip/articles/81
`
Rate limiting in everyday life?
Rate limiting in Nginx
Controlling the request rate
Plain rate limiting
Handling bursts of traffic
Limiting the number of connections
Setting up a whitelist
Further reading
References
`
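The password-protection snippet above relies on `limit_req zone=auth_logs burst=3`, and the rate-limiting article describes the same mechanism. The following Python model is an added example (not code from this page, from Nginx, or from any linked article) that reproduces the leaky-bucket accounting of ngx_http_limit_req_module: each request adds one unit of excess, excess drains at the zone's rate, and a request is rejected once excess would exceed burst. The zone rate (1r/s) and the client address are assumptions, since the snippet sets only burst=3.

```python
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    """Model of one Nginx limit_req zone (ngx_http_limit_req_module semantics)."""
    rate: float            # permitted requests per second (e.g. 1r/s -> 1.0)
    burst: int = 0         # extra requests tolerated before rejecting with 503
    nodelay: bool = False  # serve burst requests at once instead of pacing them
    _state: dict = field(default_factory=dict)  # key -> (excess, last_seen)

    def request(self, key, now):
        """Account one request at time `now`; return (accepted, delay_seconds)."""
        if key not in self._state:
            # The first request from a key is accepted and starts with zero excess.
            self._state[key] = (0.0, now)
            return True, 0.0
        excess, last = self._state[key]
        # Drain excess at `rate` for the elapsed time, charge this request,
        # and clamp at zero (Nginx: excess - rate*ms/1000 + 1000, floored at 0).
        excess = max(0.0, excess - self.rate * (now - last) + 1.0)
        if excess > self.burst:
            # Rejected requests leave the stored state untouched.
            return False, 0.0
        self._state[key] = (excess, now)
        # Without nodelay, queued requests are paced so they drain at `rate`.
        delay = 0.0 if self.nodelay else excess / self.rate
        return True, delay


def simulate(zone, arrivals, key="203.0.113.7"):  # key: constructed client address
    """Feed constructed arrival times (seconds) for one client through the zone."""
    return [zone.request(key, t) for t in arrivals]


if __name__ == "__main__":
    # Constructed sample: a password-guessing client sends six requests to
    # wp-login.php within 200 ms, then one more a second later.
    arrivals = [0.00, 0.05, 0.10, 0.15, 0.18, 0.20, 1.20]
    zone = LimitReqZone(rate=1.0, burst=3)  # assumed: limit_req_zone ... rate=1r/s
    for t, (ok, delay) in zip(arrivals, simulate(zone, arrivals)):
        print(f"t={t:.2f}s {'accept' if ok else 'reject 503'} delay={delay:.2f}s")
```

With burst=3 the first four requests are accepted (the last three paced by delay), the fifth and sixth are rejected, and the request a second later is accepted again; with burst=0 the zone admits exactly one request per 1/rate seconds.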
Preventing password brute-forcing on WordPress
https://tlanyan.me/wordpress-prevent-password-brute-force/
`
My usual approach before was to modify the wp-login.php file and redirect requests to an Ubuntu or CentOS ISO download page. Because the site has automatic updates enabled, WordPress usually updates itself as soon as a new version is released, which wipes out the change to wp-login.php and turns it back into the login entry point. Making the change in the theme has a similar drawback.
Today the e-mails got on my nerves, and then it occurred to me that the redirect can be done in Nginx! That way it doesn't matter if WordPress overwrites the file on every update. So I got to work and added these entries to Nginx's server block:
server {
…
    location = /wp-login.php {
        # "rewrite ... permanent" issues a 301; Nginx has no "redirect" directive
        rewrite ^ http://mirrors.aliyun.com/centos/7.6.1810/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso permanent;
    }
    location = /xmlrpc.php {
        rewrite ^ http://mirrors.aliyun.com/centos/7.6.1810/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso permanent;
    }
…
}
`
Using a GZip bomb against website scanning tools
https://rocka.me/article/defend-website-with-gzip-bomb
https://paper.tuisec.win/detail/011eb2977b31bd7
https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html
https://paper.tuisec.win/detail/0954d810d731478
A few security-related Nginx settings
https://mp.weixin.qq.com/s/D6PeQ_lzcaY8pmOLqTY-gQ
`
Hide the version number – server_tokens off;
Enable HTTPS
Add allow/deny lists – allow/deny
Add account authentication – auth_basic/auth_basic_user_file
Restrict request methods – $request_method
Reject User-Agents – $http_user_agent
Image hotlink protection – valid_referers
Limit concurrent connections – limit_conn_zone
Buffer overflow attacks
Header settings
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
`
A website that generates Nginx configuration files online
https://nginxconfig.io/
Using Nginx to quickly set up HTTPS mutual (client-certificate) authentication
https://www.hi-linux.com/posts/38492.html