
My Apache Security Hardening

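2015-07-21 09:57
The following configuration is what I used in my production environment. I used Apache a lot in the past; these days I basically don't use it anymore, so I'm sharing it here.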

1. For spiders
<Location />
# Tag unwanted crawlers and clients by User-Agent (case-insensitive match)
#SetEnvIfNoCase User-Agent "spider" bad_bot
BrowserMatchNoCase bingbot bad_bot
BrowserMatchNoCase Googlebot bad_bot
BrowserMatchNoCase 360Spider bad_bot
BrowserMatchNoCase "iaskspider" badguy
BrowserMatchNoCase "QihooBot" badguy
BrowserMatchNoCase "larbin" badguy
BrowserMatchNoCase "iearthworm" badguy
BrowserMatchNoCase "Outfoxbot" badguy
BrowserMatchNoCase "lanshanbot" badguy
BrowserMatchNoCase "Arthur" badguy
BrowserMatchNoCase "InfoPath" badguy
BrowserMatchNoCase "DigExt" badguy
BrowserMatchNoCase "Embedded" badguy
BrowserMatchNoCase "EmbeddedWB" badguy
BrowserMatchNoCase "Wget" badguy
BrowserMatchNoCase "CNCDialer" badguy
BrowserMatchNoCase "LWP::Simple" badguy
BrowserMatchNoCase "WPS" badguy
# Apache 2.2 access-control syntax (on 2.4 this requires mod_access_compat)
Order Deny,Allow
Deny from 124.115.4. 124.115.0. 64.69.34.135 216.240.136.125 218.15.197.69 155.69.160.99 58.60.13. 121.14.96. 58.60.14. 58.61.164. 202.108.7.209
# Deny both tags: the list above sets badguy as well as bad_bot
Deny from env=bad_bot
Deny from env=badguy
</Location>
2. Hardening Apache with Rewrite
##### Apache URL keyword hardening policy
##### Add or remove keywords as needed
##### and test thoroughly. Example below:
RewriteEngine on
# Block requests whose URL path contains any of the keywords (case-insensitive)
RewriteCond %{REQUEST_URI} xwork|java|redirect|passwd|hosts|windows|script|ScRiPt|location|prompt|proc\/self\/environ|mosConfig_[a-zA-Z_]{1,21}(=|%3D)|base64_encode.*\(.*\)|(<|%3C).*script.*(>|%3E)|GLOBALS(=|\[|%[0-9A-Z]{0,2})|_REQUEST(=|\[|%[0-9A-Z]{0,2})|limit|\/WEB-INF\/web\.xml|applicationContext\.xml|\/manager\/html|\/jmx-console\/|\.properties|\.class|phpinfo\.php|\/conn\.asp|\/conn\.php|\/conn\.jsp|\/cmd\.asp|\/diy\.asp|\.asp;|\/(\w+)\.(\w+)\/(\w+)\.php|\.php\.|eval\(|%eval|\.jsp\?action=|fsaction=|/etc/passwd|\/%c0%ae%c0%ae|\/%2E%2E|boot\.ini|win\.ini|access\.log|httpd\.conf|nginx\.conf|boot\.ini|\/etc\/hosts|((\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|php|php5|jspx)|~)$) [NC]
# [F] answers 403 Forbidden, so the substitution URL is not used
RewriteRule ^/(.*) http://www.baidu.com/ [R,F]
# Same keyword list applied to the query string
RewriteCond %{QUERY_STRING} xwork|java|redirect|passwd|hosts|windows|script|ScRiPt|location|prompt|proc\/self\/environ|mosConfig_[a-zA-Z_]{1,21}(=|%3D)|base64_encode.*\(.*\)|(<|%3C).*script.*(>|%3E)|GLOBALS(=|\[|%[0-9A-Z]{0,2})|_REQUEST(=|\[|%[0-9A-Z]{0,2})|limit|\/WEB-INF\/web\.xml|applicationContext\.xml|\/manager\/html|\/jmx-console\/|\.properties|\.class|phpinfo\.php|\/conn\.asp|\/conn\.php|\/conn\.jsp|\/cmd\.asp|\/diy\.asp|\.asp;|\/(\w+)\.(\w+)\/(\w+)\.php|\.php\.|eval\(|%eval|\.jsp\?action=|fsaction=|/etc/passwd|\/%c0%ae%c0%ae|\/%2E%2E|boot\.ini|win\.ini|access\.log|httpd\.conf|nginx\.conf|boot\.ini|\/etc\/hosts|((\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|php|php5|jspx)|~)$) [NC]
RewriteRule ^/(.*) http://www.baidu.com/ [R,F]
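
The comments above say to adjust the keywords and test them. As an added example (not part of the original post), the Python script below runs a copy of the keyword pattern, with the literal `(`, `[` and `?` escaped, over constructed request paths and query strings and lists the legitimate ones that would receive a 403. The sample requests and the names `check` and `false_positives` are assumptions made for the illustration.

```python
import re

# Keyword pattern from the RewriteCond lines, with the literal "(", "[" and "?"
# escaped. Python's re accepts the same syntax as Apache's PCRE for this pattern.
PATTERN = (
    r"xwork|java|redirect|passwd|hosts|windows|script|ScRiPt|location|prompt"
    r"|proc\/self\/environ|mosConfig_[a-zA-Z_]{1,21}(=|%3D)|base64_encode.*\(.*\)"
    r"|(<|%3C).*script.*(>|%3E)|GLOBALS(=|\[|%[0-9A-Z]{0,2})"
    r"|_REQUEST(=|\[|%[0-9A-Z]{0,2})|limit|\/WEB-INF\/web\.xml"
    r"|applicationContext\.xml|\/manager\/html|\/jmx-console\/|\.properties"
    r"|\.class|phpinfo\.php|\/conn\.asp|\/conn\.php|\/conn\.jsp|\/cmd\.asp"
    r"|\/diy\.asp|\.asp;|\/(\w+)\.(\w+)\/(\w+)\.php|\.php\.|eval\(|%eval"
    r"|\.jsp\?action=|fsaction=|/etc/passwd|\/%c0%ae%c0%ae|\/%2E%2E|boot\.ini"
    r"|win\.ini|access\.log|httpd\.conf|nginx\.conf|boot\.ini|\/etc\/hosts"
    r"|((\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|php|php5|jspx)|~)$)"
)
RULE = re.compile(PATTERN, re.IGNORECASE)  # IGNORECASE mirrors the [NC] flag

def check(uri, query=""):
    """Return the keyword hit in the path and in the query string (None = no hit)."""
    u, q = RULE.search(uri), RULE.search(query)
    return (u.group(0) if u else None, q.group(0) if q else None)

# Constructed sample requests: (path, query string, should the rule block it?)
SAMPLES = [
    ("/index.html", "", False),
    ("/static/javascript/app.js", "", False),
    ("/store/locations", "page=2&limit=20", False),
    ("/docs/windows-install.pdf", "", False),
    ("/api/orders", "redirect_uri=%2Fhome", False),
    ("/WEB-INF/web.xml", "", True),
    ("/backup/site.sql", "", True),
    ("/phpinfo.php", "", True),
]

def false_positives(samples=SAMPLES):
    """Legitimate requests that would receive 403, with the keyword responsible."""
    hits = []
    for uri, query, should_block in samples:
        found = check(uri, query)
        if any(found) and not should_block:
            hits.append((uri, query, found))
    return hits

if __name__ == "__main__":
    for uri, query, found in false_positives():
        print(f"403 for legitimate request {uri}?{query} -> matched {found}")
```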


Honestly, I feel this is still of fairly marginal use. On my side I also run it together with a WAF. Heh.

This article comes from the “情商低的技术宅” blog; please do not repost!