nginx防SQL注入与文件注入的相关安全设置

下面的规则放在 nginx 配置文件的 server 块里,通过对 $query_string 做正则匹配,在一定程度上拦截 SQL 注入与文件包含形式的探测请求。注意:这只是基于正则的黑名单,很容易被大小写变化、URL 编码(如 %75nion、%2e%2e/)等手段绕过,而且 $query_string 是未解码的原始字串;它只能过滤掉粗糙的扫描噪音,不能替代应用层的参数化查询与输入校验。

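  server {
  [...]

      ## Request filtering on the raw query string.
      ## These rules are a coarse blocklist, not a WAF: $query_string is matched
      ## exactly as sent (not URL-decoded), so percent-encoded payloads
      ## (%75nion, %2e%2e/) pass straight through, and every pattern below can be
      ## varied around. Keep them as a noise filter in front of an application
      ## that already uses parameterized queries and validates file paths itself.
      ## `if` is only used at server level with `set`/`return`, which is the safe
      ## subset; do not copy these into a `location` with other directives.
      ## `~*` matches case-insensitively — the original `~` let `UNION SELECT`,
      ## `<SCRIPT>` and `%3c` through untouched.

      ## Block SQL injections
      set $block_sql_injections 0;
      if ($query_string ~* "union.*select.*\(") {
          set $block_sql_injections 1;
      }
      if ($query_string ~* "union.*all.*select.*") {
          set $block_sql_injections 1;
      }
      # Also trips on legitimate parameters that happen to contain "concat(".
      if ($query_string ~* "concat.*\(") {
          set $block_sql_injections 1;
      }
      if ($block_sql_injections = 1) {
          return 403;
      }

      ## Block file injections (remote / local file inclusion probes)
      set $block_file_injections 0;
      # Parameter whose value is an absolute URL. Covers http:// and https://
      # (the original matched http:// only); protocol-relative "=//host" and
      # other schemes (ftp://, php://, data:) are still not covered.
      if ($query_string ~* "[a-zA-Z0-9_]=https?://") {
          set $block_file_injections 1;
      }
      # Literal "../" traversal; encoded forms (%2e%2e%2f) and backslashes are
      # not matched here.
      if ($query_string ~* "[a-zA-Z0-9_]=(\.\.//?)+") {
          set $block_file_injections 1;
      }
      # Kept as in the widely copied blacklist it comes from. As written it only
      # matches paths made of single-character segments (e.g. "=/a/b/"), not
      # "=/etc/passwd"; the intent was presumably "[a-z0-9_.]+/", but widening
      # it would also block ordinary "redirect=/some/path" parameters — verify
      # against your application before changing it.
      if ($query_string ~* "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
          set $block_file_injections 1;
      }
      if ($block_file_injections = 1) {
          return 403;
      }

      ## Block common exploits
      set $block_common_exploits 0;
      # Reflected-XSS probe: <script ...> with raw or %-encoded angle brackets.
      if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
          set $block_common_exploits 1;
      }
      # Attempts to overwrite PHP superglobals via the query string.
      if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
          set $block_common_exploits 1;
      }
      if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
          set $block_common_exploits 1;
      }
      # /proc/self/environ is commonly used to turn a local file include into
      # code execution (payload smuggled in via request headers).
      if ($query_string ~* "proc/self/environ") {
          set $block_common_exploits 1;
      }
      # mosConfig_* variable injection against old Mambo/Joomla installs.
      if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
          set $block_common_exploits 1;
      }
      # Obfuscated PHP payloads.
      if ($query_string ~* "base64_(en|de)code\(.*\)") {
          set $block_common_exploits 1;
      }
      if ($block_common_exploits = 1) {
          return 403;
      }

      ## Block spam
      ## Site-specific: a medical or pharmacy site will legitimately see these
      ## words in search parameters. Drop this section if that applies to you.
      set $block_spam 0;
      if ($query_string ~* "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
          set $block_spam 1;
      }
      if ($query_string ~* "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
          set $block_spam 1;
      }
      if ($query_string ~* "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
          set $block_spam 1;
      }
      if ($query_string ~* "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
          set $block_spam 1;
      }
      if ($block_spam = 1) {
          return 403;
      }

      ## Block user agents
      ## The User-Agent header is attacker-controlled and trivially changed; this
      ## only shaves off lazy scanners and bulk downloaders.
      set $block_user_agents 0;

      # Don't disable wget if you need it to run cron jobs!
      #if ($http_user_agent ~* "Wget") {
      #    set $block_user_agents 1;
      #}

      # Disable Akeeba Remote Control 2.5 and earlier
      if ($http_user_agent ~* "Indy Library") {
          set $block_user_agents 1;
      }

      # Common bandwidth hoggers and hacking tools.
      if ($http_user_agent ~* "libwww-perl") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "GetRight") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "GetWeb!") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "Go!Zilla") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "Download Demon") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "Go-Ahead-Got-It") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "TurnitinBot") {
          set $block_user_agents 1;
      }
      if ($http_user_agent ~* "GrabNet") {
          set $block_user_agents 1;
      }

      # 403 tells the client it was refused; `return 444;` would instead close
      # the connection without a response if you prefer not to answer scanners.
      if ($block_user_agents = 1) {
          return 403;
      }
  }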

linux下逻辑卷的tmp安全设置

Linux 默认安装且未单独划分分区时,/tmp 只是根文件系统上的一个目录,无法单独用 noexec、nosuid、nodev 等挂载选项加固;它与 /dev/shm 都是任何用户可写的目录,攻击者常把载荷放在这里直接执行,因此是安全隐患。下面的做法是用一个文件镜像以 loop 方式挂载到 /tmp,并给 /dev/shm 加上同样的挂载选项。注意 noexec 只阻止直接执行(`/tmp/x.sh`),`bash /tmp/x.sh` 这类通过解释器运行的方式仍然可行,它是增加攻击成本的手段而不是安全边界。

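  #!/usr/bin/env bash
  # Give /tmp its own noexec,nosuid,nodev filesystem on a host that was installed
  # without a separate /tmp volume, and apply the same mount options to /dev/shm.
  #
  # Why: both directories are world-writable, so a compromised service or local
  # user can drop a payload there. Mounting them noexec/nosuid/nodev stops the
  # payload from being executed directly and from gaining privileges through
  # setuid files or device nodes. This is a speed bump, not a boundary:
  # `bash /tmp/x.sh` or `python /tmp/x.py` still runs, because the interpreter,
  # not the file, is what gets executed.
  #
  # Changes versus the original step-by-step recipe:
  #   * the backing image is created under umask 077 and chmod 600 — dd creates
  #     it with the process umask (0644 under the usual 022), which would let
  #     every local user read the raw image and so every other user's /tmp files,
  #     defeating the 1777 sticky directory;
  #   * dotfiles are preserved when moving /tmp and /var/tmp aside (the original
  #     `cp -av /tmp /tmp.old; mv /tmp.old/* /tmp/` globs skipped .X11-unix,
  #     .ICE-unix and similar entries);
  #   * nodev is added alongside noexec,nosuid;
  #   * mke2fs -F answers the "is not a block special device" prompt, so the
  #     script does not stall;
  #   * /dev/shm is remounted before the verification step, not after it.
  #
  # Run as root, ideally in single-user mode or right after boot: processes that
  # already hold files open in the old /tmp keep using the old directory, which
  # the new mount hides from everyone else.
  set -euo pipefail

  readonly IMAGE=/.tmpfs                    # file-backed filesystem image for /tmp
  readonly IMAGE_MB=1000                    # ~1 GiB, as in the original
  readonly MOUNT_OPTS=nosuid,noexec,nodev,rw

  die() { printf '%s\n' "$*" >&2; exit 1; }

  # Create and format the backing image. mke2fs -j = ext3 with a journal (kept
  # from the original, matching the fstab entry below).
  # Expected mke2fs output is the usual ext3 summary (inode/block counts,
  # superblock backup locations, "Creating journal ... done").
  create_image() {
    [[ -e "$IMAGE" ]] && die "$IMAGE already exists; refusing to overwrite it"
    # umask 077 so the image is never world-readable, not even briefly.
    ( umask 077 && dd if=/dev/zero of="$IMAGE" bs=1M count="$IMAGE_MB" )
    chmod 600 -- "$IMAGE"
    # -F: skip the "/.tmpfs is not a block special device. Proceed anyway?" prompt.
    mke2fs -F -j "$IMAGE"
  }

  # Mount the image on /tmp, carrying the existing contents (dotfiles included)
  # across, and make the mount persistent.
  mount_tmp() {
    local stash
    stash=$(mktemp -d /tmp.old.XXXXXX) || die "mktemp failed"
    # "SRC/." copies hidden entries too; "SRC/*" would not.
    cp -a /tmp/. "$stash"/
    mount -o loop,"$MOUNT_OPTS" "$IMAGE" /tmp
    # World-writable with the sticky bit, as a normal /tmp.
    chmod 1777 /tmp
    cp -a "$stash"/. /tmp/
    rm -rf -- "${stash:?}"
    # Append the fstab entry only once, so re-runs stay idempotent.
    grep -qsF -- "$IMAGE /tmp " /etc/fstab ||
      printf '%s /tmp ext3 loop,%s 0 0\n' "$IMAGE" "$MOUNT_OPTS" >> /etc/fstab
  }

  # Point /var/tmp at /tmp so it inherits the same mount options.
  # Caveat: /var/tmp is meant to survive reboots and tmp cleaners usually give it
  # a longer retention than /tmp; check your tmpwatch/tmpfiles policy before
  # adopting this part.
  link_var_tmp() {
    [[ -L /var/tmp ]] && return 0          # already done
    mv /var/tmp /var/tmp_bak
    ln -s /tmp /var/tmp
    cp -a /var/tmp_bak/. /var/tmp/
    rm -rf /var/tmp_bak
  }

  # Apply the same options to /dev/shm (tmpfs) and make them persistent.
  harden_shm() {
    grep -qsE '^tmpfs[[:space:]]+/dev/shm[[:space:]]' /etc/fstab ||
      printf 'tmpfs /dev/shm tmpfs defaults,%s 0 0\n' "$MOUNT_OPTS" >> /etc/fstab
    # An fstab entry that already existed is not rewritten here; edit it by hand
    # so the options survive a reboot. The remount below applies them now
    # regardless of what fstab says.
    mount -o remount,"$MOUNT_OPTS" /dev/shm
  }

  # Expected result: a mode-777 script in either directory cannot be run directly.
  #   # printf '#!/bin/bash\necho test\n' > /tmp/x.sh; chmod 777 /tmp/x.sh
  #   # /tmp/x.sh
  #   -bash: /tmp/x.sh: Permission denied
  #   # /dev/shm/x.sh
  #   -bash: /dev/shm/x.sh: Permission denied
  # `bash /tmp/x.sh` still prints "test" — noexec does not stop interpreters.
  verify() {
    local d
    for d in /tmp /dev/shm; do
      printf '#!/bin/bash\necho test\n' > "$d/x.sh"
      chmod 777 "$d/x.sh"
      if "$d/x.sh" 2>/dev/null; then
        printf 'WARNING: direct execution still allowed in %s\n' "$d" >&2
      else
        printf 'OK: direct execution denied in %s\n' "$d"
      fi
      rm -f -- "$d/x.sh"
    done
  }

  main() {
    (( EUID == 0 )) || die "run as root"
    create_image
    mount_tmp
    link_var_tmp
    harden_shm
    verify
  }
  main "$@"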