防盗链就是防止别人的网站代码里面盗用服务器的图片、文件、视频等相关资源
如果别人盗用网站的这些静态资源,明显的是会增大服务器的带宽压力
* %{HTTP_ _REFERER}:浏览header中的链接字段,存放一一个链接的URL,代表是从哪个链接访问所需的网页
!^:不以后面的字符串开头
.*$:以任意字符结尾
NC:不区分大写
R:强制跳转
RewriteEngine On:打开网页重写功能
RewriteCond:设置匹配规则
RewriteRule:设置跳转动作
如果相应变量的值匹配所设置的规则,则逐条往下处理;如果不匹配,则往后的规则不再匹配。
(1)安装DNS服务的软件包bind。
[root@localhost ~]# yum install bind -y
......//省略安装过程
[root@localhost ~]#
(2)对DNS服务的主配置文件进行修改。
[root@localhost ~]# vim /etc/named.conf
options {
listen-on port 53 { any; }; //127.0.0.1改为any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; //localhost改为any
(3)对DNS服务的区域配置文件进行修改。
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "abc.com" IN { //添加一个域名信息
type master;
file "abc.com.zone";
allow-update { none; };
};
(4)查看一下IP地址。
[root@localhost named]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.52.133 netmask 255.255.255.0 broadcast 192.168.52.255
inet6 fe80::3e1d:31ba:f66a:6f80 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:27:1c:3f txqueuelen 1000 (Ethernet)
RX packets 14532 bytes 20210558 (19.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6054 bytes 399142 (389.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(5)保留权限复制一份DNS服务的区域数据配置文件,进行修改。
[root@localhost ~]# cd /var/named/ //切换目录
[root@localhost named]# ls //查看
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost named]# cp -p named.localhost abc.com.zone //复制
[root@localhost named]# vim abc.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
www IN A 192.168.52.133 //添加IPv4的域名解析
(6)开启named服务。
[root@localhost named]# systemctl start named //开启服务
[root@localhost named]# systemctl stop firewalld.service //关闭防火墙
[root@localhost named]# setenforce 0 //关闭增强性安全功能
[root@localhost named]#
(7)在宿主机将我们所需的工具包共享出去。
(8)通过Samba服务将工具包挂载到Linux系统。
[root@localhost ~]# smbclient -L //192.168.100.50/ //查看共享
Enter SAMBA\root's password: //匿名共享,没有密码,直接回车
OS=[Windows 10 Enterprise LTSC 2019 17763] Server=[Windows 10 Enterprise LTSC 2019 6.3]
Sharename Type Comment
--------- ---- -------
IPC$ IPC 远程 IPC
share Disk
tools Disk
Users Disk
Connection to 192.168.100.50 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
[root@localhost ~]# mkdir /mnt/tools //创建挂载目录
[root@localhost ~]# mount.cifs //192.168.100.50/tools /mnt/tools/ //挂载
Password for root@//192.168.100.50/tools:
[root@localhost ~]# cd /mnt/tools/ //进入挂载目录
[root@localhost tools]# ls //查看
awstats-7.6.tar.gz extundelete-0.2.4.tar.bz2 forbid.png jdk-8u191-windows-x64.zip LAMP-C7
cronolog-1.6.2-14.el7.x86_64.rpm fiddler.exe intellijideahahau2018.rar john-1.8.0.tar.gz picture.jpg
[root@localhost tools]#
(9)将源码编译安装Apache服务的压缩包解压到“/opt/”目录。
[root@localhost tools]# cd LAMP-C7/ //切换目录
[root@localhost LAMP-C7]# ls
apr-1.6.2.tar.gz Discuz_X2.5_SC_UTF8.zip LAMP-php5.6.txt php-5.6.11.tar.bz2
apr-util-1.6.0.tar.gz httpd-2.4.29.tar.bz2 mysql-5.6.26.tar.gz
[root@localhost LAMP-C7]# tar jxvf httpd-2.4.29.tar.bz2 -C /opt/ //解压
......//省略解压详情
[root@localhost LAMP-C7]# tar zxvf apr-1.6.2.tar.gz -C /opt/ //解压
......//省略解压详情
[root@localhost LAMP-C7]# tar zxvf apr-util-1.6.0.tar.gz -C /opt/ //解压
......//省略解压详情
(10)进入“/opt/”目录,将两个apr包移动到“httpd-2.4.29/srclib/”目录,并重命名。
[root@localhost LAMP-C7]# cd /opt/
[root@localhost opt]# ls
apr-1.6.2 apr-util-1.6.0 httpd-2.4.29 rh
[root@localhost opt]# mv apr-1.6.2/ httpd-2.4.29/srclib/apr
[root@localhost opt]# mv apr-util-1.6.0/ httpd-2.4.29/srclib/apr-util
(11)进入“httpd-2.4.29/”目录,然后安装编译所需环境包。
[root@localhost opt]# ls
httpd-2.4.29 rh
[root@localhost opt]# cd httpd-2.4.29/
[root@localhost httpd-2.4.29]# ls
ABOUT_APACHE ap.d CHANGES docs httpd.spec libhttpd.dep Makefile.win README srclib
acinclude.m4 build CMakeLists.txt emacs-style include libhttpd.dsp modules README.cmake support
Apache-apr2.dsw BuildAll.dsp config.layout httpd.dep INSTALL libhttpd.mak NOTICE README.platforms test
Apache.dsw BuildBin.dsp configure httpd.dsp InstallBin.dsp LICENSE NWGNUmakefile ROADMAP VERSIONING
apache_probes.d buildconf configure.in httpd.mak LAYOUT Makefile.in os server
[root@localhost httpd-2.4.29]#
[root@localhost httpd-2.4.29]# yum -y install \
> gcc \
> gcc-c++ \
> make \
> pcre \
> pcre-devel \
> expat-devel \
> zlib-devel \
> perl
......//省略安装过程
(12)进行对Apache服务器的配置。
[root@localhost httpd-2.4.29]# ./configure \
> --prefix=/usr/local/httpd \ //安装路径
> --enable-deflate \ //启用压缩模块支持
> --enable-expires \ //启用缓存模块支持
> --enable-so \ //启用动态加载模块支持
> --enable-rewrite \ //启用网页地址重写功能
> --enable-charset-lite \ //启用字符集支持
> --enable-cgi //启用CGI脚本程序支持
(13)编译安装Apache服务。
[root@localhost httpd-2.4.29]# make && make install
......//省略编译安装过程
[root@localhost httpd-2.4.29]#
(14)对Apache服务配置文件进行修改
[root@localhost httpd-2.4.29]# ln -s /usr/local/httpd/conf/httpd.conf /etc/httpd.conf //创建软链接,方便使用
[root@localhost httpd-2.4.29]#
Listen 192.168.50.133:80 //开启IPv4监听
#Listen 80 //注释IPv6监听
#
ServerName www.abc.com:80 //设置域名
(15)将“/mnt/tools/”目录下的两张图片,复制到Apache服务站点目录“/usr/local/httpd/htdocs/”下。
[root@localhost httpd-2.4.29]# cd /mnt/tools/
[root@localhost tools]# ls
awstats-7.6.tar.gz extundelete-0.2.4.tar.bz2 forbid.png jdk-8u191-windows-x64.zip LAMP-C7
cronolog-1.6.2-14.el7.x86_64.rpm fiddler.exe intellijideahahau2018.rar john-1.8.0.tar.gz picture.jpg
[root@localhost tools]# cp picture.jpg /usr/local/httpd/htdocs/
[root@localhost tools]# cp forbid.png /usr/local/httpd/htdocs/
[root@localhost tools]# cd /usr/local/httpd/htdocs/
[root@localhost htdocs]# ls
forbid.png index.html picture.jpg
[root@localhost htdocs]#
(16)修改主页文件,将图片“picture.jpg”添加到首页。
[root@localhost htdocs]# vim index.html
<html><body><h2>It works!</h2>
<img src="picture.jpg"/>
</body></html>
(17)将“/usr/local/httpd/bin/”目录下的“apachectl”文件移动到“/etc/init.d/”目录下,并在文件开头添加chkconfig识别配置,然后将其添加为标准的Linux系统服务
[root@localhost htdocs]# cd /opt/httpd-2.4.29/ //切换目录
[root@localhost httpd-2.4.29]# cp /usr/local/httpd/bin/apachectl /etc/init.d/httpd //复制
[root@localhost httpd-2.4.29]# vim /etc/init.d/httpd //在配置文件添加两行声明
# chkconfig: 35 85 21 //服务识别参数,在级别3、5中启动:启动和关闭的顺序分别为85、21
# description: Apache is a World Wide Web server //服务描述信息
[root@localhost httpd-2.4.29]# chkconfig --add httpd //将httpd服务添加为系统服务
[root@localhost httpd-2.4.29]#
[root@localhost httpd-2.4.29]# ln -s /usr/local/httpd/bin/* /usr/local/bin/ //将Apache服务的命令文件,建立软链接到易于系统识别的目录
[root@localhost htdocs]# apachectl -t //检查Apache服务配置文件格式
Syntax OK //格式正确
[root@localhost httpd-2.4.29]# service httpd start //启动Apache服务
[root@localhost httpd-2.4.29]#
(18)我们将win10-1主机的DNS地址改为Linux系统的IP地址,然后去访问域名“www.abc.com”,访问成功。
(19)再给win10-2主机配置静态IP地址,与LinuxIP地址同网段。然后配置DNS地址为Linux系统IP地址。然后访问域名“www.abc.com”,访问成功。
(20)右击图片,点击属性。获取图片的URL,复制下来。
(21)进入控制面板,按下列图片进行操作,在win10-2主机搭建web服务。
(22)新建一个TXT文本文件,输入下图的内容。然后保存,更改文件名为“index.html”。并将其移动到web服务的默认站点目录内。
(23)我们再用win10-1主机去访问,win10-2主机搭建的站点,可以看到成功盗链的“www.abc.com”站点的图片。
(24)对Apache服务配置文件进行修改,用“ / ”查找关键词“rewrite”,将“ # ”删除,开启防盗链模块。然后在下面的标签内添加规则。
[root@localhost httpd-2.4.29]# vim /etc/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so //开启防盗链模块
DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs"> //标签最后添加规则
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
RewriteEngine On //以下为规则
RewriteCond %{HTTP_REFERER} !^http://abc.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://abc.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.abc.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.abc.com/$ [NC]
RewriteRule .*\.(gif|jpg|swf)$ http://www.abc.com/forbid.png //跳转到我们的防盗链图片
</Directory>
(25)重启Apache服务。
[root@localhost httpd-2.4.29]# service httpd stop
[root@localhost httpd-2.4.29]# service httpd start
[root@localhost httpd-2.4.29]#
(26)用win10-1主机分别访问,Linux系统的域名为“www.abc.com”的站点,和win10-2主机的站点。
此时win10-2主机已经不能盗链图片。
Apache的版本信息,透露了一定的漏洞信息,从而给网站带来安全隐患
生产环境中要配置Apache隐藏版本信息
(1)接着上个实验往下做,我们用win10-1主机去访问“www.abc.com”站点。同时用Fiddler抓包工具进行抓包。此时我们再Headers里可以看到Apache的版本号。
(2)对Apache服务主配置文件进行修改,开启子配置文件。
[root@localhost httpd-2.4.29]# vim /etc/httpd.conf
# Various default settings
Include conf/extra/httpd-default.conf //开启子配置文件
(3)进入默认子配置文件,修改配置文件。然后重启Apache服务。
[root@localhost httpd-2.4.29]# cd /usr/local/httpd/conf/ //切换目录
[root@localhost conf]# ls //查看
extra httpd.conf magic mime.types original
[root@localhost conf]# cd extra/ //切换目录
[root@localhost extra]# ls //查看
httpd-autoindex.conf httpd-default.conf httpd-languages.conf httpd-mpm.conf httpd-ssl.conf httpd-vhosts.conf
httpd-dav.conf httpd-info.conf httpd-manual.conf httpd-multilang-errordoc.conf httpd-userdir.conf proxy-html.conf
[root@localhost extra]# vim httpd-default.conf //编辑配置文件
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod //将Full该为Pord
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature Off //关闭签名(默认关闭)
[root@localhost extra]# service httpd stop //关闭服务
[root@localhost extra]# service httpd start //开启服务
[root@localhost extra]#
(4)再次用win10-1主机访问站点,查看Fiddler抓包工具抓取的数据包头部,此时Apache服务的版本号已经隐藏。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。