Chinaunix首页 | 论坛 | 博客

keyxl的ChinaUnix博客keyxl.blog.chinaunix.net

首页 |  博文目录 |  关于我

keyxl

  • 博客访问: 133167
  • 博文数量: 11
  • 博客积分: 171
  • 博客等级: 入伍新兵
  • 技术积分: 387
  • 用 户 组: 普通用户
  • 注册时间: 2012-01-18 20:43
文章分类

全部博文(11)

文章存档

2013年(3)

2012年(8)

我的朋友
最近访客
推荐博文
相关博文
防范WEBSHELL方法之一:用PHP-CGI端口锁定网站目录

分类: 网络与安全

2012-02-16 15:56:53

  现在网站的动态程序越来越多,从一方面来说,程序为我们工作的自动化提供了方便,但简便是需要代价的。网站上的动态程序多了,便容易给入侵者利用,通过WEBSHELL控制网站。
  如果网站动态程序主要是用PHP语言编写的,我们可以通过设置php-cgi锁定某个目录,这样,PHP-CGI便只能在这个目录下运行,就算网站被入侵者用webshell控制了,也无法跳转出这个目录。
  假设网站目录为/home/www/,进入/usr/local/php/etc,增加一个文件
vi ,输入如下代码:
  4. All relative paths in this config are relative to php's install prefix
  8. Pid file
  9. /usr/local/php/logs/php-fpm.pid
  11. Error log file
  12. /usr/local/php/logs/php-fpm.log
  14. Log level
  15. notice
  17. When this amount of php processes exited with SIGSEGV or SIGBUS ...
  18. 10
  20. ... in a less than this interval of time, a graceful restart will be initiated.
  21. Useful to work around accidental curruptions in accelerator's shared memory.
  22. 1m
  24. Time limit on waiting child's reaction on signals from master
  25. 5s
  27. Set to 'no' to debug fpm
  28. yes
  36. Name of pool. Used in logs and stats.
  37. default
  39. Address to accept fastcgi requests on.
  40. Valid syntax is 'ip.ad.re.ss:port' or just 'port' or '/path/to/unix/socket'
  41. 127.0.0.1:9000
  45. Set listen(2) backlog
  46. -1
  48. Set permissions for unix socket, if one used.
  49. In Linux read/write permissions must be set in order to allow connections from web server.
  50. Many BSD-derrived systems allow connections regardless of permissions.
  53. 0644
  56. Additional php.ini defines, specific to this pool of workers.
  60. /home/www/:/tmp/:/var/tmp/
  64. Unix user of processes
  65. www
  67. Unix group of processes
  68. www
  70. Process manager settings
  73. Sets style of controling worker process count.
  74. Valid values are 'static' and 'apache-like'
  75. apache-like
  77. Sets the limit on the number of simultaneous requests that will be served.
  78. Equivalent to Apache MaxClients directive.
  79. Equivalent to PHP_FCGI_CHILDREN environment in original php.fcgi
  80. Used with any pm_style.
  81. 32
  83. Settings group for 'apache-like' pm style
  86. Sets the number of server processes created on startup.
  87. Used only when 'apache-like' pm_style is selected
  88. 20
  90. Sets the desired minimum number of idle server processes.
  91. Used only when 'apache-like' pm_style is selected
  92. 5
  94. Sets the desired maximum number of idle server processes.
  95. Used only when 'apache-like' pm_style is selected
  96. 35
  102. The timeout (in seconds) for serving a single request after which the worker process will be terminated
  103. Should be used when 'max_execution_time' ini option does not stop script execution for some reason
  104. '0s' means 'off'
  105. 30s
  107. The timeout (in seconds) for serving of single request after which a php backtrace will be dumped to slow.log file
  108. '0s' means 'off'
  109. 0s
  111. The log file for slow requests
  112. logs/slow.log
  114. Set open file desc rlimit
  115. 1024
  117. Set max core size rlimit
  118. 0
  120. Chroot to this directory at the start, absolute path
  123. Chdir to this directory at the start, absolute path
  126. Redirect workers' stdout and stderr into main error log.
  127. If not set, they will be redirected to /dev/null, according to FastCGI specs
  128. yes
  130. How much requests each process should execute before respawn.
  131. Useful to work around memory leaks in 3rd party libraries.
  132. For endless request processing please specify 0
  133. Equivalent to PHP_FCGI_MAX_REQUESTS
  134. 1024
  136. Comma separated list of ipv4 addresses of FastCGI clients that allowed to connect.
  137. Equivalent to FCGI_WEB_SERVER_ADDRS environment in original php.fcgi (5.2.2+)
  138. Makes sense only with AF_INET listening socket.
  139. 127.0.0.1
  141. Pass environment variables like LD_LIBRARY_PATH
  142. All $VARIABLEs are taken from current environment
  144. $HOSTNAME
  145. /usr/local/bin:/usr/bin:/bin
  146. /tmp
  147. /tmp
  148. /tmp
  149. $OSTYPE
  150. $MACHTYPE
  151. 2
其中“127.0.0.1:9000”表示给这个php-cgi进程指定的端口,“/home/www/:/tmp/:/var/tmp/”表示这个端口的php-cgi进程只运行这几个目录以下的PHP程序。然后在/usr/local/php/sbin/php-fpm文件中加入一行代码"$php_fpm_BIN --fpm --fpm-config /usr/local/php/etc/",如下
  1. #! /bin/sh
  3. php_fpm_BIN=/usr/local/php/bin/php-cgi
  4. php_fpm_PID=/usr/local/php/logs/php-fpm.pid
  6. $php_fpm_BIN --fpm --fpm-config /usr/local/php/etc/
  7. ......

  重启php-cgi进程,然后再在nginx.conf中配置这个网站对应的php-cig端口9000,即完成了这个php-cgi进程只运行指定目录下的PHP程序。

阅读(3588) | 评论(0) | 转发(0) |
0

上一篇:du与df的区别以及异常处理

下一篇:Mysql的binary日志

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6