Discuz! X security notes
<h3>Hardening UCenter against malicious access:</h3><span style="font-size:15px"><span style="color:#1a1a1a"><span style="font-family:"Noto Sans SC",sans-serif"><span style="background-color:#ffffff">What it does: uc_server/consoler.php is UCenter's default back-end address and can normally be opened directly. To keep it away from malicious visitors, apply the following change to raise the bar.</span></span></span></span><br />
<span style="font-size:15px"><span style="color:#1a1a1a"><span style="font-family:"Noto Sans SC",sans-serif"><span style="background-color:#ffffff">Applicable versions: Discuz! X1 to X3.4. Applicable setup: UCenter is installed in the forum's root directory.</span></span></span></span><br />
<span style="font-size:15px"><span style="color:#1a1a1a"><span style="font-family:"Noto Sans SC",sans-serif"><span style="background-color:#ffffff">Effect after the change: a visitor who is not logged in to the Discuz forum, or who is not in one of the specified admin groups, gets a 404 when opening uc_server/consoler.php.</span></span></span></span><br />
<span style="font-size:15px"><span style="color:#1a1a1a"><span style="font-family:"Noto Sans SC",sans-serif"><span style="background-color:#ffffff">Original post: </span></span></span></span><strong><span style="color:#ff0000">https://www.discuzlab.com/thread/56805</span></strong><br />
<span style="font-size:15px"><span style="color:#1a1a1a"><span style="font-family:"Noto Sans SC",sans-serif"><span style="background-color:#ffffff">Implementation:</span></span></span></span><br />
<span style="font-size:15px"><span style="color:#1a1a1a"><span style="font-family:"Noto Sans SC",sans-serif"><span style="background-color:#ffffff">Open uc_server/model/admin.php</span></span></span></span><br />
<span style="font-size:15px"><span style="color:#1a1a1a"><span style="font-family:"Noto Sans SC",sans-serif"><span style="background-color:#ffffff">Search for</span></span></span></span><br />
$this->cookie_status = isset($_COOKIE['sid']) ? 1 : 0;<br />
and add the following code directly below it:<br />
<pre>
if(!$this->cookie_status) {
	// Load the forum's config to get the cookie prefix and the keys that sign the auth cookie
	include UC_ROOT.'../config/config_global.php';
	$cookiepre = $_config['cookie']['cookiepre'].substr(md5($_config['cookie']['cookiepath'].'|'.$_config['cookie']['cookiedomain']), 0, 4).'_';
	$auth = isset($_COOKIE[$cookiepre.'auth']) ? addslashes($_COOKIE[$cookiepre.'auth']) : '';
	if(empty($_config['cookie']['saltkey'])) {
		$_config['cookie']['saltkey'] = isset($_COOKIE[$cookiepre.'saltkey']) ? addslashes($_COOKIE[$cookiepre.'saltkey']) : '';
	}
	$authkey = md5($_config['security']['authkey'].$_config['cookie']['saltkey']);
	// The auth cookie decodes to "password-hash\tuid"; a missing, foreign or tampered cookie decodes to ''
	$auth = daddslashes(explode("\t", $this->dauthcode($auth, 'DECODE', $authkey)));
	list($discuz_pw, $discuz_uid) = empty($auth) || count($auth) < 2 ? array('', '') : $auth;
	$discuz_uid = intval($discuz_uid);
	$groupid = $this->db->result_first("SELECT groupid FROM ".$_config['db']['tablepre']."common_member WHERE uid='$discuz_uid'");
	// Only administrators (group 1) and super moderators (group 2) may reach the console
	if(!in_array($groupid, array('1','2'))) {
		header("HTTP/1.1 404 Not Found");
		header("Status: 404 Not Found");
		exit;
	}
}
</pre>
<br />
To allow further user groups, add their group IDs to this array:<br />
array('1','2')<br />
Then search for<br />
<pre>
function __construct() {
	$this->adminbase();
}
</pre>
and add the following after it:<br />
<pre>
// Copy of Discuz's authcode() so UCenter can verify the forum's auth cookie.
// DECODE returns the original string, or '' if the key is wrong, the data was
// tampered with, or the embedded expiry has passed.
function dauthcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
	$ckey_length = 4;
	$key = md5($key);
	$keya = md5(substr($key, 0, 16));	// half of the key used for the keystream
	$keyb = md5(substr($key, 16, 16));	// half of the key used for the integrity check
	$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';	// per-message random prefix

	$cryptkey = $keya.md5($keya.$keyc);
	$key_length = strlen($cryptkey);

	// On ENCODE, prepend a 10-digit expiry (0 = never) and a 16-char check value to the payload
	$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
	$string_length = strlen($string);

	$result = '';
	$box = range(0, 255);

	$rndkey = array();
	for($i = 0; $i <= 255; $i++) {
		$rndkey[$i] = ord($cryptkey[$i % $key_length]);
	}

	// RC4-style key scheduling
	for($j = $i = 0; $i < 256; $i++) {
		$j = ($j + $box[$i] + $rndkey[$i]) % 256;
		$tmp = $box[$i];
		$box[$i] = $box[$j];
		$box[$j] = $tmp;
	}

	// keystream generation XORed with the input
	for($a = $j = $i = 0; $i < $string_length; $i++) {
		$a = ($a + 1) % 256;
		$j = ($j + $box[$a]) % 256;
		$tmp = $box[$a];
		$box[$a] = $box[$j];
		$box[$j] = $tmp;
		$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
	}

	if($operation == 'DECODE') {
		// (int) cast: with a wrong key the first 10 bytes are binary garbage, and PHP 8
		// throws on arithmetic with a non-numeric string; the cast keeps the PHP 7 behaviour
		$expire = (int)substr($result, 0, 10);
		if(($expire == 0 || $expire - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
			return substr($result, 26);
		} else {
			return '';
		}
	} else {
		return $keyc.str_replace('=', '', base64_encode($result));
	}
}
</pre>
<br />
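The gate above is easiest to reason about when it is pulled out of UCenter and run against the cases it has to handle: a real administrator, an ordinary member, a cookie that was altered in transit, a cookie signed with a different site's keys, and no cookie at all. The following script is an added example and is not code from the page, the original post or Discuz itself: `dz_authcode()` is a condensed copy of the `dauthcode()` shown above, `uc_console_allowed()` is the same decision the inserted block makes, and the site config, cookie values and the uid-to-groupid lookup (`$group_of_uid`, standing in for the `common_member` query) are constructed for the demo.

```php
<?php
// Added example (not from the page or Discuz): the UCenter console gate as a
// stand-alone function, exercised against the cases it must handle.
// Assumptions: dz_authcode() mirrors the page's dauthcode(); $config and
// $group_of_uid are constructed stand-ins for config_global.php and the
// common_member table. Run with: php gate_demo.php

function dz_authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $key  = md5($key);
    $keya = md5(substr($key, 0, 16));              // keystream half of the key
    $keyb = md5(substr($key, 16, 16));             // integrity-check half of the key
    $keyc = $operation == 'DECODE' ? substr($string, 0, 4) : substr(md5(microtime()), -4);
    $cryptkey = $keya.md5($keya.$keyc);            // 64 hex chars
    $string = $operation == 'DECODE'
        ? (string)base64_decode(substr($string, 4))
        : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $box = range(0, 255);
    for ($j = $i = 0; $i < 256; $i++) {            // RC4-style key scheduling
        $j = ($j + $box[$i] + ord($cryptkey[$i % 64])) % 256;
        $tmp = $box[$i]; $box[$i] = $box[$j]; $box[$j] = $tmp;
    }
    $result = '';
    for ($a = $j = $i = 0, $n = strlen($string); $i < $n; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a]; $box[$a] = $box[$j]; $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ $box[($box[$a] + $box[$j]) % 256]);
    }
    if ($operation != 'DECODE') {
        return $keyc.str_replace('=', '', base64_encode($result));
    }
    $expire = (int)substr($result, 0, 10);         // cast: garbage from a wrong key becomes 0
    $mac_ok = substr($result, 10, 16) === substr(md5(substr($result, 26).$keyb), 0, 16);
    return (($expire == 0 || $expire > time()) && $mac_ok) ? substr($result, 26) : '';
}

// Cookie prefix exactly as Discuz derives it from cookie path and domain.
function dz_cookie_prefix(array $config) {
    $c = $config['cookie'];
    return $c['cookiepre'].substr(md5($c['cookiepath'].'|'.$c['cookiedomain']), 0, 4).'_';
}

// True only for a valid auth cookie whose uid belongs to an admin group.
// $group_of_uid replaces the "SELECT groupid FROM ..._common_member" query.
function uc_console_allowed(array $cookies, array $config, callable $group_of_uid, array $admin_groups = array('1', '2')) {
    $pre = dz_cookie_prefix($config);
    if (empty($cookies[$pre.'auth'])) {
        return false;                              // not logged in to the forum at all
    }
    $saltkey = !empty($config['cookie']['saltkey']) ? $config['cookie']['saltkey']
             : (isset($cookies[$pre.'saltkey']) ? $cookies[$pre.'saltkey'] : '');
    $authkey = md5($config['security']['authkey'].$saltkey);
    $parts = explode("\t", dz_authcode($cookies[$pre.'auth'], 'DECODE', $authkey));
    if (count($parts) < 2 || intval($parts[1]) <= 0) {
        return false;                              // wrong key, tampered, or malformed cookie
    }
    return in_array((string)$group_of_uid(intval($parts[1])), $admin_groups, true);
}

// --- constructed demo data (not real keys or users) ---
$config = array(
    'security' => array('authkey' => 'demo-authkey-not-a-real-one'),
    'cookie'   => array('cookiepre' => 'abcd_', 'cookiepath' => '/', 'cookiedomain' => '', 'saltkey' => 'demo-saltkey'),
);
$group_of_uid = function ($uid) {                  // uid => groupid, standing in for common_member
    $members = array(1 => '1', 2 => '2', 42 => '10');
    return isset($members[$uid]) ? $members[$uid] : '';
};
$authkey = md5($config['security']['authkey'].$config['cookie']['saltkey']);
$pre = dz_cookie_prefix($config);
$admin_cookie = dz_authcode(md5('pw')."\t1", 'ENCODE', $authkey);
$tampered = $admin_cookie;
$tampered[40] = $tampered[40] === 'A' ? 'B' : 'A'; // flip one ciphertext character
$cases = array(
    'administrator (group 1)' => array($pre.'auth' => $admin_cookie),
    'member (group 10)'       => array($pre.'auth' => dz_authcode(md5('pw')."\t42", 'ENCODE', $authkey)),
    'tampered cookie'         => array($pre.'auth' => $tampered),
    'other site\'s keys'      => array($pre.'auth' => dz_authcode(md5('pw')."\t1", 'ENCODE', md5('other-key'))),
    'no cookie'               => array(),
);
foreach ($cases as $label => $cookies) {
    printf("%-25s -> %s\n", $label, uc_console_allowed($cookies, $config, $group_of_uid) ? 'console allowed' : '404');
}
```

Only the first case reaches the console; every other case ends in the 404 branch, because the cookie is bound to the site's `authkey` plus `saltkey` and carries a check value over the payload, so it cannot be accepted without those keys. Two practical notes: in the real hook the uid is passed into SQL, so keep the `intval()` even though the cookie was verified; and the inserted block only runs when `$this->cookie_status` is 0, i.e. when no UCenter `sid` cookie is present, so a request that already carries a UCenter session cookie falls through to UCenter's own login check. The 404 hides the console from unauthenticated probing; it does not replace a strong UCenter founder password.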
Download of the modified file: <a href="https://www.discuzlab.com/thread-56805-1-1.html">https://www.discuzlab.com/thread-56805-1-1.html</a> <h3>Enabling CC attack defence in Discuz! X</h3>
<span style="font-family:-apple-system">In Discuz's config/config_global.php you can set the attackevasive parameter to enable CC (HTTP flood) attack defence</span>
<pre>
$_config['security']['attackevasive'] = 0; // CC attack defence 1|2|4|8</pre>
<span style="font-size:14px"><span style="color:#333333"><span style="font-family:Tahoma,Simsun"><span style="background-color:#ffffff">When you find your site under a CC attack, you can switch on CC attack defence in the config. It offers four modes, 1/2/4/8, with these meanings:</span></span></span></span><br />
<span style="font-size:14px"><span style="color:#333333"><span style="font-family:Tahoma,Simsun"><span style="background-color:#ffffff">0 disables the feature</span></span></span></span><br />
<span style="font-size:14px"><span style="color:#333333"><span style="font-family:Tahoma,Simsun"><span style="background-color:#ffffff">1 enables the cookie refresh limit</span></span></span></span><br />
<span style="font-size:14px"><span style="color:#333333"><span style="font-family:Tahoma,Simsun"><span style="background-color:#ffffff">2 blocks access through proxies</span></span></span></span><br />
<span style="font-size:14px"><span style="color:#333333"><span style="font-family:Tahoma,Simsun"><span style="background-color:#ffffff">4 enables the second-request check</span></span></span></span><br />
<span style="font-size:14px"><span style="color:#333333"><span style="font-family:Tahoma,Simsun"><span style="background-color:#ffffff">8 requires answering a question (on the first visit)</span></span></span></span><br />
<span style="font-size:14px"><span style="color:#333333"><span style="font-family:Tahoma,Simsun"><span style="background-color:#ffffff">Normally leave this at 0. When under attack, analyse the attack's method and pattern and combine the modes. Try 2 first, then 2|4, then 1|2|4, then 1|2|4|8. If 1|2|4|8 still does not help, the application layer can no longer hold; the host is probably under a botnet DDoS, and the firewall policy is the place to start.</span></span></span></span><br />
<span style="font-size:14px"><span style="color:#333333"><span style="font-family:Tahoma,Simsun"><span style="background-color:#ffffff">Because this setting applies to every visitor, a false positive will hurt the site's accessibility and search-engine crawling!</span></span></span></span>
<hr /><img alt="Discuz attack defence enabled" src="data/attachment/forum/202403/19/66318f41fac61352013b86d0ca097b1f.jpg" aid="778" style="border:1px solid #cccccc; padding:5px" /><br />
For a long time the server's CPU usage sat at 100%. After reinstalling the system it was fine for the first few days, then went bad again. Installing Server SafeDog and Network SafeDog had no effect. $_config['security']['attackevasive'] = '4'; //2|4|8 — with 1 or 2 the problem persisted; only with 4 or 8 does the server's CPU usage return to normal, 10%–20%. Apart from setting 4 or 8, is there any other way to defend against this? With 4, some plugins stop working properly, and with 8 users find it a hassle, which hurts the experience.<br />
<br />
Source: https://www.dismall.com/thread-21436-1-1.html <h3>The single most important security point</h3>
1. Apart from the forum's writable directories (data, source/plugin, uc_server/data, uc_client/data, and config, which must be writable while the forum is being installed), no other directory may have write permission<br />
2. Deny execution of PHP files in the data, uc_server/data and uc_client/data directories (this needs a matching nginx rule)<br />
3. Cross-site protection: open_basedir=/www/wwwroot/网站目录/:/tmp/ (where 网站目录 is your site's directory)<br />
4. Switch the CAPTCHA to the Chinese one as well.
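Rules 1 to 3 above are easy to get wrong after an upgrade or a plugin install, so they are worth checking mechanically. The script below is an added example, not part of Discuz or the page: run from the command line as `php dz_audit.php /www/wwwroot/site www`, it walks the site tree and reports every file or directory that the php-fpm user could write outside the allow-list from rule 1, counts the `.php` files under the no-execute directories from rule 2 (Discuz keeps legitimate cache files there, which is exactly why nginx must refuse to serve them), and checks that every `open_basedir` entry lies under the site root or /tmp as rule 3 requires. The site path, the `www` user name and the group-membership shortcut are assumptions.

```php
<?php
// Added example (not Discuz code): audit a Discuz! X tree against the three rules above.
// Usage: php dz_audit.php /www/wwwroot/site www   (site root and php-fpm user are assumed)

$allow_writable = array('data', 'source/plugin', 'uc_server/data', 'uc_client/data', 'config');
$no_exec_dirs   = array('data', 'uc_server/data', 'uc_client/data');

// Is $rel one of $dirs or located underneath one of them?
function under_any($rel, array $dirs) {
    foreach ($dirs as $d) {
        if ($rel === $d || strpos($rel, $d.'/') === 0) return true;
    }
    return false;
}

// True if $user can write $path: world-writable, owner with u+w, or primary group with g+w.
// Supplementary groups are not checked, so this is a first pass and can under-report.
function writable_by($path, $user) {
    $st = @stat($path);
    if ($st === false) return false;
    $mode = $st['mode'];
    if ($mode & 0002) return true;
    $pw = function_exists('posix_getpwnam') ? posix_getpwnam($user) : false;
    if ($pw === false) return (bool)($mode & 0020);   // no posix extension: assume the group matches
    return ($st['uid'] == $pw['uid'] && ($mode & 0200)) || ($st['gid'] == $pw['gid'] && ($mode & 0020));
}

// Rule 1: writable entries outside the allow-list. Rule 2: PHP files present in no-exec dirs.
function audit_tree($root, $user, array $allow_writable, array $no_exec_dirs) {
    $root = rtrim($root, '/');
    $findings = array('writable' => array(), 'php_in_no_exec' => 0);
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST);
    foreach ($it as $path => $info) {
        $rel = substr($path, strlen($root) + 1);
        if (!under_any($rel, $allow_writable) && writable_by($path, $user)) {
            $findings['writable'][] = $rel;
        }
        if ($info->isFile() && under_any($rel, $no_exec_dirs) && preg_match('/\.ph(p\d?|tml)$/i', $rel)) {
            $findings['php_in_no_exec']++;
        }
    }
    return $findings;
}

// Rule 3: every open_basedir entry must lie under the site root or /tmp.
function open_basedir_ok($value, $root) {
    if ($value === '' || $value === false) return false;  // not restricted at all
    $root = rtrim($root, '/').'/';
    foreach (explode(PATH_SEPARATOR, $value) as $entry) {
        $entry = rtrim($entry, '/').'/';
        if (strpos($entry, $root) !== 0 && $entry !== '/tmp/') return false;
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    $root = isset($argv[1]) ? $argv[1] : getcwd();
    $user = isset($argv[2]) ? $argv[2] : 'www';
    $f = audit_tree($root, $user, $allow_writable, $no_exec_dirs);
    foreach ($f['writable'] as $rel) {
        echo "writable outside allow-list: $rel\n";
    }
    echo $f['php_in_no_exec']." .php file(s) under no-exec dirs (nginx must refuse to serve them)\n";
    echo 'open_basedir ('.PHP_SAPI.'): '.(open_basedir_ok(ini_get('open_basedir'), $root) ? 'ok' : 'NOT restricted')."\n";
}
```

`ini_get('open_basedir')` reports the setting of the SAPI running the script, so the CLI result only says something about php-fpm if both load the same configuration; to check the web worker itself, call `open_basedir_ok()` from a request handled by php-fpm or read the pool's `php_admin_value[open_basedir]`. Rule 2 cannot be verified from the filesystem at all: it holds only if the web server has a rule such as `location ~* ^/(data|uc_server/data|uc_client/data)/.*\.(php|phtml)$ { return 403; }` placed before the generic PHP handler location (that block is one common form of the rule the page mentions, not taken from the page).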