Apache security chain
Apache installation package
Links: https://pan.baidu.com/s/11X5CEWoVemxlGuNQqn9cuA
Extraction code: jn6l
1. Install and configure Apache service
1.1. Mount the Apache installation package to the virtual machine through sharing
[root@localhost ~]# smbclient -L //192.168.10.64
Enter SAMBA\root's password:
Sharename Type Comment
--------- ---- -------
IPC$ IPC Long-range IPC
share Disk
Users Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 192.168.10.64 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
[root@localhost ~]# mount.cifs //192.168.10.64/share /mnt
Password for root@//192.168.10.64/share:
[root@localhost ~]# 1.2 install dns service package
[root@localhost ~]# yum install bind -y Loaded plug-ins: faststmirror, langpacks Loading mirror speeds from cached hostfile * base: centos.ustc.edu.cn * extras: mirrors.163.com * updates: centos.ustc.edu.cn Resolving dependencies -->Checking transactions --->Package bind.x86_.32.9.11.4-9.p2.el7 will be installed -->Processing dependency bind LIBS Lite (x86-64) = 32:9.11.4-9.p2.el7 required by package 32: bind-9.11.4-9.p2.el7.x86_ -->Processing dependency bind LIBS (x86-64) = 32:9.11.4-9.p2.el7, which is required by package 32: bind-9.11.4-9.p2.el7.x86_ -->Processing dependency liblwres.so.160()(64bit), which is required by package 32: bind-9.11.4-9.p2.el7.x86_ -->Processing dependency libisccfg.so.160()(64bit), which is required by package 32: bind-9.11.4-9.p2.el7.x86_
1.2 modify dns main configuration file
[root@localhost ~]# vim /etc/named.conf
options {
listen-on port 53 { any; }; //Change to any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; //Change to any1.2 modify dns zone configuration file
[root@localhost ~]# vim /etc/named.rfc1912.zones
#Add the following
zone "kgc.com" IN {
type master;
file "kgc.com.zone";
allow-update { none; };
};1.2 copy the dns area data profile template and modify the dns area data profile
[root@localhost ~]# cp -p /var/named/named.localhost /var/named/kgc.com.zone
[root@localhost ~]# vim /var/named/kgc.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
www IN A 192.168.102.1661.2 turn on dns service and turn off firewall
[root@localhost ~]# systemctl start named [root@localhost ~]# systemctl stop firewalld.service [root@localhost ~]# setenforce 0 [root@localhost ~]#
2. Manually compile and install apache service
2.1 unzip the apache installation package
[root@localhost ~]# tar zvxf /mnt/LAMP-C7/apr-1.6.2.tar.gz -C /opt [root@localhost ~]# tar zvxf /mnt/LAMP-C7/apr-util-1.6.0.tar.gz -C /opt [root@localhost ~]# tar jxvf /mnt/LAMP-C7/httpd-2.4.29.tar.bz2 -C /opt
2.2 location of mobile cross platform components
[root@localhost ~]# mv /opt/apr-1.6.2 /opt/httpd-2.4.29/srclib/apr [root@localhost ~]# mv /opt/apr-util-1.6.0 /opt/httpd-2.4.29/srclib/apr-util [root@localhost ~]#
2.3 installation environment necessary software package
[root@localhost ~]# yum -y install \ > gcc \ > gcc-c++ \ > make \ > pcre-devel \ > zlib-devel \ > expat-devel \ > pcre \ > perl
2.4 configure
[root@localhost ~]# cd /opt/httpd-2.4.29/ [root@localhost httpd-2.4.29]# ./configure \ > --prefix=/usr/local/httpd \ > --enable-so \ > --enable-deflate \ > --enable-expires \ > --enable-rewrite \ > --enable-charset-lite \ > --enable-cgi
2.5 compilation and installation
[root@localhost httpd-2.4.29]# make && make install
3. Configure anti-theft chain service
3.1 modify listening address and domain name
[root@localhost ~]# vim /usr/local/httpd/conf/httpd.conf
#Change this to Listen on specific IP addresses as shown below to #prevent Apache from glomming onto all bound IP addresses. #Listen 12.34.56.78:80 #Listen 80 Listen 192.168.102.166:80
#ServerName gives the name and port that the server uses to identify itself. #This can often be determined automatically, but we recommend you specify #it explicitly to prevent problems during startup. #If your host doesn't have a registered DNS name, enter its IP address here. ServerName www.kgc.com:80 #Deny access to the entirety of your server's filesystem. You must #explicitly permit access to web
3.2 enable the anti-theft chain function
[root@localhost ~]# vim /usr/local/httpd/conf/httpd.conf LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so <IfModule unixd_module>
244 AllowOverride None
245
246 #
247 # Controls who can get stuff from this server.
248 #
249 Require all granted
250 RewriteEngine On
251 RewriteCond %{HTTP_REFERER} !^http://kgc.com/.*$ [NC]
252 RewriteCond %{HTTP_REFERER} !^http://kgc.com$ [NC]
253 RewriteCond %{HTTP_REFERER} !^http://www.kgc.com/.*$ [NC]
254 RewriteCond %{HTTP_REFERER} !^http://www.kgc.com$ [NC]
255 RewriteRule .*.(gif|jpg|swf)$ http://www.kgc.com/error.png
256 </Directory>
257
258 #
259 # DirectoryIndex: sets the file that Apache will serve if a directory3.3 modify the content of apache Homepage
[root@localhost ~]# vim /usr/local/httpd/htdocs/index.html <html> <body> <h1>this is test web</h1> <img src="game.jpg"/> </body> </html>
3.3 copying pictures in the attached folder
[root@localhost htdocs]# cp /mnt/LAMP-C7/game.jpg /usr/local/httpd/htdocs/ [root@localhost htdocs]# cp /mnt/LAMP-C7/error.png /usr/local/httpd/htdocs/ [root@localhost htdocs]# ls error.png game.jpg index.html [root@localhost htdocs]#
3.4 restart apache service
[root@localhost ~]# /usr/local/httpd/bin/apachectl stop httpd (no pid file) not running [root@localhost ~]# /usr/local/httpd/bin/apachectl start [root@localhost ~]#
4. Create chain stealing website
4.1 open another virtual machine and install apache service
[root@localhost ~]# yum install httpd -y
4.2 modify the listening address in the configuration file
[root@localhost ~]# vim /etc/httpd/conf/httpd.conf 33 # 34 # Listen: Allows you to bind Apache to specific IP addresses and/or 35 # ports, instead of the default. See also the <VirtualHost> 36 # directive. 37 # 38 # Change this to Listen on specific IP addresses as shown below to 39 # prevent Apache from glomming onto all bound IP addresses. 40 # 41 Listen 192.168.102.167:80 42 #Listen 80 43 44 # 45 # Dynamic Shared Object (DSO) Support 46 #
86 ServerAdmin root@localhost 87 88 # 89 # ServerName gives the name and port that the server uses to identify itself. 90 # This can often be determined automatically, but we recommend you specify 91 # it explicitly to prevent problems during startup. 92 # 93 # If your host doesn't have a registered DNS name, enter its IP address here. 94 # 95 ServerName www.kgc.com:80 96 97 # 98 # Deny access to the entirety of your server's filesystem. You must 99 # explicitly permit access to web content directories in other 100 # <Directory> blocks below. 101 #
4.3 modify apache website home page
[root@localhost ~]# cd /var/www/html [root@localhost html]# ls [root@localhost html]# vim index.html <html> <body> <h1>this is test web</h1> <img src="http://www.kgc.com/game.jpg"/> </body> </html> ~ ~
4.4 add domain name resolution server address
[root@localhost ~]# echo "nameserver 192.168.102.166" > /etc/resolv.conf [root@localhost ~]#
4.5 restart apache service
[root@localhost ~]# systemctl restart httpd [root@localhost ~]#
4.6
5, validation
5.1 first visit the original website www.kgc.com
5.2 visit the website of stealing chain
