我的一个客户抱怨说有一次袭击。 我检查了访问日志,发现从表面上随机的IP地址的pipe理login页面的大量请求。 我在/administrator目录中创build了一个.htacces文件,并使用以下(IP地址混淆)填充它:
order deny,allow deny from all allow from 96.xxx.xx.xxx #my IP address allow from 97.xx.xxx.xxx #my client's IP address
然后,我去了一个免费的代理服务器,并inputpipe理页面的URL。 该页面没有加载任何资产(图片),但它确实加载了实际的页面本身。
的Joomla! 在DocumentRoot的.htaccess文件中做一些SEF的东西。 它看起来像这样:
## Begin - Joomla! core SEF Section. # RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] # # If the requested path and file is not /index.php and the request # has not already been internally rewritten to the index.php script RewriteCond %{REQUEST_URI} !^/index\.php # and the request is for something within the component folder, # or for the site root, or for an extensionless URL, or the # requested URL ends with one of the listed extensions RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC] # and the requested path and file doesn't directly match a physical file RewriteCond %{REQUEST_FILENAME} !-f # and the requested path and file doesn't directly match a physical folder RewriteCond %{REQUEST_FILENAME} !-d # internally rewrite the request to the index.php script RewriteRule .* index.php [L] # ## End - Joomla! core SEF Section.
我猜测,pipe理员目录中的.htaccess文件不能正常工作的原因与主Joomla! .htaccess文件。 真的吗? 我试图添加到我的主要.htaccess文件,但它导致了500错误:
<Directory /var/www/vhosts/sweathelp.org/httpdocs/administrator> order deny,allow deny from all allow from 96.xxx.xx.xxx allow from 97.xx.xxx.xxx </Directory>
如何有效阻止对pipe理员目录的所有访问,不包括白名单上的两个IP地址?
实际的pipe理员页面(可能是PHP?)是否存在,还是仅仅是从假目录结构的index.php生成的?
为了简化,尝试像这样(在你的主要configuration文件中,而不是.htaccess ):
<Location /administrator> Order deny,allow Deny from all Allow from 96.xxx.xx.xxx Allow from 97.xx.xxx.xxx </Location>