当前位置: 首页>>网站问题>>正文


我如何模糊我用来运行我的网站?

webfans 网站问题 , 去评论

问题描述

有什么我可以做的,以防止有人通过查看首页的源代码知道我的网站使用Drupal?我指的是使用软件扫描网站的人,该软件检测用于运行网站的软件,以便能够使用任何已知的弱点攻击它。

如果无法完全隐藏网站使用Drupal的事实,是否至少可以混淆它们(例如,通过使用像http://example.com/servlets/<node-id>.jsp这样的URL别名化节点页面)?

最佳解决思路

这是一个陈旧且已经回答的问题,但我最近花了一些精力写出你需要改变的所有事情的描述:

  • 删除Drupal 7的元生成器

  • 删除像CHANGELOG.txt一样的tell-tale-text

  • 检查Expires标头

  • HTTP 200/404/403状态代码的行走目录

  • 查找默认短信 – 调整所有user-facing消息

  • 查看HTML – 来自核心和模块的默认html是一个明显的标志

http://drupalscout.com/knowledge-base/hiding-fact-your-site-runs-drupal-or-fingerprinting-drupal-site

基本上:技术上可能隐藏你的网站运行Drupal的事实,但你会花很多时间在它上面,这是不值得的。您应该专注于确保安全和安全操作(例如,快速部署更新,监控日志等)。

次佳解决思路

你无法完全隐藏它。大部分需要做的事情都需要黑客核心。最重要的是,Drupal JavaScript变量可从首页或任何页面读取。

如果你想通过隐藏它是一个Drupal站点来提高你的网站安全性,那么你花在代码审查上的努力要比试图隐藏网站是用Drupal制作的那样。

第三种解决思路

这太容易了,kiam!

  • 使用反向代理或自定义您的http守护进程来过滤恼人的Drupal http标头

  • 拒绝对任何Drupal默认文件夹的http访问

  • 使用PHP输出缓冲来重写和隐藏HTML源代码,删除不必要的数据

  • 使用网址别名或custom_url_rewrite_in /outbound使您的网址变得一团糟

  • 更改默认的404错误,删除/更改update.php

  • 如果有人发现,请进行任何其他更改

最后但并非最不重要的是,确保您的网站非常简单,不需要JS或CSS用于正常行为(不使用Views或Ctools ……),不支持用户身份验证等,这意味着您的网站应该就像一个静态的HTML网站一样简单。

好吧,所有这些让人们相信你的网站没有运行Drupal。无论如何,默默无闻的安全是无用的。

第四种思路

有一篇关于the same的官方文章和讨论。

You can’t. Do not try

  • Automated attacks (by far the most common attacks) do not even inspect the server before trying their exploits.
    Inspecting the logs of any high-profile site will show thousands of fruitless requests for /AspBB/db/betaboard.mdb _private/cmd.asp /scripts/../../winnt/system32/cmd.exe /wp-login/ /administrator/components/com_wmtgallery/admin.wmtgal, /cgi-bin/ip.cgi … and any number of attempts at historical exploits on any unrelated system.
    Attacks on exploits happen even if the exploits do not exist on your OS or CMS. Whatever you do to mis-identify your site will be ignored anyway by amateur hackers.
  • Whatever you think you can hide, there are other clues for any system.
    Simply removing the some of all strings that contain ‘drupal’ does not disguise your site to any reasonable snooper. There are dozens of ways that can be used to guess what is serving your pages, even dedicated services to tell Is that site running Drupal. Just the keywords that you recognize and think are a threat are a minor subset of the real indicators.
    Ask for index.php/?q=user . Then try to disable that response without crippling your site.
  • Security by obscurity is no security. It gives a false impression of being ‘safe’ when you are only hiding vulnerabilities behind a smokescreen that any attacker that posed any real threat would be able to see through.
  • Although it’s not entirely impossible to hack the code to the point where most traces of Drupal are hidden from the HTML source, (It’s Open source after all) the steps required to do so would necessarily break core so badly that your hacked branch of the code would be incompatible with the real security updates that you could not patch and would genuinely be open to any real future threats identified by the security team. This is a true route to system vulnerability.
  • Most significant or useful modules have their own code ‘signature’ that is hard to hide without significant rewrites. If you are using ‘views’, ‘cck’, ‘ad’, ‘imagecache’, ‘jquery’, css-aggregation, contributed themes or anything useful on your site – someone can tell. Hiding that entirely would usually require a total conversion of the theme functions – at least. Even then, obsfucation probably won’t work.
  • To remove identification of many of the advanced features, like even the easy install of Google Analytics that may use Drupal Libraries to work, you must necessarily either forgo those features altogether, or rewrite them in a way that does not take advantage of the Drupal infrastructure. Sometimes this is possible, but in all cases it is counter-productive.

您可能也有兴趣阅读Securing your site

记住Never hack core

第五种思路

您可能要做的另一件事是使用文件别名模块来更改默认文件结构。

The File Aliases module allows you to use token customisable aliases for your uploaded files, giving you the ability to keep your file system organised as per usual while providing clean looking paths (i.e., no more /sites/default/files/).

参考资料

本文由朵颐IT整理自网络, 文章地址: https://duoyit.com/article/2273.html,转载请务必附带本地址声明。