
Sunday, 29 April 2012

Installing iptables and fail2ban to improve security

1. Install iptables

1) apt-get install iptables
iptables has no init script of its own: a rule takes effect the moment it is entered, and the whole ruleset is gone after a reboot. So be careful when changing rules over a remote login, and never switch every default policy to DROP in one go, or you will lose your SSH connection. The script below keeps the rules easy to edit and debug.
2) Then create the following script in your home directory as ~/iptables-init.sh (assuming the server's external interface is eth0):

#!/bin/sh
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # keep already-open sessions working; this protects the remote session you are debugging from, since iptables changes apply immediately
iptables -A INPUT -i lo -j ACCEPT                                   # allow loopback (localhost, 127.0.0.1)
iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT              # allow SSH logins
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT               # allow access to the web server
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT               # allow access to the FTP server
iptables -A INPUT -j DROP                                           # drop everything else
iptables-save > /etc/iptables.rules
Then make it executable: chmod +x ./iptables-init.sh
and run it: ./iptables-init.sh
The script appends rules, so if you run it again after editing it, flush the INPUT chain first (iptables -F INPUT); otherwise the old rules stay in place ahead of the new ones.
3) Load the firewall rules when the interface comes up (be very careful here: if the interface fails to come up, nobody can log in any more).
First test the saved file by hand:
iptables-restore < /etc/iptables.rules
iptables -L -v
Check the output carefully, and if in doubt open a second PuTTY window to verify that you can still log in.
Then edit /etc/network/interfaces so the rules are applied automatically. Only the last line is new; the file it loads must be the one the script saved to, given as an absolute path:
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.rules
Note: the rules are restored from the interface configuration (pre-up runs before the interface is brought up) rather than from an iptables-init script in /etc/rc.local, as some guides suggest, because there is a window between the interface coming up and rc.local running during which the host has no firewall at all. The pre-up method closes that window.
To let FTP work in PASV mode, which is convenient for clients behind their own firewalls, one would normally load the FTP connection-tracking helper from a suitable startup script:
modprobe ip_conntrack_ftp
(on newer kernels the module is called nf_conntrack_ftp). The Ubuntu kernel on Linode was built without this module, so that had to be dropped here. Without the helper the data connections of PASV mode are not tracked as RELATED, so the only alternative would be to fix vsftpd's passive port range and open it explicitly; with only port 21 open, clients have to use active (PORT) mode.
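The three steps above, as an added example (not part of the original post): a script that generates the same ruleset in iptables-restore format with a DROP policy on INPUT, and applies it with a timed rollback so that a mistake made over SSH undoes itself. The interface and the list of open TCP ports are arguments; the rollback file /run/iptables.rollback and the 60-second default are assumptions, and iptables is only invoked when the script is run with "apply".

```sh
#!/bin/sh
# Added example (not part of the original post): generate the ruleset of the
# post in iptables-restore format and apply it with an automatic rollback.
# Assumptions: interface and open ports are arguments; /run/iptables.rollback
# is the rollback file; iptables is only touched when "apply"/"confirm" is given.

# build_rules IFACE PORT...  -- prints a complete *filter table.  Unlike the
# appended-rule script above it sets the INPUT policy to DROP (a flush does
# not silently open the host) and replaces the table instead of appending.
build_rules() {
    iface=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # keep established sessions, including the SSH session running this script
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    for p in "$@"; do
        echo "-A INPUT -i $iface -p tcp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# apply_with_rollback RULESFILE [SECONDS]  -- saves the running ruleset, checks
# and loads RULESFILE, and schedules a restore of the old ruleset after
# SECONDS (default 60).  Run confirm_rules from a *new* session to cancel it.
apply_with_rollback() {
    rules=$1; timeout=${2:-60}
    iptables-save > /run/iptables.rollback || return 1
    # -t/--test parses the file without committing it
    iptables-restore --test "$rules" || { echo "syntax error in $rules" >&2; return 1; }
    iptables-restore "$rules" || return 1
    ( sleep "$timeout" && iptables-restore /run/iptables.rollback ) &
    echo $! > /run/iptables.rollback.pid
    echo "rules applied; rollback in ${timeout}s unless confirmed" >&2
}

# confirm_rules  -- kills the pending rollback once a fresh login has worked.
confirm_rules() {
    kill "$(cat /run/iptables.rollback.pid)" 2>/dev/null && rm -f /run/iptables.rollback.pid
}

# Usage (as root):   ./iptables-safe.sh apply eth0 22 80 21
# then from a new SSH session within the timeout:   ./iptables-safe.sh confirm
case "${1:-}" in
    apply)   shift; build_rules "$@" > /etc/iptables.rules
             apply_with_rollback /etc/iptables.rules ;;
    confirm) confirm_rules ;;
esac
```

If the new SSH session cannot be opened, do nothing: the timer restores the previous ruleset by itself, which is the whole point of applying rules this way over a remote connection.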
Reference
1. Ubuntu Server iptables basic setup guide

2. Install fail2ban

1) apt-get install fail2ban
2) Open /etc/fail2ban/jail.conf and check that the logpath values (/var/log/auth.log for ssh, /var/log/vsftpd.log for vsftpd) are correct. Then put the following into /etc/fail2ban/jail.local to enable the jails; using jail.local rather than editing jail.conf keeps a package upgrade from switching them off again:
[DEFAULT]
# ban an address for at least two hours
bantime = 7200
[ssh]
enabled = true
filter = sshd
[vsftpd]
enabled = true
filter = vsftpd
(Keep comments on their own lines: the parser in the fail2ban 0.8 series does not strip a trailing "# ..." from a value, so "bantime = 7200 # ..." would not parse as a number.)
Check /etc/vsftpd.conf for the following settings; if you change them, restart the FTP service with /etc/init.d/vsftpd restart. fail2ban can also work with wu-ftpd, but since only the vsftpd filter is enabled above, and it understands only vsftpd's own log format, vsftpd must write its log in that format:
xferlog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
Make sure the following two lines are commented out, otherwise the log is written in wu-ftpd format, which fail2ban's vsftpd filter cannot parse:
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
Then start the service with /etc/init.d/fail2ban start.
fail2ban inserts a rule at the top of the iptables INPUT chain that jumps to a chain of its own (one per jail action) holding the banned addresses; because the jump sits ahead of the ACCEPT rules, a ban works even though port 22 is open. /etc/iptables.rules therefore only has to hold the static rules. Do not re-run iptables-save while bans are active, or the fail2ban chains end up in the saved file.

3. FTP client settings

The client side is trickier: in PORT (active) mode the client has to tell the server its public address, which an ordinary client on a NATed LAN cannot do. It will most likely send PORT 192,168,0,x,... and get "500 Illegal PORT command" back. Recent versions of FileZilla can look up the external address via http://ip.filezilla-project.org/ip.php, which solves the problem.

4. Listing banned IPs

fail2ban-client status ssh
fail2ban-client status vsftpd
(The argument is the jail name as defined in jail.local; the CentOS configuration further down names its jails ssh-iptables and vsftpd-iptables instead.)
-------------------------------------------------

Brute-force protection for servers


I found a small tool called fail2ban that blocks brute-force attacks. It can protect a lot of things, as shown below.

Installing fail2ban
On CentOS 5 it is easy to install with yum, provided the extra CentOS repository I described earlier is set up.
$ yum install fail2ban
You can also have a look at the project site:
http://www.fail2ban.org/wiki/index.php/Main_Page
fail2ban can block brute-force attacks against many services: apache, postfix, exim, named, qmail, sasl, ssh, webmin, wuftpd and more.
All of them can be seen in the filter.d directory:
$ ls -l /etc/fail2ban/filter.d/
-rw-r--r-- 1 root root  704 Feb 28  2008 apache-auth.conf
-rw-r--r-- 1 root root 2396 Mar  6  2008 apache-badbots.conf
-rw-r--r-- 1 root root  650 Mar  5  2008 apache-noscript.conf
-rw-r--r-- 1 root root  444 Mar  6  2008 apache-overflows.conf
-rw-r--r-- 1 root root 1036 Mar  1  2008 common.conf
-rw-r--r-- 1 root root  609 Feb 28  2008 courierlogin.conf
-rw-r--r-- 1 root root  584 Feb 28  2008 couriersmtp.conf
-rw-r--r-- 1 root root  606 Feb 28  2008 exim.conf
-rw-r--r-- 1 root root  447 May 22  2008 gssftpd.conf
-rw-r--r-- 1 root root 1014 May 22  2008 named-refused.conf
-rw-r--r-- 1 root root  870 May 22  2008 pam-generic.conf
-rw-r--r-- 1 root root  584 Feb 28  2008 postfix.conf
-rw-r--r-- 1 root root  871 Mar 11  2008 proftpd.conf
-rw-r--r-- 1 root root  794 Feb 28  2008 pure-ftpd.conf
-rw-r--r-- 1 root root  599 Feb 28  2008 qmail.conf
-rw-r--r-- 1 root root  643 Feb 28  2008 sasl.conf
-rw-r--r-- 1 root root 1379 May 12  2008 sshd.conf
-rw-r--r-- 1 root root  620 Feb 28  2008 sshd-ddos.conf
-rw-r--r-- 1 root root  693 Mar  5  2008 vsftpd.conf
-rw-r--r-- 1 root root  820 Feb 28  2008 webmin-auth.conf
-rw-r--r-- 1 root root  437 May 22  2008 wuftpd.conf
-rw-r--r-- 1 root root  841 Mar  6  2008 xinetd-fail.conf

Configuring fail2ban
After installation the main configuration files are /etc/fail2ban/jail.conf and /etc/fail2ban/fail2ban.conf. fail2ban.conf can be left at its defaults. Day-to-day configuration is easy: the jail file controls all of the services listed above.
$ vim /etc/fail2ban/jail.conf
[DEFAULT]
# global settings
# addresses never to ban; separate several ranges with spaces, e.g. 192.168.250.0/24
ignoreip = 127.0.0.1
# how long (seconds) an address stays banned; a negative value means forever
bantime  = 600
# window (seconds) in which maxretry failures trigger a ban
findtime  = 600
# failures allowed inside that window
maxretry = 3
# per-jail settings
# sshd brute-force protection
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           mail-whois[name=SSH, dest=root]
logpath  = /var/log/secure
# a per-jail value overrides the global one
maxretry = 5
# vsftpd brute-force protection
[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/secure
maxretry = 3
bantime  = 1800
Recent fail2ban releases enable the ssh jail by default, so it works as soon as it is started.
I recommend maxretry = 3 (three failures and the address is banned); on CentOS 5 / RHEL 5 the logpath must be changed to /var/log/secure. Then enable and start the service:
$ chkconfig --level 2345 fail2ban on
$ service fail2ban start
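The effect of bantime, findtime and maxretry can be seen without a running fail2ban. The following is an added example (not from either post above): fail2ban's findtime/maxretry sliding window re-implemented in awk and run over constructed sshd log lines in the /var/log/secure (or /var/log/auth.log) format. The host name, PIDs and addresses are made up.

```sh
#!/bin/sh
# Added example (not from either post above): fail2ban's findtime/maxretry
# sliding window re-implemented in awk, run over constructed sshd log lines in
# the /var/log/secure (or auth.log) format.  Host name, PIDs and addresses
# are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG='Apr 29 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Apr 29 10:00:05 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Apr 29 10:00:09 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 40003 ssh2
Apr 29 10:00:20 web1 sshd[2104]: Failed password for root from 198.51.100.9 port 50001 ssh2
Apr 29 10:20:30 web1 sshd[2105]: Failed password for root from 198.51.100.9 port 50002 ssh2
Apr 29 10:40:40 web1 sshd[2106]: Failed password for root from 198.51.100.9 port 50003 ssh2
Apr 29 10:41:00 web1 sshd[2107]: Accepted publickey for deploy from 198.51.100.9 port 50004 ssh2'

# ban_candidates FINDTIME MAXRETRY  -- reads log lines on stdin and prints an
# address the first time it reaches MAXRETRY failures inside the last FINDTIME
# seconds.  Only the HH:MM:SS part of the syslog timestamp is used, which is
# enough for a single-day sample.
ban_candidates() {
    awk -v findtime="$1" -v maxretry="$2" '
        / sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            # keep only the failures that are still inside the window
            cnt[ip] += 0; n = 0
            for (k = 1; k <= cnt[ip]; k++)
                if (hist[ip, k] > now - findtime) hist[ip, ++n] = hist[ip, k]
            cnt[ip] = n
            hist[ip, ++cnt[ip]] = now
            if (cnt[ip] >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# sample_bans FINDTIME MAXRETRY  -- the window applied to the constructed log.
sample_bans() { printf '%s\n' "$SAMPLE_LOG" | ban_candidates "$1" "$2"; }

# With the defaults above (findtime 600, maxretry 3) only the fast attacker is
# banned; the slow one, 20 minutes between attempts, needs a larger findtime.
sample_bans 600 3
```

Running sample_bans 3600 3 instead bans both addresses, which is the trade-off the two parameters encode: a long findtime catches slow scanners but also catches a user who mistypes a password three times in an hour.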
Testing and inspecting fail2ban
This command tests a filter's regular expressions against a log file and is worth running before a jail is enabled:
$ fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/vsftpd.conf
Once fail2ban is running, the iptables command shows the extra rules below. Note that the INPUT policy here is ACCEPT: fail2ban only adds the drops and closes nothing else, so combine it with static rules such as those in the first section.
$ iptables -L -nv
Chain INPUT (policy ACCEPT 231M packets, 51G bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  5294 fail2ban-VSFTPD  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
Chain fail2ban-VSFTPD (1 references)
 pkts bytes target     prot opt in     out     source               destination
   20   998 DROP       all  --  *      *       220.249.41.163       0.0.0.0/0
   77  4296 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
fail2ban also has a command of its own for checking:
$ fail2ban-client status vsftpd-iptables
Status for the jail: vsftpd-iptables
|- filter
|  |- File list:    /var/log/secure
|  |- Currently failed:    0
|  `- Total failed:    6
`- action
   |- Currently banned:    1
   |  `- IP list:    220.249.41.163
   `- Total banned:    1
Note: if you restart iptables you must also restart fail2ban. Restarting iptables flushes the fail2ban chains, which are only inserted when fail2ban starts, so until it is restarted bans have no effect.
-----------------------------------------------------------------------
Installing fail2ban on CentOS from source

(This installs an unverified tarball as root: compare the file's checksum with the one shown on the project's download page before running setup.py install.)
[root@localhost ~]# wget http://cdnetworks-kr-1.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2
[root@localhost ~]# tar xvjf fail2ban-0.8.4.tar.bz2
[root@localhost ~]# cd fail2ban-0.8.4
[root@localhost fail2ban-0.8.4]# ls
ChangeLog  client  common  config  COPYING  fail2ban-client  fail2ban-regex  fail2ban-server
fail2ban-testcases  files  man  PKG-INFO  README  server  setup.cfg  setup.py  testcases  TODO

[root@localhost fail2ban-0.8.4]# python setup.py install
[root@localhost fail2ban-0.8.4]# cd files
[root@localhost files]# cp ./redhat-initd /etc/init.d/fail2ban
[root@localhost files]# chkconfig --add fail2ban
[root@localhost files]# service fail2ban start
Starting fail2ban: [ OK ]
-----------------------------------

Fail2ban

Install it from the yum repository, then adjust a few settings.

yum -y install fail2ban

# cat /etc/fail2ban/fail2ban.conf |grep -v ^#

[Definition]

loglevel = 2

logtarget = /var/log/fail2ban.log

socket = /var/run/fail2ban/fail2ban.sock

pidfile = /var/run/fail2ban/fail2ban.pid

The important settings in /etc/fail2ban/jail.conf:

[DEFAULT]
# global settings
# addresses that are never banned (whitelist)
ignoreip = 127.0.0.1
# ban duration, in seconds
bantime  = 600
# window in which more than maxretry failures leads to a ban
findtime  = 600
# maximum number of failed attempts
maxretry = 3
# how log changes are detected: gamin, polling or auto
backend = auto

# per-service jail; bantime, findtime and maxretry set here override the global values
[ssh-iptables]
# whether the jail is active (true/false)
enabled  = true
# filter name, i.e. filter.d/sshd.conf
filter   = sshd
# action parameters: port must be the port sshd listens on (change it if you moved
# sshd); the second action mails a whois report to the listed recipient
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
# the login log to watch
logpath  = /var/log/secure

[ssh-ddos]

enabled  = true
filter   = sshd-ddos
action   = iptables[name=SSHDDOS, port=3389, protocol=tcp]
logpath  = /var/log/secure


[nginx-http-40x]
enabled = true
# a custom filter, i.e. filter.d/nginx-401.conf; the jails below use custom filters too
filter  = nginx-401
action  = iptables-multiport[name=nginx-401,port="443"]
logpath = /var/log/nginx/access.log

[ss-fail]
enabled = true
filter  = ss-fail
action  = iptables-multiport[name=ss-fail,port="80,443,4869"]
logpath = /var/log/messages


[anyconnect-fail]
enabled = true
filter  = anyconnect-fail
action  = iptables-multiport[name=anyconnect-fail,port="80,443,4869"]
logpath = /var/log/messages
Edit /etc/fail2ban/filter.d/sshd.conf and add the pattern ^%(__prefix_line)sBad protocol version identification .* from <HOST>\s*$ to failregex. I moved sshd to port 3389, so scanners talk the wrong protocol to it, and this line bans them on that error as well. (Put such additions in filter.d/sshd.local rather than in the packaged sshd.conf, which a package upgrade overwrites; fail2ban reads the .local file on top of the .conf.)


# cat nginx-401.conf

[Definition]

failregex = <HOST> -.*- .*HTTP/1.* 401 .*$
            <HOST> -.*- .*HTTP/1.* 404 .*$

ignoreregex =

Be careful with the second pattern: it matches every 404, so with maxretry = 3 an ordinary visitor whose browser requests a missing favicon.ico, robots.txt and one more absent file is banned from port 443 along with the attacker. Restrict it to the paths that matter (a login URL, for instance) before enabling it on a public site.


# cat anyconnect-fail.conf

[Definition]

failregex = worker: <HOST>(:\d+)? tlslib.c:372: error verifying client certificate: No certificate was found.

ignoreregex =


# cat ss-fail.conf

[Definition]

failregex = failed to handshake with <HOST>$
ignoreregex =

(fail2ban substitutes the tag only when it is written exactly as <HOST>.)
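To see what the custom filters above would actually match, here is an added example (not part of the original post) that runs fail2ban-style failregex patterns over log lines in the shell, expanding <HOST> the way fail2ban does for IPv4 addresses. The access-log and ss-server lines are constructed, with addresses from the 203.0.113.0/24 documentation range.

```sh
#!/bin/sh
# Added example (not from the original post): apply fail2ban-style failregex
# patterns to log lines with sed, printing the <HOST> of every matching line.
# <HOST> is expanded to an IPv4 pattern (fail2ban's own tag also covers host
# names and IPv6); each regex must be an ERE with <HOST> as its first group.

# Constructed sample of /var/log/nginx/access.log: one client probing a
# protected URL, one ordinary browser whose first visit produces three 404s.
SAMPLE_ACCESS_LOG='203.0.113.10 - - [29/Apr/2012:10:00:01 +0800] "GET /admin/ HTTP/1.1" 401 188 "-" "curl/7.22"
203.0.113.10 - - [29/Apr/2012:10:00:02 +0800] "GET /admin/ HTTP/1.1" 401 188 "-" "curl/7.22"
203.0.113.10 - - [29/Apr/2012:10:00:03 +0800] "GET /admin/ HTTP/1.1" 401 188 "-" "curl/7.22"
203.0.113.25 - - [29/Apr/2012:10:05:00 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.25 - - [29/Apr/2012:10:05:00 +0800] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.25 - - [29/Apr/2012:10:05:01 +0800] "GET /apple-touch-icon.png HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.25 - - [29/Apr/2012:10:05:01 +0800] "GET /robots.txt HTTP/1.1" 404 169 "-" "Mozilla/5.0"'

# Constructed sample of a shadowsocks server line in /var/log/messages.
SAMPLE_SS_LOG='Apr 29 10:07:12 vps ss-server[3301]: failed to handshake with 203.0.113.77'

# failregex_hosts REGEX...  -- stdin: log lines; stdout: the matched <HOST>
# for each line that matches any of the regexes (first match wins).
failregex_hosts() {
    host_re='([0-9]{1,3}(\\.[0-9]{1,3}){3})'
    n=$#
    while [ "$n" -gt 0 ]; do
        re=$1; shift; n=$((n - 1))
        pattern=$(printf '%s' "$re" | sed "s/<HOST>/$host_re/")
        # (.*[^0-9.])? swallows any prefix that cannot cut into the address,
        # so \2 is the address whether <HOST> starts the regex or not
        set -- "$@" -e "s#^(.*[^0-9.])?${pattern}#\\2#p"
    done
    sed -nE "$@"
}

# The two patterns of the nginx-401 filter, run over the sample access log.
nginx_401_hosts() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" \
        | failregex_hosts '<HOST> -.*- .*HTTP/1.* 401 .*$' '<HOST> -.*- .*HTTP/1.* 404 .*$'
}

# The ss-fail pattern, where <HOST> is not at the start of the regex.
ss_fail_hosts() {
    printf '%s\n' "$SAMPLE_SS_LOG" | failregex_hosts 'failed to handshake with <HOST>$'
}

# Matches per address: this is the count fail2ban compares with maxretry.
nginx_401_hosts | sort | uniq -c
```

The count shows the problem with the 404 pattern: 203.0.113.25, an ordinary browser fetching favicon.ico, apple-touch-icon.png and robots.txt, produces three matches and would be banned by the nginx-http-40x jail at maxretry = 3 just like the client probing /admin/.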

After everything is in place, run service fail2ban restart, then iptables -L -n -v to confirm the chains are there.

Other settings

Whether you run sshd or dropbear, moving it off port 22 and disabling root logins are mandatory, and creating an ordinary account that is in the sudo group is good practice. If you always connect from the same devices, consider key-based login with password (PAM) authentication disabled. UseDNS no speeds up ssh logins.

/etc/sysctl.conf


# Controls IP packet forwarding. 1 turns the host into a router; leave it at 0
# unless this machine really forwards traffic (VPN gateway, NAT box)
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges. These keys exist only while the bridge module
# is loaded; sysctl -p reports an error for them otherwise.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456

#This is for shadowsocks
fs.file-max = 51200

net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12; keep it off
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_max_tw_buckets = 5000


# increase TCP max buffer size settable using setsockopt()
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
# increase Linux autotuning TCP buffer limit
#net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
# increase the length of the processor input queue
net.core.netdev_max_backlog = 30000
# recommended for hosts with jumbo frames enabled
net.ipv4.tcp_mtu_probing=1

net.ipv4.tcp_fastopen=3
net.ipv4.tcp_congestion_control=htcp
#net.ipv4.tcp_congestion_control = hybla

sysctl -p applies the file immediately. You can keep two versions, one with hybla and one with htcp, and switch between them from crontab depending on the time of day.

streaming with ffmpeg

In this article I want to explain how to install ffserver for streaming with libx264 and mp3lame on Ubuntu 11.04, using a clean build process. (ffserver has since been removed from FFmpeg, in release 4.0, so this applies only to the old releases named below.)

1) Download FFMpeg ( ffmpeg-0.6.3 )

2) Install libx264-dev, libmp3lame-dev, libasound2-dev from distribution repository

3) ./configure --enable-gpl --enable-libx264 --enable-libmp3lame and make

4) Use this as config file for ffserver and put it into doc directory as ffserver.conf

Port 9090
BindAddress 0.0.0.0
MaxHTTPConnections 2000
MaxClients 1000
MaxBandwidth 10000
CustomLog -
NoDaemon

File /tmp/feed1.ffm
FileMaxSize 100M
ACL allow 127.0.0.1

Feed feed1.ffm
Format flv

#audio AudioBitRate 64
AudioChannels 1
AudioSampleRate 11025
AVOptionAudio flags +global_header

#video
VideoBitRate 256
VideoBufferSize 400
VideoFrameRate 25
VideoBitRateTolerance 100
VideoSize 704x480
VideoGopSize 12
AudioCodec libmp3lame
VideoCodec libx264
AVOptionVideo coder 0
AVOptionVideo bf 0
AVOptionVideo flags2 +mixed_refs+fastpskip
AVOptionVideo flags +loop
AVOptionVideo cmp +chroma
AVOptionVideo partitions +parti8x8+parti4x4+partp8x8+partb8x8
AVOptionVideo me_method hex
AVOptionVideo subq 7
AVOptionVideo me_range 16
AVOptionVideo g 250
AVOptionVideo keyint_min 10
AVOptionVideo sc_threshold 40
AVOptionVideo i_qfactor 0.71
AVOptionVideo b_strategy 1
AVOptionVideo qcomp 0.6
AVOptionVideo qmin 10
AVOptionVideo qmax 51
AVOptionVideo qdiff 4
AVOptionVideo refs 3
AVOptionVideo directpred 1
AVOptionVideo trellis 1
AVOptionVideo wpredp 0
AVOptionVideo flags +global_header
#NoAudio
#NoVideo
#VideoQMin 1
#VideoQMax 31
#Preroll 5
StartSendOnKey

Feed feed1.ffm
Format swf

#audio
AudioBitRate 64
AudioChannels 1
AudioSampleRate 11025
AVOptionAudio flags +global_header

#video
VideoBitRate 256
VideoBufferSize 400
VideoFrameRate 25
VideoBitRateTolerance 100
VideoSize 704x480
VideoGopSize 12
#NoAudio
#NoVideo
#VideoQMin 1
#VideoQMax 31
#Preroll 5
StartSendOnKey

Format status

# Only allow local people to get the status
ACL allow localhost
ACL allow 192.168.0.0 192.168.255.255
# Redirect index.html to the appropriate site

URL http://www.ffmpeg.org/

# this gives two streams: one FLV stream (h264 + mp3) and one SWF stream (flv + mp3)

5) Run ./ffserver -f doc/ffserver.conf

6) Now the source
  • Axis camera 232D+: run './ffmpeg -i rtsp://192.168.0.35/mpeg4/media.amp -f alsa -ac 2 -i hw:0,0 http://127.0.0.1:9090/feed1.ffm' to feed ffserver with the camera's video, using the PC sound card as audio input
  • Axis camera M-1031W: run './ffmpeg -i rtsp://192.168.0.95/axis-media/media.amp http://127.0.0.1:9090/feed1.ffm' to feed ffserver with the camera's video and audio
  • File: to stream a file as if it were live, run './ffmpeg -i /home/dexmac/record.avi http://127.0.0.1:9090/feed1.ffm'
7) For live viewing use VideoLAN (install it from the Ubuntu repository) with the address http://127.0.0.1:9090/test1.flv or test1.swf; if everything went well you will see your stream

8) If you want to put this on line use flowplayer and follow my "streaming with flowplayer and ffserver" how-to.
from http://www.dexmac.com/index.php/how-to/74-streaming-with-ffserver
-------------------------------------------------------------------
In "Streaming with FFServer" I explained how to set up a streaming server with FFServer;
in this article I explain how to set up a web page containing FlowPlayer connected to an FFServer (with the same setup as before).

1)Download flowplayer-3.2.5.zip and unzip it.

2)On your Apache htdocs create a new folder called videos.

3)Put flowplayer.controls-3.2.3.swf, flowplayer-3.2.5.swf style.css here.
4)Save flowplayer.html and put it into videos folder.

5) Run ffserver and ffmpeg as explained in that how-to, open this file in your browser and you will see the live stream.
from http://www.dexmac.com/index.php/how-to/75-flowplayer-with-ffserver



Routing by port number

from http://michael.gorven.za.net/blog/2008/08/15/routing-port-number



Due to a very restrictive firewall at the CHPC, I need to run a VPN to get access to things like email, Jabber and SSH. This however degrades my web browsing experience, since that gets tunnelled as well. I therefore wanted a setup where only ports which are blocked get tunnelled through the VPN, while everything else goes out normally.
The routing part was fairly straightforward, which consists of an iptables rule to mark certain packets, and an alternate routing table for these marked packets. I first created a name for the new table by adding the following to /etc/iproute2/rt_tables.
10  vpn
I then added a default route to the new table specifying the IP address of the VPN server and the VPN interface, and a rule to use this table for packets marked by iptables.
ip route add default via 10.8.0.3 dev tun0 table vpn
ip rule add fwmark 0x1 table vpn
The following iptables rule will mark packets destined to the listed port numbers. Note that this is for packets originating from the firewall host — if you want this to apply to packets forwarded for other hosts it must be in the PREROUTING chain.
iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 22,995,587,5223 -j MARK --set-mark 0x1
The actual routing worked, but packets were being sent with the wrong source IP. I therefore needed to NAT packets going out on the VPN interface (the IP address is the local IP of the VPN connection).
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to 10.8.0.4
I could then see packets going out on the VPN interface with the correct source IP, as well as the replies, but it still wasn't working. I eventually discovered that the reverse-path filter must be relaxed on the tunnel interface: the replies arrive on tun0, but for their source addresses the main routing table points at the default interface, so the strict check discards them. Kernels that support it can use loose mode (2) instead of turning the check off entirely.
echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter
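The four steps above, as an added example (not from the original post): one idempotent script that sets up the table, the policy rule, the mark and the SNAT, with a dry-run mode that prints the commands instead of running them. The addresses, interface and port list are the post's; the variable names, the loose rp_filter mode in the last step (the post uses 0), and the use of ip route replace and iptables -C for idempotency are my additions.

```sh
#!/bin/sh
# Added example (not from the original post): port-based VPN routing as an
# idempotent script.  Values below come from the post; DRY_RUN=1 prints the
# commands instead of executing them, which is also how the example is checked.
VPN_IF=${VPN_IF:-tun0}
VPN_GW=${VPN_GW:-10.8.0.3}        # remote end of the tunnel
VPN_LOCAL=${VPN_LOCAL:-10.8.0.4}  # local tunnel address, used as SNAT source
PORTS=${PORTS:-22,995,587,5223}   # destination ports forced through the VPN
MARK=0x1
TABLE=vpn

# run CMD...  -- execute, or just print the command line when DRY_RUN is set
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# ensure_rule TABLE CHAIN RULE...  -- append RULE unless it is already present
ensure_rule() {
    t=$1; c=$2; shift 2
    if [ -z "${DRY_RUN:-}" ] && iptables -t "$t" -C "$c" "$@" 2>/dev/null; then return 0; fi
    run iptables -t "$t" -A "$c" "$@"
}

# route_ports_up  -- the post's steps in dependency order, safe to re-run.
route_ports_up() {
    # 1. name the table (the "10 vpn" line in /etc/iproute2/rt_tables), once
    grep -q "[[:space:]]$TABLE\$" /etc/iproute2/rt_tables 2>/dev/null \
        || run sh -c "echo '10 $TABLE' >> /etc/iproute2/rt_tables"
    # 2. default route inside that table; replace, so a reconnect just updates it
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    # 3. marked packets consult the vpn table (delete first to avoid duplicates)
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE"
    # 4. mark locally generated TCP packets to the listed ports; for traffic
    #    forwarded on behalf of other hosts the rule would go in PREROUTING
    ensure_rule mangle OUTPUT -p tcp -m multiport --dports "$PORTS" -j MARK --set-mark "$MARK"
    # 5. rewrite the source address on the tunnel, otherwise replies never come back
    ensure_rule nat POSTROUTING -o "$VPN_IF" -j SNAT --to "$VPN_LOCAL"
    # 6. reverse-path filter: loose mode keeps some anti-spoofing protection;
    #    the post disables it (0) instead
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

# Preview (no root needed):  DRY_RUN=1 ./vpn-ports.sh   Apply (as root):  ./vpn-ports.sh
route_ports_up
```

Because each step is a replace, a delete-then-add, or a -C check, the script can be run again after the tunnel reconnects with a different local address, which the original one-off commands could not.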

iptables forwarding rules

A fairly clear explanation:
http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html

http://straylink.wordpress.com/2006/08/16/using-iptables-to-redirect-packets/
REDIRECT to localhost
Let's say you want to take packets arriving on one interface and have them forwarded to a service running on localhost, e.g. a database server that should have limited external exposure (no, that is not what I'm working on, as if I would show my cards so easily!). Googling 'iptables forward localhost' turns up mailing-list posts saying 'you cannot forward packets from a real interface to the loopback interface'. True enough. iptables does, however, support REDIRECTing them:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.254 --dport 80 -j REDIRECT --to-ports 8080
The rule above adds a PREROUTING entry to the nat table stating that any TCP packet destined for 192.168.1.254 port 80 is redirected to port 8080 on this host. Note that REDIRECT rewrites the destination to the primary address of the interface the packet arrived on, not to 127.0.0.1, so the service must listen on that interface address (or on all addresses); a daemon bound only to 127.0.0.1 will not receive the redirected packets. As a template:
iptables -t nat -A PREROUTING -p tcp -d DEST_IP --dport DEST_PORT -j REDIRECT --to-ports LOCAL_PORTS

htaccess Trick: Enable File or Directory Access to Your Password-Protected Site

In this brief tutorial, we are going to enable users to access any file or directory of a site that is password-protected via htaccess. There are many reasons for wanting to employ this technique, including:
  • Share public resources from an otherwise private site
  • Enable visitors to access content during site maintenance
  • Testing and formatting of layout and design during development
As a webmaster, I have used this technique on several occasions. This trick works great for allowing access to any number of files, directories, and/or combination of both. We will begin with a generalized example, proceed with an explanatory discussion, and wrap things up with a couple of useful modifications.

A Generalized Example

Here is the basic htaccess code enabling users to access a specific directory and file on your domain:
# password protection allowing directory and file access
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null 
Require valid-user
SetEnvIf Request_URI "(path/to/directory/)$" allow
SetEnvIf Request_URI "(path/to/file\.php)$"  allow
Order allow,deny
Allow from env=allow
Satisfy any
To use this tasty little nugget, copy & paste into your site’s root (or target directory) htaccess file and edit the following parameters:
  • The phrase “Restricted Area” will be displayed on the password-prompt dialogue box — edit accordingly.
  • Edit the AuthUserFile path to match that of your htaccess password file (e.g., “/home/path/.htpasswd”).
  • Edit the first Request_URI path to match that of your target directory, and/or the second Request_URI path to match that of your target file (delete either one if not needed).
Afterwards, ensure that everything is functioning properly by attempting to access both your password-protected content and newly accessible directory and/or file. To reassure yourself, try using a few free proxies (Google: “free proxy”) to access your various resources.

Discussion

So, how exactly does this fine slice of htaccess code operate? Let’s break it on down..
AuthType Basic
This line specifies the authentication type, so that Apache runs the right module. In this case, and in 99% of the cases I have seen, the type is "Basic". (Basic sends the credentials base64-encoded in every request, so it should only be used over HTTPS.)
AuthName "Restricted Area"
Here we are specifying the message that will be displayed with the password-prompt dialogue box. This is a great place to inform visitors of any publicly available content. For example, you could display something like: “Private Site – Public content available at http://domain.tld/content/”
AuthUserFile /home/path/.htpasswd
In this line, we are specifying the location of the user authentication file. This file should not be available via the Internet (i.e., place in a directory above public_html) because it contains the password verification.
AuthGroupFile /dev/null
Here we are specifying the location of the group authorization file, if any. In this example, because we are not authorizing any groups, we specify a “null” value.
Require valid-user
This line instructs Apache to implement the password protection, essentially saying, “require a valid password” before allowing access.
SetEnvIf Request_URI "(path/to/directory/)$" allow
In this line, we are setting the specified URL request as an allow variable. This variable will be checked later in the script. This line essentially says, “associate the specified URL (i.e., path/to/directory/) with an allow variable.”
SetEnvIf Request_URI "(path/to/file\.php)$" allow
As in the previous line, here we are setting the specified URL request as an allow variable. This variable will be checked later in the script. This line essentially says, “associate the specified URL (i.e., path/to/file\.php) with an allow variable.”
Order allow,deny
Here we designate the order in which the access directives are evaluated: Allow directives first, then Deny. In this example the order is critical.
Allow from env=allow
This line tells Apache to allow access to any request for which the allow variable was set.
Satisfy any
Finally, Satisfy any tells Apache that a request is accepted if either condition is met: a valid user from the authentication file, or an Allow match. (The default, Satisfy all, would require both.) Note that Order, Allow and Satisfy are Apache 2.2 directives; on Apache 2.4 they are provided by mod_access_compat, and the native equivalent is a RequireAny block containing Require valid-user and Require env allow.

Some tweaks and modifications..

Let’s take a look at a couple of potentially useful modifications..

Allow access to multiple site resources

To allow public user access to more resources, set additional allow variables:
# password protection allowing multiple resources
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null 
Require valid-user
# allow public access to the following resources
SetEnvIf Request_URI "(path/to/directory_01/)$"         allow
SetEnvIf Request_URI "(path/to/directory_02/)$"         allow
SetEnvIf Request_URI "(path/to/file\.php)$"             allow
SetEnvIf Request_URI "(path/to/file\.html)$"            allow
SetEnvIf Request_URI "(path/to/another/resource/)$"     allow
SetEnvIf Request_URI "(path/to/yet/another/resource/)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
Of course, you will want to customize this code to reflect the various resources for which you would like to allow public access.

Allow webmaster and other sites open access to entire site

Here’s the scene: you have the entire site password-protected via htaccess. You also have allowed open, public access to various site resources, directories, etc. Now, what if you also want to provide unrestricted access to the entire domain for certain, key individuals and sites? Easy, just use this lil’ chunk of htaccess goodness:
# password protection allowing multiple resources
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null 
Require valid-user
# allow public access to the following resources
SetEnvIf Request_URI "(path/to/directory_01/)$"         allow
SetEnvIf Request_URI "(path/to/directory_02/)$"         allow
SetEnvIf Request_URI "(path/to/file\.php)$"             allow
SetEnvIf Request_URI "(path/to/file\.html)$"            allow
SetEnvIf Request_URI "(path/to/another/resource/)$"     allow
SetEnvIf Request_URI "(path/to/yet/another/resource/)$" allow
Order allow,deny
Allow from env=allow
# allow open access to entire site for select ips and sites
Allow from 777.777.77.7
Allow from 888.888.88.8
Allow from 999.999.99.9
Allow from domains.tld
Allow from website.tld
Allow from example.tld
Satisfy any
To use this code, edit each "Allow from ..." line to hold the IP address or host name of the sites that should have open, unrestricted access, for example the site administrators and a few key validation services. (The 777.777.77.7-style addresses above are placeholders, not valid IPs.) Allowing by host name makes Apache do a reverse lookup followed by a forward lookup on every request, which is slow and only as trustworthy as DNS, so prefer addresses. This is the stuff that web-development dreams are made of!
Well, that does it for this post. A big thank you goes out to our friend Dave Atkins for inquiring about this technique. And, as always, please share your comments, criticisms, and suggestions with the rest of us ;)
Update: The original version of this article presented a method for allowing open feed access at password-protected sites. Unfortunately, the code did not work as intended thanks to Apache’s virtually complete lack of support for query strings. Needless to say, this article has been rewritten to demonstrate a generalized technique for enabling access to files and directories.
Peace!

 from http://perishablepress.com/enable-file-or-directory-access-to-your-htaccess-password-protected-site/

xhEditor, an open-source HTML editor

Small and lean

The editor initially loads four files: one JS file (50k), two CSS files (10k) and one image (5k), 65k in total. With gzip compression of the JS and CSS this shrinks to about 24k.

Easy to use

Simple to invoke: adding one class attribute turns your textarea into a fully featured visual HTML editor.

Accessibility (New)

Full WAI-ARIA support, fine-grained keyboard control and voice guidance throughout, for a complete accessible editing experience.

Powerful Ajax upload

Built-in Ajax upload with HTML4 and HTML5 support (multi-file upload, real upload progress and drag-and-drop upload), clipboard upload and remote fetching, for a polished upload experience.

Word support

Automatic detection and cleanup of pasted Word markup, producing compact code without losing any formatting detail.

Safe UBB

A complete visual UBB editor solution: content is stored as safe and compact UBB code while editing stays visual.
from http://xheditor.com/
------------------------------------
xhEditor, an open-source online visual HTML editor

xhEditor is an open-source online visual (WYSIWYG) HTML editor. When leaving comments in guestbooks, posting on forums or writing blog entries, one often needs to edit HTML to make the text look better: bold, underline, font size and colour, and so on. xhEditor helps here: it makes the text richer and the post or entry more attractive, and its convenient editing functions make editing as efficient as possible.

For site owners: if your site's default editor is not powerful enough, installing xhEditor makes things much easier for your visitors and helps bring them back.

Download: http://xheditor.com/download

Manual: http://xheditor.com/manual

Demo: http://xheditor.com/demo

Methods for removing DLL backdoors

Once security awareness reaches a certain level, the damage a "backdoor" can do needs no explanation. With the "help" of antivirus software, traditional backdoors can now be caught by checking listening ports and process lists. But if the backdoor is built as a DLL (dynamic link library) and loaded by some EXE as its host, or started through Rundll32.exe, it has no process of its own and opens no port of its own, and so hides from both checks.
A DLL's purpose is to provide extended functionality to applications. To use a DLL an application links to it dynamically; from the programming point of view the application needs to know which API functions the DLL exports before it can call them. A DLL therefore cannot run on its own; it has to be called by an application. Because a DLL is mapped into the calling application's memory while in use, it cannot be deleted while loaded, and since the host is usually a Windows system process, it cannot simply be terminated either. That is what DLL backdoors rely on. So how do you deal with these DLL files?
Two well-known DLL backdoors, SvchostDLL.dll and BITS.dll, are used as examples below, with step-by-step manual removal instructions.
Hosting in svchost
Before describing the removal steps, a short introduction to the key system process svchost.exe:
Svchost is only a host for services and implements nothing itself. A service started through Svchost is implemented as a DLL whose loader is svchost, so when the service starts, svchost calls the service's DLL. Which DLL svchost loads for a service is decided by the registry: the service's key has a Parameters subkey whose ServiceDll value names the DLL, and that DLL must export a ServiceMain() function that handles the service's work.
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost the registry lists the groups started by Svchost and the services in each group; netsvcs is the largest group. To start a service through Svchost, its service name must appear under that key.
A backdoor can get itself in there in four ways:
  1. Add a new group and put a service name in it.
  2. Add a service name to an existing group.
  3. Use a service name that is already listed in an existing group but not installed on this machine.
  4. Modify an existing service in an existing group, pointing its ServiceDll at the backdoor DLL.
PortLess BackDoor
This is a very capable DLL backdoor. Besides a shell with Local System privileges it offers features such as "detect cloned accounts" and "install terminal services", and it works on Windows 2000/XP/2003. It is started through svchost.exe, normally listens on no port, and can connect back, which makes it very effective against hosts behind a firewall.
The backdoor's loader injects SvchostDLL.dll into the Svchost process. So first open Windows Process Manager 2.5 in Windows Optimizer (Windows优化大师) and look at the modules of the Svchost process: SvchostDLL.dll is loaded. By the mechanism above there must then be a new entry under Administrative Tools - Services, and indeed there is: a service named IPRIP, started by Svchost with -k netsvcs, meaning it belongs to the netsvcs group.
Stop that service, then open the registry editor (Start - Run - regedit), go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP and look at its Parameters subkey. The Program value, SvcHostDLL.exe, is the backdoor's loader; the ServiceDll value, C:\WINNT\system32\svchostdll.dll, is the DLL that gets called, i.e. the backdoor itself. Delete the IPRIP key (or remove the service with SC), then go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, edit the netsvcs group and remove the bytes 49 00 70 00 72 00 69 00 70 00 00 00, which are the service name Iprip in UTF-16LE. Exit and reboot. After the reboot, delete the backdoor files from WINNT\system32.
PortLess BackDoor uses the third svchost method above (a service name that the netsvcs group already lists but that is not installed on the machine), so removing it is a matter of editing the registry's Svchost key.
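The byte string above is the service name in the REG_MULTI_SZ encoding the registry uses: UTF-16LE, each string NUL-terminated, the list ended by an extra NUL. As an added example, not from the article, the following shell functions decode a netsvcs value as exported by reg export (written as hex(7):...) into one name per line, and encode a name back into that byte form, so an exported list can be diffed against the one from a clean host. The sample value is constructed and far shorter than a real netsvcs list.

```sh
#!/bin/sh
# Added example (not from the article): inspect a netsvcs REG_MULTI_SZ value
# offline.  "reg export" writes such values as hex(7): UTF-16LE code units,
# each string NUL-terminated, the whole list ended by an extra NUL.

# Constructed sample, two entries long: AppMgmt followed by the Iprip entry
# the backdoor relies on.  A real netsvcs list is much longer.
SAMPLE_NETSVCS='41,00,70,00,70,00,4d,00,67,00,6d,00,74,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,00,00'

# multi_sz_decode  -- stdin: the hex byte list (comma or space separated,
# .reg line continuations "\" allowed); stdout: one service name per line.
multi_sz_decode() {
    tr ',\\' '  ' | tr -d '\n' | awk '
        BEGIN { for (i = 0; i < 256; i++) ord[sprintf("%02x", i)] = i }
        {
            for (i = 1; i + 1 <= NF; i += 2) {
                lo = tolower($i); hi = tolower($(i + 1))
                code = ord[hi] * 256 + ord[lo]
                if (code == 0) {
                    if (name == "") exit        # second NUL in a row: end of list
                    print name; name = ""
                } else if (code < 128) {
                    name = name sprintf("%c", code)
                } else {
                    name = name "?"             # non-ASCII: not expected in service names
                }
            }
        }'
}

# multi_sz_encode NAME...  -- prints the UTF-16LE bytes of the names, each
# followed by its terminating NUL, e.g. the "49 00 70 00 ..." string above.
multi_sz_encode() {
    for n in "$@"; do
        printf '%s' "$n" | od -An -tx1 -v | awk '{ for (i = 1; i <= NF; i++) printf "%s 00 ", $i }'
        printf '00 00 '
    done | sed 's/ $//'
}

# Decode the sample: the second line is the entry the article says to remove.
printf '%s' "$SAMPLE_NETSVCS" | multi_sz_decode
```

Decode the netsvcs value from a known-good host of the same Windows version the same way and diff the two lists; a name that exists only on the suspect host, or a listed name whose service now has a ServiceDll outside the expected system directory, is what the third and fourth svchost methods above look like from the registry side.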
BITS.dll
This one, by 榕哥 (Rong Ge), is also a DLL backdoor and works much like SvchostDLL.dll, except that it uses the fourth method above: it modifies an existing service and points that service's ServiceDll at itself (BITS.dll) to get loaded automatically. It also has no loader of its own and is loaded by the system's Rundll32.exe. Windows Process Manager 2.5 again shows bits.dll loaded into the Svchost process.
Now the removal. Since the backdoor modifies an existing service and we do not know which one, search the registry for bits.dll. It turns up under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto: the ServiceDll value in the Parameters subkey is C:\WINNT\system32\bits.dll. So the backdoor replaced the RasAuto service's DLL with bits.dll to get loaded automatically. Knowing that, the fix is easy: set ServiceDll back to the original DLL of the RasAuto service, %SystemRoot%\System32\rasauto.dll, exit and reboot, then delete bits.dll from WINNT\system32.
Defending against DLL backdoors
You may now know how to remove these two, but in practice a DLL backdoor will not use its default file name, so you cannot be sure whether you have one. system32 is the favourite location for DLL backdoors, as for most backdoors, so watch it closely.
  1. After installing the system and all applications, take an inventory of the EXE and DLL files in system32: open CMD, change to WINNT\system32 and run dir *.exe>exe.txt & dir *.dll>dll.txt, which records all EXE and DLL files in exe.txt and dll.txt. Later, if something looks wrong, take a fresh inventory with the same commands (say into exe0.txt and dll0.txt) and compare them: fc exe.txt exe0.txt>exedll.txt & fc dll.txt dll0.txt>>exedll.txt (note the >> on the second command, so the second comparison does not overwrite the first). This shows the EXE and DLL files that have appeared since, and their size and creation time help decide whether they are a DLL backdoor. Keep the inventory files off the machine, or at least out of system32, so an intruder cannot update them.
  2. Use a memory/module viewer to see which DLLs a process has loaded, for example Windows Process Manager 2.5 in Windows Optimizer. Combined with the fc comparison above this narrows things down further. Without that tool, TaskList can show the modules loaded by each process (tasklist /M), and it comes with source code that is easy to modify.
  3. Using a backdoor requires a network connection, and DLL backdoors are no exception: however well they hide, a listening port or an outbound connection shows up when the backdoor is used. Use netstat -an to list all TCP/UDP connections and look for anything unexpected. Know which ports your machine normally has open, and understand the state column of netstat -an. Fport maps ports to processes, so unknown connections and ports can be tied to the process behind them.
  4. Regularly check the places where the system auto-starts things: the registry, Winstart.bat, Autoexec.bat, win.ini, system.ini, wininit.ini, Autorun.inf, Config.sys and so on. Also manage the services: know the default set of services, and when a suspicious one turns up, remove it with SC from the Windows 2000 Server Resource Kit.
With these methods most DLL backdoors can be made to "show themselves". In fact, taking a few baselines regularly makes finding DLL backdoors a lot easier.