25 PHP security practices for system administrators, php_PHP tutorial for system administrators

<p></p> <h2>25 PHP security practices written for system administrators, written for system administrators php</h2> <p> PHP is a widely used open source server-side scripting language. Apache web services allow users to access files or content through the HTTP or HTTPS protocols. Misconfiguration of server-side scripting languages ​​can cause various problems. Therefore, PHP should be used with caution. Here are 25 practical examples for system administrators on how to securely configure PHP. </p> <p><img src="http://www.bkjia.com/uploads/allimg/141105/164PKU0-0.JPG" alt=""></p> <p> Sample PHP settings used below</p> <ul> <li>DocumentRoot:/var/www/html</li> <li>Default web service: Apache (can use Lighttpd or Nginx instead) </li> <li>Default PHP configuration file: /etc/php.ini</li> <li>Default PHP Extensions configuration directory: /etc/php.d/</li> <li>PHP security configuration sample file: /etc/php.d/security.ini (you need to use a text editor to create this file) </li> <li>Operating system: RHEL/CentOS/Fedora Linux (the instructions should run normally under all other Linux distributions, such as Debian/Ubuntu, or Unix-like operating systems, such as OpenBSD/FreeBSD/HP-UX)</li> <li>Default TCP/UDP port for PHP service: none</li> </ul> <p> Most of the operations listed this afternoon are based on the assumption that the root user can perform operations on bash or other modern shells. </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">$ php -</code><code class="bash functions">v</code> </td> </tr> </tbody> </table> <p>Sample output</p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 </td> <td class="code"> <code class="bash plain">PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41)</code> <code class="bash spaces"> </code><code class="bash plain">Copyright (c) 1997-2010 The PHP Group</code> <code class="bash spaces"> </code><code class="bash plain">Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies</code> </td> </tr> </tbody> </table> <p> Operating system used in this article </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">$ </code><code class="bash functions">cat</code> <code class="bash plain">/etc/redhat-release</code> </td> </tr> </tbody> </table> <p>Sample output</p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">Red Hat Enterprise Linux Server release 6.1 (Santiago)</code> </td> </tr> </tbody> </table> <p><strong> #1: Know the enemy </strong></p> <p> Applications based on PHP face a variety of attacks: </p> <ul> <li>XSS: For PHP web applications, cross-site scripting is a vulnerable point. Attackers can use it to steal user information. You can configure Apache, or write more secure PHP code (validate all user input) to prevent XSS attacks</li> <li>SQL injection: This is a vulnerable point of attack in the database layer of PHP applications. The prevention methods are the same as above. A common method is to use mysql_real_escape_string() to escape parameters and then perform SQL queries. </li> <li>File Upload: It allows visitors to place (i.e. upload) files on the server. This will cause a series of problems, such as deleting server files, databases, and obtaining user information. You can use PHP to prohibit file uploads, or write more secure code (such as verifying user input and only allowing uploading of image formats such as png and gif) </li> <li>Contains local and remote files: An attacker can make the remote server open the file, run any PHP code, and then upload or delete the file, installing a backdoor. You can prevent it by canceling the remote file execution setting</li> <li>eval(): This function can make a string execute like PHP code. It is commonly used by attackers to hide code and tools on servers. This is achieved by configuring PHP and canceling the eval() function call</li> <li>Sea-surt Attack (Cross-site request forgery, CSRF. Cross-site request forgery): This attack causes the end user to perform unspecified behavior under the current account. This compromises end-user data and operational security. If the target end user's account is used with administrator privileges, the entire web application will be compromised. </li> </ul> <p><strong>　#2: Reduce built-in PHP modules </strong></p> <p> Execute the following command to view the modules currently compiled by PHP </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">$ php -m</code> </td> </tr> </tbody> </table> <p> Sample output: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 </td> <td class="code"> <code class="bash plain">[PHP Modules]</code> <code class="bash spaces"> </code><code class="bash plain">apc</code> <code class="bash spaces"> </code><code class="bash plain">bcmath</code> <code class="bash spaces"> </code><code class="bash plain">bz2</code> <code class="bash spaces"> </code><code class="bash plain">calendar</code> <code class="bash spaces"> </code><code class="bash plain">Core</code> <code class="bash spaces"> </code><code class="bash plain">ctype</code> <code class="bash spaces"> </code><code class="bash plain">curl</code> <code class="bash spaces"> </code><code class="bash functions">date</code> <code class="bash spaces"> </code><code class="bash plain">dom</code> <code class="bash spaces"> </code><code class="bash plain">ereg</code> <code class="bash spaces"> </code><code class="bash plain">exif</code> <code class="bash spaces"> </code><code class="bash plain">fileinfo</code> <code class="bash spaces"> </code><code class="bash plain">filter</code> <code class="bash spaces"> </code><code class="bash functions">ftp</code> <code class="bash spaces"> </code><code class="bash plain">gd</code> <code class="bash spaces"> </code><code class="bash plain">gettext</code> <code class="bash spaces"> </code><code class="bash plain">gmp</code> <code class="bash spaces"> </code><code class="bash functions">hash</code> <code class="bash spaces"> </code><code class="bash plain">iconv</code> <code class="bash spaces"> </code><code class="bash plain">imap</code> <code class="bash spaces"> </code><code class="bash plain">json</code> <code class="bash spaces"> </code><code class="bash plain">libxml</code> <code class="bash spaces"> </code><code class="bash plain">mbstring</code> <code class="bash spaces"> </code><code class="bash plain">memcache</code> <code class="bash spaces"> </code><code class="bash plain">mysql</code> <code class="bash spaces"> </code><code class="bash plain">mysqli</code> <code class="bash spaces"> </code><code class="bash plain">openssl</code> <code class="bash spaces"> </code><code class="bash plain">pcntl</code> <code class="bash spaces"> </code><code class="bash plain">pcre</code> <code class="bash spaces"> </code><code class="bash plain">PDO</code> <code class="bash spaces"> </code><code class="bash plain">pdo_mysql</code> <code class="bash spaces"> </code><code class="bash plain">pdo_sqlite</code> <code class="bash spaces"> </code><code class="bash plain">Phar</code> <code class="bash spaces"> </code><code class="bash plain">readline</code> <code class="bash spaces"> </code><code class="bash plain">Reflection</code> <code class="bash spaces"> </code><code class="bash plain">session</code> <code class="bash spaces"> </code><code class="bash plain">shmop</code> <code class="bash spaces"> </code><code class="bash plain">SimpleXML</code> <code class="bash spaces"> </code><code class="bash plain">sockets</code> <code class="bash spaces"> </code><code class="bash plain">SPL</code> <code class="bash spaces"> </code><code class="bash plain">sqlite3</code> <code class="bash spaces"> </code><code class="bash plain">standard</code> <code class="bash spaces"> </code><code class="bash plain">suhosin</code> <code class="bash spaces"> </code><code class="bash plain">tokenizer</code> <code class="bash spaces"> </code><code class="bash plain">wddx</code> <code class="bash spaces"> </code><code class="bash plain">xml</code> <code class="bash spaces"> </code><code class="bash plain">xmlreader</code> <code class="bash spaces"> </code><code class="bash plain">xmlrpc</code> <code class="bash spaces"> </code><code class="bash plain">xmlwriter</code> <code class="bash spaces"> </code><code class="bash plain">xsl</code> <code class="bash spaces"> </code><code class="bash plain">zip</code> <code class="bash spaces"> </code><code class="bash plain">zlib</code> <code class="bash spaces"> </code><code class="bash plain">[Zend Modules] </code> <code class="bash spaces"> </code><code class="bash plain">Suhosin</code> </td> </tr> </tbody> </table> <p> From the perspective of performance and security, I recommend reducing unnecessary modules when using PHP. For example the sqlite3 above is unnecessary. Then you can cancel it by deleting or renaming the /etc/php.d/sqlite3.ini file: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># rm /etc/php.d/sqlite3.ini</code> </td> </tr> </tbody> </table> <p> or </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable</code> </td> </tr> </tbody> </table> <p> Some modules can only be removed by recompiling and installing PHP. For example, after downloading the PHP source code from php.net, use the following instructions to compile GD, fastcgi and MySQL support: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">.</code><code class="bash plain">/configure</code> <code class="bash plain">--with-libdir=lib64 --with-gd --with-mysql --prefix=</code><code class="bash plain">/usr</code> <code class="bash plain">--</code><code class="bash functions">exec</code><code class="bash plain">-prefix=</code><code class="bash plain">/usr</code> <code class="bash plain">--bindir=</code><code class="bash plain">/usr/bin</code> <code class="bash plain">--sbindir=</code><code class="bash plain">/usr/sbin</code> <code class="bash plain">--sysconfdir=</code><code class="bash plain">/etc</code> <code class="bash plain">--datadir=</code><code class="bash plain">/usr/share</code> <code class="bash plain">--includedir=</code><code class="bash plain">/usr/include</code> <code class="bash plain">--libexecdir=</code><code class="bash plain">/usr/libexec</code> <code class="bash plain">--localstatedir=</code><code class="bash plain">/var</code> <code class="bash plain">--sharedstatedir=</code><code class="bash plain">/usr/com</code> <code class="bash plain">--mandir=</code><code class="bash plain">/usr/share/man</code> <code class="bash plain">--infodir=</code><code class="bash plain">/usr/share/info</code> <code class="bash plain">--cache-</code><code class="bash functions">file</code><code class="bash plain">=..</code><code class="bash plain">/config</code><code class="bash plain">.cache --with-config-</code><code class="bash functions">file</code><code class="bash plain">-path=</code><code class="bash plain">/etc</code> <code class="bash plain">--with-config-</code><code class="bash functions">file</code><code class="bash plain">-scan-</code><code class="bash functions">dir</code><code class="bash plain">=</code><code class="bash plain">/etc/php</code><code class="bash plain">.d  --</code><code class="bash functions">enable</code><code class="bash plain">-fastcgi --</code><code class="bash functions">enable</code><code class="bash plain">-force-cgi-redirect</code> </td> </tr> </tbody> </table> <p>For more information, please see: how to compile and reinstall php on Unix like operating system</p> <p><strong> #3: Prevent PHP information leakage </strong></p> <p> You can limit PHP information leakage by canceling export_php. Edit /etc/php.d/security.ini as follows: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">expose_php=Off</code> </td> </tr> </tbody> </table> <p> Expose_php will add PHP information on the server, including version, to the HTTP Header (for example, X-Powered-By: PHP/5.3.3). At the same time, PHP's global unified identifier will also be exposed. If export_php is enabled, you can check the PHP version information through the following command: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">$ curl -I http:</code><code class="bash plain">//www</code><code class="bash plain">.cyberciti.biz</code><code class="bash plain">/index</code><code class="bash plain">.php</code> </td> </tr> </tbody> </table> <p> Sample output: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 6 7 </td> <td class="code"> <code class="bash plain">HTTP</code><code class="bash plain">/1</code><code class="bash plain">.1 200 OK</code> <code class="bash spaces"> </code><code class="bash plain">X-Powered-By: PHP</code><code class="bash plain">/5</code><code class="bash plain">.3.3</code> <code class="bash spaces"> </code><code class="bash plain">Content-</code><code class="bash functions">type</code><code class="bash plain">: text</code><code class="bash plain">/html</code><code class="bash plain">; charset=UTF-8</code> <code class="bash spaces"> </code><code class="bash plain">Vary: Accept-Encoding, Cookie</code> <code class="bash spaces"> </code><code class="bash plain">X-Vary-Options: Accept-Encoding;list-contains=</code><code class="bash functions">gzip</code><code class="bash plain">,Cookie;string-contains=wikiToken;string-contains=wikiLoggedOut;string-contains=wiki_session</code> <code class="bash spaces"> </code><code class="bash plain">Last-Modified: Thu, 03 Nov 2011 22:32:55 GMT </code> <code class="bash spaces"> </code><code class="bash plain">...</code> </td> </tr> </tbody> </table> <p> It is recommended to hide the Apache version and other information at the same time: ServerTokens and ServerSignature directives in httpd.conf to hide Apache version </p> <p><strong>　#4: Minimize loadable PHP modules (dynamic Extension) </strong></p> <p> PHP supports "Dynamic Extensions". By default, RHEL will load all Extension modules in the /etc/php.d/ directory. If you need to enable or cancel a certain module, just comment out the module in the configuration file in the /etc/php.d/ directory. You can also delete the file or rename the module's configuration file. To optimize PHP performance and security, only the Extensions required by your web application should be enabled. For example, use the following command to cancel the GD module: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 </td> <td class="code"> <code class="bash comments"># cd /etc/php.d/</code> <code class="bash spaces"> </code><code class="bash comments"># mv gd.{ini,disable}</code> <code class="bash spaces"> </code><code class="bash comments"># <span> <tbody> <tr> <td class="gutter"> 1 2 </td> <td class="code"> <code class="bash comments"># mv gd.{disable,ini}</code> <code class="bash spaces"> </code><code class="bash comments"># <span> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">display_errors=Off</code> </td> </tr> </tbody> </table> <p> Make sure to log all error messages to the log file </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 </td> <td class="code"> <code class="bash plain">log_errors=On</code> <code class="bash plain">error_log=</code><code class="bash plain">/var/log/httpd/php_scripts_error</code><code class="bash plain">.log</code> </td> </tr> </tbody> </table> <p><strong> #6: Disable file uploads </strong></p> <p> For security reasons, edit /etc/php.d/security.ini as follows to cancel file upload </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">file_uploads=Off</code> </td> </tr> </tbody> </table> <p> If the user really needs to upload files, then enable it and then limit the maximum file size accepted by PHP: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 </td> <td class="code"> <code class="bash plain">file_uploads=On</code> <code class="bash comments"># user can only upload upto 1MB via php</code> <code class="bash plain">upload_max_filesize=1M</code> </td> </tr> </tbody> </table> <p><strong> #7: Turn off remote code execution </strong></p> <p> If this feature is enabled, PHP can obtain remote data such as FTP or web content in file_get_contents(), include, and require through allow_url_fopen. Programmers often forget to sanitize user input, and if these functions call this data, an injection vulnerability develops. In PHP-based web applications, a large number of injection vulnerabilities in the code are caused by this. This feature can be turned off by editing /etc/php.d/security.ini: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">allow_url_fopen=Off</code> </td> </tr> </tbody> </table> <p> In addition, it is recommended to cancel allow_url_include: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">allow_url_include=Off</code> </td> </tr> </tbody> </table><p><strong>　#8: Enable SQL safe mode</strong></p> <p> Modify /etc/php.d/security.ini as follows: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">sql.safe_mode=On</code> </td> </tr> </tbody> </table> <p> When this feature is enabled, mysql_connect() and mysql_pconnect() will ignore all parameters passed in. At the same time, you need to make corresponding changes in the code. Third-party and open source applications, such as WordPress, may not work properly in sql.safe_mode. It is also recommended to turn off the magic_quotes_gpc filtering of PHP version 5.3.x, because it is simple, crude and inefficient. It would be better to use mysql_escape_string() and a custom filter function</p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">magic_quotes_gpc=Off</code> </td> </tr> </tbody> </table> <p><strong>　#9: Control the data size of POST</strong></p> <p> HTTP POST is usually used by clients as part of a request to send data to the Apache web server, such as uploading files or submitting forms. Attackers will try to send extremely large POST requests to consume server resources. Edit /etc/php.d/security.ini as follows to limit the maximum size of POST: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 </td> <td class="code"> <code class="bash plain">; 在这里设置一个靠谱的数值</code> <code class="bash spaces"> </code><code class="bash plain">post_max_size=1K</code> </td> </tr> </tbody> </table> <p> The maximum size of 1K is set here. This setting affects file uploads. To upload large files, this value needs to be larger than update_max_filesize. <br />It is recommended to limit the available request methods in Apache. Edit httpd.conf as follows: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 6 </td> <td class="code"> <code class="bash plain"><Directory </code><code class="bash plain">/var/www/html</code><code class="bash plain">></code> <code class="bash spaces">     </code><code class="bash plain"><LimitExcept GET POST></code> <code class="bash spaces">         </code><code class="bash plain">Order allow,deny</code> <code class="bash spaces">     </code><code class="bash plain"><</code><code class="bash plain">/LimitExcept</code><code class="bash plain">></code> <code class="bash spaces"> </code><code class="bash comments">## Add rest of the config goes here... ##</code> <code class="bash spaces"> </code><code class="bash plain"><</code><code class="bash plain">/Directory</code><code class="bash plain">></code> </td> </tr> </tbody> </table> <p><strong>　#10: Resource Control (DoS Control) </strong></p> <p> Set the maximum running time of each PHP script. It is also recommended to limit the maximum time spent processing requested data, as well as the maximum amount of available memory. </p> <p>　# Unit: second</p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 </td> <td class="code"> <code class="bash plain">max_execution_time = 30</code> <code class="bash plain">max_input_time = 30</code> <code class="bash plain">memory_limit = 40M</code> </td> </tr> </tbody> </table> <p><strong>　#11: Install Suhosin advanced protection system for PHP </strong></p> <p> For details, please refer to the Suhosin project page: project page </p> <p><strong>　#12: Cancel dangerous PHP functions</strong></p> <p> PHP has a large number of functions that can be used to invade the server. If used improperly, they will become vulnerabilities. Cancel these functions as follows: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">disable_functions =</code><code class="bash functions">exec</code><code class="bash plain">,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source</code> </td> </tr> </tbody> </table> <p><strong> #13: PHP Fastcgi/CGI – cgi.force_redirect management </strong></p> <p> PHP can work with Fastcgi. Fastcgi can reduce the memory footprint of the web server and improve PHP performance. You can refer to this to configure Apache2+PHP+FastCGI. In this configuration, cgi.force_redirect will prevent users from calling PHP by accessing the URL. For security reasons, enable this feature: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 </td> <td class="code"> <code class="bash plain">; Enable cgi.force_redirect </code><code class="bash keyword">for</code> <code class="bash plain">security reasons </code><code class="bash keyword">in</code> <code class="bash plain">a typical *Apache+PHP-CGI</code><code class="bash plain">/FastCGI</code><code class="bash plain">* setup</code> <code class="bash spaces"> </code><code class="bash plain">cgi.force_redirect=On</code> </td> </tr> </tbody> </table> <p><strong>　#14: PHP user and user group ID</strong></p> <p> Mod_fastcgi is a cgi module of Apache Web service that can connect to external FASTCGI server. You need to make sure PHP is running as a non-root user. If it uses root or user rights with a UID less than 100, it can access even operating system files. PHP CGI can be executed under an unprivileged user via Apache’s suEXEC or mod_suPHP. suEXEC can be that the user ID of Apache calling the CGI program is different from the user ID of running Apache. As follows: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># ps aux | grep php-cgi</code> </td> </tr> </tbody> </table> <p> Sample output: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 6 7 </td> <td class="code"> <code class="bash plain">phpcgi      6012  0.0  0.4 225036 60140          S    Nov22   0:12 </code><code class="bash plain">/usr/bin/php-cgi</code> <code class="bash plain">phpcgi      6054  0.0  0.5 229928 62820          S    Nov22   0:11 </code><code class="bash plain">/usr/bin/php-cgi</code> <code class="bash plain">phpcgi      6055  0.1  0.4 224944 53260          S    Nov22   0:18 </code><code class="bash plain">/usr/bin/php-cgi</code> <code class="bash plain">phpcgi      6085  0.0  0.4 224680 56948          S    Nov22   0:11 </code><code class="bash plain">/usr/bin/php-cgi</code> <code class="bash plain">phpcgi      6103  0.0  0.4 224564 57956          S    Nov22   0:11 </code><code class="bash plain">/usr/bin/php-cgi</code> <code class="bash plain">phpcgi      6815  0.4  0.5 228556 61220          S    00:52   0:19 </code><code class="bash plain">/usr/bin/php-cgi</code> <code class="bash plain">phpcgi      6821  0.3  0.5 228008 61252          S    00:55   0:12 </code><code class="bash plain">/usr/bin/php-cgi</code> </td> </tr> </tbody> </table> <p> You can use spawn-fcgi to generate a remote or local FastCGI process for the phpcgi user (provided that this user exists): </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># spawn-fcgi -a 127.0.0.1 -p 9000 -u phpcgi -g phpcgi -f /usr/bin/php-cgi</code> </td> </tr> </tbody> </table> <p> Now you can configure Apache, Lighthttpd or Nginx web services to call FastCGI running at 127.0.0.1:9000. </p> <p><strong>　#15: Restrict PHP access to the file system</strong></p> <p> Open_basedir will limit the running directory of PHP, such as directories accessible through functions such as fopen(). If the accessed directory is not within open_basedir, PHP will deny the access. Don't use soft links as workspaces. For example, only allow access to /var/www/html but not /var/www, /tmp or /etc directories: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 6 7 </td> <td class="code"> <code class="bash plain">; Limits the PHP process from accessing files outside </code> <code class="bash spaces"> </code><code class="bash plain">; of specifically designated directories such as </code><code class="bash plain">/var/www/html/</code> <code class="bash spaces"> </code><code class="bash plain">open_basedir=</code><code class="bash string">"/var/www/html/"</code> <code class="bash spaces"> </code><code class="bash plain">; ------------------------------------</code> <code class="bash spaces"> </code><code class="bash plain">; Multiple </code><code class="bash functions">dirs</code> <code class="bash plain">example </code> <code class="bash spaces"> </code><code class="bash plain">; open_basedir=</code><code class="bash string">"/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"</code> <code class="bash spaces"> </code><code class="bash plain">; ------------------------------------</code> </td> </tr> </tbody> </table> <p><strong>　#16: Session path</strong></p> <p> PHP Session users provide data saving function for subsequent access. This can make the app more customizable and more attractive. All Session-related data will be saved in session.save_path. The default settings for RHEL/CentOS/Fedora Linux are as follows: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 </td> <td class="code"> <code class="bash plain">session.save_path=</code><code class="bash string">"/var/lib/php/session"</code> <code class="bash spaces"> </code><code class="bash plain">; Set the temporary directory used </code><code class="bash keyword">for</code> <code class="bash plain">storing files when doing </code><code class="bash functions">file</code> <code class="bash plain">upload</code> <code class="bash spaces"> </code><code class="bash plain">upload_tmp_dir=</code><code class="bash string">"/var/lib/php/session"</code> </td> </tr> </tbody> </table> <p> Confirm that this path is outside /var/www/html and cannot be accessed by other system users: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># ls -Z /var/lib/php/</code> </td> </tr> </tbody> </table> <p> Sample output: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">drwxrwx---. root apache system_u:object_r:httpd_var_run_t:s0 session</code> </td> </tr> </tbody> </table> <p> Note: ls -Z will display SELinux security information, such as file mode, user, group, security information, file name, etc. </p> <p><strong>　#17: Ensure that PHP, software and operating system are updated to the latest </strong></p> <p> An important part of maintaining Linux, Apache, PHP and MySQL servers is updating security patches. All PHP security updates should be reviewed and updated as soon as possible. You can use the following command (if you installed PHP through the package manager): </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># yum update</code> </td> </tr> </tbody> </table> <p> or </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># apt-get update && apt-get upgrade</code> </td> </tr> </tbody> </table> <p> You can configure Red Hat/CentOS/Fedora Linux to send yum package update reminders via email, or apticron under Debian/Ubuntu Linux to send reminders. Or update through cron scheduled tasks. </p> <p> Note: Check php.net for the latest PHP version information </p> <p><strong>　#18: Restrict file and directory access</strong></p> <p> Make sure to run Apache as a non-root user such as Apache or www. The owner of the /var/www/html directory should also be a non-root user: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># chown -R apache:apache /var/www/html/</code> </td> </tr> </tbody> </table> <p> Files under DocumentRoot should be prohibited from running or being created. Set the file permissions in this directory to 0444 (read-only): </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># chmod -R 0444 /var/www/html/</code> </td> </tr> </tbody> </table> <p> Set the permissions of all folders in this directory to 0445</p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0445 {}</code> </td> </tr> </tbody> </table> <p><strong>　#19: Write protection for Apache, PHP, MySQL configuration files</strong></p> <p> Use the chattr command to add write protection to these configuration files: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 </td> <td class="code"> <code class="bash comments"># chattr +i /etc/php.ini</code> <code class="bash comments"># chattr +i /etc/php.d/*</code> <code class="bash comments"># chattr +i /etc/my.ini</code> <code class="bash comments"># chattr +i /etc/httpd/conf/httpd.conf</code> <code class="bash comments"># chattr +i /etc/</code> </td> </tr> </tbody> </table> <p> You can also write-protect the /var/www/html directory </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># chattr +i /var/www/html/file1.php# chattr +i /var/www/html/</code> </td> </tr> </tbody> </table> <p><strong>　#20: Use Linux security extensions (such as SELinux) </strong></p> <p>Linux has various security solutions to prevent misconfiguration or vulnerabilities of service programs. Use SELinux or other Linux security solutions to restrict networks and programs whenever possible. For example, SELinux provides different security policies for the Linux kernel or Apache web services. Use the following command to list all Apache protection information: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># getsebool -a | grep httpd</code> </td> </tr> </tbody> </table> <p> Sample output: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 </td> <td class="code"> <code class="bash plain">allow_httpd_anon_write --> off</code> <code class="bash plain">allow_httpd_mod_auth_ntlm_winbind --> off</code> <code class="bash plain">allow_httpd_mod_auth_pam --> off</code> <code class="bash plain">allow_httpd_sys_script_anon_write --> off</code> <code class="bash plain">httpd_builtin_scripting --> on</code> <code class="bash plain">httpd_can_check_spam --> off</code> <code class="bash plain">httpd_can_network_connect --> off</code> <code class="bash plain">httpd_can_network_connect_cobbler --> off</code> <code class="bash plain">httpd_can_network_connect_db --> off</code> <code class="bash plain">httpd_can_network_memcache --> off</code> <code class="bash plain">httpd_can_network_relay --> off</code> <code class="bash plain">httpd_can_sendmail --> off</code> <code class="bash plain">httpd_dbus_avahi --> on</code> <code class="bash plain">httpd_enable_cgi --> on</code> <code class="bash plain">httpd_enable_ftp_server --> off</code> <code class="bash plain">httpd_enable_homedirs --> off</code> <code class="bash plain">httpd_execmem --> off</code> <code class="bash plain">httpd_read_user_content --> off</code> <code class="bash plain">httpd_setrlimit --> off</code> <code class="bash plain">httpd_ssi_exec --> off</code> <code class="bash plain">httpd_tmp_exec --> off</code> <code class="bash plain">httpd_tty_comm --> on</code> <code class="bash plain">httpd_unified --> on</code> <code class="bash plain">httpd_use_cifs --> off</code> <code class="bash plain">httpd_use_gpg --> off</code> <code class="bash plain">httpd_use_nfs --> off</code> </td> </tr> </tbody> </table> <p> To cancel Apache cgi support, you can enter: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash comments"># setsebool -P httpd_enable_cgi off</code> </td> </tr> </tbody> </table> <p> Detailed reference: Red Hat SELinux guide</p> <p><strong>　#21: Install Mod_security</strong></p> <p>ModSecurity is an open source intrusion detection and prevention web application engine. Install mod_security to protect Apache and PHP applications from XSS and other attacks: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 6 7 </td> <td class="code"> <code class="bash comments">## A few Examples ##</code> <code class="bash spaces"> </code><code class="bash comments"># Do not allow to open files in /etc/</code> <code class="bash spaces"> </code><code class="bash plain">SecFilter </code><code class="bash plain">/etc/</code>   <code class="bash spaces"> </code><code class="bash comments"># Stop SQL injection</code> <code class="bash spaces"> </code><code class="bash plain">SecFilter </code><code class="bash string">"delete[[:space:]]+from"</code> <code class="bash spaces"> </code><code class="bash plain">SecFilter </code><code class="bash string">"select.+from"</code> </td> </tr> </tbody> </table> <p><strong>　#22: If possible, run Apache/PHP under a Chroot Jail</strong></p> <p> Running Apache/PHP under a Chroot Jail can minimize possible damage to a small area under the file system. Apache can be configured using a normal chroot: chroot kind of setup with Apache. However I recommend using FreeBSD jails, XEN, KVM or OpenVZ virtualization. </p> <p><strong> #23: Use a firewall to limit outgoing connections </strong></p> <p> Attackers will use tools like wget to download files from your web server. Use iptables to block outgoing connections for Apache users. The ipt_owner module assigns different roles to the generators of local packets. It is only valid for OUTPUT chain. The following command allows vivek users to access externally through port 80: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 </td> <td class="code"> <code class="bash plain">/sbin/iptables</code> <code class="bash plain">-A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED  -j ACCEPT</code> </td> </tr> </tbody> </table> <p> The following example blocks outgoing connections from all Apache users and only allows the smtp service and spam identification API service to pass: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 </td> <td class="code"> <code class="bash comments"># ....  </code> <code class="bash spaces"> </code><code class="bash plain">/sbin/iptables</code> <code class="bash plain">--new-chain apache_user</code> <code class="bash spaces"> </code><code class="bash plain">/sbin/iptables</code> <code class="bash plain">--append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</code> <code class="bash spaces"> </code><code class="bash plain">/sbin/iptables</code> <code class="bash plain">--append OUTPUT -m owner --uid-owner apache -j apache_user</code> <code class="bash spaces"> </code><code class="bash comments"># allow apache user to connec to our smtp server </code> <code class="bash spaces"> </code><code class="bash plain">/sbin/iptables</code> <code class="bash plain">--append apache_user -p tcp --syn -d 192.168.1.100 --dport 25 -j RETURN</code> <code class="bash spaces"> </code><code class="bash comments"># Allow apache user to connec to api server for spam validation</code> <code class="bash spaces"> </code><code class="bash plain">/sbin/iptables</code> <code class="bash plain">--append apache_user -p tcp --syn -d  66.135.58.62 --dport 80 -j RETURN</code> <code class="bash spaces"> </code><code class="bash plain">/sbin/iptables</code> <code class="bash plain">--append apache_user -p tcp --syn -d  66.135.58.61 --dport 80 -j RETURN</code> <code class="bash spaces"> </code><code class="bash plain">/sbin/iptables</code> <code class="bash plain">--append apache_user -p tcp --syn -d  72.233.69.89 --dport 80 -j RETURN</code> <code class="bash spaces"> </code><code class="bash plain">/sbin/iptables</code> <code class="bash plain">--append apache_user -p tcp --syn -d  72.233.69.88 --dport 80 -j RETURN</code> <code class="bash spaces"> </code><code class="bash comments">#########################</code> <code class="bash spaces"> </code><code class="bash comments">## Add more rules here ##</code> <code class="bash spaces"> </code><code class="bash comments">#########################</code> <code class="bash spaces"> </code><code class="bash comments"># No editing below</code> <code class="bash spaces"> </code><code class="bash comments"># Drop everything for apache outgoing connection</code> <code class="bash spaces"> </code><code class="bash plain">/sbin/iptables</code> <code class="bash plain">--append apache_user -j REJECT</code> </td> </tr> </tbody> </table> <p><strong>　#24: View and review logs</strong></p> <p> View Apache log files: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 </td> <td class="code"> <code class="bash comments"># tail -f /var/log/httpd/error_log</code> <code class="bash comments"># grep 'login.php' /var/log/httpd/error_log</code> <code class="bash comments"># egrep -i "denied|error|warn" /var/log/httpd/error_log</code> </td> </tr> </tbody> </table> <p> View PHP log file: </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 </td> <td class="code"> <code class="bash comments"># tail -f /var/log/httpd/php_scripts_error.log</code> <code class="bash comments"># grep "...etc/passwd" /var/log/httpd/php_scripts_error.log</code> </td> </tr> </tbody> </table> <p> Viewing log files can let you know what kind of attacks the server is undergoing and analyze whether the current security level is sufficient. Enable the audit service for system audit, which can audit SELinux time, verification events, file modifications, account modifications, etc. It is recommended to use Linux System Monitoring Tools to monitor web servers. </p> <p><strong>　#25: Separate services to different servers or virtual machines</strong></p> <p> For a relatively large installation configuration, it is recommended to separate the operation, database, static and dynamic content into different servers </p> <table border="0" cellspacing="0" cellpadding="0"> <tbody> <tr> <td class="gutter"> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 </td> <td class="code"> <code class="bash plain">///////////////</code> <code class="bash spaces"> </code><code class="bash plain">/ ISP</code><code class="bash plain">/Router</code> <code class="bash plain">/</code> <code class="bash spaces"> </code><code class="bash plain">//////////////</code> <code class="bash spaces">   </code><code class="bash plain"></code> <code class="bash spaces">    </code><code class="bash plain">|</code> <code class="bash spaces">    </code><code class="bash plain">Firewall</code> <code class="bash spaces">      </code><code class="bash plain"></code> <code class="bash spaces">       </code><code class="bash plain">|</code> <code class="bash spaces">      </code><code class="bash plain">+------------+</code> <code class="bash spaces">      </code><code class="bash plain">| LB01       |</code> <code class="bash spaces">      </code><code class="bash plain">+------------+                 +--------------------------+</code> <code class="bash spaces">                   </code><code class="bash plain">|                 | static.lan.cyberciti.biz |</code> <code class="bash spaces">                   </code><code class="bash plain">+-----------------+--------------------------+</code> <code class="bash spaces">                                     </code><code class="bash plain">| phpcgi1.lan.cyberciti.biz|</code> <code class="bash spaces">                                     </code><code class="bash plain">+--------------------------+</code> <code class="bash spaces">                                     </code><code class="bash plain">| phpcgi2.lan.cyberciti.biz|</code> <code class="bash spaces">                                     </code><code class="bash plain">+--------------------------+</code> <code class="bash spaces">                                     </code><code class="bash plain">| mysql1.lan.cyberciti.biz |</code> <code class="bash spaces">                                     </code><code class="bash plain">+--------------------------+</code> <code class="bash spaces">                                     </code><code class="bash plain">| mcache1.lan.cyberciti.biz|</code> <code class="bash spaces">                                     </code><code class="bash plain">+--------------------------+</code> </td> </tr> </tbody> </table> <p> Running different network services under different servers or virtual machines can reduce the impact of intrusion on other services. For example, if an attacker invades Apache, he can access other services under the same server (such as MySQL, email service, etc.). But not in the above example: </p> <ul> <ul> <li>static.lan.cybercity.biz – Use lighttpd or nginx to store static resources such as js/css/images</li> <li>phpcgi1.lan.cyberciti.biz and phpcgi2.lan.cyberciti.biz – Apache web service + PHP for generating dynamic content </li> <li>mysql1.lan.cyberciti.biz – MySQL database service</li> <li>mcache1.lan.cyberciti.biz – Memcached service (MySQL’s caching system). It uses libevent or epoll to accommodate an arbitrary number of connections. And it uses non-blocking network IO. </li> <li>LB01 – An Nginx server, reverse proxy for Web and Apache front-end. All access connections will be directly processed or distributed to the corresponding web server through the nginx proxy service. LB01 provides simple load balancing. </li> </ul> </ul> <div class="header2"><span class="icon i-relatedanswer"><h3>How to use PHP to write permission settings? It is divided into two permissions. The super administrator can delete ordinary administrators. Nothing else. I need detailed code, </h3></span></div> <div class="best-replyer"></div> <p class="ft"> What dz does is to write the uid of the founder in the configuration file. If multiple <br><br> are deleted, it is enough to determine whether the deleted party is not the founder. <br><br> This does not require data involvement. Changing the table (adding a field identifier) ​​is relatively convenient. <br><br>I don’t have the detailed code^_^<br> </p> <div class="header2"><span class="icon i-relatedanswer"><h3>Which one is more secure, asp or php?</h3></span></div> <div class="best-replyer"></div> <p class="ft p1">There is no distinction between high and low security in development languages.<br>There are only programmers with high and low security awareness.<br><br>I don’t know how many times the security of windows is higher than that of mac system or LUNIX system<br>But security vulnerabilities in Windows systems are constantly being discovered. Is the Mac system more secure? The answer is definitely no. <br><br>Why? Because people are using Windows, and hacker masters are studying Windows. <br><br>Think about it, what’s the point of a master hacker studying mac? After finally researching it, he can be depressed to death because he can’t find the MAC system to hack. <br><br>Some hackers are targeted. For example, if I want to hack a company's server, but the other party's server has a Windows system, do you think I will still research the vulnerabilities of the Mac system? <br><br>Similarly. <br><br>asp and php are the same. <br>The key is to be a programmer who writes programs. <br> </p> <p align="left"></p> <div style="display:none;"> <span id="url" itemprop="url">http://www.bkjia.com/PHPjc/905901.html</span><span id="indexUrl" itemprop="indexUrl">www.bkjia.com</span><span id="isOriginal" itemprop="isOriginal">true</span><span id="isBasedOnUrl" itemprop="isBasedOnUrl">http: //www.bkjia.com/PHPjc/905901.html</span><span id="genre" itemprop="genre">TechArticle</span><span id="description" itemprop="description">25 PHP security practices written for system administrators, written for system administrators php PHP is a widely used open source Server-side scripting language. Through the HTTP or HTTPS protocols, the Apache web service allows users to access...</span> </div> <div class="art_confoot"></div>