Some security settings for PHP (optimization)

Due to many reasons of scripting language and early version design, PHP projects have many security risks. From the configuration options, the following optimizations can be made.

1. Shield PHP error output.

In /etc/php.ini (default configuration file location), change the following configuration value to Off

display_errors=Off

Do not output error stack information directly to the web page to prevent hackers from using related information.

The correct approach is:

Write the error log to the log file to facilitate troubleshooting.

2. Block the PHP version.

By default, the PHP version will be displayed in the return header, such as:

Response Headers X-powered-by: PHP/7.2.0

Change the following configuration value in php.ini to Off

expose_php=Off

3. Close Global variables.

If global variables are enabled, some data submitted by the form will be automatically registered as global variables. The code is as follows:

<form action="/login" method="post">
<input name="username" type="text">
<input name="password" type="password">
<input type="submit" value="submit" name="submit">
</form>

If global variables are enabled, the server-side PHP script can use $username and $password to obtain the username and password, which will cause great danger of script injection.

The method to turn it on is to modify it in php.ini as follows:

register_globals=On

It is recommended to turn it off. The parameters are as follows:

register_globals=Off

When turned off, relevant parameters can only be obtained from $_POST, $_GET, $_REQUEST.

4. File system restrictions

You can use open_basedir to limit the system directories that PHP can access.

If you use the following script code (hack.php) without restrictions, you can get the system password.

<?php
echo file_get_contents(&#39;/etc/passwd&#39;);

When set, an error will be reported and relevant information will no longer be displayed, so that system directory b will not be illegally accessed:

PHP Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www) in /var/www/hack.php on line 3
Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www) in /var/www/hack.php on line 3 PHP Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/hack.php on line 3
Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/hack.php on line 3

The setting method is as follows:

open_basedir=/var/www

5. Prohibit remote resource access.

allow_url_fopen=Off
allow_url_include=Off

Other third-party security extensions

6.Suhosin.

Suhosin is a protection system for PHP programs. It was originally designed to protect servers and users from known or unknown flaws in PHP programs and PHP core (it feels quite practical and can resist some minor attacks). Suhosin has two independent parts, which can be used separately or combined.

The first part is a patch for PHP core, which can resist buffer overflow or format string weaknesses (this is a must!);

The second part is a powerful PHP Extension (the extension mode is very good, easy to install...), including all other protection measures.

Install extension

wget http://download.suhosin.org/suhosin-0.9.37.1.tar.gz
tar zxvf suhosin-0.9.37.1.tar.gz
cd suhosin-0.9.37.1/
phpize
./configure  --with-php-config=/usr/local/bin/php-config
make
make install
在php.ini下加入suhosin.so即可
extension=suhosin.so

Features

● Emulator protected mode

● Add two functions sha256() and sha256_file( ) to the PHP core

● All platforms, add CRYPT_BLOWFISH to the function crypt()

● Turn on transparent protection for the phpinfo() page

● SQL database user protection (Testing phase)

Runtime protection

● Encrypted cookies

● Prevent different types of inclusion vulnerabilities (remote URL inclusion is not allowed (hack/ Whitelist); does not allow uploaded files to be included; prevents directory traversal attacks)

● Allows prohibition of preg_replace()

● Allows prohibition of eval() function

● Pass Configure a maximum execution depth to prevent infinite recursion

● Support each vhost to configure black and white lists

● Provide separate function black and white lists for code execution

● Prevent HTTP responses Splitting vulnerability

● Prevent scripts from controlling the memory_limit option

● Protect PHP superglobals, such as functions extract(), import_request_vars()

● Prevent the new mail() function Line attack

● Prevent preg_replace() attack

Session protection

● Encrypt session data

● Prevent session from being hijacked

● Prevent overly long session id

● Prevent malicious session id

The data in SESSION is usually stored in clear text on the server. Here, $_SESSION is encrypted and decrypted on the server side. In this way, when the Session handle is stored in Memcache or the database, it will not be easily broken. Many times our session data will store some sensitive fields.

This feature is enabled by default and can also be modified through php.ini:

suhosin.session.encrypt = On
suhosin.session.cryptkey = zuHywawAthLavJohyRilvyecyondOdjo
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
;; IPv4 only
suhosin.session.cryptraddr = 0
suhosin.session.checkraddr = 0

Cookie Encryption

The HTTP header transmitted by the cookie in the client browser is also in clear text. By encrypting cookies, you protect your application against numerous attacks, such as

Cookie tampering: an attacker may try to guess other reasonable cookie values ​​to attack the program.

Using Cookies Across Applications: Improperly configured applications may have the same session storage. For example, all sessions are stored in the /tmp directory by default. Cookies from one application may never be reused for another. One application, as long as the encryption keys are different.

Cookie encryption configuration in php.ini:

suhosin.cookie.encrypt = On
;; the cryptkey should be generated, e.g. with 'apg -m 32'
suhosin.cookie.cryptkey = oykBicmyitApmireipsacsumhylWaps1
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
;; whitelist/blacklist (use only one)
;suhosin.cookie.cryptlist = WALLET,IDEAS
suhosin.cookie.plainlist = LANGUAGE
;; IPv4 only
suhosin.cookie.cryptraddr = 0
suhosin.cookie.checkraddr = 0
Blocking Functions
测试
##默认PHP的Session保存在tmp路径下
ll  -rt /tmp | grep sess
##扩展未开启时查看某条sesson的数据
cat  sess_ururh83qvkkhv0n51lg17r4aj6
//记录是明文的
##扩展开启后查看某条sesson 的数据
cat  sess_ukkiiiheedupem8k4hheo0b0v4
//记录是密文的
可见加密对安全的重要性

Blocking function

Whitelist

##显式指定指定白名单列表
suhosin.executor.func.whitelist = htmlentities,htmlspecialchars,base64_encode
suhosin.executor.eval.whitelist = htmlentities,htmlspecialchars,base64_encode
<?php
echo htmlentities(&#39;<test>&#39;);
eval(&#39;echo htmlentities("<test>");&#39;);

Blacklist

##显式指定指定黑名单列表
suhosin.executor.func.blacklist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
suhosin.executor.eval.whitelist = assert,unserialize,exec,popen,proc_open,passthru,shell_exec,system,hail,parse_str,mt_srand
通过日志来查看非法调用黑白名单
suhosin.simulation = 1
suhosin.log.file = 511
suhosin.log.file.name = /tmp/suhosin-alert.log

Other configuration items

suhosin.executor.include.max_traversal    扩目录的最大深度，可以屏蔽切换到非法路径
suhosin.executor.include.whitelist        允许包含的URL，用逗号分隔
suhosin.executor.include.blacklist        禁止包含的URL，用逗号分隔
suhosin.executor.disable_eval = On        禁用eval函数
suhosin.upload.max_uploads
suhosin.upload.disallow_elf
suhosin.upload.disallow_binary
suhosin.upload.remove_binary
suhosin.upload.verification_script        上传文件检查脚本，可以来检测上传的内容是否包含webshell特征

使用Suhosin，你可以得到一些错误日志，你能把这些日志放到系统日志中，也可以同时写到其他任意的日志文件中去;

它还可以为每一个虚拟主机创建黑名单和白名单;

可以过滤GET和POST请求、文件上载和cookie;

你还能传送加密的会话和cookie，可以设置不能传送的存储上线等等;

它不像原始的PHP强化补丁，Suhosin是可以被像Zend Optimizer这样的第三方扩展软件所兼容的。

更多相关php知识，请访问php教程！

The above is the detailed content of Some security settings for PHP (optimization). For more information, please follow other related articles on the PHP Chinese website!