Configuring certain server-side features of PHP strengthens PHP security. Shaun Clowes and rfp have both discussed the specific problems that PHP and CGI programs run into during development and how a system can be broken into by exploiting those program vulnerabilities.
Enhancing PHP security by configuring some server-side features of PHP
Shaun Clowes and rfp have both described the problems PHP and CGI programs run into during development and how a system can be broken into by exploiting program vulnerabilities; in this article we instead configure some server-side features of PHP to enhance PHP security. When writing CGI scripts we must pay attention to all kinds of security issues and strictly filter user input. However, as the saying goes, walk along the river often and you will eventually get your shoes wet: even well-known programs such as phpnuke and phpMyAdmin have had very serious vulnerabilities, let alone scripts like the ones I write. So let us assume that a PHP script already has a serious vulnerability, for example the phpnuke vulnerability from a while ago that allowed uploading PHP scripts, and configure the server so that such a vulnerable script still cannot be used to break into the system.
1. Pay attention to known vulnerabilities when compiling
Starting with 4.0.5, PHP's mail() function gained a fifth parameter, but it was not filtered properly, so a PHP program could use it to break out of the safe_mode restrictions and execute commands. Therefore, before compiling 4.0.5 or 4.0.6, modify the file ext/standard/mail.c in the PHP source package to disable the fifth parameter of mail() or to filter shell characters from it. At line 2 of mail.c, that is, the line reading:
if (extra_cmd != NULL) {
add either extra_cmd = NULL; (which disables the parameter) or extra_cmd = php_escape_shell_cmd(extra_cmd); (which escapes shell metacharacters), then compile PHP; this closes the vulnerability.
2. Modify the php.ini configuration file
The php.ini-dist shipped with the PHP release is used as the basis for these modifications.
1) Error handling and logging
Some settings can be made in the Error handling and logging section. First find:
display_errors = On
By default PHP displays error messages to the user; change it to:
display_errors = Off
After this is turned off, PHP functions no longer show error information to users. To a certain extent this prevents an attacker from learning the physical path of the script and other useful details from error messages, which at least gets in the way of black-box probing. These error messages are still useful to us, though, and can be written to a specified file. Change the following:
log_errors = Off
to:
log_errors = On
and specify the file. Find the line:
; error_log = filename
Remove the leading semicolon and change filename to the file you want, for example /usr/local/apache/logs/php_error.log:
error_log = /usr/local/apache/logs/php_error.log
In this way all errors are written to the php_error.log file.
2) Safe Mode
PHP's safe_mode restricts or disables many functions and can resolve PHP's security problems to a large extent. In the Safe Mode section find:
safe_mode = Off
and change it to:
safe_mode = On
This enables safe_mode. shell_exec() and the backtick operator (``), which execute system commands, are not allowed at all; other functions such as exec(), system(), passthru() and popen() are restricted to running only programs located in the directory specified by safe_mode_exec_dir. If you really need to execute certain commands or programs, find:
safe_mode_exec_dir =
and specify the path of the programs that may be executed, for example:
safe_mode_exec_dir = /usr/local/php/exec
Then copy the programs into the /usr/local/php/exec directory; the restricted functions can still run programs from that directory.
For details of the functions restricted in safe mode, see the explanation on the main PHP site:
http://www.php.net/manual/en/features.safe-mode.php
3) disable_functions
If you are not sure about the potential danger of some functions and you do not use them, simply disable them. Find the line:
disable_functions =
and list the functions to disable after the "="; separate multiple functions with commas.
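The three php.ini changes above as one scripted procedure, with a check that the result is in place. This is an added example, not part of the original article; the error-log path, exec directory and disabled-function list are assumptions to adapt to your own server.

```shell
#!/bin/sh
# Added example, not from the original article: apply the section 2 php.ini
# settings to a copy of php.ini-dist and verify them. The error-log path,
# exec directory and disabled-function list are assumptions for your server.
set -eu

# Set "key = value": rewrite an existing line for the key (even one commented
# out with ";"), or append the setting when the key is absent.
set_ini() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=.*|$key = $value|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}
# Effective value of a key: its last uncommented occurrence, or empty.
get_ini() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}
harden_php_ini() {
    set_ini "$1" display_errors Off      # 2.1: errors go to the log, not to users
    set_ini "$1" log_errors On
    set_ini "$1" error_log /usr/local/apache/logs/php_error.log
    set_ini "$1" safe_mode On            # 2.2
    set_ini "$1" safe_mode_exec_dir /usr/local/php/exec
    # 2.3: assumed list; disable the functions your scripts never call
    set_ini "$1" disable_functions "exec,system,passthru,popen,shell_exec"
}
# Return 0 when the section 2 settings are in place; name what is missing otherwise.
check_php_ini() {
    ok=0
    [ "$(get_ini "$1" display_errors)" = Off ] || { echo "display_errors not Off"; ok=1; }
    [ "$(get_ini "$1" log_errors)" = On ]      || { echo "log_errors not On"; ok=1; }
    [ -n "$(get_ini "$1" error_log)" ]         || { echo "error_log unset"; ok=1; }
    [ "$(get_ini "$1" safe_mode)" = On ]       || { echo "safe_mode not On"; ok=1; }
    return $ok
}
# Constructed excerpt standing in for php.ini-dist (the real file is much longer);
# disable_functions is deliberately absent so the append path is exercised.
make_sample_ini() {
    cat > "$1" <<'EOF'
display_errors = On
log_errors = Off
; error_log = filename
safe_mode = Off
safe_mode_exec_dir =
EOF
}
```

Run check_php_ini against the live php.ini after every PHP upgrade, since a new php.ini-dist silently reverts these values.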
3. Modify httpd.conf
If you want your PHP scripts to be confined to the web directory, you can also modify httpd.conf to restrict the paths PHP may operate on. For example, if your web directory is /usr/local/apache/htdocs, add the following line to httpd.conf:
php_admin_value open_basedir /usr/local/apache/htdocs
Then, if a script tries to read files outside /usr/local/apache/htdocs, it is refused; with error display enabled, an error like the following is shown:
Warning: open_basedir restriction in effect. File is in wrong directory in /usr/local/apache/htdocs/open.php on line 4
4. Compile PHP code
Zend has contributed a lot to PHP: the PHP 4 engine is Zend, and Zend has also developed many PHP enhancement components such as ZendOptimizer and ZendEncode. The optimizer ZendOptimizer can be obtained free of charge simply by registering at http://www.zend.com. The following are the ZendOptimizer packages for 4.0.5 and 4.0.6; their file names indicate the system each one is for:
ZendOptimizer-1.1.0-PHP_4.0.5-FreeBSD4.0-i386.tar.gz
ZendOptimizer-1.1.0-PHP_4.0.5-Linux_glibc21-i386.tar.gz
ZendOptimizer-1.1.0-PHP_4.0.5-Solaris-sparc.tar.gz
ZendOptimizer-1.1.0-PHP_4.0.5-Windows-i386.zip
Installing the optimizer is very simple; the package contains detailed instructions. Taking the UNIX version as an example: check your operating system and PHP version, pick the matching ZendOptimizer.so from the package, extract it into a directory, say /usr/local/lib, and add two lines to php.ini:
zend_optimizer.optimization_level = 15
zend_extension = "/usr/local/lib/ZendOptimizer.so"
Run phpinfo() and you will see the following text to the left of the Zend logo:
With Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies
This means the optimizer has been loaded successfully.
The compiler ZendEncode, however, is not free; a wrapper shell for the compiler written by Ma Yong of http://www.PHPease.com is provided here, and if you use it for commercial purposes please contact http://www.zend.com to obtain a license.
Once a PHP script has been compiled, it executes much faster, and the script file shows only a mass of unreadable characters, which prevents an attacker from analysing the script programs on the server any further; passwords stored in plain text in the PHP script, such as the MySQL password, are also kept confidential. The drawback is that it becomes harder to change the script on the server: you modify it locally and upload it again.
5. File and directory permission settings
Apart from the upload directory, no other directory or file under the web directory may be writable by the nobody user; otherwise an attacker can modify the home page file. The permissions of the web directory must therefore be set accordingly.
Also, the owner of a PHP script must not be root, because under safe_mode the file-reading functions check ownership: the owner of the file being read must be the same as the owner of the current script, otherwise an error such as the following appears:
Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php on line 3
This prevents many system files, such as /etc/passwd, from being read.
The upload directory and the upload script should also have the same owner, otherwise errors will occur; pay attention to this under safe_mode.
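A scripted audit of the permission rules in this section, added here as an example rather than taken from the article. It assumes the web root and upload directory are passed as find prints them (no trailing slash) and that the web server's user is identified by its numeric uid (id -u nobody).

```shell
#!/bin/sh
# Added example, not from the original article: audit the web tree for the two
# ownership problems described in section 5. Assumes $1 is the web root, $2 the
# upload directory written exactly as find prints it (same prefix, no trailing
# slash), and $3 the numeric uid the web server runs as (id -u nobody).

# Paths under the web root, upload directory excluded, that the web server user
# can write to: owned by that uid with the owner write bit, or world-writable.
# (Group-writable paths whose group contains the web user need a manual check.)
find_web_writable() {
    find "$1" -path "$2" -prune -o \
        \( -perm -o+w -o \( -uid "$3" -perm -u+w \) \) -print | LC_ALL=C sort
}

# PHP scripts owned by root: such a script passes the safe_mode owner check for
# root-owned files like /etc/passwd, which is exactly what must not happen.
find_root_owned_php() {
    find "$1" -name '*.php' -uid 0 -print | LC_ALL=C sort
}

# Take the write bit away from group and others everywhere except the upload
# directory (files 0644, directories 0755); the owner, who is not the web
# server user, keeps write access so the site can still be updated.
lock_down_web_tree() {
    find "$1" -path "$2" -prune -o -type f -exec chmod 644 {} +
    find "$1" -path "$2" -prune -o -type d -exec chmod 755 {} +
}
```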
6. MySQL startup permission settings
Be careful not to start MySQL as root; it is best to create a separate mysqladm user. You can add the following to the /etc/rc.local startup script:
su mysqladm -c '/usr/local/mysql/share/mysql.server start'
After the system restarts, the MySQL process is started as the mysqladm user.
7. Auditing log files and the upload directory
Reviewing logs is a lot of work and human laziness gets in the way, but it has to be done: searching such a large log file for traces of an attack is like looking for a needle in a haystack, and the needle may not even be there.
Files in the web upload directory should also be checked frequently; perhaps the program has a problem and a user has uploaded illegal files, such as scripts.
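The two checks just described, run over a constructed php_error.log and a temporary upload directory. This is an added example and not part of the article; the log line layout "[date] PHP Warning:  message in <script> on line N" is assumed, and the sample lines reuse the two warnings quoted in sections 3 and 5.

```shell
#!/bin/sh
# Added example, not from the original article: the two checks section 7 asks
# for. restriction_hits reads the php_error.log from section 2 and counts, per
# script, the open_basedir and safe_mode warnings quoted in sections 3 and 5;
# a script that keeps tripping those limits is broken or being abused.
# find_scripts_in_upload lists script files that have appeared in the upload
# directory. The log layout "[date] PHP Warning:  message in <script> on line N"
# is assumed.

# Constructed sample log, with two ordinary warnings mixed in as noise.
SAMPLE_LOG='[26-Jun-2001 10:01:02] PHP Warning:  open_basedir restriction in effect. File is in wrong directory in /usr/local/apache/htdocs/open.php on line 4
[26-Jun-2001 10:01:05] PHP Warning:  Undefined variable: foo in /usr/local/apache/htdocs/index.php on line 12
[26-Jun-2001 10:01:09] PHP Warning:  SAFE MODE Restriction in effect. The script whose uid is 500 is not allowed to access /etc/passwd owned by uid 0 in /usr/local/apache/htdocs/open.php on line 3
[26-Jun-2001 10:02:30] PHP Warning:  open_basedir restriction in effect. File is in wrong directory in /usr/local/apache/htdocs/upload/x.php on line 1
[26-Jun-2001 10:03:00] PHP Notice:  Use of undefined constant bar in /usr/local/apache/htdocs/index.php on line 30'

# Read a log on stdin; print "count script" for each script that hit a
# restriction, highest count first.
restriction_hits() {
    grep -E 'open_basedir restriction in effect|SAFE MODE Restriction in effect' |
        sed -E 's|.* in (/[^ ]+) on line [0-9]+$|\1|' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Script files sitting in the upload directory (the extensions commonly mapped
# to PHP at the time); anything listed here was put there by a user.
find_scripts_in_upload() {
    find "$1" -type f \( -name '*.php' -o -name '*.php3' -o -name '*.phtml' \) -print |
        LC_ALL=C sort
}
```

In use, feed the real log with restriction_hits < /usr/local/apache/logs/php_error.log and point find_scripts_in_upload at the upload directory from a cron job.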
8. Operating system patches
Likewise, applying patches for known system vulnerabilities is the most basic duty of a system administrator; this is the last line of defence.
With the above configuration in place, it cannot be said to be foolproof, but it makes probing considerably more troublesome for attackers; even if a PHP script has a serious vulnerability, an attacker cannot cause real damage.
If you have other unusual or *** configuration methods, I hope you will share them with me ;)