PHP security configuration on Linux is a complex process that involves many detailed settings. A script is provided here; it checks whether your PHP environment has security risks and helps you harden it.
Functions:
1. Check the PHP environment's security configuration.
2. Functions that should be disabled.
3. Dangerous settings that may allow local or remote file inclusion.
4. Error handling.
5. Constants defined at compile time.
After installing the PHP environment, place these three files (audit.php, php.xml and style.css) in the website's web directory. Because the generated report discloses configuration details, restrict access to it or remove the files once the audit is done.
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917 0171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243 <? PHP/*** PHP security auditor */audit class {static dedicated $ rules; static dedicated $ constant; static private phpVer; static public report;/*** conversion settings, for example, 1 M 1G 1 K Bytes equivalent academic value ** @ parameter string $ N * @ return string */static dedicated function convertToBytes ($ N) {// if n is-1, there is no limit. If ($ N =-1), return PHP_INT_MAX; Switch (SUBSTR (N,-1) {"B ": returns SUBSTR ($ N, 0,-1); "K": returns SUBSTR ($ N, 0,-1) * 1024; "M": returns SUBSTR ($ N, 0,-1) * 1024*1024; "G": returns SUBSTR ($ N, 0,-1) * 1024*1024*1024;} returns $ N ;} static private feature MakeReport ($ type, title) {ksort (self-employed: $ report [type]); HTML = '<H1> '<! ----> <! ----> <! ----> T <! -> <! ----> T <----> L <! ----> <! ----> <! ----> <! ----> <! ----> </H1> ups and downs <tr class = "h"> <TH> Settings </TH> <TH> current </times> <TH> Recomended </TH> <TH> description </th> </TR> '; foreach (from: $ report [type] is $ key = "$ value) {if ($ value ['P'] = 1) $ class = "r"; other class = "V"; HTML $. = '<TR> <td class = "e"> '. Vehicle (key ). "</TD> '. <TD class = "'class. "> ". Vehicle ($ value ['C']) '</TD> '. <TD class = "'class. "> ". Vehicle ($ value ['R']) '</TD> '. <TD class = "'class. "> ". Vehicle ($ value ['D']) '</TD> </TR>';} $ HTML. 
= '</TABLE>'; returns the HTML dollar;} static public function HTMLReport () {$ class = ""; $ HTML = '<! Doctype html public "-// W3C // dtd xhtml 1.0 transition // EN" "DTD/xhtml1-transitional.dtd"> ". <HTML> <! ----> Hour <! ----> <! ----> <----> D <! ---- >><! ----> "<! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <----> L <! ----> I <----> N <! --> K <----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> <! ----> </Header> <BODY> '; HTML dollar = self: MakeReport ("INI", "php ini"); HTML dollar = self :: makeReport ("disabled", "PHP disabled function"); HTML dollar = self: MakeReport ("constant", "php const"); HTML dollar. = '</HTML>'; echo ("n" of the HTML dollar);}/*** Add a project report array. ** @ Parameter string type-type (INI or const) * @ key of parameter string USD-variable name * @ parameter string $ current value-current ini or const value * @ parameter string $ recomended-recomended value * @ parameter string $ DESC -Problem Description * @ Boolean parameter-true, if no complaint is reported, false, if the report meets */static dedicated function (type, key, current value $, $ recomended, $ decline $ problem) {If (isset (self:: $ report [type] [$]) (report (from: $ [$ type] [$] ['R'] <$ recomended) & (self-employed:: $ report [type] [$ key ['P'] = 1) returned; from :: $ report [type] [Key] = array ("C" => $ current value, "R" => $ recomended "D" => $ decrease, "P" => $ problem);}/*** from XML Loading rule ** @ parameter string $ file */static public function LoadRules ($ file = "php. 
xml ") {(righteousness ('php _ VERSION_ID ') {$ version = Explosion (".", PHP_VERSION); self: $ phpVer = ($ version [0] * 10000 + $ version [1] * 100 + $ version [2]); Other self :: $ phpVer = PHP_VERSION_ID, from: $ constant = get_defined_constants (); self: $ rule = simplexml_load_file ($ file );} /*** handle the const and INI values in the XML rule set in PHP **/the static public function ProcessXML () {foreach (self-employed :: $ rule $ null => $ item) {ruleID USD = $> attribute ()-> ID; // check the PHP version. This rule applies to $ version = (string) $ entry version; (version! = "") {OP = (string) $ getting started> Version-> attribute ()-> operation; Switch (run) {when "only ": if ($ version <self: $ phpVer) continues 2; break;} // review rules, because we believe that the PHP version switch (string) of applys runs $ response type) {// check the constant value case "constant": Dollar key = (string) $ entry> key, // For example LIBXML_NOENT $ CVALUE = self :: $ constant [Key] // the right value of the current value = (string) $ entry> value; // recomended value DESC = $ (string) $> description // switch (string) $> value-> attribute ()-> operation) {context: Self: Report ("constant", $, $ CVALUE $ RVALUE, decrease ($ CVALUE = $ RVALUE); break;} break; // check the list of functions that should be restricted, in the case of "disable_function S option ": $ disable = ini_get (" disable_functions option "); $ list = Explosion (", "Disabled); $ XMLList = (array) ($ getting started> list ); $ XMLList = $ XMLList ['function']; foreach ($ XMLList is $ null => $ function) {$ = array_search ($ function list); from :: report ("disabled", $ function, ($ = 0 )? "Enabled": "disabled"), "disabled", "", ($ = 0 )? 
1-0);} break; // check the value defined in the INI file "INI": Dollar key = (string) $ entry> key, // For example, display_errors $ CVALUE = trim (from: convertToBytes (ini_get ($) // current value $ right value = (string) $ entry> value; // Recomended value DESC = $ (string) $> description // If (is_numeric (Right Value) & $ CVALUE = ") $ CVALUE =" 0 "; // discount, which should be higher than one value to another. If (string) entry> value> attribute ()> type = "key") $ RVALUE = self :: convertToBytes (ini_get (string) $ entry> value); Switch (string) $ entry> value-> attribute ()-> operation) {// equals: SELF: Report ("INI", key to dollar, $ CVALUE, $ RVALUE, $ decrease ($ CVALUE = $ RVALUE); break; // if the value is less than or equal to the value of "LT": Self: Report ("INI ", $, $ CVALUE, "<$ RVALUE", $ decrease, ($ CVALUE <= $ RVALUE),); break; // when the value is greater than or equal to, "GT ": SELF: Report ("INI", $, $ CVALUE, "> $ RVALUE", $ decrease, ($ CVALUE >=$ RVALUE),); break; // "define" when not equal: $ neValue = (string) $> value-> attribute ()-> net; notBlank USD = (string) $> value-> attribute ()-> notblank; (notBlank = "true") {self: Report ("INI", key to USD, $ CVALUE, $ RVALUE, $ decrease, ($ CVALUE! = "); Break;} self: Report (" INI ", key, $ CVALUE, $ RVALUE, $ decrease, ($ CVALUE! = $ NeValue); break;} audit: LoadRules (); Audit: ProcessXML (); Audit: HTMLReport ();
The php.xml code is as follows:
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917 0171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303 304305306307308 <? XML version = 1.0 encoding = UTF-8 "? <Rules> <entry ID = "1"> <type> INI </type> <KEY> upload_max_filesize </KEY> <value OP = "LT"> 4194304 </value> <DESCRIPTION> set the maximum upload size. Reduce this DOS attack to reduce the risk. </Note> </> <entry ID = "29"> <type> INI </type> <KEY> upload_max_filesize </KEY> <value OP = "LT" type = "key"> <memory_limit> <DESCRIPTION> the maximum size of the upload should be applicable to avaliable memory restrictions. </Note> </entry> <entry ID = "30"> <type> INI </type> <KEY> post_max_size </KEY> <value OP = "LT" type = "key"> <memory_limit> <DESCRIPTION> the maximum size of data sent to the server should be avaliable memory. </Note> </> <entry ID = "32"> <type> INI </type> <KEY> always_populate_raw_post_data </KEY> <value OP = "EQ"> 0 </value> <description> element, this does not need to be used. The preferred method is php: // enter </description> </entry> <entry ID = "33"> <type> INI </type> <KEY> magic_quotes_gpc </KEY> <value OP = "EQ"> 0 </value> <DESCRIPTION> sets the status of magic_quotes to GPC (get put cookie) data. Relying on this function is very discouraged. 
</Note> <url> HTTP: // WWW in <version OP = "before"> 50300 </version>. Php.net/manual/EN/information configuration. php # ini. magic quotes-GPC </> </> <entry ID = "34"> <type> INI </type> <KEY> magic_quotes_runtime </KEY> <value OP = "EQ"> 0 </value> <DESCRIPTION> sets the status of magic_quotes, data from external data sources. Relying on this function is very discouraged. </Note> <url> HTTP: // WWW, php.net/manual/EN/information of <version OP = "before"> 50300 </version>. Configuration. php </URL> </> <entry ID = "35"> <type> INI </type> <KEY> Security mode </KEY> <value OP = "EQ "> 0 </value> <DESCRIPTION> this function has been deprecated for PHP 5.3.0. Relying on this function is very discouraged. </Note> <version OP = "before"> 50300 </version> </entry> <entry ID = "36"> <type> INI </type> <KEY> memory_limit of </key> <value OP = "LT"> 16777216 </value> <DESCRIPTION> the maximum memory limit should be 16 MB or smaller. </Note> </> <entry ID = "5"> <type> INI </type> <KEY> upload_max_filesize </KEY> <value OP = "LT" type = "key"> <post_max_size> <description> the maximum size of the uploaded element should be greater than or equal to the maximum size </description> </entry> <entry ID =" 2 "> <type> INI </type> <KEY> max_file_uploads </KEY> <value OP =" LT "> 10 </value> <DESCRIPTION> maximum mumber files can be uploaded 1. </Note> </> <entry ID = "3"> <type> INI </type> <KEY> record file_uploads </KEY> <value OP = "EQ"> 0 </value> <DESCRIPTION> This may be impractical, however, if there is no necessary file upload, it should be disabled. </Note> </entry> <entry ID = "4"> <type> INI </type> <KEY> post_max_size </KEY> <value OP = "LT"> 4194304 </value> <DESCRIPTION> the maximum size should be reasonable for small DOS attacks, to reduce the risk. </Note> </> <entry ID = "6"> <type> INI </type> <KEY> register_long_arrays </KEY> <value OP = "EQ"> 0 </value> <DESCRIPTION> Fill HTTP _ * _ VARS should not be used. 
</Note> <version OP = "before"> 50300 </version> </entry> <entry ID = "7"> <type> INI </type> <KEY> </key> <value OP = "EQ"> 0 </value> <DESCRIPTION> of register_globals, define variables. This should always be disabled. </Description> <OP = "before"> 50300 </version> </entry> <entry ID = "8"> <type> INI </type> <KEY> session. hash_function </key> <value OP = "EQ"> 1 </value> should replace <DESCRIPTION> MD5 and SHA-160, because it is a more complex and Security Hash algorithm. </Note> <version OP = ""> 50000 </version> </> <entry ID = "9"> <type> INI </type> <KEY> session. hash_bits_per_character </key> <value OP = ">"> </value> <DESCRIPTION> Number of bits of each session key character encoding. </Note> <version OP = ""> 50000 </version> </> <entry ID = "10"> <type> INI </type> <KEY> session. entropy_file </key> <value OP = "NE" net = "">/dev/random </value> <DESCRIPTION> provides a Random Seed generation session. </Note> </entry> <entry ID = "11"> <type> INI </type> <KEY> session. entropy_length </key> <value OP = ">"> 32 </value> <DESCRIPTION> bytes, read as the collection entropy. </Note> </entry> <entry ID = "12"> <type> INI </type> <KEY> session. name </key> <value OP = "NE" Net "PHPSESSID"> custom string </value> <DESCRIPTION> PHP session name. Recomended, which can be changed by default. </Note> </entry> <entry ID = "14"> <type> INI </type> <KEY> session. save_path </key> <value OP = "NE" net = "/tmp" notblank = "true">/custom/location </value> <DESCRIPTION> Save path, the default/tmp directory. </Note> </entry> <entry ID = "15"> <type> INI </type> <KEY> session. use_trans_sid </key> <valueop = "eq"> 0 </value> is not allowed for <DESCRIPTION> session GET paramaters. 
</Note> </entry> <entry ID = "18"> <type> INI </type> <KEY> display_errors </KEY> <value OP = "EQ"> 0 </value> <DESCRIPTION> error message </DESCRIPTION> </entry> <entry ID = "19"> <type> INI </type> <KEY> allow_url_fopen option </key> <value OP = "EQ"> 0 </value> NO, the Remote File <DESCRIPTION> Should Be accessable with fopen. </Note> </entry> <entry ID = "20"> <type> INI </type> <KEY> allow_url_include </KEY> <value OP = "EQ"> 0 </value> You <DESCRIPTION> cannot include remote script usage </DESCRIPTION> </entry> <entry ID = "31"> <type> INI </ type> <KEY> session. cookie_httponly </key> <value OP = "EQ"> 1 </value> <DESCRIPTION> HttpOnly prefixed by default </DESCRIPTION> <version OP = ""> 50200 </version> </> <entry ID = "20"> <type> INI </type> <KEY> open_basedir </KEY> <value OP = "NE" Net = "/" notblank = "true"> // webroot </value> <DESCRI PTION> PHP webroot can open file restrictions. </Note> </entry> <entry ID = "32"> <type> INI </type> <KEY> upload_tmp_dir </KEY> <value OP = "NE" Net = "/tmp" notblank = "true">/custom/location </value> <DESCRIPTION> upload a file with a location change to initally </DESCRIPTION> </entry> <entry ID = "21"> <type> INI </type> <KEY> max_execution_time </KEY> <value OP = "LT"> 20 </value> <description> the execution time should be limited to 20 seconds or less. </Description> </entry> <entry ID = "22"> <type> INI </type> <KEY> max_input_nesting_level </KEY> <value OP = "LT"> 32 </value> <Note> maximum nested object 32 sufficent. </Note> </> <entry ID = "23"> <type> INI </type> <KEY> enable_dl </KEY> <value OP = "EQ"> 0 </value> <DESCRIPTION> disable dynamic expansion of loading. </Note> </entry> <entry ID = "24"> <type> INI </type> <KEY> display_startup_errors Settings </KEY> <value OP = "EQ"> 0 </value> <DESCRIPTION> startup errors should be blocked. 
</Note> </entry> <entry ID = "25"> <type> INI </type> <KEY> log_errors option </KEY> <value OP = "EQ "> 1 </value> <DESCRIPTION> All Errors generated by PHP should be recorded in a file. </Note> </entry> <entry ID = "26"> <type> INI </type> <KEY> log_errors_max_len </KEY> <value OP = ">"> 2048 </value> <DESCRIPTION> error messages with at least 2048 characters should be stored in error logs. </Note> </entry> <entry ID = "27"> <type> INI </type> <KEY> error_log </KEY> <value OP = "NE" net = "">/custom/location </value> <DESCRIPTION> the location of the PHP error log should be set. </Note> </entry> <entry ID = "28"> <type constant </type> <KEY> LIBXML_NOENT </KEY> <value OP = "EQ"> 0 </value> <DESCRIPTION> XML parsing should be disabled for external entities </DESCRIPTION> </entry> <entry ID = "37"> <type> INI </type> <KEY> session. use_only_cookies </key> <value OP = "EQ"> 1 </value> should only pass the <DESCRIPTION> Session variable cookie. </Note> </entry> <entry ID = "29"> <type constant </type> <KEY> LIBXML_NONET </KEY> <value OP = "EQ"> 0 </value> <DESCRIPTION> the XML Parser for network access should be disabled. 
</Note> </entry> <entry ID = "38"> <type> disable_functions options </type> <LIST> <function> fsocket_open </function> <package> <function> escapeshellarg </function> <function> execution </function> <relay> <function> proc_close </function> <function> php_uname </function> <function> getmyuid </function> <function> getmypid </function> <relay> <function> <leakage <function> <diskfreespace> <function> TMPFILE </function> <function> link </function> <ignore_user_abort> <function> <set_time_limit> <function> <restriction> <function> execution </ function> <function> highlight_file </function> <function> show_source </function> <function> fpaththru </function> <virtual> <function> posix_ctermid </function> <function> posix_getcwd </function> <function> posix_getegid </function> <function> posix_geteuid </function> <function> posix_getgid </function> <function> posix_getgrgid </Function> <function> posix_getgrnam </function> <function> posix_getgroups </function> <function> posix_getlogin </function> <function> posix_getpgid </function> <function> posix_getpgrp </Function> <function> posix_getpid </function> <function> POSIX </function> <function> posix_getpwnam </function> <function> posix_getpwuid </function> <function> posix_getrlimit </function>/ function> <function> posix_getsid </function> <function> posix_getuid </function> <function> posix_isatty </function> <function> posix_kill </function> <function> posix_mkfifo </ function> <function> posix_setegid </function> <function> posix_seteuid </function> <function> posix_setgid </function> <function> posix_setpgid </function> <function> posix_setsid </function> <function> posix_setuid </function> <function> posix_times </function> <function> posix_ttyname </function> <function> posix_uname </function> <proc_open> <function> proc_close </function> <function> proc_get_status </function> <function> proc_nice </function> <function> proc_terminate </function> <phpinfo <function> <proc_open> <function shell_exec> 
<function> System </function> <set_time_limit> <function> ini_alter </function> <function> DL </ function> <function> POPEN </function> <function> parse_ini_file </function> </List> </getting started> </Rule>
The code for style.css is as follows:
1234567891011121314 @ CHARSET "UTF-8"; body {background color: # FFFFFF; color: #000000;} body, TD, TH, H1, H2 {font family: unlined ;} pre {deposit: 0PX; font family: Same width;} table {border crash: crash;} TD, TH {boundary: 1px solid #000000; font size: 75%; Vertical Alignment: baseline; fill left: Add 5px; Right: Add 5px;} H1 {font size: 150%;} H2 {font size: 125%;} P {text alignment: Left ;} E {background color: # CCCCFF font weight: bold; color: #000000 ;}h {background color: # 9999CC; font weight: bold; color: #000000 ;} v {background color: # CCCCCC; color: #000000; fill left: Add 5px;} R {background color: # c50000; color: #000000; fill left: Add 5px ;}
The three files have been packaged as PHP security check.zip.