PHP environment security check

Source: Internet
Author: User
Tags: php session, php error log, random seed

Securing a PHP installation on Linux involves many individual settings spread across php.ini, the session extension and the functions an application is allowed to call. The script below checks a running PHP environment against a rule file and reports which settings fall short, so that the environment can be hardened.
Function:

  • 1. Check the security-relevant php.ini configuration (upload and POST limits, memory and execution limits, session settings).
  • 2. Functions that should be listed in disable_functions.
  • 3. Dangerous settings that may allow local or remote file inclusion (allow_url_fopen, allow_url_include, open_basedir).
  • 4. Error handling (display_errors, log_errors, error_log).
  • 5. Constants defined at compile time (LIBXML_NOENT, LIBXML_NONET).
  • After installing PHP, place the three files (audit.php, php.xml, style.css) in the web directory of the site and open audit.php in a browser. The report discloses the server's configuration in the same way phpinfo() does, so restrict access to it and remove the three files as soon as the report has been read. The script can also be run from the command line (php audit.php > report.html), but the CLI SAPI may load a different php.ini than the web SAPI; pass the web SAPI's ini file explicitly with php -c, otherwise the wrong configuration is audited.


    <?php
    /**
     * PHP security auditor
     *
     * Loads a rule set from php.xml, compares it against the running PHP
     * configuration (php.ini directives, disable_functions, compile-time
     * constants) and prints an HTML report styled by style.css.
     */
    class audit {
        static private $rules;
        static private $constant;
        static private $phpVer;
        static public $report = array("ini" => array(), "disabled" => array(), "constant" => array());

        /**
         * Convert a php.ini shorthand value such as 1K, 1M or 1G to bytes.
         * The suffix is case-insensitive, as in php.ini itself. Values that are
         * not shorthand (paths, plain numbers) are returned unchanged.
         *
         * @param string $n
         * @return int|string
         */
        static private function convertToBytes($n) {
            $n = trim((string) $n);
            // -1 means "no limit"
            if ($n === "-1") return PHP_INT_MAX;
            $num = substr($n, 0, -1);
            // only treat the last character as a unit when the rest is a number,
            // otherwise a path such as /var/log/php.log would be mangled
            if (!is_numeric($num)) return $n;
            switch (strtoupper(substr($n, -1))) {
                case "B": return (int) $num;
                case "K": return (int) $num * 1024;
                case "M": return (int) $num * 1024 * 1024;
                case "G": return (int) $num * 1024 * 1024 * 1024;
            }
            return $n;
        }

        /**
         * Render one section of the report as an HTML table.
         *
         * @param string $type  ini, disabled or constant
         * @param string $title section heading
         * @return string
         */
        static private function makeReport($type, $title) {
            ksort(self::$report[$type]);
            $html = '<h1>' . htmlentities($title) . '</h1>'
                  . '<table><tr class="h"><th>Setting</th><th>Current</th><th>Recommended</th><th>Description</th></tr>';
            foreach (self::$report[$type] as $key => $value) {
                // p == 1 marks a finding and is rendered red (class r), otherwise grey (class v)
                $class = ($value['p'] == 1) ? "r" : "v";
                $html .= '<tr><td class="e">' . htmlentities((string) $key) . '</td>'
                       . '<td class="' . $class . '">' . htmlentities((string) $value['c']) . '</td>'
                       . '<td class="' . $class . '">' . htmlentities((string) $value['r']) . '</td>'
                       . '<td class="' . $class . '">' . htmlentities((string) $value['d']) . '</td></tr>';
            }
            $html .= '</table>';
            return $html;
        }

        /**
         * Print the complete HTML report.
         */
        static public function HTMLReport() {
            $html = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
                  . '<html><head><title>PHP security audit</title>'
                  . '<link rel="stylesheet" type="text/css" href="style.css" /></head><body>';
            $html .= self::makeReport("ini", "PHP ini");
            $html .= self::makeReport("disabled", "PHP disabled functions");
            $html .= self::makeReport("constant", "PHP constants");
            $html .= '</body></html>';
            echo $html . "\n";
        }

        /**
         * Add an item to the report array.
         *
         * @param string  $type    ini, disabled or constant
         * @param string  $key     directive, function or constant name
         * @param string  $cvalue  current value
         * @param string  $rvalue  recommended value
         * @param string  $desc    problem description
         * @param boolean $problem true if the current value does not meet the rule
         */
        static private function report($type, $key, $cvalue, $rvalue, $desc, $problem) {
            // several rules may cover the same key (e.g. upload_max_filesize);
            // never let a rule that passes overwrite an existing finding
            if (isset(self::$report[$type][$key]) && self::$report[$type][$key]['p'] == 1 && !$problem) return;
            self::$report[$type][$key] = array("c" => $cvalue, "r" => $rvalue, "d" => $desc, "p" => (int) $problem);
        }

        /**
         * Load the rule set from XML.
         *
         * @param string $file
         */
        static public function loadRules($file = "php.xml") {
            if (!defined('PHP_VERSION_ID')) {
                // PHP_VERSION_ID exists since 5.2.7; derive it for older releases
                $version = explode(".", PHP_VERSION);
                self::$phpVer = ((int) $version[0] * 10000 + (int) $version[1] * 100 + (int) $version[2]);
            } else {
                self::$phpVer = PHP_VERSION_ID;
            }
            self::$constant = get_defined_constants();
            self::$rules = simplexml_load_file($file);
            if (self::$rules === false) {
                exit("could not load rule file " . htmlentities($file) . "\n");
            }
        }

        /**
         * Evaluate every rule in the XML rule set against the running PHP.
         *
         * Rule format (see php.xml):
         *   <entry id=".."><type>ini|constant|disable_functions</type><key>name</key>
         *   <value op="eq|lt|gt|ne" [type="key"] [ne=".."] [notblank="true"]>..</value>
         *   <description>..</description>[<version op="before|after">NNNNN</version>]</entry>
         */
        static public function processXML() {
            foreach (self::$rules->entry as $entry) {
                // restrict the rule to the PHP versions it applies to
                $version = (string) $entry->version;
                if ($version != "") {
                    switch (strtolower((string) $entry->version->attributes()->op)) {
                        case "before": // directive removed or deprecated after $version
                            if (self::$phpVer > $version) continue 2;
                            break;
                        case "after":  // directive introduced in $version
                            if (self::$phpVer < $version) continue 2;
                            break;
                    }
                }
                $key   = (string) $entry->key;
                $desc  = (string) $entry->description;
                $vattr = $entry->value->attributes();
                $op    = strtolower((string) $vattr->op);
                switch ((string) $entry->type) {
                    // compile-time constant, e.g. LIBXML_NOENT
                    case "constant":
                        $cvalue = isset(self::$constant[$key]) ? self::$constant[$key] : "";
                        $rvalue = (string) $entry->value;
                        if ($op == "eq") {
                            self::report("constant", $key, $cvalue, $rvalue, $desc, ((string) $cvalue != $rvalue));
                        }
                        break;
                    // functions that should appear in disable_functions
                    case "disable_functions":
                        // php.ini commonly lists them as "exec, system, ..." so trim each entry
                        $disabled = array_map('trim', explode(",", (string) ini_get("disable_functions")));
                        foreach ($entry->list->function as $function) {
                            $function = trim((string) $function);
                            if (in_array($function, $disabled, true)) {
                                self::report("disabled", $function, "Disabled", "Disabled", "", false);
                            } elseif (!function_exists($function)) {
                                // extension not loaded in this build: nothing to disable
                                self::report("disabled", $function, "Not available", "Disabled", "", false);
                            } else {
                                self::report("disabled", $function, "Enabled", "Disabled", "", true);
                            }
                        }
                        break;
                    // php.ini directive, e.g. display_errors
                    case "ini":
                        $cvalue = trim((string) self::convertToBytes(ini_get($key)));
                        $rvalue = (string) $entry->value;
                        // a directive that is off, unset or unknown to this PHP counts as 0 for numeric rules
                        if (is_numeric($rvalue) && $cvalue == "") $cvalue = "0";
                        // type="key": compare against another directive, e.g. upload_max_filesize against post_max_size
                        if ((string) $vattr->type == "key") {
                            $rvalue = self::convertToBytes(ini_get(trim($rvalue)));
                        }
                        switch ($op) {
                            case "eq": // current value must equal the recommended value
                                self::report("ini", $key, $cvalue, $rvalue, $desc, ($cvalue != $rvalue));
                                break;
                            case "lt": // current value must be less than or equal to the recommended value
                                self::report("ini", $key, $cvalue, "<= $rvalue", $desc, ($cvalue > $rvalue));
                                break;
                            case "gt": // current value must be greater than or equal to the recommended value
                                self::report("ini", $key, $cvalue, ">= $rvalue", $desc, ($cvalue < $rvalue));
                                break;
                            case "ne": // current value must differ from the ne attribute and, with notblank, must be set
                                $neValue  = (string) $vattr->ne;
                                $notBlank = (string) $vattr->notblank;
                                if ($notBlank == "true" && $cvalue == "") {
                                    self::report("ini", $key, $cvalue, $rvalue, $desc, true);
                                    break;
                                }
                                self::report("ini", $key, $cvalue, $rvalue, $desc, ($cvalue == $neValue));
                                break;
                        }
                        break;
                }
            }
        }
    }

    audit::loadRules();
    audit::processXML();
    audit::HTMLReport();

    The php.xml rule file is as follows. A few caveats on its scope: several rules target directives that exist only in PHP 5 (magic_quotes_gpc, magic_quotes_runtime, safe_mode, register_globals, register_long_arrays, always_populate_raw_post_data, session.hash_function, session.entropy_file, session.entropy_length). The first five carry a <version op="before">50300</version> element and are skipped on PHP 5.3 and later; the others are evaluated against an empty value because ini_get() returns false for a directive PHP does not know, so on PHP 7.1 and later the three session.* rules show up as findings that cannot be fixed (remove them or give them a <version op="before">70100</version> element). The two constant rules (LIBXML_NOENT, LIBXML_NONET) cannot observe how an application calls the XML parser: the constants have fixed non-zero values in every build with libxml, so these rows always appear as findings and serve only as a reminder to review the parser flags in the code. The size limits (4 MB uploads and POST bodies, 16 MB memory) and the /dev/random entropy source are the rule author's choices; tune the limits to the application, and note that /dev/urandom does not block and is the usual recommendation.

    <?xml version="1.0" encoding="UTF-8"?>
    <rules>
        <entry id="1">
            <type>ini</type><key>upload_max_filesize</key>
            <value op="lt">4194304</value>
            <description>Set a maximum upload size. A small limit reduces the risk of denial of service.</description>
        </entry>
        <entry id="29">
            <type>ini</type><key>upload_max_filesize</key>
            <value op="lt" type="key">memory_limit</value>
            <description>The maximum upload size should fit within the available memory limit.</description>
        </entry>
        <entry id="30">
            <type>ini</type><key>post_max_size</key>
            <value op="lt" type="key">memory_limit</value>
            <description>The maximum size of data posted to the server should fit within the memory limit.</description>
        </entry>
        <entry id="32">
            <type>ini</type><key>always_populate_raw_post_data</key>
            <value op="eq">0</value>
            <description>Populating $HTTP_RAW_POST_DATA is not needed; the preferred method is php://input.</description>
        </entry>
        <entry id="33">
            <type>ini</type><key>magic_quotes_gpc</key>
            <value op="eq">0</value>
            <description>Sets the magic_quotes state for GPC (Get/Post/Cookie) data. Relying on this feature is strongly discouraged.</description>
            <url>http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc</url>
            <version op="before">50300</version>
        </entry>
        <entry id="34">
            <type>ini</type><key>magic_quotes_runtime</key>
            <value op="eq">0</value>
            <description>Sets the magic_quotes state for data from external sources. Relying on this feature is strongly discouraged.</description>
            <url>http://www.php.net/manual/en/info.configuration.php</url>
            <version op="before">50300</version>
        </entry>
        <entry id="35">
            <type>ini</type><key>safe_mode</key>
            <value op="eq">0</value>
            <description>This feature has been deprecated as of PHP 5.3.0. Relying on it is strongly discouraged.</description>
            <version op="before">50300</version>
        </entry>
        <entry id="36">
            <type>ini</type><key>memory_limit</key>
            <value op="lt">16777216</value>
            <description>The memory limit should be 16 MB or less.</description>
        </entry>
        <entry id="5">
            <type>ini</type><key>upload_max_filesize</key>
            <value op="lt" type="key">post_max_size</value>
            <description>The maximum upload size should be less than or equal to post_max_size.</description>
        </entry>
        <entry id="2">
            <type>ini</type><key>max_file_uploads</key>
            <value op="lt">10</value>
            <description>Maximum number of files that can be uploaded in one request.</description>
        </entry>
        <entry id="3">
            <type>ini</type><key>file_uploads</key>
            <value op="eq">0</value>
            <description>This may be impractical, but if file uploads are not needed they should be disabled.</description>
        </entry>
        <entry id="4">
            <type>ini</type><key>post_max_size</key>
            <value op="lt">4194304</value>
            <description>The maximum POST size should be kept small to reduce the risk of denial of service.</description>
        </entry>
        <entry id="6">
            <type>ini</type><key>register_long_arrays</key>
            <value op="eq">0</value>
            <description>Populating the HTTP_*_VARS arrays should not be used.</description>
            <version op="before">50300</version>
        </entry>
        <entry id="7">
            <type>ini</type><key>register_globals</key>
            <value op="eq">0</value>
            <description>Registers request variables as globals. This should always be disabled.</description>
            <version op="before">50300</version>
        </entry>
        <entry id="8">
            <type>ini</type><key>session.hash_function</key>
            <value op="eq">1</value>
            <description>SHA-1 (160 bit) should replace MD5, since it is the stronger hash algorithm.</description>
            <version op="after">50000</version>
        </entry>
        <entry id="9">
            <type>ini</type><key>session.hash_bits_per_character</key>
            <value op="gt"></value>
            <description>Number of bits encoded per session ID character.</description>
            <version op="after">50000</version>
        </entry>
        <entry id="10">
            <type>ini</type><key>session.entropy_file</key>
            <value op="ne" ne="">/dev/random</value>
            <description>Provides the random seed for session ID generation.</description>
        </entry>
        <entry id="11">
            <type>ini</type><key>session.entropy_length</key>
            <value op="gt">32</value>
            <description>Number of bytes read from the entropy source.</description>
        </entry>
        <entry id="12">
            <type>ini</type><key>session.name</key>
            <value op="ne" ne="PHPSESSID">custom string</value>
            <description>PHP session cookie name. Changing it from the default is recommended.</description>
        </entry>
        <entry id="14">
            <type>ini</type><key>session.save_path</key>
            <value op="ne" ne="/tmp" notblank="true">/custom/location</value>
            <description>Session save path; the default is /tmp.</description>
        </entry>
        <entry id="15">
            <type>ini</type><key>session.use_trans_sid</key>
            <value op="eq">0</value>
            <description>Session IDs must not be passed as GET parameters.</description>
        </entry>
        <entry id="18">
            <type>ini</type><key>display_errors</key>
            <value op="eq">0</value>
            <description>Error messages should not be displayed to users.</description>
        </entry>
        <entry id="19">
            <type>ini</type><key>allow_url_fopen</key>
            <value op="eq">0</value>
            <description>Remote files should not be accessible with fopen().</description>
        </entry>
        <entry id="20">
            <type>ini</type><key>allow_url_include</key>
            <value op="eq">0</value>
            <description>Remote scripts must not be includable.</description>
        </entry>
        <entry id="31">
            <type>ini</type><key>session.cookie_httponly</key>
            <value op="eq">1</value>
            <description>Session cookies should carry the HttpOnly flag.</description>
            <version op="after">50200</version>
        </entry>
        <entry id="20">
            <type>ini</type><key>open_basedir</key>
            <value op="ne" ne="/" notblank="true">/webroot</value>
            <description>Restrict the files PHP can open to the web root.</description>
        </entry>
        <entry id="32">
            <type>ini</type><key>upload_tmp_dir</key>
            <value op="ne" ne="/tmp" notblank="true">/custom/location</value>
            <description>Uploaded files should initially be stored in a location other than /tmp.</description>
        </entry>
        <entry id="21">
            <type>ini</type><key>max_execution_time</key>
            <value op="lt">20</value>
            <description>Script execution time should be limited to 20 seconds or less.</description>
        </entry>
        <entry id="22">
            <type>ini</type><key>max_input_nesting_level</key>
            <value op="lt">32</value>
            <description>A maximum nesting depth of 32 for input variables is sufficient.</description>
        </entry>
        <entry id="23">
            <type>ini</type><key>enable_dl</key>
            <value op="eq">0</value>
            <description>Disable dynamic loading of extensions.</description>
        </entry>
        <entry id="24">
            <type>ini</type><key>display_startup_errors</key>
            <value op="eq">0</value>
            <description>Startup errors should be suppressed.</description>
        </entry>
        <entry id="25">
            <type>ini</type><key>log_errors</key>
            <value op="eq">1</value>
            <description>All errors generated by PHP should be logged to a file.</description>
        </entry>
        <entry id="26">
            <type>ini</type><key>log_errors_max_len</key>
            <value op="gt">2048</value>
            <description>Error messages of at least 2048 characters should be stored in the error log.</description>
        </entry>
        <entry id="27">
            <type>ini</type><key>error_log</key>
            <value op="ne" ne="">/custom/location</value>
            <description>The location of the PHP error log should be set.</description>
        </entry>
        <entry id="28">
            <type>constant</type><key>LIBXML_NOENT</key>
            <value op="eq">0</value>
            <description>XML parsing of external entities should be disabled.</description>
        </entry>
        <entry id="37">
            <type>ini</type><key>session.use_only_cookies</key>
            <value op="eq">1</value>
            <description>Session IDs should only be passed in cookies.</description>
        </entry>
        <entry id="29">
            <type>constant</type><key>LIBXML_NONET</key>
            <value op="eq">0</value>
            <description>Network access by the XML parser should be disabled.</description>
        </entry>
        <entry id="38">
            <type>disable_functions</type>
            <list>
                <function>fsockopen</function>
                <function>escapeshellarg</function>
                <function>exec</function>
                <function>proc_close</function>
                <function>php_uname</function>
                <function>getmyuid</function>
                <function>getmypid</function>
                <function>diskfreespace</function>
                <function>tmpfile</function>
                <function>link</function>
                <function>ignore_user_abort</function>
                <function>set_time_limit</function>
                <function>highlight_file</function>
                <function>show_source</function>
                <function>fpassthru</function>
                <function>virtual</function>
                <function>posix_ctermid</function>
                <function>posix_getcwd</function>
                <function>posix_getegid</function>
                <function>posix_geteuid</function>
                <function>posix_getgid</function>
                <function>posix_getgrgid</function>
                <function>posix_getgrnam</function>
                <function>posix_getgroups</function>
                <function>posix_getlogin</function>
                <function>posix_getpgid</function>
                <function>posix_getpgrp</function>
                <function>posix_getpid</function>
                <function>posix_getppid</function>
                <function>posix_getpwnam</function>
                <function>posix_getpwuid</function>
                <function>posix_getrlimit</function>
                <function>posix_getsid</function>
                <function>posix_getuid</function>
                <function>posix_isatty</function>
                <function>posix_kill</function>
                <function>posix_mkfifo</function>
                <function>posix_setegid</function>
                <function>posix_seteuid</function>
                <function>posix_setgid</function>
                <function>posix_setpgid</function>
                <function>posix_setsid</function>
                <function>posix_setuid</function>
                <function>posix_times</function>
                <function>posix_ttyname</function>
                <function>posix_uname</function>
                <function>proc_open</function>
                <function>proc_get_status</function>
                <function>proc_nice</function>
                <function>proc_terminate</function>
                <function>phpinfo</function>
                <function>shell_exec</function>
                <function>system</function>
                <function>ini_alter</function>
                <function>dl</function>
                <function>popen</function>
                <function>parse_ini_file</function>
            </list>
        </entry>
    </rules>
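    To see what the rules amount to in practice, here is a php.ini fragment that satisfies the ini and disable_functions rules above on PHP 7 and later (the PHP 5-only directives are left out). It is an added example, not part of the original package; the comments name the shipped PHP default that each rule would flag, and the paths, the session name and the shortened disable_functions list are assumptions to be replaced with site-specific values.

```ini
; Hardened php.ini fragment written for the php.xml rules above (example, not from the original package).
; Paths, the session name and the trimmed disable_functions list are assumptions.

; rules 1, 4, 36, 5, 29, 30: the three sizes must be ordered
; upload_max_filesize <= post_max_size <= memory_limit, here 4M <= 4M <= 16M
upload_max_filesize = 4M            ; default 2M already passes rule 1 (4194304 bytes)
post_max_size = 4M                  ; default 8M exceeds rule 4
memory_limit = 16M                  ; default 128M exceeds rule 36; tune to the application
max_file_uploads = 10               ; rule 2
max_execution_time = 20             ; rule 21, default 30
max_input_nesting_level = 32        ; rule 22, default 64

; rules 19, 20 (allow_url_include), 20 (open_basedir), 23, 32: file inclusion and loading
allow_url_fopen = Off               ; default On
allow_url_include = Off
open_basedir = /var/www/example     ; rule requires a value other than "/" (path is an assumption)
enable_dl = Off
upload_tmp_dir = /var/lib/php/uploads   ; rule 32: anything but /tmp (path is an assumption)

; rules 18, 24, 25, 26, 27: error handling
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 2048
error_log = /var/log/php/error.log  ; rule 27: must be set (path is an assumption)

; rules 12, 14, 15, 31, 37: sessions
session.name = APPSESSID            ; rule 12: anything but PHPSESSID (name is an assumption)
session.save_path = /var/lib/php/sessions   ; rule 14: anything but /tmp (path is an assumption)
session.use_trans_sid = 0
session.use_only_cookies = 1
session.cookie_httponly = 1

; rule 38: the full list is in php.xml; this is the subset most often abused for command
; execution and information disclosure. disable_functions can only be set in php.ini.
disable_functions = exec,shell_exec,system,proc_open,popen,dl,phpinfo,show_source,highlight_file,ini_alter,parse_ini_file
```

    The values are the ones the rule file asks for; whether 16 MB of memory or a 4 MB POST body is realistic depends on the application, and the audit script will flag any deviation from them. After changing php.ini, rerun audit.php under the same SAPI (FPM, mod_php or CLI with -c) to confirm the report is clean.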

    The code for style.css is as follows:

    @charset "UTF-8";
    body {background-color: #ffffff; color: #000000;}
    body, td, th, h1, h2 {font-family: sans-serif;}
    pre {margin: 0px; font-family: monospace;}
    table {border-collapse: collapse;}
    td, th {border: 1px solid #000000; font-size: 75%; vertical-align: baseline; padding-left: 5px; padding-right: 5px;}
    h1 {font-size: 150%;}
    h2 {font-size: 125%;}
    p {text-align: left;}
    /* e: setting name, h: table header, v: value that meets the rule, r: finding */
    .e {background-color: #ccccff; font-weight: bold; color: #000000;}
    .h {background-color: #9999cc; font-weight: bold; color: #000000;}
    .v {background-color: #cccccc; color: #000000; padding-left: 5px;}
    .r {background-color: #c50000; color: #000000; padding-left: 5px;}

    The three files are packaged as PHP security check.zip.
