Security Hardening Configuration for PHP Web site under Linux

Source: Internet
Author: User

PHP security configuration (php.ini; directive names are case-sensitive):

1. disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popen,stream_socket_server,fsocket,phpinfo  # functions to disable
2. expose_php = Off  # do not expose the PHP version in response headers
3. display_errors = Off  # do not show error messages to clients
4. register_globals = Off  # turn off register_globals (the directive no longer exists in PHP 5.4 and later)
5. enable_dl = Off  # disallow dl()
6. allow_url_include = Off  # prevent including remote files
7. session.cookie_httponly = 1  # set the HttpOnly flag on the session cookie
8. upload_tmp_dir = /tmp  # explicitly define the upload temp directory
9. open_basedir = ./:/tmp:/home/wwwroot/  # restrict the directories PHP may access

open_basedir parameter explanation

open_basedir limits the files a script may open to the specified area, usually the site's own directory; the symbol "." stands for the current directory. Note that a limit given with open_basedir is actually a path prefix, not a directory name.

For example, with "open_basedir = /home/wwwroot", both "/home/wwwroot" and "/home/wwwroot1" are accessible. So if you want to restrict access to exactly the specified directory, end the path with a slash.
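As an added example, not part of the original article, the following Python script audits a php.ini against the checklist above and mimics the open_basedir prefix rule just described. The sample php.ini, the subset of directives it checks and the function names are constructed for illustration.

```python
# Constructed sample php.ini (not from the page), deliberately weak in three places.
SAMPLE_INI = """\
[PHP]
expose_php = On
display_errors = Off
enable_dl = Off
allow_url_include = Off
disable_functions = exec,system,shell_exec,proc_open
open_basedir = ./:/tmp/:/home/wwwroot
session.cookie_httponly = 1
"""

# Checklist directives and the value each should have (php.ini keys are case-sensitive).
EXPECTED = {"expose_php": "Off", "display_errors": "Off", "enable_dl": "Off",
            "allow_url_include": "Off", "session.cookie_httponly": "1"}
REQUIRED_DISABLED = {"exec", "system", "shell_exec", "passthru", "proc_open"}  # subset of the list above

def parse_php_ini(text):
    """Flatten php.ini into a dict: ';' starts a comment and [sections] do not scope keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.strip('"')
    return settings

def open_basedir_allows(path, open_basedir):
    """Mimic PHP's rule: each entry is a path prefix, so '/home/wwwroot' also admits '/home/wwwroot1'."""
    # "." and "./" mean the running script's directory, resolved at runtime, so they are skipped here.
    return any(path.startswith(p) for p in open_basedir.split(":") if p not in (".", "./"))

def audit(ini_text):
    """Return the checklist findings for a php.ini; an empty list means every item passes."""
    s = parse_php_ini(ini_text)
    findings = []
    for key, want in EXPECTED.items():
        if s.get(key, "").lower() != want.lower():
            findings.append(f"{key} should be {want}, found {s.get(key, '<unset>')}")
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    for entry in s.get("open_basedir", "").split(":"):
        if entry and not entry.startswith(".") and not entry.endswith("/"):
            findings.append(f"open_basedir entry {entry!r} has no trailing slash, so it also matches {entry}1")
    return findings
```

Running audit(SAMPLE_INI) reports the exposed version, the missing passthru entry and the unterminated /home/wwwroot prefix; pass the contents of a real php.ini to check a live host.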

MySQL security settings:

If the database only needs to serve the local machine, start it with the --skip-networking option so that it does not listen on the network.

Make sure MySQL runs as an unprivileged user such as mysql, and that the data directory is owned by that user.

vi /etc/my.cnf
user = mysql

Turn on the MySQL binary log so that, if data is deleted by accident, it can be recovered to a point in time from the binary log.

vi /etc/my.cnf
log_bin = mysql-bin
expire_logs_days = 7

Authentication and authorization

Do not allow the root account to access the database over the network; root may only log in from the local host.
mysql> grant all privileges on *.* to 'root'@'localhost' identified by 'password' with grant option;
mysql> flush privileges;

Delete anonymous accounts and accounts with an empty password:
mysql> use mysql;
mysql> delete from user where user='';
mysql> delete from user where password='';
mysql> delete from db where user='';

Web server security (Nginx): reject query strings that contain suspicious characters:
if ($query_string ~ ".[\;'\<\>].*") {
    return 404;
}

Turn off PHP parsing for directories that hold uploaded data:
location ~ ^/(attachments|data)/.*\.(php|php5)$ {
    deny all;
}

For Apache, disable PHP parsing in the upload directory, for example:
<Files ~ "\.php$">
    Order Allow,Deny
    Deny from all
</Files>

Trojan (webshell) scanning and prevention:

grep -r --include=*.php '[^a-z]eval($_POST' /home/wwwroot/

grep -r --include=*.php 'file_put_contents(.*$_POST\[.*\].*);' /home/wwwroot/

Use find with -mtime to list the PHP files modified in the last two days (or since the day the trojan was discovered):
find . -mtime -2 -type f -name '*.php'

To reset directory and file permissions and ownership:
find . -type f -name '*.php' -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chown -R www:www /home/wwwroot/www.test.com

To prevent cross-site infection, the virtual host directories need to be isolated from each other.

The simple Nginx approach:
When Nginx runs multiple virtual hosts, the usual php.ini open_basedir setting is:

open_basedir = ./:/tmp:/home/wwwroot/

Note: /home/wwwroot/ is the web path under which all virtual hosts are placed.

An attacker who gets a webshell onto any one of the sites can then reach anywhere under /home/wwwroot/, so the damage to every virtual host is very large.

Example: there are two virtual hosts in the /data/www/wwwroot directory.

Modify php.ini:

open_basedir = ./:/tmp:/home/wwwroot/www.test.com:/home/wwwroot/aaa.test.com

This way a webshell uploaded by a user cannot access other directories across sites.

Apache approach, controlling cross-directory access:

In the virtual host configuration file, add

php_admin_value open_basedir "/tmp:/home/wwwroot/www.test.com"
