Correctly set the php-fpm sub-process user to improve website security and prevent Trojans

Source: Internet
Author: User
Tags: ftp, connection, website, server

Core summary: the user that the php-fpm sub-processes run as must not be the owner of the website files. Any violation of this rule breaks the principle of least privilege.


Continuous feedback from production environments shows that php websites get infected with Trojans, and most of these infections are caused by improper permission settings. Vulnerabilities in server software or in php programs are inevitable; in that case, if the Linux website directory permissions and the php process permissions are set correctly, the website can still be kept secure.


So what causes websites to be infected with Trojans?


1. The FTP login information is cracked. The countermeasure is to use a very complex FTP user name (never a common one); if the maintainer works from a fixed location, the iptables firewall can be used to restrict the source IP addresses. In some scenarios, however, remote maintenance requires a VPN: when the website maintainer needs to modify website files over FTP, they must first log on to the VPN server of the IDC data center and only then perform the FTP operations.


2. Vulnerabilities in the web server software, its configuration, or the php programs are exploited.
Before discussing this issue, let us describe the concepts of file and process permissions:

A. If the FTP user is to have full modification permission on the website directory, the website files must be owned by the FTP user. There is no doubt about this; otherwise, how could it modify the files?

B. The php-fpm process and the nginx process need at least read permission on the website files. For example, run the following command to view the accounts used by the two processes:



We can see that both the nginx and the php-fpm sub-processes run as the nobody account.


Then we can view the website file directory permissions:

If the website files are owned by the www account, the situation is as follows:

- Nginx and php have only read permission on the website, no write permission.

- If the php program needs to write to some files on the website, the permission of those files or directories must be changed to 777 by hand.

- Because the php-fpm sub-process runs as nobody, every new file generated by php-fpm is also owned by nobody. The FTP user is then unable to modify these files, and whoever tied the bell must untie it: after php generates a file, the program has to call chmod("/somedir/somefile", 0777) to change the file permission to 777 so that the FTP user can also modify it.

- Developers often ask me to reset the permissions on files generated by php.

- If the php-fpm sub-process runs as the user that owns the website files, the php-fpm process has write permission on the entire website directory. This is the nightmare.


However, we find that many system administrators, to save themselves trouble, run the php-fpm process as the account that owns the website files, violating the principle of least privilege on Linux. This may make life easier for php developers (the php-fpm process can write to the whole website directory), but it breaks the file system permission model of Linux and renders all other security measures ineffective. As you can imagine, once there is a vulnerability in the php program, an attacker can upload a Trojan, modify every file on the website, and deface the homepage.


Step back and consider: if we set strict permissions, then even if the php program has a vulnerability, an attacker can only tamper with the directories that have 777 permission and cannot rewrite any other file. Isn't the website more secure that way?


Core summary: the user that the php-fpm sub-processes run as must not be the owner of the website files. Any violation of this rule breaks the principle of least privilege.


Reading the articles and tutorials on nginx and php-fpm configuration on the Internet, and some of the books on the market, I found that many people have been misled by them into running the php-fpm sub-process directly as the account of the website owner. For example, page 52 of Zhang Yan's "Practical Nginx: Replacing Apache with a High-Performance Web Server" contains the following settings (the php-fpm process user and group, both set to www):

www

www


and on page 7 the website file owner is set to the www user:

chown -R www:www /data0/htdocs/blog

Obviously, this part of the book misleads beginners. To address this issue, I have sent an email to the author in the hope that the second edition will emphasize the point, so as to avoid the security risks caused by overly loose permission configuration.


In the official configuration file, the php-fpm sub-process runs as the nobody user, which is entirely reasonable and does not need to be modified.


In this case, how should the nginx sub-process user be set? I recommend using nobody (this has no impact on writing the error log), as follows:

Set the first line of the nginx.conf file to "user nobody;" and then run "nginx -s reload".


Php-fpm sub-process user setting method:

Edit the php-fpm.conf file (typically /usr/local/php/etc/php-fpm.conf, depending on the installation parameters), find the definitions of the user and group parameters, set them to nobody (the default value is already nobody), and then restart the php-fpm process.
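The following is an added example, not part of the original article, that checks the rule behind the two procedures above: it lists the non-root accounts that php-fpm worker processes run as and verifies that the website directory is not owned by any of them. The ps output is constructed inline for the example; on a real server it would be replaced by the live output of "ps -eo user,comm", and the webroot path is passed on the command line (it defaults to the current directory).

```python
import os
import pwd
import sys

# Sample output of `ps -eo user,comm`, constructed for this example: the php-fpm
# master runs as root, its workers (and the nginx workers) run as nobody.
SAMPLE_PS = """USER     COMMAND
root     nginx
nobody   nginx
root     php-fpm
nobody   php-fpm
nobody   php-fpm
"""


def php_fpm_workers(ps_output):
    """Sorted list of the non-root accounts that php-fpm worker processes run as.

    The first line is the ps header and is skipped; the master process runs as
    root and is not a worker, so root is excluded.
    """
    users = set()
    for line in ps_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 2 and parts[1] == "php-fpm" and parts[0] != "root":
            users.add(parts[0])
    return sorted(users)


def dir_owner(path):
    """Owner of `path` as an account name (numeric uid if there is no passwd entry)."""
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def owner_separated(path, fpm_user):
    """True when the owner of the website directory is NOT the php-fpm worker user.

    This is the rule the article insists on: if the two coincide, php-fpm can
    write every file of the site and the least-privilege separation is gone.
    """
    return dir_owner(path) != fpm_user


def audit(webroot, ps_output):
    """Check `webroot` against every php-fpm worker account found in `ps_output`.

    Returns (ok, messages); ok becomes False as soon as one worker account owns
    the directory.
    """
    ok = True
    messages = []
    owner = dir_owner(webroot)
    for user in php_fpm_workers(ps_output):
        if owner_separated(webroot, user):
            messages.append(f"OK: {webroot} is owned by {owner}; php-fpm runs as {user}")
        else:
            ok = False
            messages.append(f"VIOLATION: {webroot} is owned by {owner}, the php-fpm worker user")
    return ok, messages


if __name__ == "__main__":
    # Usage: python audit_fpm.py /path/to/webroot   (defaults to the current directory)
    # On a real server replace SAMPLE_PS with the live output of `ps -eo user,comm`.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    result, lines = audit(root, SAMPLE_PS)
    print("\n".join(lines))
    print("result:", "pass" if result else "FAIL")
```

The check deliberately compares the worker account, not the master: the php-fpm master runs as root only to bind and spawn, and it is the workers that execute website code and therefore decide what a compromised script can write.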


Special notes on website writable directories

"Writable" here means writable by the php-fpm sub-process. Writable directories are where a website most easily runs into security problems; if their permissions are strictly controlled, the security of the site improves greatly.

We consider that a website may need to write to the following kinds of directories:

1. The php data cache directory, such as the forumdata directory of discuz, which stores a large number of data cache files. This type of directory generally forbids direct access by users, but discuz also stores many js and css files in it, so we cannot simply deny users access to this directory. Obviously, no file in this directory should be handed to php for parsing; we will give a solution later.

2. The attachment upload directory. Obviously, access to these directories must be allowed, but their files must not be parsed by the php engine (that is, every file in this directory is treated as an ordinary static file).

3. Directories for generated static files. All files in such directories should be treated as static files.

4. Log directories, which usually reject direct access.


That is to say, website developers should separate dynamic and static content within the writable directories: files with different behaviour should be treated differently, so that the system administrator can easily set reasonable nginx rules and improve security.


Note that simply removing the execute permission from a php file does not prevent the php-fpm process from parsing it.


Next, based on the summary above, how does the system administrator configure nginx directory rules to achieve better security?

1. Data cache directory /cache/

This directory needs 777 permission and does not need to be accessible to users. You can configure nginx as follows:

location ~ "^/cache" {
    return 403;
}

location ~ "\.php$" {
    fastcgi_pass 127.0.0.1:9000;
    ....................
}

At this point, no user can access the content of the /cache/ directory, even if

2. Attachment upload directory /attachments

This directory must be openly accessible, but none of its files may be parsed by the php engine (including Trojan files whose suffix has been changed to gif):

location ~ "^/attachments" {

}

location ~ "\.php$" {
    fastcgi_pass 127.0.0.1:9000;
    ....................
}

Note that the location block for the attachments directory deliberately contains no statements. Nginx gives regular-expression locations priority and uses the first one, in configuration order, that matches the request; once a request has matched one regular-expression location, the remaining regular-expression locations are not tried.


Now, create a php script file in the attachments directory and request it in the browser: the browser offers the file for download. This shows that nginx treats files in the attachments directory as static files and does not hand them to php fastcgi for processing. In this way, even if a Trojan is planted in the writable directory, it cannot be executed, and the website is safer.


Obviously, never place important php configuration files in this directory.


3. Directory for generated static files /public

These directories usually hold the static pages generated by php. They are obviously similar to the attachment directory, and you can configure them the same way as the attachment directory.
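The following added example, not taken from the article, models the nginx matching rule that the three location configurations above rely on: among regular-expression locations, the first one in configuration order that matches the request wins. It encodes the /cache, /attachments and /public rules together with the "\.php$" handler as a hypothetical configuration in the safe order and in the reversed order, and shows that a php file dropped into the upload directory reaches php-fpm only when the php handler is listed first. Prefix and exact locations are not modelled; a request that matches no regular-expression location is assumed to be served as a static file.

```python
import re

# Regular-expression locations in the order they would appear in nginx.conf.
# Hypothetical configuration assembled for this example; the handler names are
# labels for what the corresponding block does.
SAFE_ORDER = [
    (r"^/cache", "403"),           # data cache: never served to users
    (r"^/attachments", "static"),  # uploads: served as plain files, never parsed
    (r"^/public", "static"),       # generated pages: served as plain files
    (r"\.php$", "fastcgi"),        # anything else ending in .php goes to php-fpm
]

# The same blocks with the php handler moved to the front: the ordering that
# lets an uploaded .php file reach php-fpm.
UNSAFE_ORDER = [SAFE_ORDER[-1]] + SAFE_ORDER[:-1]


def route(uri, locations=SAFE_ORDER):
    """Handler nginx would pick for `uri`: the first regex location that matches.

    Simplified model of `location ~` matching: regex locations are tested in
    configuration order and the first match wins. When none matches, nginx
    falls back to the prefix location, which here is assumed to serve the file
    as static content.
    """
    for pattern, handler in locations:
        if re.search(pattern, uri):
            return handler
    return "static"


def uploaded_php_is_inert(locations):
    """True when a .php file placed in the upload directory would not be executed."""
    return route("/attachments/test.php", locations) != "fastcgi"


if __name__ == "__main__":
    for uri in ("/index.php", "/attachments/test.php", "/attachments/photo.gif",
                "/cache/style.css", "/public/page.html"):
        print(f"{uri:28} safe order -> {route(uri):8} php-first -> {route(uri, UNSAFE_ORDER)}")
    print("uploaded php inert (safe order):  ", uploaded_php_is_inert(SAFE_ORDER))
    print("uploaded php inert (php-first):   ", uploaded_php_is_inert(UNSAFE_ORDER))
```

The useful property to check after every nginx change is the last one: with the handler blocks in the safe order, a request for a .php file under /attachments or /public is answered as a download, exactly what the browser test described above shows.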

It is foreseeable that with strict permissions, even if the website's php program has vulnerabilities, a Trojan script can only be written into a directory with 777 permission, and with strict directory rules it cannot be triggered; the security of the whole system is clearly improved.


However, only the developers know the roles and required permissions of the website's writable directories. Php developers therefore need to communicate actively with the system administrator: before a project goes live, the developers should document the function and required permissions of each writable directory, and the system administrator can then set the permissions for the different directories. If either party changes a website directory permission without reflecting it in the document, we consider that a violation of the workflow.
