Analysis of Discuz Forum security reinforcement

[BKJIA] The Discuz! forum is favored by many websites for its comprehensive functions, efficiency and load capacity; this is beyond dispute. The forum I maintain runs Discuz!, and from version 7.2 when I took it over to X2.0 now, I have gained a lot of experience over several rounds of secondary development and release.

Getting straight to the point, this article describes how to harden a Discuz! forum from three angles: nginx configuration, Discuz! file and directory permissions, and MySQL user privileges. I hope it gives you some ideas.

1. Nginx security reinforcement

Nginx sits in front of the web application, so enforcing access restrictions there is far more efficient than doing it in PHP. For a Discuz! X2.0 forum, the nginx hardening is as follows:

location ~* ^/(data|images|config|static|source)/.*\.(php|php5)$
{
    deny all;
}
This means that no PHP file under the data, images, config, static or source directories can be reached from the web: an attacker who manages to upload a webshell into one of the upload directories cannot execute it, and nginx returns a 403 error instead. The most direct and thorough method, of course, is the reverse: deny execution of all PHP files first, then explicitly allow only the PHP entry points and directories that need to be open. Note that with an allow list alone, a PHP file outside the list is not executed but may still be served as a static file by the default location, so keep the deny rule above as well.

For example (do not copy this straight into your production environment, or you will regret it):

# only these entry scripts are handed to PHP-FPM; no other .php file is executed
location ~ ^/(index|forum|api|home)\.php$
{
    allow all;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include fastcgi.conf;
}
2. Discuz! directory reinforcement

Do not set directories to 777 as many guides on the Internet suggest: that lets any user write to and execute in the directory. The correct method is as follows:

1) The user that runs nginx and PHP should be created as follows (the www group must exist first, for example via groupadd www):

useradd -g www -d /data0/htdocs -s /sbin/nologin www

This creates a www user whose home directory is /data0/htdocs and whose shell is /sbin/nologin (login is not allowed).

2) For Discuz! X2.0, set the directory permissions as follows:

Go to the forum root directory and run:

find source -maxdepth 4 -type d -exec chmod 555 {} \;
find api -maxdepth 4 -type d -exec chmod 555 {} \;
find static -maxdepth 4 -type d -exec chmod 555 {} \;
find archive -maxdepth 4 -type d -exec chmod 555 {} \;
find config -maxdepth 4 -type d -exec chmod 555 {} \;
find data -maxdepth 4 -type d -exec chmod 755 {} \;   # data holds the cache, which must be writable, so it gets 755
find template -maxdepth 4 -type d -exec chmod 555 {} \;
find uc_client -maxdepth 4 -type d -exec chmod 555 {} \;
3) For Discuz! X2.0, set the file permissions as follows:

Go to the forum root directory and run:

find . -type f -exec chmod 444 {} \;      # make every file in the forum tree read-only first, then re-open the files that must be writable; normally only files under data need this
find data -type f -exec chmod 755 {} \;   # set the files under data to 755
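
The three steps above as one script, added here as an example and not code from the article: it applies the article's permission scheme to a forum root and then audits the tree for the two conditions the scheme is meant to rule out, world-writable paths and PHP files sitting in the writable data tree. The sample directory tree it builds is constructed for the demonstration, and the useradd/chown step is left out so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from the original article: apply its Discuz! X2.0
# permission scheme (dirs 555, data dirs 755, files 444, data files 755) to a
# forum root, then audit the tree for world-writable paths and for PHP files
# left inside the writable data tree (which nginx must refuse to execute).

# Print the nine-character permission string of a path (ls is portable; stat -c is not).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Apply the article's permissions below forum root $1.
harden_discuz_perms() {
    root=$1
    for d in source api static archive config template uc_client; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -maxdepth 4 -type d -exec chmod 555 {} \;
        fi
    done
    # data holds the cache and attachments, so its directories stay owner-writable.
    find "$root/data" -maxdepth 4 -type d -exec chmod 755 {} \;
    # All files read-only first, then re-open only the ones under data.
    find "$root" -type f -exec chmod 444 {} \;
    find "$root/data" -type f -exec chmod 755 {} \;
}

# Audit forum root $1: report world-writable paths and .php files under data/.
audit_discuz_perms() {
    root=$1
    find "$root" -perm -002 -print | sed 's/^/WORLD-WRITABLE: /'
    find "$root/data" -type f -name '*.php' -print | sed 's/^/PHP-IN-DATA: /'
}

# Constructed sample tree (hypothetical paths) with one 777 directory, the
# mistake the article warns about, and PHP files in the data tree for the audit.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/source/class" "$dir/config" "$dir/template/default" \
             "$dir/data/cache" "$dir/data/attachment"
    : > "$dir/index.php"
    : > "$dir/config/config_global.php"
    : > "$dir/data/cache/cache_settings.php"
    : > "$dir/data/attachment/sample.php"
    chmod 777 "$dir/data/attachment"
}
```

Run the audit again after any upgrade or plugin install, since both typically recreate directories with their own permissions.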
3. MySQL permission settings

1) MySQL user privileges: a user's privileges should be strictly limited; never grant all of them. For example, if a user only needs to run SELECT statements against a single database, grant only SELECT and restrict it to that database; do not add DELETE or UPDATE. For example:

 

2) Source IP restriction: this is the easiest thing to forget. The source IP is often opened up for testing and then never tightened again when the system goes live, and the consequences can be severe. Restrict each user to a source IP; for example, allow connections only from 192.168.1.2. For example:

 

Above I have briefly summarized Discuz! forum security reinforcement. Since it took only a little time to put together, errors are inevitable, and I hope readers will not hesitate to point them out. As the saying goes, "security is relative, never absolute": new problems will arise in the future, and each one needs to be analyzed in detail and given the appropriate remedy.

Author profile: Cui Xiaohui, online handle corzd, systems administrator for a public network, proficient in website system architecture and Unix. Gtalk: coralzd@gmail.com
