Apache/php/mysql Security Configuration

Source: Internet
Author: User
Tags create directory php script phpinfo safe mode

MySQL Basic security settings
1. Set or modify the MySQL root password:

Default post-installation blank password, set password with mysqladmin command:

Mysqladmin-uroot Password "password"

MySQL command set Password:

mysql> Set password for [email protected]=password (' password ');

Change Password:

Update Mysql.user set Password=password (' Password ') where user= ' root '; flush privileges;

2. Delete the default database and user

Drop database Test;use mysql;delete from Db;delete by user where not (host= "localhost" and user= "root"); flush privileges;

3. Change the default root account name:

Update Mysql.user set user= "admin" where user= "root"; flush privileges;

4. local File Security:

Set-variable=local-infile=0

5. Disable remote connection to MySQL, remote administration via phpMyAdmin, edit my.cnf in [mysqld] add:

Skip-networking

6. Least Privileged User:

Create DATABASE Db1;grant Select,insert,update,delete,create,drop privileges on database.* to [email protected] Identified by ' passwd ';

7. Restrict normal users to browse other databases, edit my.cnf in [mysqld] add:

--skip-show-database

8. Quick fix MySQL Database
Repairing the database

Mysqlcheck-a-o-r-P

Repairing the specified database

Mysqlcheck-o-R Database-p

9. Select the MySQL configuration file according to the size of the memory:

MY-SMALL.CNF # > MY-MEDIUM.CNF # 32m-64mmy-large.cnf # memory = 512mmy-huge.cnf # 1g-2g
MY-INNODB-HEAVY-4G.CNF # 4GB
----------------------------------------------------------------------------
Change the Apache Default Web site Directory

Create directory in root directory 1 mkdir data2 CD data3 mkdir website operation steps: 1, vi/etc/httpd/conf/httpd.conf find DocumentRoot "/var/www/html" This paragraph #apa Che's root directory to change the/var/www/html directory to/data/website and find #定义apache/var/www/html this area to change/var/www/html to/data/ Website so we'll get rid of the default path of APAHCE 1 service httpd restart #重启Apache服务器2, access to localhost, will find access denied, this is why? Mainly because your/home/wwwroot/web1/htdocs permissions are 750,apache This user does not have permission to access, you need to change the permissions, can be changed 1 chmod-r 755/data/website then go to access Discovery is working correctly (Apache User: Apache running Apache Group: Apache) At this point, the Apache default site directory changes successfully.

Then move your project to the configured directory.
---------------------------------------------------------------------------------------------------------
Apache Security Configuration

1. Hide Banner Information

Servertokens OS modified to: Servertokens Prod (the name of the server operating system is not displayed when the error page appears)

Serversignature on modified to: Serversignature OFF (does not echo Apache version information)

2. Delete the default website and page

Remove default pages to prevent server information from being compromised

3. Can modify banner Information 4. Configuring httpd.conf to disable directory browsing

Change Options Indexes followsymlinks to Options-indexes followsymlinks

5. Configure HTTPD.CONF to set default documents

DirectoryIndex index.html

6. Proper configuration of Apache running accounts

Create a separate running account and account group for Apache and configure it in httpd.conf

User Apachegroup Apache

9. Reasonable control of Apache run account write to disk, execute permissions

Cancel the Apache run account Write permission to the site directory, except the upload directory, other non-site directory to try not to give permission

10. Reasonable control of Apache run account to SH and other execution rights

Cancel the execution of the run account to SH, etc. to prevent Webshell from executing the command via the default sh

11. Configure httpd.conf to cancel PHP execution permissions on the uploaded directory

<directory "/VAR/WWW/HTML/AAA" > <filesmatch ". (PHP|PHP5) $ "> Deny from all </FilesMatch> </Directory>

12. Configure httpd.conf to restrict access to folders, such as the background directory

<directory "/VAR/WWW/HTML/AAA" > Deny from all </Directory>

13. Configure httpd.conf to restrict specific IP access for some special directories, such as internal interfaces.

<directory "/VAR/WWW/HTML/AAA" > Order deny,allow Deny from all to allow from 192.168.1.111 </direct Ory>

14. Configure httpd.conf to restrict access to some file types, such as TXT log

<files ~ ". txt$" > Order allow,deny deny from all </Files>

15. Configure httpd.conf Modify the listening port to prevent some internal systems from being scanned

This will prevent some hackers who directly scan port 80

Listen 12345

16. Turn off support for. htaccess

AllowOverride all to allowoverride None
-------------------------------------------------------------------- ----------------------------------------------------security optimizations for
 php.ini

(1) Open PHP Safe mode PHP's security mode is a very important embedded security mechanism, can control some functions in PHP, such as System (), while many file operation functions have permission control, and do not allow the files of some key files, such as/etc/passwd,  But the default php.ini is not open safe mode, we turn it on: Safe_mode = on  (2) User group security when Safe_mode is turned on, Safe_mode_gid is turned off, and the PHP script is able to access the file, and the same  Users of the group are also able to access the files. The recommended setting is: Safe_mode_gid = off if not set, we may not be able to manipulate the files in our server's web directory, such as when we need to manipulate the files.   (3) Execute Program home directory in Safe mode if Safe mode is turned on, but it is the time to execute some programs, you can specify the home directory where you want to execute the program: Safe_mode_exec_dir = D:/usr/bin In general, there is no program to execute, Therefore, it is recommended not to execute the System program directory, can point to a directory, and then the need to execute the program to copy the past, such as: Safe_mode_exec_dir = D:/tmp/cmd But, I recommend not to execute any program, then you can point to our web directory: Safe_mode _exec_dir = d:/usr/www  (4) Safe mode contains files if you want to include some common files in Safe mode, modify the option: Safe_mode_include_dir = d:/usr/www/include/actually a Like PHP script contains files are in the program itself has been written, this can be set according to the specific needs.   (5) control the directory that PHP scripts can access using the OPEN_BASEDIR option to control the PHP script to access only the specified directory, so that the PHP script can not access the files should not be accessed, to a certain extent limiting the harm of Phpshell, We can generally be set to access only the site Directory: Open_basedir = d:/usr/www  (6) Close dangerous function If Safe mode is turned on, then the function prohibition is not necessary, but we consider it to be safe. For example, we do not want to execute a PHP function that includes the system (), such as the ability to execute commands, or a phpinfo () function that can view PHP information, whichWe can disable them: Disable_functions = System,passthru,exec,shell_exec,popen,phpinfo If you want to disable the operation of any file or directory, you can close many file operations disable _functions = Chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir, Rmdir,rename,file, File_get_contents,fputs,fwrite,chgrp,chmod,chown above is just a list of not commonly used file processing functions, you can also carry out the above command function and this function, you will be able to resist most of the Phpshell.   (7) Turn off the PHP version information in the HTTP header. To prevent hackers from getting the PHP version of the server, you can close the information in the HTTP header: expose_php = off such as hackers in Telnet www.12345.com 80 , you will not be able to see the PHP information.    (8) Close registered global variables the variables submitted in PHP, including those using post or get commits, are automatically registered as global variables and can be accessed directly, which is very insecure to the server, so we can't register the global variable with the Register global variable option off: Register_globals = Off Of course, if this is set, then the corresponding variable should be used in a reasonable way, such as get the variable var of get commit, then use $_get[' var ' to obtain, this PHP programmer should pay attention to.   (9) Open MAGIC_QUOTES_GPC to prevent SQL injection SQL injection is a very dangerous problem, small site background was invaded, heavy the entire server fell, so must be careful. There is a setting in php.ini: MAGIC_QUOTES_GPC = Off is off by default, and if it is turned on, it will automatically convert the user to the SQL query, such as ' turn to \ ', which has a significant effect on preventing SQL injection. So we recommend setting to: MAGIC_QUOTES_GPC = on  (10) Error message control generally PHP is not connected to the database or otherwise, there will be a prompt error, the general error message will contain the PHP script current path information or querySQL statements and other information, such information is not safe to provide to hackers, so the general server recommends that you suppress the error prompt: Display_errors = Off If you are trying to display an error message, be sure to set the level of display errors, such as displaying only the warning messages: Error_ Reporting = e_warning & E_error Of course, I recommend turning off the error prompt.  
Details: http://www.centoscn.com/CentOS/Intermediate/2013/1126/2147.html
--------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------
Mysql
1. Connect the native MySQL

Example 1: Connect to MySQL on this computer.

First open the DOS window, and then enter the directory Mysqlbin, and then type the command mysql-uroot-p, enter after the prompt you to lose the password, if just installed MySQL, superuser root is no password, so directly enter into MySQL, MySQL prompt It's:mysql>.

2. Connect to remote MySQL

Example 2: Connect to MySQL on a remote host. Assume the remote host IP is: 110.110.110.110, the user name is root, the password is abcd123. Type the following command:

Mysql-h110.110.110.110-uroot-pabcd123

(Note: You and root can be used without spaces, others are the same)


3. Modify Login Password

MySQL does not have a password by default, the importance of increasing the password is self-evident.

Format: Mysqladmin-u username-P Old password password new password

4. Start
After the MySQL installation is complete, start the file MySQL in the/ETC/INIT.D directory and run the following command when it needs to start.

[[email protected] init.d]#/etc/init.d/mysql start

5. Stop

/usr/bin/mysqladmin-u root-p shutdown

6. Automatically start to see if MySQL is in the auto-start list

[Email protected] local]#/sbin/chkconfig–list

Add MySQL to your system's startup service group

[[email protected] local]#/sbin/chkconfig–add MySQL

Remove MySQL from the Startup service group.

[[email protected] local]#/sbin/chkconfig–del MySQL

7. Change the MySQL directory

The default data file storage directory for MySQL is/var/lib/mysql.

The following steps are required if you want to move the directory to/home/data:

7.1. Set up the data directory in the home directory

Cd/home mkdir Data

7.2. Stop the MySQL service process:

Mysqladmin-u root-p shutdown

7.3. Move/var/lib/mysql Entire directory to/home/data

mv/var/lib/mysql/home/data/

This will move the MySQL data file to/home/data/mysql.

7.4. Locate the MY.CNF configuration file

If there is no MY.CNF configuration file under the/etc/directory, locate the *.cnf file under/usr/share/mysql/, and copy one of them to/etc/and rename it to MY.CNF).

The command is as follows:

[Email protected] mysql]# CP/USR/SHARE/MYSQL/MY-MEDIUM.CNF/ETC/MY.CNF

7.5. Edit the MySQL configuration file/etc/my.cnf

To ensure that MySQL works correctly, you need to indicate where the Mysql.sock file is generated.

Modify the value in the Socket=/var/lib/mysql/mysql.sock line to the right of the equals sign:/home/mysql/mysql.sock.

The operation is as follows:

VI my.cnf

(Use VI tool to edit the my.cnf file, find the following data modification)

# the MySQL server [mysqld]

Port = 3306

#socket =/var/lib/mysql/mysql.sock (original content, in order to be more secure with "#" Comment this line)

Socket =/home/data/mysql/mysql.sock (plus this line)

7.6. Modify MySQL startup script/etc/rc.d/init.d/mysql

Finally, the MySQL startup script needs to be modified/etc/rc.d/init.d/mysql, the path to the right of the equal sign in the Datadir=/var/lib/mysql line is changed to your current actual storage path: Home/data/mysql.

[Email protected] etc]# Vi/etc/rc.d/init.d/mysql

#datadir =/var/lib/mysql (Note this line)

Datadir=/home/data/mysql (plus this line)

7.7. Restart MySQL Service

/etc/rc.d/init.d/mysql start

or restart Linux with the reboot command

If the work is moving properly, otherwise check the previous 7 steps.

Viii. common operations for MySQL

Note: Each command in MySQL is followed by a semicolon;

8.1, MySQL common operation command 8.1.1, display database list:

show databases;

Just started with two databases: MySQL and test. MySQL Library is very important it has the MySQL system information, we change the password and the new user, is actually using this library to operate.

8.1.2, display the data table in the library:

use MySQL;//Open the library, learn foxbase must not be unfamiliar with it

Show tables;

8.1.3, display the structure of the data table:

describe table name;

8.1.4, building the library:

Create database name;

8.1.5, Build table:

Use library name;

CREATE TABLE table name (field settings list);

8.1.6, deletion and deletion of tables:

drop database name;

drop table name;

8.1.7, empty the records in the table:

Delete from table name;

8.1.8, displays the records in the table:

SELECT * from table name;

8.1.9, add record

For example: Add a few related records.

mysql> INSERT into name values (' ', ' Zhang San ', ' Male ', ' 1971-10-01 ');

mysql> INSERT into name values (' ', ' white Clouds ', ' female ', ' 1972-05-20 ');

You can use the Select command to verify the results.

Mysql> select * from name;

8.1.10, change of record

For example: Change Zhang San's birth date to 1971-01-10

Mysql> Update name set csny= ' 1971-01-10 ' where xm= ' Zhang San ';

8.1.11, deleting Records

For example: Delete the Zhang San record.

mysql> Delete from name where xm= ' Zhang San ';

8.2. An instance of building and building tables and inserting data

Drop database if exists school; Delete if school is present

Create Database School; Building a library School

Use school; Open Library School

CREATE TABLE teacher//Create tables Teacher

(

ID int (3) auto_increment NOT null primary key,

Name Char (TEN) is not NULL,

Address varchar (+) Default ' Shenzhen ',

Year Date

); End of Build table

The following is the Insert field

Insert into teacher values (' ', ' Glchengang ', ' Shenzhen One ', ' 1976-10-10 ');

Insert into teacher values (' ', ' Jack ', ' Shenzhen One ', ' 1975-12-23 ');

Ix. Modifying the structure of the database

9.1. Field Operation 9.1.1, add field

ALTER TABLE dbname Add column < field name >< field Options >

9.1.2, modifying fields

ALTER TABLE dbname change < old field name > < new field name >< options >

9.1.3, deleting fields

ALTER TABLE dbname drop column < field name >

Apache/php/mysql Security Configuration

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.