PHP Security is a major concern for the vast majority of developers. While PHP provides reliable security from the inside out, these security mechanisms need to be properly implemented by developers. We will introduce several PHP security essentials for Linux administrators in this article. These points will help you secure your Web application and ensure that it works in the long run.
Before we begin, it is necessary to understand the systems we are dealing with. For demonstration purposes, we use Fedora. However, these points should apply to the Ubuntu version or any other Linux distribution. See the user manual for your operating system release for more information.
Take a closer look at some of the key files in our system environment. Your file should resemble or correspond to the following:
Default Web server: Apache
Documentroot:/var/www/html
PHP configuration file:/etc/php.ini
Extended Configuration directory:/etc/php.d/
Security files:/etc/php.d/security.ini
These tips will protect your site from different types of common attacks such as SQL injection, XSS, cross-site request forgery attacks, Eval (), and file uploads. You can view a list of common attacks here (https://www.sitepoint.com/top-10-php-security-vulnerabilities/).
1. Remove unnecessary modules.
PHP comes with a built-in PHP module. They are useful for many tasks, but they are not required for every project. Simply enter the following command to view the available PHP modules:
# php-m
Once you have viewed the list, you can now delete unnecessary modules. Reducing the number of modules helps improve the performance and security of the Web applications you work with.
2. Limit the disclosure of PHP information.
Platform leaks critical information is commonplace. For example, PHP will leak some information, such as the version and the fact that it is installed on the server. This can be done through the expose_php command. To prevent leaks, you need to set the command off in/etc/php.d/security.ini.
Expose_php=off
If you need to know the version and its status, just run a simple curl command against the site address to get that information.
Curl-i http://www.livecoding.tv/index.php
The previous command returns the following information:
http/1.1 OK x-powered-by:php/7.0.10 content-type:text/html; charset=utf-8
3. Disable remote code execution.
Remote code execution is one of the common security vulnerabilities in PHP security systems. By default, remote code execution is enabled on your system. The "allow_url_fopen" command allows functions such as request (require), including (include) or URL-aware fopen wrappers to access PHP files directly. Remote access is implemented by using the HTTP or FTP protocol, which can cause the system to be unable to defend against code injection security vulnerabilities.
To ensure that your system is safe and secure from remote code execution, you can set the command to "OFF" as follows:
Allow_url_fopen=off Allow_url_include=off
4. Log the PHP error.
Another easy way to enhance Web application security is to not display errors to visitors. This will ensure that hackers simply cannot compromise the security of the site. Need to be edited in the/etc/php.d/security.ini file.
Display_errors=off
Now you might think: After this step, "How does the developer debug without the help of the error message?" Developers can use the log_errors command for debugging purposes. They only need to set the Log_errors command to "on" in the Security.ini file.
Log_errors=on Error_log=/var/log/httpd/php_scripts_error.log
5. Reasonable control of resources.
To ensure the security of your application, it is important to control resources. To ensure proper execution and security, you need to limit the execution of PHP scripts. In addition, you should limit the time spent parsing the requested data. If execution time is controlled, other resources such as memory used by the script should also be configured accordingly. All of these metrics can be managed by editing the Security.ini file.
# Set in seconds max_execution_time = Max_input_time = Memory_limit = 30M
6. Disable the dangerous PHP function
PHP comes with utility functions for development, but there are a number of functions that hackers can use to break into Web applications. Disabling these functions can improve overall security and ensure that you are not affected by the dangerous PHP functions.
To do this, you first edit the php.ini file. Once you enter the file, locate the disable_functions command and disable the dangerous function inside. To do this, you just copy/paste the following code.
Disable_functions =exec,passthru, shell_exec,system,proc_open,popen,curl_exec, curl_multi_exec,parse_ Ini_file,show_source
Here (http://www.php.cn/) You can learn more about disabling PHP functions that are dangerous.
7. Upload the file.
If your application does not need to upload any files, disabling the ability to upload files can help improve security. To prevent users from uploading files, simply edit the Security.ini file in the/etc/php.d/directory and set the File_uploads command to OFF.
File_uploads=off
8. Keep the version up to date.
Developers work uninterrupted in 24/7, patching the technology you use. PHP is the same. Because it has an open source community, patches and revisions are regularly released. The update also provides security patches for first-day vulnerabilities and other security vulnerabilities. If you focus on the security of your application, always make sure that your PHP solution is the latest version. In addition, the latest patches for other related technologies will ensure maximum security.
9. Control file system access.
By default, PHP can use functions such as fopen () to access files. The Open_basedir command provides access. First, always set the Open_basedir command to the/var/www/html directory. Setting it to any other directory can cause security issues.
Open_basedir= "/var/www/html/"
10. Control the post size.
Our last PHP security key is to control the post size function. The HTTP post function uses the client's browser to send data to the Web server. For example, a user might upload a certificate and then send it to a Web browser for processing. Everything runs smoothly until one day hackers attempt to send huge files to run out of server resources. This is likely to cause the server to crash or slow to respond. To protect the server from this vulnerability, you need to set the post size. The post size can be set in the/etc/php.d/security.ini file.
post_max_size=1k
Conclusion
Security is one of the most interesting issues for Web developers and Linux administrators. If you take the above points, you are bound to enhance the security of your development environment and your PHP Web application. If you think we missed out on important content, please add a message.
The above is a detailed description of the Linux administrator should know the top ten PHP Security essentials details of the content, more relevant content please pay attention to topic.alibabacloud.com (www.php.cn)!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
