Discuz Forum security reinforcement

Source: Internet
Author: User

Discuz is arguably the best bbs program written in PHP, and the company recently added a Discuz application. Running a PHP program on a server is, in practice, less safe than running a Java program, and sure enough the site was hacked shortly after it went live. The same machine had been running JSP applications without incident for more than a year. That does not make Java better than PHP. The JSP applications stayed clean for two reasons: Java itself has some relatively safe characteristics, and a lot of work had gone into operations and into the code itself to guard against SQL injection and file-upload vulnerabilities. PHP is a fast and efficient development language, and with proper hardening it is no less secure than Java code. The hardening applied to Discuz is as follows.

1. Forbid access to PHP files in the directories that accept uploads: data, images, config, static, source and template. (The safer option is an allow-list: name what may run and refuse everything else.)

    # must appear before the generic "location ~ \.php$" that hands scripts to php-fpm
    location ~* ^/(data|images|config|static|source|template)/.*\.(php|php5)$ {
        deny all;
    }

 

With this in place, even if an upload vulnerability lands a PHP file in one of those directories, nginx answers 403 and never hands the file to php-fpm, so it cannot execute. Note that nginx tests regex locations in the order they appear in the configuration and uses the first match, so this block has to come before the generic location that passes .php requests to php-fpm. The safer approach is to allow a few named entry points and deny everything else, for example:
    location ~ ^/(index|forum|group|archiver|api|uc_client|uc_server).*\.php$ {
        # anchored to the document root (^/) and to a real .php suffix: the
        # unanchored original with "\.(php)?$" also matched paths such as
        # /data/attachment/forum/x.php and paths ending in a bare dot
        allow all;
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
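The two rules of step 1 only work together when they are ordered correctly and anchored. The server block below is an added example, not configuration from the original article; it assumes the forum is installed in /www/discuz, answers for bbs.example.com and talks to php-fpm on 127.0.0.1:9000 (all three are assumptions). The allow-list mirrors the page's entries and is as incomplete as the article says; the new piece is the catch-all deny at the end, which turns a forgotten root script into a 403 instead of an exposed entry point.

```nginx
# Added example, not code from the original article: step 1's deny rule and
# allow-list in one server block, in the order nginx requires.
# Assumed values: forum root /www/discuz, hostname bbs.example.com,
# php-fpm listening on 127.0.0.1:9000.
server {
    listen      80;
    server_name bbs.example.com;
    root        /www/discuz;
    index       index.php;

    # nginx tests regex locations in file order and takes the first match,
    # so the writable directories are denied BEFORE anything is allowed.
    # uc_client/data and uc_server/data hold the UCenter cache, which the
    # web user can write to as well.
    location ~* ^/(data|images|config|static|source|template|uc_client/data|uc_server/data)/.*\.(php|php5|phtml)$ {
        deny all;
    }

    # Allow-list, mirroring the page's entries and anchored to the document
    # root. It is still incomplete in the way the article describes: home.php,
    # member.php and the other root-level scripts would have to be added.
    location ~ ^/((index|forum|group|api)\.php|(archiver|api|uc_client|uc_server)/.*\.php)$ {
        try_files     $uri =404;         # no script on disk, no request to php-fpm
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        include       fastcgi.conf;      # ships with nginx; sets SCRIPT_FILENAME
    }

    # Anything else that ends in .php is refused. A root-level script that a
    # new release adds shows up as a 403 to fix, not as an open entry point.
    location ~* \.(php|php5|phtml)$ {
        deny all;
    }

    # static files
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Validate with nginx -t before reloading, then request a PHP path under data/ (for example a freshly created data/attachment/forum/test.php) and confirm the response is 403 rather than a PHP-generated page.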

 

That allow-list is only an example; the PHP files in the forum's root directory are not all listed. A further problem is that every new release that changes the directory layout or adds a PHP file to the root directory requires a matching change to the nginx configuration.

2. Run nginx and php-fpm as an unprivileged user. For example, create a user www with no home directory and no login shell. nginx and php-fpm start as root and switch their worker processes to www internally (nginx.conf: user www; php-fpm pool: user = www and group = www), the same way mysqld does. The command to add the user is:

    useradd www -d /dev/null -s /sbin/nologin

If that still does not feel safe enough, tools such as chroot and sudo can further restrict which directories the www user can reach and which commands it can call.

3. Directory permission control. Revoke write permission from every directory under the Discuz root except data. The following shell commands for this step circulate on the Internet:
    find source -type d -maxdepth 4 -exec chmod 555 {} \;
    find api -type d -maxdepth 4 -exec chmod 555 {} \;
    find static -type d -maxdepth 4 -exec chmod 555 {} \;
    find archiver -type d -maxdepth 4 -exec chmod 555 {} \;
    find config -type d -maxdepth 4 -exec chmod 555 {} \;
    find data -type d -maxdepth 4 -exec chmod 755 {} \;
    find template -type d -maxdepth 4 -exec chmod 555 {} \;
    find uc_client -type d -maxdepth 4 -exec chmod 555 {} \;

 

Running those commands, however, produces a warning:

    find: warning: you have specified the -maxdepth option after a non-option argument -type, but options are not positional (-maxdepth affects tests specified before it as well as those specified after it). Please specify options before other arguments.

The correct form puts -maxdepth before the tests:
    find source -maxdepth 4 -type d -exec chmod 555 {} \;
    find api -maxdepth 4 -type d -exec chmod 555 {} \;
    find static -maxdepth 4 -type d -exec chmod 555 {} \;
    # the directory is "archiver" in Discuz; the copy circulating online has "archive"
    find archiver -maxdepth 4 -type d -exec chmod 555 {} \;
    find config -maxdepth 4 -type d -exec chmod 555 {} \;
    find data -maxdepth 4 -type d -exec chmod 755 {} \;
    find template -maxdepth 4 -type d -exec chmod 555 {} \;
    find uc_client -maxdepth 4 -type d -exec chmod 555 {} \;

 

Note: the -maxdepth 4 can also be dropped. After the directories, set the file permissions:

    find . -type f -exec chmod 444 {} \;       # every file in the forum tree read-only
    find data -type f -exec chmod 755 {} \;    # files under data writable; normally only data needs this

Two caveats. Files under data do not need the execute bit, so 644 does the same job as 755. And the mode bits only help if the read-only tree is not owned by the www user: a script running as www can call chmod() on files www owns and make them writable again (chmod is not among the functions disabled below). Have root own the tree and www own only data.

4. Prohibit PHP's system-level function calls and cross-site (cross-directory) file access. Set the following two options in php.ini:
    open_basedir = .:/tmp/
    ; duplicates (ini_alter, checkdnsrr) and two names that are not PHP functions
    ; (dll, popepassthru) removed from the list as it circulated
    disable_functions = passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,stream_socket_server,escapeshellcmd,popen,disk_free_space,checkdnsrr,getservbyname,getservbyport,disk_total_space,posix_ctermid,posix_get_last_error,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_strerror,posix_times,posix_ttyname,posix_uname
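Step 3 above is spread over a dozen find invocations and says nothing about ownership. The script below is an added example, not code from the original article: it applies the same scheme (555 directories and 444 files everywhere, writable data only) to a whole forum tree in one pass, adds the ownership split that keeps a script running as www from chmod()ing the tree back, and ends with an audit function that counts what is still writable outside data. It assumes the forum root is passed as an argument, that php-fpm runs as the user www (the chown step runs only as root and only if that user exists), and GNU find for -perm /mode; the tree built by make_demo_tree is a constructed sample, not a real install.

```shell
#!/bin/sh
# Added example, not code from the original article: step 3's permission
# scheme applied to a Discuz tree in one pass, with an audit function.
# Assumptions: the forum root is given as an argument, php-fpm runs as the
# user "www" (ownership is changed only as root and only if that user
# exists), and GNU find (-perm /mode) is available.
set -eu

# Make every directory 555 and every file 444, except under data/.
# Top-level entry scripts (index.php, forum.php, ...) are covered as well.
harden_tree() {
    root=${1%/}
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

    find "$root" -path "$root/data" -prune -o -type d -exec chmod 555 {} \;
    find "$root" -path "$root/data" -prune -o -type f -exec chmod 444 {} \;

    # data/ is the only writable part; its files never need the execute bit,
    # so 644 rather than the 755 used in the article
    if [ -d "$root/data" ]; then
        find "$root/data" -type d -exec chmod 755 {} \;
        find "$root/data" -type f -exec chmod 644 {} \;
    fi

    # Ownership matters as much as the mode bits: if www owned the read-only
    # tree, a script running as www could chmod() it writable again (chmod is
    # not in the article's disable_functions list). root owns the tree, www
    # owns data/. Skipped when not running as root or when www does not exist.
    if [ "$(id -u)" = 0 ] && id www >/dev/null 2>&1; then
        chown -R root:root "$root"
        chown -R www:www "$root/data"
    fi
}

# Audit: number of files and directories outside data/ that still carry a
# write bit for anyone. 0 means the scheme is in place.
count_writable_outside_data() {
    root=${1%/}
    find "$root" -path "$root/data" -prune -o \( -type f -o -type d \) -perm /222 -print \
        | wc -l | tr -d ' '
}

# A throw-away tree with the parts of a Discuz X layout the scheme cares
# about (constructed sample, not a real install). Prints its path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/source/class" "$t/config" "$t/static/image" \
             "$t/data/attachment/forum" "$t/data/cache"
    for f in index.php forum.php config/config_global.php \
             source/class/class_core.php static/image/logo.png \
             data/cache/cache_setting.php data/attachment/forum/shell.php; do
        : > "$t/$f"     # shell.php stands in for what an upload bug leaves behind
    done
    echo "$t"
}

# usage: sh harden_discuz.sh /www/discuz
if [ "$#" -eq 1 ]; then
    harden_tree "$1"
    echo "paths outside data/ still writable: $(count_writable_outside_data "$1")"
fi
```

The upload-dropped shell.php in the sample tree stays executable only in the sense that the web server could read it; with the nginx deny rule of step 1 in front of it, it is never handed to PHP, and with root owning everything outside data/, PHP cannot widen the rest of the tree either.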

 

The php.ini settings in step 4 exist mainly to block calls from PHP into the operating system. One note on open_basedir: the value "." is resolved against the script's working directory, which a script can change with chdir(), so an explicit path such as the forum's root directory is safer than ".".

5. Isolate the KVM guest so that it cannot reach other hosts. This step depends on the environment: under KVM, each application can be confined to its own virtual machine, with web traffic reaching it either as client -> physical host (iptables NAT) -> KVM guest, or as client -> web front end -> physical host (iptables NAT) -> KVM guest.

6. Database control. When creating the MySQL user, grant only the privileges the application needs, and restrict the host the user may connect from. For example:
    -- the password is the article's placeholder; use a generated one
    CREATE USER 'discuz'@'192.168.0.%' IDENTIFIED BY '66ZX811a';
    GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, TRIGGER, CREATE TEMPORARY TABLES
        ON discuz.* TO 'discuz'@'192.168.0.%';
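Steps 2 and 4 end up in the same file on a php-fpm host: the pool configuration. The fragment below is an added example, not configuration from the original article. It assumes a pool named discuz, the forum root /www/discuz, php-fpm listening on 127.0.0.1:9000 and the www user from step 2 (all assumptions). It keeps the article's disable_functions list but replaces open_basedir = . with an explicit path, uses php_admin_value so a hijacked script cannot undo the settings with ini_set() or a .user.ini file, and adds security.limit_extensions, which stops php-fpm executing anything that is not a .php file even when a path such as /data/attachment/evil.jpg/x.php is passed to it.

```ini
; Added example, not from the original article: one php-fpm pool that holds
; step 2 (run as www) and step 4 (open_basedir, disable_functions).
; Assumed values: pool name discuz, forum root /www/discuz,
; listen address 127.0.0.1:9000, run user www.
[discuz]
user   = www
group  = www
listen = 127.0.0.1:9000

; Execute only files whose extension is .php, whatever SCRIPT_FILENAME says.
; A request for /data/attachment/evil.jpg/x.php would otherwise make PHP
; run evil.jpg when cgi.fix_pathinfo is enabled.
security.limit_extensions = .php

; php_admin_value settings cannot be changed back by ini_set() or by a
; .user.ini dropped into the web root, so a hijacked script cannot undo them.
; Explicit paths instead of ".": PHP resolves "." against the working
; directory, which a script can move with chdir(). /tmp/ stays in the list
; because uploads are written there before move_uploaded_file().
php_admin_value[open_basedir]     = /www/discuz/:/tmp/
php_admin_value[upload_tmp_dir]   = /tmp/
php_admin_flag[allow_url_include] = off

; Same list as the page's php.ini, with the duplicates and the two names that
; are not PHP functions (dll, popepassthru) removed
php_admin_value[disable_functions] = passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,stream_socket_server,escapeshellcmd,popen,disk_free_space,checkdnsrr,getservbyname,getservbyport,disk_total_space,posix_ctermid,posix_get_last_error,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_strerror,posix_times,posix_ttyname,posix_uname
```

Check the pool with php-fpm -t before reloading, and verify from inside the forum with a one-line script that ini_get('open_basedir') returns the explicit path and that ini_set('disable_functions', '') has no effect.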

 

