Enhance php security by configuring some server-side features of php. Through the configuration of some server characteristics of php to Enhance php Security bysan@xfocus.org front like ShaunClowes and rfp are more detailed introduction of php, cgi program in the programming process encountered by the php some server-side features are configured to Enhance php Security
By san@xfocus.org
Previously, Shaun Clowes and rfp both described in detail the problems encountered by php and cgi programs during programming and how to connect them
Application vulnerability breakthrough system. In this article, we will configure some server-side features of php to Enhance php Security. Write
When using cgi scripts, we must pay attention to various security issues and strictly filter user input. However, there are no wet shoes on the shore.
No Sesame seeds are lost when you eat sesame cakes, and even famous phpnuke, phpMyAdmin and other programs have experienced severe problems.
Not to mention the problem. So now we assume that php scripts have serious problems, such
Phpnuke's ability to upload php scripts is a big problem. how can we solve this problem by configuring the server?
System.
1. pay attention to the known vulnerabilities during compilation.
Since 4.0.5, php's mail function has added the fifth parameter, but it has not been well filtered, making php applications break through
To execute the command. So when using 4.0.5 and 4.0.6, we need to modify the php source package before compiling.
Ext/standard/mail. c File. disable the fifth parameter of the mail function or filter shell characters. In the mail. c file 152nd
Line, that is, the following line:
If (extra_cmd! = NULL ){
Add extra_cmd = NULL; or extra_cmd = php_escape_shell_cmd (extra_cmd); then compile php
Then we fix this vulnerability.
2. modify the php. ini configuration file.
Modify it based on php. ini-dist of the php release version.
1) Error handling and logging
Some settings can be made in the Error handling and logging sections. First find:
Display_errors = On
By default, the error message is displayed in php. we will change it:
Display_errors = Off
After the error display is disabled, the php function execution error information will not be displayed to the user, which can prevent attackers from
The error information tells the physical location of the script and some other useful information, which at least causes certain obstacles to the attacker's black box detection.
. These error messages may be useful to us and can be written to a specified file. modify the following:
Log_errors = Off
Changed:
Log_errors = On
And the specified file. find the following line:
; Error_log = filename
Remove the comment and change filename to the specified file, such as/usr/local/apache/logs/php_error.log.
Error_log =/usr/local/apache/logs/php_error.log
In this way, all errors will be written to the php_error.log file.
2) Safe Mode
The safe_mode function of php limits or disables many functions, which can solve php security problems to a great extent. In
Find the Safe Mode part:
Safe_mode = Off
Changed:
Safe_mode = On
The safe_mode function is enabled. Shell_exec () and ''functions that can execute system commands are disabled.
Some execution functions such as exec (), system (), passthru (), and popen () will be restricted and can only be executed.
Safe_mode_exec_dir specifies the program in the directory. If you want to execute some commands or programs, find the following:
Safe_mode_exec_dir =
Specifies the path of the program to be executed, for example:
Safe_mode_exec_dir =/usr/local/php/exec
Then, copy the program to the/usr/local/php/exec Directory. in this way, the restricted function can execute this directory.
.
For details about restricted functions in safe mode, refer to the instructions on the php main site:
Http://www.php.net/manual/en/features.safe-mode.php
3) disable_functions
If you are not clear about the dangers of some functions and are not using them, simply disable them. Find the following line:
Disable_functions =
Add the function to be disabled after "=". multiple functions are separated by "and.
3. modify httpd. conf
If you only allow your php script program to operate in the web directory, you can also modify the httpd. conf file to limit the php operation path. Ratio
If your web directory is/usr/local/apache/htdocs, add the following lines in httpd. conf:
Php_admin_value open_basedir/usr/local/apache/htdocs
In this way, if the script is to read files other than/usr/local/apache/htdocs, it will not be allowed. if the error is displayed, it will be opened.
The following error is prompted:
Warning: open_basedir restriction in effect. File is in wrong directory in
/Usr/local/apache/htdocs/open. php on line 4
And so on.
4. compile php code
Zend contributes a lot to php. The php P4 engine uses Zend, and it also develops ZendOptimizer and ZendEncode.
And many other php enhancement components. The Optimizer ZendOptimizer is available for free only when registered in the http://www.zend.com,
The following are ZendOptimizer for 4.0.5 and 4.0.6. the file names are for their respective systems:
ZendOptimizer-1.1.0-PHP_4.0.5-FreeBSD4.0-i386.tar.gz
ZendOptimizer-1.1.0-PHP_4.0.5-Linux_glibc21-i386.tar.gz
ZendOptimizer-1.1.0-PHP_4.0.5-Solaris-sparc.tar.gz
ZendOptimizer-1.1.0-PHP_4.0.5-Windows-i386.zip
The Optimizer is very convenient to install. the package contains detailed instructions. Take the UNIX version as an example.
The ZendOptimizer. so file is extracted to a directory. assume it is under/usr/local/lib, and add two sentences in php. ini:
Zend_optimizer.optimization_level = 15
Zend_extension = "/usr/local/lib/ZendOptimizer. so"
You can. Use phpinfo () to see the following text on the left of the Zend icon:
With Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies
The Optimizer is mounted successfully.
But the compiler ZendEncode is not free, here to provide you with a http://www.PHPease.com Ma Yong design
The compiler housing. if used for commercial purposes, contact the http://www.zend.com for a license agreement.
After the php script is compiled, the execution speed of the script increases a lot. only a bunch of garbled characters can be seen in the script file, which will prevent attackers from further analyzing the server.
The script program on the server, and the password originally stored in plain text in the php script is also kept confidential, such as the mysql password. However
Changing scripts on the server is troublesome. you can change the script locally and upload it again.
5. file and directory permission settings
In addition to the upload directory, the permissions on other directories and files in the web directory must not allow the nobody user to have the write permission. Otherwise, attackers can
To modify the homepage file, you must set the permissions for the web Directory.
Also, the owner of the php script must not be root, because the function of reading files in safe_mode is restricted to the owner of the read files.
It can be read only when it is the same as the owner of the script being executed. Otherwise, if an error is displayed, the following errors will be displayed:
Warning: safe mode Restriction in effect. The script whose uid is 500 is not
Allowed to access/etc/passwd owned by uid 0 in/usr/local/apache/htdocs/open. php
On line 3
This prevents many system files from being read, such as/etc/passwd.
The owner of the upload directory and the upload script must be set to the same type. otherwise, errors may occur. pay attention to these errors in safe_mode.
6. mysql startup permission settings
Mysql should note that it is better to create another mysqladm user instead of using root to start mysql. It can be in/etc/rc. local and other systems
Add the following sentence to the startup script:
Su mysqladm-c "/usr/local/mysql/share/mysql. server start"
After the system is restarted, the mysql process is automatically started with the mysqladmin user.
7. Audit and upload of log files and directories
There is a lot to do with viewing logs and human inertia. it is necessary to search for attack traces from such a large log file, and there may not be a haystack.
Files in the directory uploaded on the web should also be checked frequently. maybe the program is faulty. the user uploads some illegal files, such as the execution script.
.
8. operating system patches
Similarly, patches for known system vulnerabilities are the most basic responsibilities of the system administrator. this is the last line of defense.
After the above configuration, although it cannot be fixed, it also causes a lot of trouble for attackers to test, even if the php script
Serious vulnerabilities occur in sequence, and attackers cannot cause actual damage.
If you still have a more eccentric and abnormal configuration method, I hope you can share it with me.) (source: viphot)
Sort by san@xfocus.org front like Shaun Clowes and rfp are more detailed introduction of php, cgi programs encountered in the programming process...
