Enhance php security by configuring server features

Enhance php security by configuring server-side features. author: san <xuzhikun@nsfocus.com>
Home: http://www.nsfocus.com
Date: 2001-11-15

Previously, Shaun Clowes and rfp described in detail the problems encountered by php and cgi programs during programming and how to break through the system through application vulnerabilities, in this article, we will configure some server-side features of php to Enhance php Security. When writing cgi scripts, we must pay attention to various security issues and strictly filter user input. However, when we often go to the shore, there will be no wet shoes, and there will be no Sesame seeds when we eat biscuits, people have lost their feet, and even the famous phpnuke, phpMyAdmin and other programs have encountered serious problems. What's more, they are like the scripts I am waiting. So now let's assume that php scripts have serious problems, such as the large problem that phpnuke could Upload php scripts a while ago, we cannot break through the system by configuring the server so that the script has such a problem.

1. pay attention to the known vulnerabilities during compilation.

Since 4.0.5, php's mail function has added the fifth parameter, but it does not properly filter it, so that php applications can break through the safe_mode restrictions to execute commands. So when using 4.0.5 and 4.0.6, we need to modify the php source package before compiling.
Ext/standard/mail. c File. disable the fifth parameter of the mail function or filter shell characters. In mail. c
The second line of the file, that is, the following line:
If (extra_cmd! = NULL ){
Add extra_cmd = NULL; or extra_cmd = php_escape_shell_cmd (extra_cmd );
Then compile php, then we fix this vulnerability.

2. modify the php. ini configuration file.

Modify it based on php. ini-dist of the php release version.
1) Error handling and logging
Some settings can be made in the Error handling and logging sections. First find:
Display_errors = On
By default, the error message is displayed in php. we will change it:
Display_errors = Off

After the error display is disabled, the php function execution error information will not be displayed to the user.
To some extent, attackers are prevented from learning the physical location of the script from the error information, as well as some other useful information, which may at least cause certain obstacles to the hacker's black box detection. These error messages may be useful to us and can be written to a specified file. modify the following:
Log_errors = Off
Changed:
Log_errors = On

And the specified file. find the following line:
; Error_log = filename
Remove the comment and change filename to the specified file, as shown in figure
/Usr/local/apache/logs/php_error.log

Error_log =/usr/local/apache/logs/php_error.log
In this way, all errors will be written to the php_error.log file.

2) Safe Mode

The safe_mode function of php limits or disables many functions, which can solve php's
Security issues. In the Safe Mode section, find:
Safe_mode = Off
Changed:
Safe_mode = On

The safe_mode function is enabled. Shell_exec () and ''functions that can execute system commands are prohibited. other execution functions include exec (), system (), passthru (), and popen () only programs in the directory specified by safe_mode_exec_dir can be executed. If you want to execute some commands or programs, find the following:
Safe_mode_exec_dir =
Specifies the path of the program to be executed, for example:
Safe_mode_exec_dir =/usr/local/php/exec

Copy the program to the/usr/local/php/exec directory.
Can also execute programs in this directory.

For details about restricted functions in safe mode, refer to the instructions on the php main site:
Http://www.php.net/manual/en/features.safe-mode.php

3) disable_functions

If you are not clear about the dangers of some functions and are not using them, simply disable them.
Stopped. Find the following line:
Disable_functions =
Add the function to be disabled after "=". multiple functions are separated by "and.

3. modify httpd. conf

If you only allow your php script program to operate in the web directory, you can also modify the httpd. conf file to limit the php operation path. For example, if your web directory is/usr/local/apache/htdocs
Add the following lines to httpd. conf:


Php_admin_value open_basedir/usr/local/apache/htdocs


In this way, if the script is to read files other than/usr/local/apache/htdocs,
If the error is displayed

The following error is prompted:
Warning: open_basedir restriction in effect. File is in wrong directory in
/Usr/local/apache/htdocs/open. php on line 4
And so on.

4. compile php code

Zend contributes a lot to php. The php P4 engine uses Zend, and it also develops ZendOptimizer.
And ZendEncode. The Optimizer ZendOptimizer only needs
Http://www.zend.com registration can be obtained for free, the following are for 4.0.5 and 4.0.6
ZendOptimizer:

Zendoptimizer-11_12.16.1.0-php_4.0.5-freebsd4.0-i386.tar.gz
Zendoptimizer-11_12.16.1.0-php_4.0.5-linux_glibc21-i386.tar.gz
Zendoptimizer-11_12.16.1.0-php_4.0.5-solaris-sparc.tar.gz
Zendoptimizer-11_12.16.1.0-php_4.0.5-windows-i386.zip


The Optimizer is very convenient to install. the package contains detailed instructions. Take the UNIX version as an example.
System, decompress the ZendOptimizer. so file in the package to a directory, for example,/usr/local/lib
In php. ini, add the following two sentences:
Zend_optimizer.optimization_level = 15
Zend_extension = "/usr/local/lib/ZendOptimizer. so"

You can. Use phpinfo () to see the following text on the left of the Zend icon:
With Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies

The Optimizer is mounted successfully.
However, the ZendEncode compiler is not free of charge. Here we provide you with
The http://www.PHPease.com's Ma Yong design of the compiler housing, if used for commercial purposes, please contact
The http://www.zend.com contacts to obtain the license agreement.

After the php script is compiled, the execution speed of the script increases a lot, and only a bunch of garbled characters can be seen in the script file.
Attackers are prevented from further analyzing script programs on the server and stored in plain text in php scripts.
The password is also kept confidential, such as the mysql password. However, it is troublesome to change the script on the server,
Modify the local file and upload it again.


5. file and directory permission settings

In addition to the upload directory, the permissions of other directories and files in the web Directory cannot be granted to the nobody user
Permission. Otherwise, attackers can modify the home page file. Therefore, you must set the permissions for the web Directory.
. In addition, the owner of the php script cannot be root, because the function of reading files in safe_mode is limited.
The owner of the file to be read must be the same as the owner of the script being executed. Otherwise, if
If an error is displayed, the following errors are displayed:

Warning: safe mode Restriction in effect. The script whose uid is 500 is not
Allowed to access/etc/passwd owned by uid 0 in/usr/local/apache/htdocs/open. php
On line 3
This prevents many system files from being read, such as/etc/passwd.

The owner of the upload directory and the upload script must be set to the same. Otherwise, an error will occur, in safe_mode.
Note these.

6. mysql startup permission settings


Mysql should note that it is better to create another mysqladm user instead of using root to start mysql. You can
Add the following statement to the/etc/rc. local system startup script:
Su mysqladm-c "/usr/local/mysql/share/mysql. server start"

After the system is restarted, the mysql process is automatically started with the mysqladmin user.

7. Audit and upload of log files and directories

There is a lot to do with viewing logs and human inertia. it is necessary to search for attack traces from such a large log file, and there may not be a haystack. Files in the directory uploaded by the web should also be checked frequently. maybe
The program has a problem. The user uploads some illegal files, such as scripts.

8. operating system patches

Similarly, patches for known system vulnerabilities are the most basic responsibilities of the system administrator. this is the last line of defense.


After the above configuration, although it cannot be fixed, it also causes a lot of trouble for attackers to test, even if the php script program has a serious vulnerability, attackers cannot cause actual damage. If you still have a more eccentric and abnormal configuration method, I hope you can share it with me ;)