PHP is widely used in web development, and a misconfigured server-side scripting setup causes a wide range of problems. Today most web servers run in a Linux-based environment (e.g. Ubuntu, Debian). This article lists ten recommended security practices for PHP so that you can configure it easily and securely.
PHP Security Settings Tips:
DocumentRoot: /var/www/
Default web server: apache
Default PHP configuration file: /etc/php.ini
Default PHP extensions config directory: /etc/php.d/
Our sample PHP security config file: /etc/php.d/security.ini (you need to create this file with a text editor)
Operating system: Ubuntu (the instructions should work on any other Linux distribution such as RHEL/CentOS/Fedora, or on Unix-like operating systems such as OpenBSD/FreeBSD/HP-UX).
1. Reduce PHP built-in modules
To improve both performance and security, it is highly recommended to reduce the number of modules loaded into PHP. To see which modules are currently installed, run:
# php -m
You will get a similar result:
[PHP Modules]
Apc
Bcmath
bz2
Calendar
Core
CType
Curl
Date
Dom
Ereg
Exif
FileInfo
Filter
Ftp
Gd
GetText
Gmp
Hash
Iconv
Imap
Json
Libxml
Mbstring
Memcache
Mysql
Mysqli
Openssl
Pcntl
Pcre
Pdo
Pdo_mysql
Pdo_sqlite
Phar
ReadLine
Reflection
Session
Shmop
SimpleXML
Sockets
Spl
Sqlite3
Standard
Suhosin
Tokenizer
Wddx
Xml
XmlReader
Xmlrpc
XmlWriter
Xsl
Zip
Zlib
[Zend Modules]
Suhosin
To remove a module, delete or rename its configuration file in /etc/php.d/. Example: disabling the sqlite3 module:
# rm /etc/php.d/sqlite3.ini
Or
# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable
2. Minimizing PHP information disclosure
By default, PHP adds a line such as X-Powered-By: PHP/5.2.10 to the HTTP header of every response. This tells an attacker exactly which PHP version the system runs, which is very valuable information for them.
HTTP example:
HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.10
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wikiToken;string-contains=wikiLoggedOut;string-contains=wiki_session
Last-Modified: Thu, ... 22:32:55 GMT
...
Therefore we strongly recommend suppressing this disclosure. To do so, edit /etc/php.d/security.ini and set the following directive:
expose_php = Off
3. Minimizing loaded PHP modules
By default, all modules loaded on RHEL are configured in the /etc/php.d/ directory. To disable or enable a specific module, simply rename that module's configuration file in /etc/php.d/. To optimize PHP performance and security, we strongly recommend enabling an extension only when your application actually needs it. For example, to disable the GD extension, type the following commands:
# cd /etc/php.d/
# mv gd.{ini,disable}
# /etc/init.d/apache2 restart
To re-enable the PHP GD module, type the following commands:
# mv gd.{disable,ini}
# /sbin/service httpd restart
4. Log PHP error messages
To improve the security of your system and web applications, PHP error messages must not be shown to users. To do this, edit the /etc/php.d/security.ini file and set the following directive:
display_errors = Off
All PHP error messages should instead be written to a log file so that developers can still find and fix bugs:
log_errors = On
error_log = /var/log/httpd/php_scripts_error.log
5. Disabling remote code execution
When remote file access is enabled, PHP's file functions (for example file_get_contents()) can retrieve data from remote locations over protocols such as FTP or HTTP instead of only from the local filesystem.
Many programmers use these functions to fetch data remotely via FTP or HTTP. However, this creates a large attack surface in PHP-based applications: code-injection vulnerabilities arise because most programmers do not properly filter the user-supplied data they pass to these functions. To address this, disable allow_url_fopen in /etc/php.d/security.ini with the following directive:
allow_url_fopen = Off
In addition, I also recommend disabling allow_url_include to improve the security of your system:
allow_url_include = Off
6. Disable dangerous functions in PHP
PHP has many dangerous built-in functions that can damage your system if used improperly. You can disable them by listing them in /etc/php.d/security.ini:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
7. Resource control
To improve the stability of the system, it is highly recommended to limit the time each script may spend parsing request data and the maximum amount of memory a script may consume. Configuring these parameters correctly prevents any single PHP script from consuming too much CPU time or memory, which would otherwise degrade the system's stability and security.
; set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
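The directives from sections 2, 4, 5, 6 and 7 are easy to get subtly wrong (a value left at its default, a function missing from disable_functions). The following script is an added example, not part of the original article: it reads a php.ini-style file and reports every directive that does not match the hardened values recommended above. The two sample files it writes are constructed for the demonstration, and the required function list, the "last assignment wins" rule and the treatment of unset values as findings are assumptions of this checker, not behaviour documented by PHP.

```shell
#!/bin/sh
# Audit a php.ini-style file against the article's hardening directives.
# Usage: sh audit_php_ini.sh demo   (or source it and call audit_php_ini FILE)

# ini_get FILE KEY: print KEY's value (case-insensitive key, last assignment wins),
# ignoring ';' comment lines, trailing comments, whitespace and surrounding quotes.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                            # whole-line comment
        index($0, "=") {
            k = $0; sub(/=.*/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) != tolower(key)) next
            v = $0; sub(/^[^=]*=/, "", v)
            sub(/;.*/, "", v)                          # trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            val = v                                    # later assignments override earlier ones
        }
        END { print val }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_php_ini FILE: print one "FINDING:" line per weak directive; exit 1 if any.
audit_php_ini() {
    f=$1; rc=0
    for key in expose_php display_errors allow_url_fopen allow_url_include; do
        v=$(ini_get "$f" "$key")
        case $(lower "$v") in
            off|0|false|no) ;;
            *) echo "FINDING: $key should be Off (found '${v:-unset}')"; rc=1 ;;
        esac
    done
    v=$(ini_get "$f" log_errors)
    case $(lower "$v") in
        on|1|true|yes) ;;
        *) echo "FINDING: log_errors should be On (found '${v:-unset}')"; rc=1 ;;
    esac
    # Assumed minimum set of functions that must appear in disable_functions.
    df=$(ini_get "$f" disable_functions)
    for fn in exec passthru shell_exec system proc_open popen; do
        case ",$(printf '%s' "$df" | tr -d ' ')," in
            *",$fn,"*) ;;
            *) echo "FINDING: disable_functions lacks $fn"; rc=1 ;;
        esac
    done
    for key in max_execution_time max_input_time memory_limit; do
        [ -n "$(ini_get "$f" "$key")" ] || { echo "FINDING: $key is not set"; rc=1; }
    done
    return $rc
}

# sample_ini weak|hardened: constructed sample files for the demonstration.
sample_ini() {
    case $1 in
    weak) cat <<'EOF'
; constructed sample: a permissive configuration
expose_php = On
display_errors = On
allow_url_fopen = On
memory_limit = 128M
EOF
    ;;
    hardened) cat <<'EOF'
; constructed sample: the article's /etc/php.d/security.ini
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/httpd/php_scripts_error.log
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
max_execution_time = 30   ; seconds
max_input_time = 30
memory_limit = 40M
EOF
    ;;
    esac
}

demo() {
    for profile in weak hardened; do
        f=$(mktemp)
        sample_ini "$profile" > "$f"
        echo "== $profile =="
        if audit_php_ini "$f"; then echo "no findings"; fi
        rm -f "$f"
    done
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh audit_php_ini.sh demo`; the "weak" profile produces one finding per directive, the "hardened" profile produces none. Against a real server, call `audit_php_ini` on the output of `php --ini`'s loaded files, since a directive in /etc/php.ini is silently overridden by a later file in /etc/php.d/.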
8. Restrict PHP access to the file system
The open_basedir directive limits the files that PHP may open with fopen() and related functions to the specified directory tree. If a script attempts to access a file outside the open_basedir tree, PHP refuses to open it. Note that a symbolic link cannot be used as a workaround.
; Limits the PHP process from accessing files outside
; of specifically designated directories such as /var/www/html/
open_basedir = "/var/www/html/"
; ------------------------------------
; Multiple dirs example
; open_basedir = "/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"
; ------------------------------------
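To see why a symlink does not get around open_basedir, the following shell script (an added example, not PHP's own implementation) emulates the check: it resolves the requested path, following symlinks, and only then compares it against the colon-separated directory list. The temporary directory layout, the file names and the bounded symlink loop are constructed for this demonstration.

```shell
#!/bin/sh
# Emulation of the open_basedir prefix check, with symlinks resolved first.

# resolve_real PATH: print PATH with every symlink component resolved.
resolve_real() {
    target=$1
    n=0
    while [ -L "$target" ] && [ "$n" -lt 40 ]; do   # bounded, so link loops terminate
        link=$(readlink "$target")
        case $link in
            /*) target=$link ;;
            *)  target=$(dirname "$target")/$link ;;
        esac
        n=$((n + 1))
    done
    dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "${dir%/}" "$(basename "$target")"
}

# open_basedir_allows "DIR1:DIR2:..." PATH: exit 0 if PATH resolves to a location
# inside one of the listed directories, 1 otherwise (PHP's "refuse to open" case).
open_basedir_allows() {
    bases=$1
    real=$(resolve_real "$2") || return 1
    old_ifs=$IFS
    IFS=:
    for base in $bases; do
        IFS=$old_ifs
        rb=$(resolve_real "$base") || continue
        case $real in
            "$rb"|"$rb"/*) return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# build_fixture: create a constructed docroot with a symlink that points outside it.
build_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/www/html" "$t/outside"
    echo '<?php echo "hi";' > "$t/www/html/index.php"
    echo 'not for the web' > "$t/outside/secret.txt"
    ln -s ../../outside/secret.txt "$t/www/html/escape.txt"   # symlink escaping the tree
    printf '%s\n' "$t"
}

demo() {
    t=$(build_fixture)
    for p in "$t/www/html/index.php" "$t/www/html/escape.txt" "$t/outside/secret.txt"; do
        if open_basedir_allows "$t/www/html/" "$p"; then echo "allowed: $p"; else echo "denied:  $p"; fi
    done
    rm -rf "$t"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Running `sh open_basedir_demo.sh demo` shows index.php allowed and both escape.txt (the symlink) and the file it points to denied. The trailing slash on the directory matters in real PHP as well: open_basedir is a prefix match, so "/var/www/html" without the slash would also cover "/var/www/html2".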
9. Restricting file/directory access
Apply the appropriate ownership settings: make sure Apache runs as a non-root user such as www-data or www, and that the files and directories under /var/www/ are also owned by a non-root user. To change the owner, execute the following command:
# chown -R apache:apache /var/www/
10. Protect the Apache, PHP and MySQL configuration files with chattr
Use the chattr command to make the configuration files immutable:
# chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.ini
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/
Use the chattr command in the same way to protect individual PHP files or the whole /var/www/html/ directory:
# chattr +i /var/www/html/file1.php
# chattr +i /var/www/html/
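After applying the ownership change from section 9, a quick way to confirm that nothing under the document root has drifted is to look for files that are not owned by the web server user or that are writable by everyone. The script below is an added example, not part of the article; the check covers ownership and world-writability only (the chattr immutable flag from section 10 needs root and an ext-family filesystem, so it is not exercised here), and the test tree it builds is constructed.

```shell
#!/bin/sh
# check_docroot ROOT OWNER: list entries under ROOT that are not owned by OWNER
# or are world-writable; exit 0 when the tree is clean, 1 otherwise.
check_docroot() {
    root=$1; owner=$2
    # The parentheses matter: without them "-o" binds only the second test.
    offenders=$(find "$root" \( ! -user "$owner" -o -perm -002 \) -print)
    [ -z "$offenders" ] && return 0
    printf 'needs attention:\n%s\n' "$offenders"
    return 1
}

demo() {
    t=$(mktemp -d)                      # constructed stand-in for /var/www/html/
    touch "$t/index.php"; chmod 644 "$t/index.php"
    touch "$t/upload.php"; chmod 666 "$t/upload.php"   # deliberately world-writable
    check_docroot "$t" "$(id -un)" || echo "exit status $?"
    rm -rf "$t"
}
if [ "${1:-}" = demo ]; then demo; fi
```

In production the second argument is the account Apache runs as (apache, www-data or www); this script uses the current user so that it runs anywhere.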