Improve PHP security by configuring some of the server-side features of PHP

Security | Front of the server like Shaun Clowes and RFP, etc. are more detailed introduction of PHP, CGI program in the programming process encountered problems, and how to use the Application vulnerability Breakthrough System, this article we have some of PHP server-side features to configure to enhance PHP security. When writing CGI scripts, we do pay attention to various security issues, the user input for strict filtration, but often in the shore to go where there is not wet shoes, eat sesame seeds where there is no horse, people have lost shoes, even the famous Phpnuke, phpMyAdmin and other procedures have been very serious problems, Not to mention the script that I've been writing for little punks. So now let's assume that the PHP script has serious problems, such as the big problem of uploading PHP scripts like the previous Phpnuke, and how we can make the script appear so problematic through the configuration of the server that it doesn't break the system.

1, compile time to pay attention to the known vulnerabilities

Starting with 4.0.5, PHP's Mail function added the fifth parameter, but it didn't filter properly, allowing the PHP application to break through the safe_mode limit and execute the command. So when using 4.0.5 and 4.0.6, we need to modify the ext/standard/mail.c file in the PHP source package before compiling it, prohibit the mail function's fifth parameter or filter the shell character. In the 152th line of the mail.c file, which is the following line:

if (extra_cmd!= NULL) {

followed by extra_cmd=null or extra_cmd = Php_escape_shell_cmd (Extra_cmd), and then compiling PHP so we patched up the vulnerability.


2, modify the php.ini configuration file

The PHP release version of the Php.ini-dist as the blueprint for the revision.

1) Error Handling and logging

Some settings can be made in the error handling and logging sections. First find:

Display_errors = On

PHP defaults to open error message display, we change it to:

Display_errors = Off

When the error display is turned off, the PHP function does not display the wrong information to the user, which in some way prevents the attacker from knowing the physical location of the script from the error message, as well as some other useful information, at least causing a certain obstacle to the attacker's black box detection. These error messages may be useful to us and can be written to the specified file, then modify the following:

Log_errors = Off

To

Log_errors = On

and the specified file, locate the following line:

; error_log = filename

Remove the previous note, change the filename to the specified file, such as/usr/local/apache/logs/php_error.log

Error_log =/usr/local/apache/logs/php_error.log

So all the mistakes will be written in the Php_error.log file.

2) Safe Mode

PHP's Safe_mode function restricts or disables many functions, and can solve PHP's security problems to a large extent. Find in the Safe Mode section:

Safe_mode = Off

To

Safe_mode = On

This turns on the Safe_mode feature. Like some functions that can perform system commands shell_exec () and ' are forbidden, some other executive functions such as exec (), System (), PassThru (), Popen () will be restricted to perform only safe_mode_exec_ DIR Specifies the program in the directory. If you are really going to execute some commands or procedures, find the following:

Safe_mode_exec_dir =

Specifies the path of the program to be executed, such as:

Safe_mode_exec_dir =/usr/local/php/exec

Then copy the program you want to use into the/usr/local/php/exec directory, so that the restricted function like the above can execute the program in that directory.

For more information about restricted functions in safe mode, see the instructions for the main PHP site:

http://www.php.net/manual/en/features.safe-mode.php

3) Disable_functions

If you are not very clear about the harmfulness of some functions, and do not use them, simply disable these functions. Find the following line:

Disable_functions =

After "=" plus the function to be banned, multiple functions are separated by ",".


3. Modify Httpd.conf

If you only allow your PHP script program to operate in a Web directory, you can also modify the httpd.conf file to restrict the PHP operation path. For example, your web directory is/usr/local/apache/htdocs, so add a few lines to the httpd.conf:

<Directory/usr/local/apache/htdocs>

Php_admin_value Open_basedir/usr/local/apache/htdocs

</Directory>

This way, if the script is to read a file other than/usr/local/apache/htdocs, it will not be allowed, and if the error appears to be turned on, this error will be prompted:

Warning:open_basedir restriction in effect. The File is in wrong directory in

/usr/local/apache/htdocs/open.php on line 4 and so on.


4, the PHP code to compile

Zend has a great contribution to PHP, PHP4 's engine is Zend, and it has developed a number of PHP-enhancing components such as Zendoptimizer and Zendencode. The optimizer Zendoptimizer is available for free only at http://www.zend.com registration, and the following are for 4.0.5 and 4.0.6 Zendoptimizer, respectively, for the respective systems:

Zendoptimizer-1.1.0-php_4.0.5-freebsd4.0-i386.tar.gz

Zendoptimizer-1.1.0-php_4.0.5-linux_glibc21-i386.tar.gz

Zendoptimizer-1.1.0-php_4.0.5-solaris-sparc.tar.gz

Zendoptimizer-1.1.0-php_4.0.5-windows-i386.zip

The optimizer's installation is very convenient, the package contains a detailed description. Take the UNIX version as an example, see the operating system, the package of zendoptimizer.so files extracted to a directory, assuming that the/usr/local/lib, in the php.ini add two sentences:

Zend_optimizer.optimization_level=15

Zend_extension= "/usr/local/lib/zendoptimizer.so" is OK. With Phpinfo () see the following text on the left side of the Zend icon:

With Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies

Then the optimizer has been hooked up successfully.

However, the compiler zendencode is not free, this provides a http://www.PHPease.com Ma Yong design of the compiler shell, if for commercial purposes, please contact http://www.zend.com to obtain a license agreement.

After the PHP script compiles, the script execution speed increases many, the script file can see only a heap of garbled, this will prevent the attacker to further analyze the clothing

, and the passwords previously stored in plaintext in PHP scripts are also kept secret, such as the password for MySQL. However, the server to change the script is more cumbersome, or local change to upload it.

5, File and directory permission settings

In addition to uploading directories in the Web directory, the permissions of other directories and files must not allow nobody users to write permission. Otherwise, the attacker can modify the master file, so the permissions for the Web directory must be set.

Also, the owner of the PHP script must not be root, because the safe_mode of the read file is limited to the owner of the read file to be read as the owner of the currently executing script, or if the error display is turned on, the following error is displayed:

Warning:safe MODE restriction in effect. The script whose UID is

Allowed to access/etc/passwd owned by UID 0 in/usr/local/apache/htdocs/open.php

On line 3

This way we can prevent many system files from being read, such as:/etc/passwd.

Upload directory and upload script owners also want to set the same, otherwise there will be errors, in Safe_mode these should be noted.


6, the MySQL Start permission setting

MySQL should note that do not use root to start, it is best to build a separate mysqladm user. You can add a phrase in a system startup script such as/etc/rc.local:

Su mysqladm-c "/usr/local/mysql/share/mysql/mysql.server start"

This will also automatically start the MySQL process with the mysqladmin user after the system restarts.

7, the log file and upload directory audit and

Looking at the log and people's inertia has a lot to do with the large log file to find the attack traces in a haystack, and may not have.

The files in the Web-uploaded directory should also be checked frequently, and there may be problems with the program, and the user will pass on some illegal files, such as executing scripts.

8, the operating system itself patch

, patching a known vulnerability to the system is the basic responsibility of the system administrator, and this is the last line of defense.

After the above configuration, although not impregnable, but also to a considerable extent to the attacker's test caused a lot of trouble, even if the PHP script program has a more serious vulnerabilities, the attackers can not cause the actual damage.

If you have a more eccentric, more abnormal configuration method, want to share share;