LNMP PHP Security Configuration (Disable unsafe PHP functions and PHP upload separation, etc.)

This article describes the methods of PHP security configuration under the LNMP architecture, including disabling unsafe PHP functions, turning off PHP error logs, PHP upload separation, shutting down PHP information, disabling the dynamic loading of the link library, disable the opening of remote URLs, and other security measures. Several aspects of PHP security Configuration: 1. Use Open_basedir to restrict virtual host cross-directory Access [host=www.xingzuo51.com]open_basedir=/data/site/www.xingzuo51.com/:/tmp/[host=test.xingzuo51.com]open_basedir= /data/site/test.xingzuo51.com/:/tmp/ Note: PHP programs under www.xingzuo51.com are limited to the two directories in the Open_basedir configuration and cannot be accessed to other directories. If the above configuration is not done, then the test.xingzuo51.com and www.xingzuo51.com programs can access each other. If one of the sites has been hacked into the Webshell, the site can be taken down the same server other sites, and finally hang Trojan. Note: Finally, the directory must be added/. such as Write/tmp, the site at the same time/tmp123 and so on with/tmp start directory, then hackers can also access to these directories, in addition, php5.3 above support this wording, 5.2 does not support. 2. Disable unsafe php function disable_functions = show_source,system,shell_exec,passthru,exec,popen,proc_open,proc_get_status, Phpinfo PHP is not allowed to execute the above PHP functions, the above PHP program can execute Linux commands, such as Ping, Netstat, MySQL and so on. If your system has the right to raise bugs, the consequences you know. 3, focus on software security information and actively concerned about the Linux kernel, PHP security and so on timely error 4, PHP users only read this method is my most respected method, but must be implemented with the PHP engineer to consult. Why? For example, the site www.xingzuo51.com root user and group are nobody, while the users and groups running PHP are phpuser. The directory permission is 755, and the file permission is 644. So, PHP is read-only and cannot write any files to the site directory. That is, users can not upload files, even if there is a loophole, hackers can not pass the backdoor, more unlikely to hang the trojan. Before doing this, tell the programmer to change the file cache to a NoSQL memory cache (for example, memcached, Redis, etc.) and upload the file to another server (static server) via the interface. Note: The program generates a local cache is a bad habit, with slow file caching, wasted disk space, and most importantly, the server cannot scale horizontally 5. Close PHP error log Display_errors = on change to display_errors = Off In the event of an error, the detailed error message is immediately displayed to the user, including the path, some even the database account password. The injected penetration password is basically guessed by this error. The production environment strongly shuts it down 6, PHP upload separation to upload files to a remote server, such as NFS. Of course, you can also call the PHP interface you have written. Even if there is an upload vulnerability, the file is also uploaded to the static server. Trojans and other files cannot be executed at all. Example: PHP site www.xingzuo51.com, directory/data/site/www.xingzuo51.com static file site static.xingzuo51.com, directory/data/site/ The static.xingzuo51.com file was uploaded directly to/data/site/ Static.xingzuo51.com, uploaded files cannot be accessed through www.xingzuo51.com and can only be accessed using static.xingzuo51.com, but static.xingzuo51.com does not support PHP. 7. Close PHP Information expose_php = on change to expose_php = Off Do not easily disclose their PHP version information, to prevent hackers against this version of PHP to launch attacks. 8. Disable dynamic loading of link libraries DISABLE_DL = on; change to ENABLE_DL = OFF; 9. Disable Open remote URL Allow_url_fopen = on change to Allow_url_fopen = Off In fact, this is not true security, and will not lead to web intrusion and other issues, but this very impact on performance, I think it belongs to the narrow security problem. The following method will not get the remote URL content $data = file_get_contents ("http://www.baidu.com/"); Get local file Contents: $data = file_get_contents ("1.txt"); If the site is not accessible, the database is running well, but the Web server loads surprisingly high, please check directly under this method. PHP Gets the content of the remote Web, it is recommended to use curl.

