Good afternoon. First, let me introduce myself: I am Mao Wei from Wuxi Taihu Pearl Net. Our topic this afternoon is general server security protection measures for PHP + MySQL community sites.
This topic does have a premise: it is aimed at site owners who run their own dedicated servers. If you do not use a dedicated server yet, I still hope you will take a look first; I believe you will have one soon enough, and this will be useful then.
Security and danger are relative; there is no absolute security or absolute danger in this world. Likewise, security and ease of use are relative: to pursue security you must sacrifice ease of use, and to pursue ease of use you must sacrifice security (this refers only to server configuration and maintenance). If you doubt that, take it as a joke about Einstein's theory of relativity; it is easy to get sleepy in the afternoon, so let us all stay awake.
First, let me state plainly that following the measures below does not mean the server cannot be hacked. Most of the community programs we use are open source, and open source inevitably brings vulnerabilities, so the starting point of these measures is to limit the impact when a program turns out to have a vulnerability, such as the server falling and being completely controlled by attackers. Today's measures are divided into several areas: server environment security, PHP security settings, and MySQL security settings.
First, security in the server environment. Servers running PHP + MySQL communities are mostly small-traffic sites, which tend to run Windows, while large-traffic sites tend to run Linux. Whether it is Windows, Linux or another system, the first step in protection is to disable unused ports, and the second is to restrict the source IP addresses allowed to reach important ports. For example, for a web server we open port 80 to everyone, restrict the source addresses for FTP and remote management ports, and close everything else. For important ports such as SSH 22, remote terminal 3389 and MySQL 3306 we restrict source IP addresses with a software or hardware firewall. Some of you will say: I am on dynamic ADSL and cannot fix my IP address. Here are two solutions for you:
1. Loosen the restriction. The ADSL dial-up addresses of a given region always fall within a certain range, say a.b.x.x, so we restrict the allowed addresses to a.b.*.* instead of a single IP.
2. Relay through another host. Some webmasters have more than one server; use another host with a fixed IP address as a jump host to manage your server. Both methods restrict access to the port. To raise the security level further you can also change the port number, though frankly, unless you have a firewall that blocks port scanning, changing the port does not help much: it is very easy for an attacker to scan for it.
On preventing port scans: this is done by tracking how many of the server's ports one source touches within a given period. For example, if a source hits more than three ports within five seconds, it is treated as a port scan and its IP address is blocked. For Windows hosts we recommend the software firewall VisNeticFirewall (also known as 8Signs). It is a powerful firewall for Windows that can enforce inbound and outbound rules, including which file types may be fetched over HTTP (for example blocking .mdb downloads), and can detect port scans and block the source automatically.
On Linux, use the built-in iptables; it is very powerful and there is hardly anything it cannot do. With the network layer done well your system is already much harder to reach: even if an attacker gets hold of your server's administrator credentials, he has nothing to work with except port 80 and a webshell.
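As an added example that is not part of the talk, here is how the policy just described could be written for iptables on a Linux host: port 80 open to all, SSH 22 and MySQL 3306 reachable only from the admin's address range (the a.b.*.* range from solution 1, shown as the placeholder 10.20.0.0/16), everything else closed, and sources that probe several closed ports within five seconds blocked with the recent module. The exact thresholds and the dry-run convention are my assumptions.

```shell
# Added example, not from the talk: iptables rules for the policy described above.
# Dry run by default (prints the commands); run as root with IPT=iptables to apply:
#   IPT=iptables sh firewall.sh 10.20.0.0/16
IPT=${IPT:-"echo iptables"}

firewall_rules() {
    admin_net=$1    # the admin's source range, e.g. 10.20.0.0/16 (placeholder)
    $IPT -F INPUT
    $IPT -P INPUT DROP    # default deny: every port not listed below is closed
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Sources already recorded as scanners stay blocked: 4 hits within 5 seconds
    # stands in for "more than three ports in five seconds" (assumed threshold).
    $IPT -A INPUT -m recent --name portscan --update --seconds 5 --hitcount 4 -j DROP
    # The web port is public.
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    # Management ports only from the admin range.
    $IPT -A INPUT -p tcp --dport 22 -s "$admin_net" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 3306 -s "$admin_net" -j ACCEPT
    # Anything reaching this point is a connection attempt to a closed port (or to a
    # management port from the wrong source): record the source, then drop it.
    $IPT -A INPUT -p tcp --syn -m recent --name portscan --set -j DROP
}

firewall_rules "${1:-10.20.0.0/16}"
```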
Next, the security configuration of the web server:
With IIS on a Windows host you can set a separate run-as account for each IIS site and restrict the site directory so that only Administrators and that site's own account can access it. Then even if one site has a vulnerability and an attacker gets a webshell in, it does not endanger other sites or the system: apart from the contents of that site's directory he cannot access any other directory at all. This has a prerequisite: you must sort out the system's directory permissions and check for directories granted to Everyone; there are quite a few of them under the Windows directory on drive C. Remember that directories open to Everyone remain accessible even with the independent IIS account method above. There are many articles about this online; search for the details.
Linux is less convenient: apache and nginx run as a single user and cannot have a separate run-as user per site, and worse, directories on a Linux system are generally readable by other users. It is therefore safer to separate the apache/nginx/php user from the user who owns the web directories.
Take nginx + fastcgi php, a common combination at present. Set the nginx running user to www and the fastcgi php user to php, make www the owner of the web directory, and set the 777/664 directory permissions strictly according to the dz (Discuz!) documentation. Here nginx and the directory owner share the user www so that static files can always be served, which spares you permission headaches, but it also means the directory permissions must be set strictly. Strict webmasters, of course, should separate the nginx user from the web-directory owner completely.
The apache + php combination has one very good advantage: php settings can be set per vhost. Those of you on apache can use this to set open_basedir for each vhost. open_basedir is the set of directories that php may access while running for that vhost, so under apache we get an effect similar to IIS's independent accounts: php's reach is confined, and one vulnerability cannot endanger the system or other sites.
Here is an example, which is part of a vhost configuration:
<VirtualHost *:80>
    DocumentRoot /website/www/bbs.site.com
    ServerName bbs.site.com
    php_admin_value open_basedir /website/www/bbs.site.com/:/website/tmp/
</VirtualHost>
This means that php running under bbs.site.com can only access files under /website/www/bbs.site.com/ and /website/tmp/; access to files in any other directory is simply refused. Multiple directories, such as the php upload temporary directory and the session directory, are separated with a colon (a semicolon on Windows). This works with apache on both Windows and Linux, but php must run as a module (LoadModule). It cannot be used in fastcgi php mode as under nginx; if you really want nginx in front as a proxy, run php under apache behind nginx to keep open_basedir. If you want nginx + fastcgi php, set a general open_basedir in php.ini instead: for example, if your sites live under /website/www/, set open_basedir to /website/www/. Then if one site falls the other sites may fall with it, but at least the system files are safe. This suits those who prefer the lazy approach.
In apache there is also the useful setting php_flag engine off. Let's look at an example:
<Directory /website/www/bbs.thmz.com/attachments>
    php_flag engine off
</Directory>
This means that files under /website/www/bbs.thmz.com/attachments are not executed as php; even a .php file is served as plain source rather than executed. Use this for directories that never need php execution, especially user uploads such as attachments and avatars. Do not set it on the wrong directory: if that directory holds php that should run, its source code is exposed.
IIS users need not worry: IIS has this function too. In IIS site management, right-click the directory that should not execute anything -> Properties, and set Execute Permissions to "None". Check the files in the directory before turning execution off. This also works when php runs in fastcgi mode. That is it for the environment; a lot came up here, so let's move on.
By the way, if you have several servers, we advocate separating the front end and the database: one application server and one database server. This also relates to security. Some programs have injection vulnerabilities; if the database is separate, an injection lands on the database server, so even if the account you connect to mysql with has root privileges and the attacker uses mysql's load file function, he can only read system files on the database server. Optimistically, this at least protects your web application server.
Now, briefly, php and mysql.
For php, open_basedir was just covered; the other security settings are all in php.ini.
First, display_errors = Off so that error messages are not shown to visitors; then log_errors = On and error_log = a file on the server where the errors are written. Do not put this log under the web directory or inside an open_basedir directory; otherwise an attacker with a webshell can read it as easily as you can.
magic_quotes_gpc = On
register_globals = Off
These two settings limit what can be injected through request parameters and variables, reducing the risk when a program is not written strictly.
disable_functions = phpinfo, example, passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, proc_get_status, ini_alter, summary, dl, pfsockopen, openlog, syslog, readlink, symlink, popepassthru, stream_socket_server, show_source, popen, escapeshellcmd, escapeshellarg
disable_functions lists the functions php is forbidden to call.
php is very powerful, so it has many dangerous functions through which an attacker can threaten system security directly. We therefore disable the dangerous functions that the web program does not need. The list above is the reference list from my dz installation; if it conflicts with functions used by some program on your server, simply remove the functions that program needs from disable_functions.
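As an added example, not from the talk, this small shell script audits a php.ini against the settings just listed (display_errors, log_errors, error_log, register_globals, magic_quotes_gpc, open_basedir, and the command-execution subset of disable_functions). The sample php.ini it writes is constructed and its log path is a placeholder.

```shell
# Added example, not from the talk: audit a php.ini against the settings above.
# Usage: sh php_ini_audit.sh /etc/php.ini   (exit status = number of failed checks)
# Value of a php.ini directive, lower-cased, unquoted and trimmed; empty if the
# directive is absent or commented out (';' lines never match the anchored pattern).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        tr -d '"' | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*$//'
}
# Compare one directive with its expected value; prints PASS/FAIL, returns 1 on FAIL.
check_directive() {
    v=$(ini_value "$1" "$2")
    [ "$v" = "$3" ] && { echo "PASS $2 = $v"; return 0; }
    echo "FAIL $2 = '${v:-<unset>}' (want $3)"; return 1
}
# Run every check from the talk; returns the number of failures (0 = compliant).
audit_php_ini() {
    fails=0
    check_directive "$1" display_errors off || fails=$((fails + 1))
    check_directive "$1" log_errors on || fails=$((fails + 1))
    check_directive "$1" register_globals off || fails=$((fails + 1))
    check_directive "$1" magic_quotes_gpc on || fails=$((fails + 1))
    for d in error_log open_basedir; do   # must be set; the path itself is not judged
        [ -n "$(ini_value "$1" "$d")" ] || { echo "FAIL $d unset"; fails=$((fails + 1)); }
    done
    # The command-execution functions a webshell relies on must all be disabled.
    disabled=$(ini_value "$1" disable_functions | tr ',' ' ')
    for f in exec system passthru shell_exec popen proc_open; do
        case " $disabled " in *" $f "*) ;;
            *) echo "FAIL disable_functions lacks $f"; fails=$((fails + 1)) ;;
        esac
    done
    return $fails
}
# Constructed sample php.ini that follows the talk; the log path is a placeholder.
write_sample_ini() {
    cat > "$1" <<'EOF'
display_errors = Off
log_errors = On
error_log = /website/logs/php_error.log
register_globals = Off
magic_quotes_gpc = On
open_basedir = /website/www/
disable_functions = phpinfo, passthru, exec, system, shell_exec, proc_open, popen
EOF
}
SAMPLE=${TMPDIR:-/tmp}/php_ini_audit_sample.$$
write_sample_ini "$SAMPLE"
audit_php_ini "$SAMPLE" || echo "$? check(s) failed"
rm -f "$SAMPLE"
```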
That is all for php. The two most important items are open_basedir and disable_functions; those two steps alone raise security considerably. Now mysql:
First, do not run mysql as SYSTEM or root. By default a Windows service runs as the highly privileged SYSTEM account, and on Linux the default is root; if mysql runs as an administrator and its permissions are misconfigured, a webshell that reaches it has root on your system. So the first thing about mysql is to check the running user and make sure it is an ordinary user. Then clean up the mysql users. A default installation contains root accounts that can log in locally without a password; delete them. Keep a root@% only if you need to manage mysql remotely with a tool; otherwise leave just a root@localhost for phpmyadmin on the same machine. Of course, do not delete the other users you created yourself; mysql user privileges can be tuned finely. root@localhost is the root user that can only log in from the local machine. Note that this root user should not be used by any web application; use it only for your own management.
Then create a dedicated mysql account for each web application (note: each one), and a separate database for each, for example:
uc: database xx_uc, mysql user xx_uc
dz: database xx_bbs, mysql user xx_bbs
uch: database xx_uch, mysql user xx_uch
Do not grant these users (xx_uc, xx_bbs, xx_uch) any global privileges; with global privileges they are almost the same as root.
In the per-user privilege settings, give each user only its own database: xx_uc gets xx_uc, xx_bbs gets xx_bbs, xx_uch gets xx_uch, and grant only the select, insert, update, delete, create, drop, index and alter privileges. In fact general programs only need select, insert, update and delete; a forum program may need create, drop, index and alter for some admin-panel operations. Strict webmasters can enable create, drop, index and alter only when they are needed. Then even if there is an injection vulnerability, the attacker can only modify the contents of that one database.
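As an added example that is not part of the talk, the following shell script emits the SQL for the account scheme just described: one localhost-only account per application, granted only its own database and the day-to-day privileges, with the maintenance privileges added on request, plus the clean-up of the default root accounts. The application names follow the talk, the passwords are placeholders, and the dry-run convention is my assumption.

```shell
# Added example, not from the talk: per-application MySQL accounts with least privilege.
# Dry run by default (prints the SQL); pipe into the server to apply:
#   MYSQL="mysql -u root -p" sh mysql_accounts.sh
MYSQL=${MYSQL:-cat}

# $1 = name used for both database and user (e.g. xx_bbs), $2 = password,
# $3 = "maint" to add the schema-changing privileges a forum needs for admin tasks.
app_account_sql() {
    privs="SELECT, INSERT, UPDATE, DELETE"
    [ "${3:-}" = "maint" ] && privs="$privs, CREATE, DROP, INDEX, ALTER"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$1\`;
CREATE USER '$1'@'localhost' IDENTIFIED BY '$2';
-- database-level grant only: no global privileges, no reach into other databases
GRANT $privs ON \`$1\`.* TO '$1'@'localhost';
EOF
}

# Remove the default anonymous and remote root logins, keeping root@localhost for
# local administration. If you rely on a remote admin tool, keep its root@% and drop
# the second statement. Direct edits of mysql.user suit MySQL 5.x; on newer servers
# use DROP USER IF EXISTS instead.
root_cleanup_sql() {
    cat <<'EOF'
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root' AND Host <> 'localhost';
FLUSH PRIVILEGES;
EOF
}

{
    root_cleanup_sql
    app_account_sql xx_uc  'CHANGE_ME_uc'            # placeholder passwords
    app_account_sql xx_bbs 'CHANGE_ME_bbs' maint     # forum: schema changes allowed
    app_account_sql xx_uch 'CHANGE_ME_uch'
} | $MYSQL
```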
We also suggest not using dz's default cdb_, uc_ and uch_ table prefixes. The default prefixes are public knowledge, so once an attacker gets in he can guess the name of your user table and update a password to take over your administrator account.
That is basically it for mysql; the key is the minimal, separate set of privileges for each program's own user. If you read some program's data from your own code, just give it a mysql user with select privilege only. Finally, we can make small changes to the program itself. For example, a dz webmaster can rename the admincp.php file; only a few templates need editing and the admin panel still works, but security rises considerably. With that file renamed, the admin-panel style vulnerability that hit dz last time cannot be used at all: you are immune outright, and someone who steals the administrator account still cannot get into the admin panel.
In conclusion, with security done well: even if the program has a vulnerability, the attacker cannot exploit it; even if he exploits it, he cannot upload a webshell; even if he uploads a webshell, he has no system privileges; and even if he gains system privileges, he still cannot go any further. That is all for today. Thank you!
Speaker profile: Mao Wei, Technical Director of Taihu Mingzhu Network, founder of Battle Network, co-founder of Head Network Management and Erquan Network.