Security Configuration One
(1) Open PHP Safe mode
PHP's security model is a very important embedded security mechanism to control some functions in PHP, such as System (),
At the same time, a lot of file operation functions have permission control, also does not allow the files for some key files, such as/etc/passwd,
But the default php.ini is not open in Safe mode, we turn it on:
Safe_mode = On
(2) User group security
When Safe_mode is turned on, Safe_mode_gid is turned off, and the PHP script is able to access the file, and the same
Users of the group are also able to access the files.
The recommended setting is:
Safe_mode_gid = Off
If we do not set up, we may not be able to operate the files in our server web directory, for example, we need to
When you are working on a file.
(3) Execute Program home directory in Safe mode
If Safe mode is turned on, but you want to execute some programs, you can specify the home directory where you want to execute the program:
Safe_mode_exec_dir = D:/usr/bin
In general, do not need to execute what program, so it is recommended not to execute the System program directory, can point to a directory,
Then copy the program that needs to be executed, such as:
Safe_mode_exec_dir = D:/tmp/cmd
However, I recommend that you do not execute any programs, then you can point to our web directory:
Safe_mode_exec_dir = d:/usr/www
(4) Include files in Safe mode
If you want to include some common files in Safe mode, then modify the options:
Safe_mode_include_dir = d:/usr/www/include/
In fact, the general PHP script contains files are in the program itself has been written, this can be set according to the specific needs.
(5) control the directory that PHP scripts can access
Use the OPEN_BASEDIR option to control the PHP script to access only the specified directory, which avoids the PHP script access
The files that should not be accessed to some extent limit the harm of phpshell, we can generally be set to only access the site directory:
Open_basedir = d:/usr/www
(6) Close danger function
If Safe mode is turned on, then the function prohibition is not necessary, but we consider it to be safe. Like what
We don't want to execute PHP functions that include the system (), or the ability to execute commands, or the ability to view PHP information
Phpinfo () and so on, then we can disable them:
Disable_functions = System,passthru,exec,shell_exec,popen,phpinfo
If you want to disable the operation of any files and directories, you can close many file operations
Disable_functions = Chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir, Rmdir,rename, File,file_get_contents,fputs,fwrite,chgrp,chmod,chown
These are just a few of the most commonly used file handling functions, and you can also combine the above command functions with this function,
will be able to resist most of the Phpshell.
(7) Close the PHP version information in the HTTP header leak
In order to prevent hackers from getting the PHP version of the server information, you can close the information ramp in the HTTP header:
expose_php = Off
For example, when the hacker in Telnet www.12345.com 80, then will not see the PHP information.
(8) Close registered global variables
Variables submitted in PHP, including those that use post or get commits, are automatically registered as global variables and can be accessed directly,
This is very insecure for the server, so we can't register it as a global variable, and turn off the Register global variables option:
Register_globals = Off
Of course, if this is set, then the corresponding variable should be taken in a reasonable way, such as get the variable var of get commit,
Then you need to use $_get[' var ' to get it, this PHP programmer should pay attention to.
(9) Open MAGIC_QUOTES_GPC to prevent SQL injection
SQL injection is a very dangerous problem, small site background was invaded, heavy the entire server fell,
So be sure to be careful. There is a setting in php.ini:
MAGIC_QUOTES_GPC = Off
This is off by default, and if it is turned on, it will automatically convert the query that the user commits to SQL.
For example, "switch to \" And so on, which is important to prevent SQL injection. So we recommend setting it to:
MAGIC_QUOTES_GPC = On
(10) Error Message control
In general, PHP is not connected to the database or in other cases there will be a prompt error, the general error message will contain PHP script when
Before the path information or query SQL statements and other information, such information provided to the hacker is not secure, so the general server recommends that you suppress the error prompt:
Display_errors = Off
If you are trying to display an error message, be sure to set the level of display errors, such as displaying only the information above the warning:
error_reporting = e_warning & E_error
Of course, I recommend turning off the error prompt.
(11) Error log
It is recommended to log the error message after closing the display_errors to find out why the server is running:
Log_errors = On
Also set the directory where the error log is stored, suggesting that the root Apache log exists together:
Error_log = D:/usr/local/apache2/logs/php_error.log
Note: The to file must allow Apache users and groups to have write permissions.
MySQL's Down right run
Create a new user such as Mysqlstart
NET user Mysqlstart ****microsoft/add
net localgroup users Mysqlstart/del
Does not belong to any group
If MySQL is installed in D:\mysql, then give Mysqlstart Full control of the permissions
Then set in the system service, MySQL service properties, in the login properties, select this user Mysqlstart and then enter the password, OK.
Restart the MySQL service, and then MySQL runs under low authority.
If the Apache is built under the WinDOS platform, we also need to note that Apache default operation is the system permission,
It's horrible, and it makes you feel uncomfortable. Let's give Apache permission to drop it.
NET user Apache ****microsoft/add
net localgroup users Apache/del
Ok. We have created a user apche that does not belong to any group.
We open the Computer Manager, select the service, point to the properties of the Apache service, we select Log on, choose this account, we fill in the accounts and passwords established above,
Restart the Apache service, Ok,apache running under low authority.
In fact, we can also set individual folder permissions, so that Apache users can only do what we want it to do, to each directory to create a separate read and write users.
This is also a popular configuration method for many current web hosting providers, but this method is used to prevent a bit of overkill here.
Security Configuration II
The basic configuration procedures for iis+mysql+php and the basic permissions settings for Windows are described earlier. In this section we need to discuss the security configuration of PHP as well as the security configuration of the Web directory, as well as the abnormal security configuration of IIS. Let me just say a few words here.
Our ultimate goal is that the Web site only run PHP, does not support ASP does not support ASP, so that a specific directory or sub-site can not execute PHP script, sample directory, we set it to not run PHP, so even if your site is "hacker" login backstage, can upload files. But in the end he couldn't carry out the Webshell.
Even if he gets the Webshell, he can't read the directory or the file, and he can't execute the command. In other words, the powerful Webshell in the hands of hackers do not have any use of value, so that hackers eventually directly mad and die. Actually do this is not very difficult, follow my footsteps to it. After completing this article you will be able to complete such a perverted server configuration independently.
One, php.ini file metamorphosis configuration
Why do we put php.ini on the front, because our web site is PHP, so many of the default options are unsafe. There are a lot of opportunities for hackers to take advantage of, so the first step we have to set the php.ini, so that can prevent the general script hacker attack.
Let's begin by understanding some of the basic concepts of php.ini. whitespace characters and lines beginning with semicolons are simply ignored. The format of the instruction is as follows: directive = value instruction name (directive) is case sensitive! So "Foo=bar" is different from "Foo=bar". Value can be:
1. Strings defined in quotation marks (e.g. "foo")
2. A number (integer or floating point, such as: 0,1,34,-1,33.55)
3. A PHP constant (for example: E_ALL,M_PI)
4. One INI constant (on,off,none)
5. An expression (for example: E_all & ~e_notice)
Another is to set the Boolean value, 1 is on is on, 0 is off is off. PHP.ini a lot of parts, such as: module section, PHP Global configuration, database configuration, and so on. 1 shows an example of a basic php.ini. After understanding the basic concepts, we can start the Metamorphosis tour.
PHP does not enable the Save_mode security mode setting method