PHP Security Configuration Sharing

Source: Internet
Author: User

The previous LAMP site has moved to LNMP. The author has used LNMP as a working environment for many years and is glad to share the PHP security configuration used on LNMP sites over that time. LAMP security will follow in a later article; the content is largely the same, and this article concentrates on the PHP side of the configuration.

1. Use open_basedir to restrict cross-directory access between virtual hosts

[HOST=www.ttlsa.com]
open_basedir=/data/site/www.ttlsa.com/:/tmp/
[HOST=test.ttlsa.com]
open_basedir=/data/site/test.ttlsa.com/:/tmp/

With the configuration above, PHP programs under www.ttlsa.com are limited to the two directories listed in open_basedir and cannot access any others. Without it, the programs of test.ttlsa.com and www.ttlsa.com can read each other's files: if one site is compromised and a webshell is planted, the attacker can reach every other site on the same server through it and finally plant a trojan on all of them. Note: each directory must end with a trailing slash. If you write /tmp, open_basedir treats it as a prefix, so any directory whose name starts with /tmp, such as /tmp123, becomes accessible as well. Also, the [HOST=...] syntax is supported from PHP 5.3 onward; 5.2 does not support it.

2. Disable unsafe PHP functions

disable_functions = show_source,system,shell_exec,passthru,exec,popen,proc_open,proc_get_status,phpinfo

This stops PHP from calling the functions listed above. Through them a PHP program can run Linux commands such as ping, netstat or mysql, and if the system also has a privilege-escalation bug, you know the consequences.

3. Follow software security information

Actively follow security announcements for the Linux kernel, PHP and the rest of the stack, and apply fixes promptly.

4. Run PHP as a read-only user

This is the method I value most, but it must be discussed with the PHP engineers before it is put into effect. Why? Take the site www.ttlsa.com: its files are owned by user and group nobody, while PHP runs as user and group phpuser. Directory permissions are 755 and file permissions are 644, so PHP is read-only and cannot write any file into the site directory. That means users cannot upload files, and even if a vulnerability exists the attacker cannot drop a backdoor, let alone plant a trojan. Before doing this, tell the programmers to switch file caches to an in-memory NoSQL cache (memcached, Redis and so on) and to upload files to another server (a static server) through an interface. Note: generating a local cache on the web server is a very bad habit: file caching is slow, wastes disk space and, most importantly, prevents the server from scaling horizontally.
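An added shell example (not from the original article) that applies the ownership and mode layout described above and then checks a site tree for anything that deviates from 755/644. The path /data/site/www.ttlsa.com and the owner nobody:nobody come from the article; the assumption is that PHP runs as a different, non-owning user such as phpuser, so any deviating mode is a finding.

```shell
#!/bin/sh
# Enforce and verify the read-only web root from section 4:
# files owned by a user PHP does not run as, directories 755, files 644.
# Added example, not the article's own script.

# apply_site_perms ROOT [OWNER:GROUP]
# Sets 755 on directories and 644 on files below ROOT. chown is only done
# when an owner is given, because changing owner needs root.
apply_site_perms() {
    root="$1"; owner="$2"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    if [ -n "$owner" ]; then
        chown -R "$owner" "$root"
    fi
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# audit_site_perms ROOT
# Prints one FINDING line per directory that is not 755 or file that is not
# 644, returns 1 if anything was found and 0 when the tree is clean. A wider
# mode would let the PHP worker (a non-owner) write into the web root.
audit_site_perms() {
    root="$1"
    bad=$(find "$root" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \))
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's|^|FINDING: wrong mode on |'
    return 1
}

# Usage: ./site_perms.sh /data/site/www.ttlsa.com nobody:nobody
if [ "$#" -ge 1 ]; then
    apply_site_perms "$1" "$2" && audit_site_perms "$1"
fi
```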

5. Turn off PHP error display

Change display_errors = On to display_errors = Off

When an error occurs, the detailed error message is shown directly to the user, including file paths and sometimes even database accounts and passwords. Injection attacks are largely guided by what these error messages reveal. In production, it should definitely be turned off.

6. Separate PHP from uploads

Upload files to a remote server, for example over NFS; you can also call a PHP interface you have written yourself. Even if there is an upload vulnerability, the file ends up on the static server, where a trojan or similar file cannot be executed at all. Example: the PHP site www.ttlsa.com lives in /data/site/www.ttlsa.com and the static file site static.ttlsa.com in /data/site/static.ttlsa.com. Files are uploaded directly to /data/site/static.ttlsa.com; an uploaded file cannot be accessed through www.ttlsa.com, only through static.ttlsa.com, and static.ttlsa.com does not support PHP.

7. Turn off PHP version disclosure

Change expose_php = On to expose_php = Off

Do not give away your PHP version, so that attackers cannot aim attacks at that specific version of PHP.

8. Disable dynamic loading of extensions

Change enable_dl = On to enable_dl = Off

9. Disable opening remote URLs

Change allow_url_fopen = On to allow_url_fopen = Off

Strictly speaking this is not real security and it does not lead to web intrusions, but it has a heavy impact on performance, so I count it as a security problem in the narrow sense. With it off, the following call no longer fetches remote URL content:

$data = file_get_contents("http://www.baidu.com/");

while the same function can still read local file contents:

$data = file_get_contents("1.txt");

If your site has little traffic and the database runs fine but the web server load is inexplicably high, check this setting first. I have run into this problem far too often, so it has always been disabled in production; when PHP engineers need to fetch remote web content, I recommend they use curl. For how to use curl in PHP, see my earlier articles "PHP using curl instead of file_get_contents" and "PHP: curl vs. file_get_contents performance".
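An added shell audit (not the article's own script) that checks a php.ini against the settings from sections 1, 2, 5, 7, 8 and 9: the four Off switches, the full disable_functions list, and the trailing-slash rule for open_basedir. The php.ini path is an assumption; commented-out directives are ignored, and open_basedir paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Audit a php.ini against the hardening settings from this article.
# Added example, not the article's own script; the php.ini path is an assumption.

# ini_get FILE DIRECTIVE: effective value (last uncommented assignment), "" if absent.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tail -n 1
}

finding() { printf 'FINDING: %s\n' "$1"; return 1; }

# audit_php_ini FILE: prints one FINDING per deviation; returns 1 if any, 0 if clean.
audit_php_ini() {
    ini="$1"; rc=0
    # Sections 5, 7, 8, 9: each switch must be explicitly Off (unset falls back
    # to PHP's built-in default, which is On, so unset counts as a finding).
    for d in display_errors expose_php enable_dl allow_url_fopen; do
        v=$(ini_get "$ini" "$d")
        case "$v" in
            [Oo]ff|0) ;;
            *) finding "$d is '${v:-unset}', should be Off" || rc=1 ;;
        esac
    done
    # Section 2: every function the article disables must be listed.
    df=",$(ini_get "$ini" disable_functions | tr -d ' '),"
    for f in show_source system shell_exec passthru exec popen proc_open proc_get_status phpinfo; do
        case "$df" in
            *",$f,"*) ;;
            *) finding "disable_functions lacks $f" || rc=1 ;;
        esac
    done
    # Section 1: open_basedir must be set and every entry (including those in
    # [HOST=...] sections) must end with "/", since /tmp also admits /tmp123.
    paths=$(sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$ini" | tr ':' '\n')
    [ -n "$paths" ] || finding "open_basedir is not set" || rc=1
    for p in $paths; do
        case "$p" in
            */) ;;
            *) finding "open_basedir entry '$p' lacks a trailing slash" || rc=1 ;;
        esac
    done
    return $rc
}

# Usage: ./audit_php_ini.sh /etc/php.ini
if [ "$#" -eq 1 ]; then
    audit_php_ini "$1"
fi
```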

10. Closing

That is all on PHP security for LNMP sites for today; further points will be added as they come up. Reprint please cite the source: http://www.ttlsa.com/html/2279.html
