PHP configuration is very important: both the php.ini settings and the system permissions matter. I have summarized some of the configuration below.
I. PHP modules
./configure --with-libdir=lib64 --prefix=/usr/ --exec-prefix=/usr --bindir=/usr/bin \
  --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include \
  --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com \
  --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=./config.cache \
  --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d \
  --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config \
  --with-iconv-dir --with-freetype-dir=/usr/local/lib --with-jpeg-dir=/usr/local/lib \
  --with-png-dir=/usr/local/lib --with-zlib --with-libxml-dir=/usr --enable-xml \
  --disable-rpath --enable-bcmath --enable-shmop --enable-sysvsem \
  --enable-inline-optimization --with-curl --enable-mbregex --enable-fpm \
  --enable-mbstring --with-mcrypt=/usr/local/lib --with-gd --enable-gd-native-ttf \
  --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc \
  --enable-zip --enable-soap --enable-opcache --with-pdo-mysql --enable-embed=shared \
  --enable-debug --enable-dtrace
The above are some of the more commonly used configure options.
# php -m
[PHP Modules]
bcmath core ctype curl date dom ereg fetch_url fileinfo filter gd hash iconv json
libxml mbstring mcrypt memcached mhash mongo mysql mysqli mysqlnd openssl pcntl pcre
pdo pdo_mysql pdo_sqlite phar posix reflection session shmop simplexml soap sockets
spl sqlite3 standard sysvsem tokenizer trace vld xhprof xml xmlreader xmlrpc xmlwriter
zend opcache zip zlib
[Zend Modules]
Zend OPcache
The loaded modules can be listed with php -m.
1. Modules that are not needed should not be enabled at compile time.
2. Some modules are enabled by default; disable them at compile time if they are not needed.
II. Preventing PHP version leaks
The version header can be turned off with expose_php:
# curl -I 192.168.1.30
HTTP/1.1 200 OK
Server: nginx
Date: Wed, Jul 19:16:10 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.23

# vim /etc/php.ini
expose_php = Off
The server's version information should also be changed: before compiling nginx, the server name string can be changed from nginx to apache.
III. PHP and Nginx logs
display_errors = Off
display_startup_errors = On
log_errors = On
error_reporting = 0
error_log = /var/log/php_errors.log
; note: error_reporting = 0 reports no errors at all, so with this value nothing is written to error_log
Also record the Apache or nginx access logs; these are configured in the web server.
IV. Restricting file uploads
File upload is the most insecure part of a web program: users can upload files such as images or scripts and then use them by other means to do destructive work on the site, so uploads must strictly check the file format.
file_uploads = On
upload_tmp_dir = /data/www/tmp
upload_max_filesize = 2M
max_file_uploads = 20
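The "strict format check" the section calls for, as an added example that is not part of the original post: the type is decided from the file content, the name is chosen by the server, and the file lands in a directory that is not served. The form field name "upload" and the directory /data/www/uploads are assumptions.

```php
<?php
// Added example (not from the original post): server-side checks for an
// uploaded image. Assumes a form field named "upload" and that
// /data/www/uploads lies outside the web root (both are assumptions).
declare(strict_types=1);
const ALLOWED   = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;      // matches upload_max_filesize = 2M
const DEST_DIR  = '/data/www/uploads';  // assumed; must not be served by the web server

function store_upload(array $file): string
{
    // PHP reports its own failures (size limits etc.) through the error code.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . $file['error']);
    }
    // Only a file that arrived via HTTP POST in this request is acceptable.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the content, never from $file['type'] or the client's file name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('disallowed content type ' . $mime);
    }
    // A second, independent check: the image must actually decode.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen random name with a whitelisted extension, so "shell.php" or "../x" never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = DEST_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

if (isset($_FILES['upload'])) {
    try {
        echo 'stored as ' . store_upload($_FILES['upload']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage();
    }
}
```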
V. Turning off access to remote resources
While this option is enabled, file_get_contents(), include and require can fetch remote data such as FTP or web content; turn it off:
allow_url_fopen = Off
VI. Limiting POST size
post_max_size = 2M
VII. DoS control
Maximum execution time, maximum time for parsing request data, maximum available memory, and a limit on the number of input variables (a defence against hash-collision DoS):
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
max_input_vars = 1000
VIII. Permissions and safe-mode configuration
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
open_basedir = /var/www/html/
safe_mode_exec_dir = /usr/local/bin/

Confirm that Apache runs as a non-root user such as apache or www. The owner of the /var/www/html directory should also be a non-root user:
# chown -R apache:apache /var/www/html/
Files under DocumentRoot should be prevented from being executed or created. Set the file permissions in this directory to 0444 (read-only):
# chmod -R 0444 /var/www/html/
Set all directories under it to 0445:
# find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0445 {}
Write-protect the configuration files:
# chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.ini
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/
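An audit script for the php.ini values given in sections II to VIII, added here as an example and not part of the original post. The allow_url_include check is my addition (it must also be off for include/require of URLs); everything else is taken from the sections above.

```php
<?php
// Added example (not from the original post): compare the running PHP's ini
// settings with the hardening values from sections II to VIII. Run it with the
// CLI and once more through the web SAPI: php-cli, php-fpm and mod_php may load different php.ini files.
declare(strict_types=1);
$expected = [ // bool => must match exactly; string => limit must be set and no larger than this
    'expose_php' => false, 'display_errors' => false, 'log_errors' => true,
    'allow_url_fopen' => false, 'allow_url_include' => false, // allow_url_include is my addition
    'upload_max_filesize' => '2M', 'max_file_uploads' => '20', 'post_max_size' => '2M',
    'max_execution_time' => '30', 'max_input_time' => '30', 'memory_limit' => '40M', 'max_input_vars' => '1000',
];
$mustDisable = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];

// php.ini shorthand ("2M", "40M", "1000") to an integer; 0 and -1 stay as they are (they mean "unlimited").
function ini_bytes(string $v): int
{
    $n = (int) $v;
    switch (strtoupper(substr(trim($v), -1))) {
        case 'G': $n *= 1024; // fall through
        case 'M': $n *= 1024; // fall through
        case 'K': $n *= 1024;
    }
    return $n;
}

function audit(array $expected, array $mustDisable): array
{
    $findings = [];
    foreach ($expected as $key => $want) {
        $have = (string) ini_get($key);
        if (is_bool($want)) {
            $ok = filter_var($have, FILTER_VALIDATE_BOOLEAN) === $want;
        } else { // a limit of 0 or -1 is unlimited and therefore a finding (the CLI always has max_execution_time 0)
            $n  = ini_bytes($have);
            $ok = $n > 0 && $n <= ini_bytes($want);
        }
        if (!$ok) {
            $findings[] = sprintf('%s = "%s" (expected %s)', $key, $have, var_export($want, true));
        }
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (array_diff($mustDisable, $disabled) as $fn) {
        $findings[] = "$fn is not listed in disable_functions";
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set';
    }
    return $findings;
}
$findings = audit($expected, $mustDisable);
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'all checks passed' . PHP_EOL;
```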
IX. Restricting outgoing connections with a firewall
Attackers use tools such as wget on your web server to download files. Use iptables to block outgoing connections from the apache user. The ipt_owner module matches packets by the local user that generated them and is only valid in the OUTPUT chain. The following rules allow the user vivek to connect out on port 80 and restrict the apache user to a whitelist:
/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables --new-chain apache_user
/sbin/iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables --append OUTPUT -m owner --uid-owner apache -j apache_user
# allow Apache user to connect to our SMTP server
/sbin/iptables --append apache_user -p tcp --syn -d 192.168.1.100 --dport 25 -j RETURN
# allow Apache user to connect to API server for spam validation
/sbin/iptables --append apache_user -p tcp --syn -d 66.135.58.62 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 66.135.58.61 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 72.233.69.89 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 72.233.69.88 --dport 80 -j RETURN
########################## Add more rules here ############################
# No editing below
# Drop everything else for Apache outgoing connections
/sbin/iptables --append apache_user -j REJECT
A few other security configurations
1. Install mod_security
ModSecurity is an open-source web application intrusion detection and prevention engine. Install mod_security to protect Apache and PHP applications from XSS and other attacks.
2. Install the anti-DDoS module mod_evasive
It can limit the frequency of requests from a client within a given period of time.
Original address: http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
Security Configuration in PHP