Security Configuration in PHP

Source: Internet
Author: User
Tags: zend

Configuration matters a great deal for PHP security: both the php.ini settings and the permissions of the surrounding system. I have summarized the relevant configuration below.

I. PHP modules

./configure --with-libdir=lib64 --prefix=/usr/ --exec-prefix=/usr --bindir=/usr/bin \
    --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include \
    --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com \
    --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=../config.cache \
    --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d \
    --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config \
    --with-iconv-dir --with-freetype-dir=/usr/local/lib --with-jpeg-dir=/usr/local/lib \
    --with-png-dir=/usr/local/lib --with-zlib --with-libxml-dir=/usr --enable-xml \
    --disable-rpath --enable-bcmath --enable-shmop --enable-sysvsem \
    --enable-inline-optimization --with-curl --enable-mbregex --enable-fpm \
    --enable-mbstring --with-mcrypt=/usr/local/lib --with-gd --enable-gd-native-ttf \
    --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc \
    --enable-zip --enable-soap --enable-opcache --with-pdo-mysql --enable-embed=shared \
    --enable-debug --enable-dtrace

The options above are the more commonly used configure options.

# php -m
[PHP Modules]
bcmath
core
ctype
curl
date
dom
ereg
fetch_url
fileinfo
filter
gd
hash
iconv
json
libxml
mbstring
mcrypt
memcached
mhash
mongo
mysql
mysqli
mysqlnd
openssl
pcntl
pcre
pdo
pdo_mysql
pdo_sqlite
phar
posix
reflection
session
shmop
simplexml
soap
sockets
spl
sqlite3
standard
sysvsem
tokenizer
trace
vld
xhprof
xml
xmlreader
xmlrpc
xmlwriter
zend opcache
zip
zlib

[Zend Modules]
Zend OPcache

The loaded modules can be listed with php -m. Two rules follow from that list:

1. Modules that are not needed should not be enabled at compile time.

2. Modules that are enabled by default but are not needed should be disabled at compile time.

II. Preventing PHP version leaks

The version banner can be turned off with expose_php:

# curl -I 192.168.1.30
HTTP/1.1 200 OK
Server: nginx
Date: Wed, Jul 19:16:10 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.23

# vim /etc/php.ini
expose_php = Off

The server's version information should also be changed; before compiling nginx, the server name string "nginx" can be changed to "apache".

III. PHP and Nginx logs

display_errors = Off
display_startup_errors = On
log_errors = On
error_reporting = 0
error_log = /var/log/php_errors.log

Also record the Apache or nginx access logs; these are configured in the web server itself.

IV. Restricting file uploads

The upload handler is the most insecure part of a web application: users can upload files such as images or scripts and then, through other means, do destructive work on the site. The format of every uploaded file must therefore be strictly checked at upload time.

file_uploads = On
upload_tmp_dir = /data/www/tmp
upload_max_filesize = 2M
max_file_uploads = 20
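The php.ini limits above cap the size and number of uploads, but the "strict check of the file format" still has to be done in application code. The following script is an added example written in Python (not PHP, and not code from the original article) showing the checks a handler should make before storing a file: a size limit mirroring upload_max_filesize, a strict filename pattern that rejects double extensions such as name.php.jpg and any path separators, an extension allow-list, and magic bytes that must match the claimed extension. The ALLOWED_TYPES table, the function names and the sample uploads are all constructed for this example.

```python
"""Validate an uploaded file by name and content before storing it.

Added example: the checks mirror the advice that the upload handler must
verify what a file is rather than trust the name the client sent. The
sample byte strings at the bottom are constructed for the demo.
"""
import os
import re

# Allowed image types: extension -> magic-byte prefixes that prove the type.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Exactly one simple extension: "photo.jpg" passes, "photo.php.jpg" does not
# (double extensions trick servers that execute anything containing ".php").
_SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


class UploadRejected(ValueError):
    """Raised with a human-readable reason when a check fails."""


def validate_upload(filename, data, max_bytes=2 * 1024 ** 2):
    """Return (extension, size) for an acceptable upload, else raise.

    Checks, in order: size limit (same value as upload_max_filesize above),
    no path separators, strict filename pattern, allow-listed extension,
    and magic bytes matching the claimed extension.
    """
    if len(data) > max_bytes:
        raise UploadRejected("file exceeds the size limit")
    if os.path.basename(filename) != filename:
        raise UploadRejected("path separators in filename")
    match = _SAFE_NAME_RE.match(filename)
    if not match:
        raise UploadRejected("filename does not match the allowed pattern")
    ext = match.group(1).lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension .%s is not allowed" % ext)
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not look like a .%s file" % ext)
    return ext, len(data)


def classify(filename, data):
    """Convenience wrapper returning 'ok:<ext>' or 'rejected:<reason>'."""
    try:
        ext, _ = validate_upload(filename, data)
        return "ok:" + ext
    except UploadRejected as exc:
        return "rejected:" + str(exc)


# Constructed sample uploads; truncated headers are enough for the demo.
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
    ("script.php", b"<?php echo 1; ?>"),                   # extension not allowed
    ("script.php.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),  # double extension
    ("notes.png", b"<?php echo 1; ?>"),                    # wrong content for .png
    ("../etc/x.png", b"\x89PNG\r\n\x1a\n"),                # path traversal attempt
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print("%-16s %s" % (name, classify(name, data)))
```

The validated extension is the only part of the client's filename worth keeping: store the file under a server-generated random name with that extension, in a directory outside the DocumentRoot (as upload_tmp_dir above is), and serve it from a location where the web server does not execute PHP. A matching magic number proves the type was not simply renamed; it does not prove the file is harmless, so the execution and permission controls in the later sections still apply.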

V. Turning off access to remote resources

With this setting turned off, file_get_contents(), include, and require can no longer read remote data such as FTP or web content.

allow_url_fopen = Off

VI. Limiting POST size

post_max_size = 2M

VII. DoS control

Limit the maximum execution time, the maximum time spent parsing request data, the maximum memory available to a script, and the number of input variables (which prevents hash-collision attacks on the request parser):

max_execution_time = 30
max_input_time = 30
memory_limit = 40M
max_input_vars = 1000

VIII. Permissions and safe mode configuration

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
open_basedir = /var/www/html/
safe_mode_exec_dir = /usr/local/bin/

Confirm that Apache is running as a non-root user such as apache or www. The owner of the /var/www/html directory should also be a non-root user:

# chown -R apache:apache /var/www/html/

Files under the Apache DocumentRoot should not be executable or creatable. Set the file permissions for this directory to 0444 (read-only):

# chmod -R 0444 /var/www/html/

Set all folder permissions under this directory to 0445:

# find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0445 {}

Add write protection to the configuration files:

# chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.ini
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/
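The php.ini values in sections II to VIII can be checked mechanically rather than by eye. The following script is an added example, written in Python rather than PHP and not part of the original article: it parses a php.ini file (comments, section headers, PHP shorthand sizes such as 2M) and reports every setting that differs from the values recommended above. The sample ini text, the EXPECTED table, the "not set" handling and the function names are constructed for this example; the disable_functions check requires a subset of the page's list to be present, and memory_limit = -1 is reported as unlimited.

```python
"""Audit a php.ini against the hardening values discussed above.

Added example: the ini text below is constructed for the demo and the
EXPECTED table mirrors the settings recommended on this page.
"""
import re

# Constructed sample php.ini: mostly hardened, with a few weak settings.
SAMPLE_PHP_INI = """
; constructed example, not a real server's file
[PHP]
expose_php = On
display_errors = On
log_errors = On
error_log = /var/log/php_errors.log
file_uploads = On
upload_max_filesize = 8M
post_max_size = 2M
allow_url_fopen = On
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
max_input_vars = 1000
disable_functions = exec,system
"""

# (op, value) per key: "eq" -> must equal value (case-insensitive);
# "max" -> numeric value must be at most this (bytes or units);
# "sup" -> comma-separated list must contain all of these names.
EXPECTED = {
    "expose_php": ("eq", "off"),
    "display_errors": ("eq", "off"),
    "log_errors": ("eq", "on"),
    "allow_url_fopen": ("eq", "off"),
    "upload_max_filesize": ("max", 2 * 1024 ** 2),
    "post_max_size": ("max", 2 * 1024 ** 2),
    "max_execution_time": ("max", 30),
    "max_input_time": ("max", 30),
    "memory_limit": ("max", 40 * 1024 ** 2),
    "max_input_vars": ("max", 1000),
    "disable_functions": ("sup", {"exec", "passthru", "shell_exec",
                                   "system", "proc_open", "popen"}),
}

_SIZE_RE = re.compile(r"^\s*(-?\d+)\s*([kmg]?)\s*$", re.IGNORECASE)


def parse_php_ini(text):
    """Map lowercased key -> value; skips ';' comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def php_size_to_bytes(value):
    """Expand PHP shorthand sizes (2M, 512K, 1G) to an integer."""
    match = _SIZE_RE.match(value)
    if not match:
        raise ValueError("not a PHP size: %r" % value)
    number, unit = int(match.group(1)), match.group(2).lower()
    return number * {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[unit]


def audit(settings, expected=EXPECTED):
    """Return sorted (key, reason) findings; an empty list means compliant."""
    findings = []
    for key, (op, want) in expected.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "not set (PHP default applies)"))
        elif op == "eq" and actual.lower() != want:
            findings.append((key, "is %s, expected %s" % (actual, want.title())))
        elif op == "max":
            size = php_size_to_bytes(actual)
            if size < 0:
                findings.append((key, "is %s (unlimited)" % actual))
            elif size > want:
                findings.append((key, "is %s, above the limit" % actual))
        elif op == "sup":
            present = {f.strip().lower() for f in actual.split(",") if f.strip()}
            missing = sorted(want - present)
            if missing:
                findings.append((key, "missing " + ",".join(missing)))
    return sorted(findings)


if __name__ == "__main__":
    for key, reason in audit(parse_php_ini(SAMPLE_PHP_INI)):
        print("%-20s %s" % (key, reason))
```

Run it against the real file with parse_php_ini(open("/etc/php.ini").read()). Because PHP applies compiled-in defaults for keys that are absent, a missing key is reported as a finding rather than silently passed, and because a value of -1 means "no limit" for memory_limit, negative sizes are reported separately instead of being treated as "below the limit".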

IX. Restricting outgoing connections with a firewall

Attackers will use tools such as wget to download files from your web server. Use iptables to block outgoing connections from the apache user. The ipt_owner module matches packets by the local user that generated them; it is only valid in the OUTPUT chain. The first rule below allows the user vivek to reach external hosts on port 80, and the rules after it confine the apache user to an explicit list of destinations:

/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables --new-chain apache_user
/sbin/iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables --append OUTPUT -m owner --uid-owner apache -j apache_user
# allow Apache user to connect to our SMTP server
/sbin/iptables --append apache_user -p tcp --syn -d 192.168.1.100 --dport 25 -j RETURN
# allow Apache user to connect to API server for spam validation
/sbin/iptables --append apache_user -p tcp --syn -d 66.135.58.62 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 66.135.58.61 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 72.233.69.89 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 72.233.69.88 --dport 80 -j RETURN
########################## Add more rules here ############################
# No editing below
# Drop everything for Apache outgoing connection
/sbin/iptables --append apache_user -j REJECT

A few other security configurations

1. Install mod_security

ModSecurity is an open-source web application intrusion detection and prevention engine. Install mod_security to protect Apache and PHP applications from XSS and other attacks.

2. Install the anti-DDoS module mod_evasive

It can limit how often a client may access the server within a given period of time.

Original address: http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
