This article summarizes the security configuration of a PHP website on a Linux server: PHP settings, MySQL database settings, web server (Nginx or Apache) settings, and scanning for and preventing PHP Trojans (webshells).
PHP Security Configuration:
1. Make sure PHP (PHP-FPM or the Apache PHP module) runs as an unprivileged user, such as www, never as root.
2. php.ini parameter settings
open_basedir restricts the files a PHP script may open to the listed paths, usually the site's document root; the entry "." stands for the current working directory. Note that what open_basedir enforces is a string prefix match on the resolved path, not a directory name.
For example, with open_basedir = /home/wwwroot, both /home/wwwroot and /home/wwwroot1 are accessible. To restrict access to that one directory only, end the path with a slash: open_basedir = /home/wwwroot/.
Note:
Reports circulating online claim that open_basedir noticeably slows PHP file I/O, with some measurements putting script I/O at ten or more times slower than without it. The check runs on every file operation, so I/O-heavy scripts are the ones affected; measure on your own workload before deciding.
open_basedir can list several directories. On Windows, separate them with semicolons; on every other system, with colons. When PHP runs as an Apache module, open_basedir paths set in a parent directory are inherited automatically.
MySQL Security Configuration:
1. MySQL version selection
In production, do not run the MySQL 4.1 series. The minimum this article set was 5.1.39; in practice, run a release that still receives security fixes.
2. Network and port configuration
If the database is used only by applications on the same machine, start mysqld with --skip-networking (or put skip-networking under [mysqld] in my.cnf) so it listens on the Unix socket only. If other hosts must connect, set bind-address to the one internal interface that needs it and firewall port 3306.
3. Make sure mysqld runs as an unprivileged user, such as mysql (user = mysql under [mysqld]), and that the data directory is owned by that user and not readable by others.
4. Enable the MySQL binary log (log-bin). If data is deleted by mistake, the binary log, replayed on top of the last full backup with mysqlbinlog and --stop-datetime, brings the database back to the point just before the mistake. The binary log is not a backup by itself: it needs a base backup to replay onto.
5. Authentication and authorization
(1) Do not let the root account log in over the network; root should exist only as 'root'@'localhost'.
(2) Delete anonymous accounts (User = '') and any account with an empty password.
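As an added example (not part of the original article), the following Python script checks the points in items 2 to 5 against data in the shape an administrator would pull from the server: rows from mysql.user and the [mysqld] section of my.cnf. It does not connect to MySQL; the rows, hashes and configuration text inside it are constructed, the Password column assumes MySQL 5.1 to 5.6 (5.7 and later use authentication_string), and the remediation statements it produces are suggestions to review, not to run blindly.

```python
"""Audit MySQL account rows and a my.cnf [mysqld] section for the points above.

Added example, not code from the original article. It does not connect to a
server: the account rows are in the shape returned by
    SELECT User, Host, Password FROM mysql.user;   -- MySQL 5.1 to 5.6
(on 5.7 and later the hash column is authentication_string), and both the
rows and the my.cnf text below are constructed sample data.
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample rows: (User, Host, password hash). Hashes are placeholders.
SAMPLE_USER_ROWS = [
    ("root", "localhost", "*AAAA0000"),
    ("root", "%", "*AAAA0000"),          # root reachable from any host
    ("", "localhost", ""),               # anonymous account
    ("app", "10.0.0.%", ""),             # empty password
    ("app", "10.0.0.5", "*BBBB1111"),
]

# Constructed sample my.cnf with a public listener and no binary log.
SAMPLE_MY_CNF = """
[client]
port = 3306

[mysqld]
user = mysql
datadir = /var/lib/mysql
bind-address = 0.0.0.0   # listens on every interface
"""


def sql_quote(value):
    """Quote a user or host name as a MySQL string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def audit_accounts(rows):
    """Return (finding, account, remediation SQL) for every risky mysql.user row."""
    findings = []
    for user, host, pw_hash in rows:
        account = f"{sql_quote(user)}@{sql_quote(host)}"
        if user == "":
            findings.append(("anonymous-account", account, f"DROP USER {account};"))
        elif pw_hash == "":
            findings.append(("empty-password", account,
                             f"DROP USER {account};  -- or set a strong password"))
        elif user == "root" and host not in LOCAL_HOSTS:
            findings.append(("root-remote-login", account, f"DROP USER {account};"))
    return findings


def parse_mysqld_section(cnf_text):
    """Return the options under [mysqld] as a dict; '_' and '-' are both accepted by MySQL."""
    options, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        options[key.strip().lower().replace("_", "-")] = value.strip()
    return options


def audit_mysqld_config(cnf_text):
    """Return findings for the network listener, binary log and service user."""
    opts = parse_mysqld_section(cnf_text)
    findings = []
    local_only = "skip-networking" in opts or opts.get("bind-address") in LOCAL_HOSTS
    if not local_only:
        findings.append("network-listener: add skip-networking, or bind-address = 127.0.0.1")
    if "log-bin" not in opts:
        findings.append("binary-log: add log-bin = mysql-bin (with server-id) for point-in-time recovery")
    if opts.get("user") != "mysql":
        findings.append("user: run mysqld as the unprivileged mysql user (user = mysql)")
    return findings


if __name__ == "__main__":
    for kind, account, fix in audit_accounts(SAMPLE_USER_ROWS):
        print(f"{kind:18} {account:28} {fix}")
    for finding in audit_mysqld_config(SAMPLE_MY_CNF):
        print(finding)
```

Feed it real rows by replacing SAMPLE_USER_ROWS with the output of the SELECT above; an 'app' account with a wildcard host and an empty password is exactly the kind of row the statement finds on servers that were set up in a hurry.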
Web Server Security Configuration:
Make sure Nginx or Apache runs as an unprivileged user, such as www, and that the document root is owned by that user. Only upload directories need to be writable by the web server user; application code should not be.
Block obvious SQL injection characters in the query string (Nginx):
if ($query_string ~* ".*[\;'\<\>].*") { return 404; }
This is a blunt filter: it also rejects legitimate values that contain an apostrophe, and it is applied to the raw, undecoded query string, so a percent-encoded quote (%27) passes through. Treat it as a tripwire, not a defense; parameterized queries in the application are the real fix.
Disable PHP execution in upload directories such as attachments/ and data/ (Nginx):
location ~* ^/(attachments|data)/.*\.(php|php5)$ { deny all; }
Nginx uses the first regular-expression location that matches, in configuration order, so this block must come before the general location ~ \.php$ block that passes requests to PHP, and its extension list must cover every extension that block handles.
For Apache, disable PHP parsing in image/upload directories by placing the following in the upload directory's .htaccess or in a <Directory> block for it:
<Files ~ "\.php$">
Order allow,deny
Deny from all
</Files>
(Order/Deny is Apache 2.2 syntax; on Apache 2.4 use Require all denied instead.)
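To make the behaviour of the two Nginx rules concrete, here is an added Python model (not the article's code and not Nginx's) that applies the article's regular expressions to constructed requests. It assumes the rest of the configuration routes *.php to PHP with a location ~ \.php$ block placed after the deny block; the request list is made up for the example.

```python
"""Model of the two Nginx rules in this section, to show what they catch and miss.

Added example, not from the original article. The regexes are the article's,
translated to Python's re module (they behave the same as Nginx's PCRE here).
The generic PHP handler is an assumption about the rest of the Nginx config,
and the request list is constructed.
"""
import re

# if ($query_string ~* ".*[\;'\<\>].*") { return 404; }
# A server-level `if` runs in the rewrite phase, before location matching,
# and $query_string is the raw, percent-encoded query string.
QUERY_BLOCK = re.compile(r".*[\;'\<\>].*", re.IGNORECASE)

# location ~* ^/(attachments|data)/.*\.(php|php5)$ { deny all; }
UPLOAD_PHP_DENY = re.compile(r"^/(attachments|data)/.*\.(php|php5)$", re.IGNORECASE)

# Assumed generic handler: location ~ \.php$ { fastcgi_pass ...; }
# Nginx takes the FIRST matching regex location in config order, so the deny
# block must precede this one in nginx.conf; the order below mirrors that.
PHP_HANDLER = re.compile(r"\.php$")


def classify(uri, query_string=""):
    """Return what Nginx would do with the request: '404', '403', 'php' or 'static'."""
    if QUERY_BLOCK.search(query_string):
        return "404"
    if UPLOAD_PHP_DENY.search(uri):
        return "403"
    if PHP_HANDLER.search(uri):
        return "php"
    return "static"


# Constructed requests: (uri, query string, outcome, why it matters).
SAMPLE_REQUESTS = [
    ("/index.php", "id=1'", "404", "literal quote is blocked"),
    ("/index.php", "id=1%27", "php", "encoded quote passes: $query_string is not decoded"),
    ("/index.php", "id=1 UNION SELECT 1,2", "php", "no listed character, not blocked"),
    ("/search.php", "q=O'Brien", "404", "false positive on a legitimate value"),
    ("/data/shell.php", "", "403", "PHP in an upload directory is denied"),
    ("/Data/Shell.PHP5", "", "403", "~* makes the match case-insensitive"),
    ("/data/shell.phtml", "", "static", "extension outside both lists"),
    ("/data/shell.php/x.jpg", "", "static", "only static because the handler is anchored with $"),
    ("/uploads/shell.php", "", "php", "directory missing from the deny list is still executed"),
]


def check_samples():
    """Return the sample rows whose outcome differs from the expected one (should be none)."""
    return [(u, q) for u, q, expected, _ in SAMPLE_REQUESTS if classify(u, q) != expected]


if __name__ == "__main__":
    for uri, qs, expected, why in SAMPLE_REQUESTS:
        print(f"{classify(uri, qs):6} {uri}?{qs:24} {why}")
```

Two things the model makes visible: the query-string rule is evaded by percent-encoding, which PHP decodes before the application sees the value, and the deny rule only covers the directories and extensions it names. If the real handler is written as location ~ \.php(/|$) to support PATH_INFO, the deny rule must use the same suffix, or /data/shell.php/x.jpg reaches PHP.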
Trojan scan and prevention:
Quick search for PHP Trojans (webshells) with grep:
grep -r --include='*.php' '[^a-z]eval($_POST' /home/wwwroot/
grep -r --include='*.php' 'file_put_contents(.*$_POST\[.*\]);' /home/wwwroot/
These two patterns only catch the literal eval($_POST and file_put_contents(...$_POST[...]) forms; a shell that reads $_GET or $_REQUEST, calls assert(), or decodes its payload with base64_decode() is not matched, and grep is case-sensitive while PHP function names are not.
Use find with -mtime to list the PHP files modified in the last two days, or around the time a Trojan was found:
find /home/wwwroot/ -mtime -2 -type f -name '*.php'
(An attacker can reset timestamps with touch, so an old mtime is not proof of a clean file.)
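The grep and find commands above combined into one scan, as an added Python example that is not part of the original article. It applies the two patterns above, adds a few patterns of its own for other common shell idioms (an assumption made here, not taken from the page), matches case-insensitively because PHP function names are, and flags files by mtime the way find -mtime -2 does. The sample web root it scans is constructed in a temporary directory so the script runs offline.

```python
"""Webshell triage: the article's two grep patterns plus an mtime check, in Python.

Added example, not from the original article. The first two patterns are the
grep expressions above; the remaining ones are additions made here (assumed
common shell idioms, not from the page). All are matched case-insensitively
because PHP function names are. The sample tree is constructed.
"""
import os
import re
import tempfile
import time
from pathlib import Path

PATTERNS = {
    "eval-post": re.compile(r"[^a-z]eval\(\$_POST", re.IGNORECASE),
    "file_put_contents-post": re.compile(r"file_put_contents\(.*\$_POST\[.*\]\);", re.IGNORECASE),
    # Additions, not on the page:
    "eval-other-input": re.compile(r"[^a-z]eval\(\$_(GET|REQUEST|COOKIE)", re.IGNORECASE),
    "assert-input": re.compile(r"[^a-z]assert\(\$_(POST|GET|REQUEST)", re.IGNORECASE),
    "eval-base64": re.compile(r"eval\(\s*(gzinflate|gzuncompress|str_rot13)?\(?\s*base64_decode\(",
                              re.IGNORECASE),
}

DAY = 86400


def scan_tree(root, mtime_days=2, now=None):
    """Walk root for *.php files; return [(relative path, [reasons])] for suspicious ones.

    A file is listed if any pattern matches or if it was modified within
    mtime_days (like `find -mtime -N`). The mtime reason on its own is only
    a triage hint: an attacker can reset timestamps with touch -r.
    """
    root = Path(root)
    cutoff = (time.time() if now is None else now) - mtime_days * DAY
    findings = []
    for path in sorted(root.rglob("*.php")):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        reasons = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if path.stat().st_mtime >= cutoff:
            reasons.append(f"modified-within-{mtime_days}d")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


# Constructed sample files: (relative path, content, age in days).
SAMPLE_FILES = [
    ("index.php", "<?php echo 'hello'; ?>", 30),
    ("config.php", "<?php $db = 'mysql:host=localhost'; ?>", 0),        # clean, but edited today
    ("lib/Template.php", "<?php return eval('return 1;'); ?>", 30),       # eval without request input
    ("data/avatar.php", "<?php @eval($_POST['x']); ?>", 0),
    ("attachments/up.php", "<?php file_put_contents($_POST['f'], $_POST['d']); ?>", 0),
    ("cache/old.php", "<?php EVAL($_REQUEST['c']); ?>", 30),            # old, upper-case, other input
    ("cache/enc.php", "<?php eval(gzinflate(base64_decode('aGk='))); ?>", 30),
]


def make_sample_tree():
    """Write the sample files into a fresh temp dir, set their mtimes, return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    now = time.time()
    for rel, content, age_days in SAMPLE_FILES:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        os.utime(path, (now - age_days * DAY, now - age_days * DAY))
    return root


if __name__ == "__main__":
    for rel, reasons in scan_tree(make_sample_tree()):
        print(f"{rel:22} {', '.join(reasons)}")
```

Point it at the real web root with scan_tree("/home/wwwroot/") and review every hit by hand: config.php in the sample shows that a recent mtime alone is a reason to look, not a verdict, and cache/old.php shows why the mtime check must not be the only signal.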
Precautions:
1. Harden PHP: disable functions the site does not need with disable_functions in php.ini (for example exec, system, passthru, shell_exec, proc_open, popen) and set open_basedir.
2. Set restrictive directory and file permissions: application code should be read-only for the web server user, and only upload directories writable, with PHP execution disabled there as described above.
3. To prevent cross-site infection, isolate the virtual hosts' directories from each other.
(1) Simple implementation with Nginx
Use Nginx to run multiple virtual hosts. If php.ini is configured with
open_basedir = ./:/tmp:/home/wwwroot/
where /home/wwwroot/ is the path holding all the virtual hosts, an attacker with a webshell on any one site can reach any location under /home/wwwroot/, which endangers every virtual host at once.
For example, /home/wwwroot contains two virtual hosts, www.a.cn and b.cn. Listing both document roots in php.ini,
open_basedir = ./:/tmp:/home/wwwroot/www.a.cn:/home/wwwroot/b.cn
does not separate them, because php.ini applies to every site and a script on www.a.cn is still allowed to open files under /home/wwwroot/b.cn. Set the value per site instead: add fastcgi_param PHP_ADMIN_VALUE "open_basedir=/home/wwwroot/www.a.cn/:/tmp/"; to the www.a.cn server block (or use php_admin_value[open_basedir] in a separate PHP-FPM pool for each site), and likewise for b.cn. Then a webshell uploaded to one site cannot access the other site's directory.
(2) Controlling cross-directory access with Apache
In each virtual host's configuration (its <VirtualHost> block), add
php_admin_value open_basedir "/tmp/:/home/wwwroot/www.a.cn/"
with that host's own document root. Because the value is set per virtual host and php_admin_value cannot be overridden from .htaccess or ini_set(), each site is confined to its own directory.
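The prefix rule described in the php.ini section and the per-site isolation above, as an added Python model (not the article's code and not PHP's): it mirrors PHP's documented check, resolving each open_basedir entry and the requested path against the script's working directory and comparing them as string prefixes, without the symlink resolution PHP also performs. The directory names are this article's examples, and per_vhost_setting() is a helper assumed here, not a PHP or Nginx feature.

```python
"""Model of PHP's open_basedir check: prefix matching on resolved paths.

Added example, not from the original article and not PHP's own code. It
mirrors the documented rule (split on ':' on Unix, resolve each entry and
the target against the current working directory, compare as a string
prefix) for the settings in the php.ini section and in the virtual-host
isolation section above. PHP also resolves symlinks; that is left out here.
Every path below is a constructed example.
"""
import posixpath

SEPARATOR = ":"   # ';' on Windows


def resolve(path, cwd):
    """Make path absolute against cwd and collapse '.' and '..' segments."""
    if not path.startswith("/"):
        path = cwd.rstrip("/") + "/" + path
    return posixpath.normpath(path)


def open_basedir_allows(setting, target, cwd="/"):
    """Return True if PHP with this open_basedir would let a script in cwd open target.

    The comparison is a prefix match on the resolved strings, so an entry
    without a trailing slash also admits sibling directories that merely share
    its name as a prefix; PHP keeps the slash when the entry was written with one.
    """
    target_r = resolve(target, cwd)
    if target.endswith("/") and not target_r.endswith("/"):
        target_r += "/"
    for entry in setting.split(SEPARATOR):
        if not entry:
            continue
        base_r = resolve(entry, cwd)
        if entry.endswith("/") and not base_r.endswith("/"):
            base_r += "/"
        if target_r.startswith(base_r):
            return True
    return False


def per_vhost_setting(docroot):
    """open_basedir value to give one server block or PHP-FPM pool (assumed layout)."""
    return f"{docroot.rstrip('/')}/{SEPARATOR}/tmp/"


# Constructed scenarios: (open_basedir, cwd of the running script, target, allowed?)
SCENARIOS = [
    # prefix pitfall from the php.ini section
    ("/home/wwwroot",  "/home/wwwroot", "/home/wwwroot1/secret.txt", True),
    ("/home/wwwroot/", "/home/wwwroot", "/home/wwwroot1/secret.txt", False),
    ("/home/wwwroot/", "/home/wwwroot", "/home/wwwroot/a/x.php",     True),
    # one global php.ini listing both sites: a webshell in www.a.cn can read b.cn
    ("./:/tmp:/home/wwwroot/www.a.cn:/home/wwwroot/b.cn", "/home/wwwroot/www.a.cn",
     "/home/wwwroot/b.cn/config.php", True),
    # per-vhost value for www.a.cn: the same read is refused, '..' included
    (per_vhost_setting("/home/wwwroot/www.a.cn"), "/home/wwwroot/www.a.cn",
     "../b.cn/config.php", False),
    (per_vhost_setting("/home/wwwroot/www.a.cn"), "/home/wwwroot/www.a.cn",
     "uploads/../index.php", True),
    (per_vhost_setting("/home/wwwroot/www.a.cn"), "/home/wwwroot/www.a.cn",
     "/tmp/sess_abc", True),
]


def check_scenarios():
    """Return the scenarios whose modelled outcome differs from the expected one (should be none)."""
    return [s for s in SCENARIOS if open_basedir_allows(s[0], s[2], s[1]) != s[3]]


if __name__ == "__main__":
    for setting, cwd, target, _ in SCENARIOS:
        verdict = "allow" if open_basedir_allows(setting, target, cwd) else "deny "
        print(f"{verdict} open_basedir={setting}  cwd={cwd}  target={target}")
```

The fourth scenario is the one to take away: the global php.ini line that names both document roots allows the cross-site read, and only the per-host value refuses it. The trailing slash in per_vhost_setting() is deliberate, for the same reason /home/wwwroot without one admits /home/wwwroot1.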