Long Fei: Talking about how to prevent the forum from being hacked

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

Anhui Internet Alliance sponsored thousands of webmaster Lectures (http://www.53w.net) has been to the 36th period, the guests of the Mao Wei Taihu Pearl Network technical Director, very war network founder, chief network Management, two Springs Network co-founder, Tai Lake Pearl Network (thmz.com) It is an integrated regional portal for providing comprehensive Internet (Internet) services in Wuxi and surrounding areas. Wuxi is the external publicity window, but also the outside world to understand the best platform for Wuxi.

As a portal site, Taihu Lake Pearl Network based in Wuxi, the integration of Wuxi local newspapers, television, radio news resources, the most authoritative fastest all-round transfer of Wuxi city information rapidly changing. At the same time provide network information, business promotion, film and television entertainment, network communications, website construction, webcast and other cross-industry, Cross-media, a number of integrated business.

Lectures before the four group has been full (a total of 2000 people) has been full, new to Webmaster can add 500 lectures on the newly opened five groups: 39463377 free to participate but please respect the learning environment we will never speak of webmaster let more want to learn webmaster come in.

The following is a transcript of this lecture:

Topic: Universal Server Security protection for Php+mysql community

Everyone stationmaster good afternoon, introduce oneself first, I am from Wuxi Taihu Lake Pearl Net Mao Wei, our topic this afternoon is Php+mysql class community universal security safeguard measure, although this topic, have a premise, is the face object is those who use own independent server stationmaster, If you do not use stand-alone server now webmaster also want to know, relevant knowledge, I believe you will soon have a stand-alone server on the use of the time, security and danger is relative, this world without absolute security and absolute danger. If there are not very clear students can refer to Einstein's special theory of relativity.

First of all, the following said that the protection measures, not to say that we can ensure that the server is not black, because we use most of the open source community programs, open source is tantamount to the inevitable loopholes. The starting point of these precautions is to avoid the scope of the attack as much as possible when the program creates a loophole. For example, the server fell, the entire server to the hacker control. The protection we are talking about today is divided into server environment security, PHP security settings, MySQL security settings in several aspects. First of all, to talk about the security of the server environment, the general now run Php+mysql type of Community server is a small flow of Windows more, large traffic Linux more.

Whether Windows or Linux or other systems, the first step of security protection, turn off the unused ports, the second limit the access source IP address of the important ports, such as we run the Web, you can open 80 ports, restrict FTP, remote management port source IP address, all other ports are closed

Like SSH 22, remote terminal 3389,mysql 3306 Such important ports we can through the software firewall or hardware firewall, limit the source of IP address, some TX may say I am ADSL dynamic, I have no way to fixed IP address, good here to give you 2 programs. 1. Open limits, ADSL dial-up IP address in each region always has a certain range, such as a.b.x.x, then we will limit the IP to a.b.*.*. 2. Relay method, some webmaster may more than 1 servers, through another relay has a fixed IP address machine, to relay the management of your server. Use ports to forward this method, restricted port access, then if you want to improve the security level, it is to modify the port number to increase security, here is also a wake-up call, in fact, unless you have to prevent the port scan of this firewall, otherwise the port is not large, hack scan the lower mouth is very convenient, When it comes to preventing port scans, this turns out to be a matter of tracking the number of ports a user accesses over a certain period of time, such as accessing more than 3 ports in 5 seconds, and then blocking the user's IP by identifying the port scan behavior. A software firewall under Windows is recommended here

This type of firewall Windows host I recommend Visneticfirewall (also known as 8sign), Visneticfirewall is a powerful Windows software firewall can restrict access to the rules including HTTP promised access to file types, such as restricting the MDB download, etc. can also do port scanning automatic blocking.

Linux with its own iptables, the function is very powerful, only unexpectedly, did not do, the network this layer of security done well, your system has strengthened a lot. Even if hack has your server administrator, he also can not start. He could do nothing but webshell. Here's a talk about webserver security configuration

Windows host with IIS webmaster can also set a separate run account for each IIS site and strictly set the site directory only the administrator and the site run account permissions so even if a site has loopholes, hack Webshell came in, the crisis to other sites and The system was unable to access other directories except for the contents of the directory under which he was able to control the site. Of course, this method also has a prerequisite, is to the system directory permissions to comb the side, check the directory with everyone permissions, General C disk Directory of Windows below this kind of directory is quite many, to remember everyone's directory even if do the above independent IIS account method hack still can access , about this kind of online article also quite many, searches a careful look. Linux is not so convenient, because the Apache Nginx is a unified user identity to run the can not each site set up a running user independently. The most deadly is Linux below the system's directory generally other users are readable. So the safer approach is to separate the users of Apache or Nginx PHP from the owners of the Web directory. So the safer approach is to separate the users of Apache or Nginx PHP from the owners of the Web directory.

Here the Nginx and directory ownership users use WWW is convenient for some static file access, save the right card is very dead, must be completely strict to set directory permissions. Of course, strict requirements of the webmaster can completely nginx and web directory users also separate. A very good thing about the combination of Apache and PHP is that you can set some PHP settings for each vhost. So we use Apache TX to use this feature for each vhost setting open_basedir this PHP setup Open_basedir is the directory that the Vhost PHP runtime can access, This way, you can implement a similar effect of IIS as a standalone account running under Apache

Keep PHP's Access box in place to prevent 1 of vulnerabilities from compromising systems and other sites

Here's an example.

Documentroot/website/www/bbs.site.com

ServerName bbs.site.com

Php_admin_value open_basedir/website/www/bbs.site.com/:/website/tmp/

Php_admin_value open_basedir/website/www/bbs.site.com/:/website/tmp/

This means that PHP runs under bbs.site.com

You can only access files under/website/www/bbs.site.com/and/website/tmp/, and you want to access files from other directories.

This setting if there are multiple directories, such as PHP upload temp directory, Session temp directory, you can use: Colon split (Windows below;

This approach is available on both Windows and Linux Apache

But you have to run PHP in LoadModule mode.

This approach, like Nginx, uses fastcgi PHP as a way to

If you really want to use the way you can use Nginx Proxy, PHP runs with Apache so you can use this Open_basedir function under Nginx.

If you really want to use nginx+fastcgi PHP, you can set up a total open_basedir in php.ini.

For example, your site is placed under the/website/www/of the Open_basedir set to/website/www/

In this way, although a site has fallen will follow the fall of other sites, but at least to ensure that the system files will not fall

More suitable for lazy

Just speaking of Apache inside Vhost also has a useful setting Php_flag engine off

Let's take a look at an example

Php_flag engine off

That means

/website/www/bbs.thmz.com/attachments the file below this directory, do not perform PHP, even if it is a PHP will be the source code burst out is not to execute PHP

Some will never have PHP implementation needs of the directory, especially the user uploaded files Ah, avatar ah these directories can be set with this

Set the time to pay attention to do not make a mistake, this opened, if there is a direct burst of PHP, the source code, IIS users do not worry, in fact, IIS inside also has this function. In IIS Site Administration, locate the right key property for the directory that you do not want to perform.

Just set the execution permissions to nothing.

Anyway, just look at the files in the catalog before closing.

Don't turn it off. Source code

This function also runs in the fastcgi Way of PHP, this environment is now remembered so much, first came here to

By the way, if there are more than one server webmaster, the promotion of the foreground and database separate. is to run the program 1 servers, database 1 servers. This is actually a bit of a security relationship. Some programs may inject a vulnerability.

If you separate the database, the hack is actually on the database server when injected.

In case your MySQL-connected user is a root, then he uses MySQL's load file. This function can only read the system files on the database server.

This optimistic will at least your Web program this server security, the following simple talk about PHP and MySQL

PHP security Settings just the Open_basedir.

The other is nothing more than some php.ini inside the set up, first of all must be Display_errors=off

Turn off error logging

Then log_errors = On

Then set the next error_log=

Log error messages to server text

Here, take care not to put it in the Web directory or Open_basedir directory.

Otherwise hack use Webshell to read you this setting = White did

MAGIC_QUOTES_GPC = On

Register_globals = Off

These 2 parameters can be restricted to illegal parameters or variable submission, to prevent some programs write is not very rigorous time, bring security risks

Disable_functions = Phpinfo,get_cfg_var,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open, Proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket _server,show_source,popen,escapeshellcmd,escapeshellarg

Disable_functions is a function that PHP forbids to use.

PHP is very powerful, so there are many dangerous php functions that give hack the ability to directly compromise the security of the system. So we need to disable this part of the dangerous function on the premise that the Web program does not need these functions.

The above disable_functions is I installs DZ the program lists a reference, if and your server some programs use the function conflict, that oneself measure can remove, the program needs function in Disable_functions inside remove on line, PHP end As simple as this, the most important thing here is Open_basedir and Disable_functions, the 2 of them, the security promotion is quite significant.

Below say MySQL, say MySQL before adding

Do not use the system administrator user, or root to run MySQL

Windows Services default execution user permissions are high. Oh, SYSTEM

Linux is the root user

Run PHP MySQL as an administrator, but the MySQL permissions set improperly fall, then his webshell can be your system root identity

So MySQL first thing to put the run user check under

Be sure to run as a normal user, and then clean up the MySQL users, in the default installation of MySQL, there are some users do not need the password of the root user, this type of user should be deleted, if you need to remotely use tools to manage MySQL leave a root@%, This machine uses phpMyAdmin to leave a root@localhost of course other users you build do not delete. MySQL user rights can be set very fine root@localhost is the root user can only log on this machine root please note, do not give any Web applications, their own management use on the line, look tight. Then for each Web application note that each

Create a separate MySQL account

And the datebase of each Web program is built separately

For example, UC database with XX_UC, MySQL users with Xx_uc

DZ database with Xx_bbs, MySQL users with Xx_bbs

Uch database with Xx_uch, MySQL users with Xx_uch

And then this several MySQL XX_UC bbs uch users remember not to give global permissions to globals privileges

Not one.

Just like Root.

There should be a place to set user permissions, manage privileges

XX_UC BBS uch Each user chooses the database for

XX_UC Choose Xx_uc BBS on the election BBS Uch choose Uch

Remember, only select Insert Update delete Create DROP index ALTER permission

In fact, the general program only need select Insert Update Delete, the forum program may be used in some background operation to create DROP index alter, like strict webmaster can be needed when open create drop index Alter so even if there is an injection loophole, then he can only take to change the contents of the current database. There is also a proposal not to use DZ default cdb_ uc_ uch_ prefix, using these defaults are public prefixes, hack come in and guess what the name of your user table is, and then update the password, you get your administrator, MySQL's basic is so, the key to each individual user Permissions to minimize the setting, if you do some of the calling program, it can only give a SELECT permissions of the MySQL user on the line. Minor changes in the final procedure. For example, use DZ Webmaster to change admincp.php file name.

Only need to follow a few templates on the line does not affect background use. But it's a lot safer. Want to change this file, that the last DZ was black, backstage style that loophole can not be used, direct immunization, people took the administrator can not go backstage, how safe. Finally summed up a word, safe to do well, even if the program has loopholes, hack also have no way to use, even if hack exploited the loophole, then he can not upload webshell, even if hack upload Webshell, then he also can not get system permissions, even if the hack got the system permissions, He's not going to be there either. Server.

Well, that's it for today, thank you.

Interactive links

Q: Is there any need to pay attention to the environment with software?

A: I do not know if this software building is not referring to the kind of integration test installed directly by apache+mysql+php This software, in fact, the security configuration of this software and the installation of a separate and no difference, are the same method.

Q: The site, divided into many systems, there is a PHP development and ASP development, but also share some information (such as integration of a login, and so on) will not be in the security of a big problem? Thank you.

A: This hybrid system is usually run using IIS, and I don't know if you are asking whether this ASP and PHP hybrid run under IIS. PHP has just been said, ASP's words are mainly combined with some of the characteristics of ASP to pay attention to prevention, such as the lecture said the independent user settings for the IIS site this is actually an ASP PHP general-purpose, and the ASP site more need to do independent user rights settings, because he did not PHP Open_ Basedir this setting.

Ask; visneticfirewall i just searched the discovery is the registration version, whether can give a safe and reliable free software URL, now we use is antiarp, the feeling function is not strong enough.

A: This software is really need to buy, here is not convenient to open, but you can go to some 0day site search.

Q: "Another relay has a fixed IP address machine, to relay the management of your server." Use port forwarding this method! "In this case, will not one fall, the other is also occupied!

A: Well, there's a slip of the tongue. The port forwarding method should be based on the first step of opening the IP address in a small range.

Special note: 2009.11.7 first Jiangsu Webmaster Annual Meeting 500 of the scale of the current fiery registration, participate in mutual promotion http://2009.jiangsu.com invite webmaster colleagues to participate.

The final summary: This issue of Dragon Fly is a well-known community security experts, especially in the local community Alliance reputation, often enthusiastic for everyone to answer technical problems, by everyone's welcome. This time the Lucky Dragon Warrior to give you the webmaster to explain the related issues of community security, because the participation in the technology is uneven or many stationmaster is not very clear, so need a lot of learning digestion. The profit of the website is always the topic that everybody cares about most, so the next lecture we specially invited in the industry well-known net earn expert to come and you webmaster said personal website How to create the biggest benefit, the absolute classics should not miss the interested stationmaster may participate in the interaction, but if is sends the ad to be free, thanked your support next period to see. Lectures of the main group, live Group is full, new to the webmaster can add 500 Lectures fifth Group: 39463377, we will provide a permanent free public service, but the long-term do not speak of the members are T.

Special Acknowledgements: This lecture received the Chinese stationmaster Station, the ADMIN5 stationmaster net, the laggard, the grassroots net, the Chinese stationmaster, the Chinese construction station, stationmaster China, the Web Development Network, the love gathers, I net, "Stationmaster" magazine, stationmaster Z Weekly, digs the software, Portals, such as a number of well-known webmaster related media support and domestic well-known IDC service Provider Yan Yan Network technical support. This lecture will be published in the above-mentioned webmaster media in the same period, this express special thanks.