Linux PHP website server security configuration: hardening and protection methods [Recommended]
- 2020-11-25 07:47:19
- OfStack
PHP is widely used in Web development, and problems arise when server-side scripting is configured incorrectly. Today most Web servers run on Linux (Ubuntu, Debian, etc.).
This article summarizes the security configuration of a PHP website on a Linux server in detail: PHP security, MySQL database security, web server security, and Trojan (webshell) detection and prevention. (If an in-depth security deployment is needed, it is recommended to engage a professional domestic security company such as Sinesafe, Green Alliance or Qiming Star, which are well-regarded companies for website security work.)
PHP security configuration
1. Ensure that PHP runs as an ordinary (non-root) user, such as www
2. php.ini parameter settings
disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popen,stream_socket_server,fsockopen,phpinfo ; disabled functions
expose_php = Off ; do not advertise PHP in response headers
display_errors = Off ; do not show error messages to visitors
register_globals = Off ; disable register_globals
enable_dl = Off ; do not allow dl() to load extensions at runtime
allow_url_include = Off ; do not allow include/require of remote files
session.cookie_httponly = 1 ; set the HttpOnly flag on the session cookie
upload_tmp_dir = /tmp ; explicitly define the upload temp directory
open_basedir = ./:/tmp:/home/wwwroot/ ; restrict the directories PHP may access
Details of the open_basedir parameter
open_basedir restricts the files PHP may open to a specified area, usually the user's home directory path, or the symbol "." for the current directory. Note that the restriction specified with open_basedir is actually a string prefix, not a directory name.
For example, with "open_basedir = /home/wwwroot", both "/home/wwwroot" and "/home/wwwroot1" are accessible. To restrict access to only the specified directory, end the path name with a slash.
Note:
open_basedir has a large impact on the I/O performance of PHP. Measurements show that a script running with open_basedir can perform I/O 10 times or more slower than the same script without it. Please measure for yourself.
open_basedir can also list multiple directories at once, separated by a semicolon on Windows and by a colon on any other system. When used in the Apache module, an open_basedir path set on a parent directory is automatically inherited.
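An added example (not from the original article) that models the prefix comparison described above in plain POSIX sh, so the trailing-slash pitfall can be checked without a PHP installation; the function names open_basedir_allows and open_basedir_audit are chosen here.

```shell
#!/bin/sh
# Added example, not from the original article: models PHP's open_basedir
# comparison in plain POSIX sh so the trailing-slash pitfall described above
# can be checked without a PHP installation. Function names are chosen here.

# open_basedir_allows VALUE PATH
# Exit 0 if PATH is allowed under the colon-separated open_basedir VALUE.
# PHP compares each entry as a string prefix, not as a directory name, so an
# entry without a trailing slash also matches sibling directories.
open_basedir_allows() (
    IFS=:
    for entry in $1; do
        case $2 in
            "$entry"*) exit 0 ;;
        esac
    done
    exit 1
)

# open_basedir_audit VALUE
# Prints each entry that neither is "." (the script's own directory) nor ends
# in "/", since such entries leak into sibling directories.
open_basedir_audit() (
    IFS=:
    for entry in $1; do
        case $entry in
            . | */) ;;
            *) printf '%s\n' "$entry" ;;
        esac
    done
)

# The article's example: without the slash, /home/wwwroot1 is reachable.
if open_basedir_allows "/home/wwwroot" "/home/wwwroot1/config.php"; then
    echo "open_basedir=/home/wwwroot also covers /home/wwwroot1"
fi
if ! open_basedir_allows "/home/wwwroot/" "/home/wwwroot1/config.php"; then
    echo "open_basedir=/home/wwwroot/ blocks /home/wwwroot1"
fi
# The php.ini value from the article: /tmp lacks a slash, so /tmpXYZ would match too.
open_basedir_audit "./:/tmp:/home/wwwroot/"
```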
MySQL security settings
1. Selection of MySQL version
The MySQL 4.1 series must not be used in a production environment; at least version 5.1.39 is required.
2. Network and port configuration
Use the bind-address parameter so that the database does not listen on the network when it is only used locally.
3. Ensure that MySQL runs as an ordinary user such as mysql, and make sure the data directory is owned by mysql
vi /etc/my.cnf
user = mysql
4. Enable the MySQL binary log. If data is deleted by mistake, it can be recovered to a point in time from the binary log
vi /etc/my.cnf
log_bin = mysql-bin
expire_logs_days = 7
5. Authentication and authorization
(1) The root account is forbidden to access the database over the network; root is only allowed to log in from localhost.
mysql> grant all privileges on *.* to root@localhost identified by 'password' with grant option;
mysql> flush privileges;
(2) Delete anonymous accounts and accounts with empty passwords
mysql> USE mysql;
mysql> delete from user where User='';
mysql> delete from user where Password='';
mysql> delete from db where User='';
Web server security
Ensure that Nginx or Apache runs as an ordinary user such as www, and make sure the web directories are owned by www
Filter query strings containing characters commonly used in SQL injection (nginx)
if ($query_string ~* ".*[\;'\<\>].*") {
    return 404;
}
Disable PHP execution in upload directories such as data (nginx)
location ~* ^/(attachments|data)/.*\.(php|php5)$ {
    deny all;
}
Apache: disable PHP execution in image/upload directories (place inside the <Directory> block for that directory)
<FilesMatch "\.(php|php5)$">
    Order allow,deny
    Deny from all
</FilesMatch>
Trojan detection and prevention
Quick commands for finding PHP Trojans (webshells)
grep -r --include=*.php '[^a-z]eval($_POST' /home/wwwroot/
grep -r --include=*.php 'file_put_contents(.*$_POST\[.*\]);' /home/wwwroot/
Use find with -mtime to list the PHP files modified in the last two days, or during the period in which the Trojan was discovered
find /home/wwwroot/ -mtime -2 -type f -name \*.php
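The grep and find checks above combined into one scan function and run over a constructed sample webroot, as an added example that is not part of the original article; it assumes GNU grep and find, and scan_webshells is a name chosen here.

```shell
#!/bin/sh
# Added example, not from the original article: wraps the article's grep and
# find checks in one function and runs it against constructed sample files.
# Assumes GNU grep and find (for --include and -mtime as used in the text).

# scan_webshells WEBROOT [DAYS]
# Prints "pattern:<file>" for PHP files matching the article's two webshell
# signatures and "recent:<file>" for PHP files modified within DAYS days.
scan_webshells() {
    root=$1
    days=${2:-2}
    # Signature 1: eval() fed directly from POST data.
    # Signature 2: file_put_contents() writing attacker-supplied POST content.
    grep -rl --include='*.php' \
        -e '[^a-z]eval($_POST' \
        -e 'file_put_contents(.*$_POST\[.*\]);' "$root" 2>/dev/null \
        | sed 's/^/pattern:/'
    # Recently changed PHP files deserve a manual look even without a match.
    find "$root" -mtime "-$days" -type f -name '*.php' | sed 's/^/recent:/'
}

# Constructed sample webroot: one old benign file and one planted file that
# contains the eval($_POST signature, the way a dropped webshell would.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/data"
printf '<?php echo "hello"; ?>\n' > "$demo_root/index.php"
printf '<?php eval($_POST["x"]); ?>\n' > "$demo_root/data/cache.php"
touch -t 202001010000 "$demo_root/index.php"   # make the benign file old

scan_webshells "$demo_root"
# Expected: two lines, both naming data/cache.php (pattern: and recent:).
rm -rf "$demo_root"
```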
Prevention:
1. Apply the security measures above, such as disabling the relevant PHP functions
2. Fix directory and file permissions
find -type f -name \*.php -exec chmod 644 {} \;
find -type d -exec chmod 755 {} \;
chown -R www:www /home/wwwroot/www.waitalone.cn
3. To prevent cross-site infection, isolate the directories of the virtual hosts
(1) Simple implementation with nginx
When nginx serves multiple virtual hosts, use the open_basedir setting of php.ini
Note: /home/wwwroot/ is the web root path for all virtual hosts
A webshell on any one site can reach every location under /home/wwwroot/, so the damage to each virtual host is very large
For example: the /data/www/wwwroot directory holds 2 virtual hosts
Modify php.ini
This makes user uploads of webshell inaccessible across directories.
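One way to give each nginx virtual host its own open_basedir, as an added example that is not the article's own configuration: it assumes PHP runs under php-fpm, which accepts PHP_ADMIN_VALUE via fastcgi_param; the /home/wwwroot/ layout and www.waitalone.cn come from the article, while the second site name, the socket path and the function names vhost_basedir and vhost_php_location are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the original article: builds a per-virtual-host
# open_basedir for nginx with php-fpm. Assumes PHP runs under php-fpm, which
# accepts PHP_ADMIN_VALUE via fastcgi_param; the /home/wwwroot/ layout and
# www.waitalone.cn come from the article, the second site name and the
# fastcgi socket path are placeholders.

# vhost_basedir WEBROOT
# Prints "WEBROOT/:/tmp/" with exactly one trailing slash on the webroot, so
# the prefix rule from the open_basedir section cannot reach a sibling site.
vhost_basedir() {
    root=${1%/}
    case $root in
        /?*) printf '%s/:/tmp/\n' "$root" ;;
        *)   printf 'error: webroot must be an absolute path: %s\n' "$1" >&2
             return 1 ;;
    esac
}

# vhost_php_location WEBROOT
# Prints the nginx location block that confines that site's PHP scripts.
# PHP_ADMIN_VALUE, unlike PHP_VALUE, cannot be undone by ini_set() in a script.
vhost_php_location() {
    basedir=$(vhost_basedir "$1") || return 1
    cat <<EOF
    location ~ \.php\$ {
        fastcgi_pass unix:/run/php-fpm/www.sock;   # placeholder socket path
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$basedir";
    }
EOF
}

# Each site under /home/wwwroot/ gets a basedir that covers only its own root.
for site in www.waitalone.cn second-site.example; do
    echo "server {  # $site"
    echo "    root /home/wwwroot/$site;"
    vhost_php_location "/home/wwwroot/$site"
    echo "}"
done
```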
(2) Implementation with Apache to control cross-directory access
Add the directives to the virtual host configuration file
Conclusion