Linux PHP website server security hardening and protection methods [Recommended]

  • 2020-11-25 07:47:19
  • OfStack

PHP is widely used in web development, and problems arise when the server-side scripting environment is configured incorrectly. Most web servers today run on Linux (Ubuntu, Debian, etc.).

This article summarizes the security configuration of a PHP website on a Linux server in detail: PHP security, MySQL database security, web server security, and Trojan (webshell) detection and prevention. (If an in-depth security deployment is needed, it is recommended to engage a professional domestic security company such as Sinesafe, Green Alliance or Qiming Star, which are reputable website-security firms.)

PHP security configuration

1. Make sure PHP runs as an unprivileged user, such as www

2. php.ini parameter settings (php.ini comments start with ";")

disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popen,stream_socket_server,fsockopen,phpinfo ; disabled functions (command execution, process control, sockets, information disclosure)

expose_php = off ; do not advertise the PHP version in the X-Powered-By header

display_errors = off ; do not show error messages to visitors (log them instead)

register_globals = off ; do not turn request parameters into global variables (removed entirely in PHP 5.4)

enable_dl = off ; do not allow dl() to load extensions at runtime

allow_url_include = off ; do not allow include/require of remote URLs

session.cookie_httponly = 1 ; session cookie not readable from JavaScript

upload_tmp_dir = /tmp ; explicitly define the upload temp directory

open_basedir = ./:/tmp:/home/wwwroot/ ; restrict the directories PHP may access

Details of the open_basedir parameter

open_basedir confines the user's file access to a specified area, usually the path of their home directory; the symbol "." stands for the current directory. Note that the restriction given by open_basedir is actually a prefix match, not a directory name.

For example, with "open_basedir = /home/wwwroot", both "/home/wwwroot" and "/home/wwwroot1" are accessible. To restrict access to exactly the intended directory, end the path with a slash.

Note:

open_basedir has a large impact on the performance of PHP file I/O. Tests show that a script doing I/O with open_basedir set can run 10 times or more slower than the same script without it. Measure for yourself.

open_basedir can also take several directories at once, separated by a semicolon on Windows and by a colon on every other system. When it is set in the Apache module, an open_basedir path set on a parent directory is inherited automatically.

MySQL security settings

1. Selection of MySQL version

The MySQL 4.1 series is not allowed in a production environment; at least version 5.1.39 is required.

2. Network and port configuration

When the database is only used locally, set the skip-networking parameter so MySQL does not listen on the network at all.

3. Make sure MySQL runs as an unprivileged user such as mysql, and that the data directory is owned by mysql


vi /etc/my.cnf
user = mysql

4. Enable the MySQL binary log. If data is deleted by mistake, it can be restored to a point in time from the binary log


vi /etc/my.cnf
log_bin = mysql-bin
expire_logs_days = 7

5. Authentication and authorization

(1) The root account must not be reachable over the network; only allow root to log in from localhost.


mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;

(2) Delete the anonymous accounts and the accounts with an empty password


mysql> USE mysql;
mysql> DELETE FROM user WHERE User='';
mysql> DELETE FROM user WHERE Password='';
mysql> DELETE FROM db WHERE User='';
-- changes made directly to the grant tables take effect after FLUSH PRIVILEGES

Web server security

Make sure Nginx or Apache runs as an unprivileged user such as www, and that the document root is owned by www

Block requests with suspicious query strings (a crude nginx filter against SQL injection; it supplements, but does not replace, parameterised queries in the application)


if ($query_string ~* ".*[\;'\<\>].*") {
    return 404;
}

Nginx: disable PHP execution in upload directories such as attachments and data


location ~* ^/(attachments|data)/.*\.(php|php5)$ {
    deny all;
}

Apache: disable PHP execution in image and upload directories


# inside the <Directory> block for the upload/image tree, scoped to PHP files
<FilesMatch "\.(php|php5)$">
    Order allow,deny
    Deny from all
</FilesMatch>

Trojan (webshell) hunting and prevention

Quick commands to find PHP Trojans


grep -r --include=*.php '[^a-z]eval($_POST' /home/wwwroot/
grep -r --include=*.php 'file_put_contents(.*$_POST\[.*\]);' /home/wwwroot/

Use find -mtime to list the PHP files modified in the last two days (or within the window in which the Trojan was discovered)


find /home/wwwroot/ -mtime -2 -type f -name \*.php
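The two hunting techniques above (signature grep and mtime search), wrapped into a small audit script as an added example that is not part of the original article. It runs against a constructed fixture tree by default (override WEBROOT to point it at a real document root); the grep patterns are the article's two, widened to GET/REQUEST and to whitespace variants:

```shell
#!/bin/sh
# Added example, not from the original article: audit a web root with the
# article's two techniques, content grep and mtime search.
# WEBROOT defaults to a constructed fixture tree so the script runs offline.

WEBROOT="${WEBROOT:-$(mktemp -d)}"

# Constructed fixture: one clean site, two planted webshell-style files, and a
# config file edited today. Demonstration data only.
make_fixture() {
    mkdir -p "$WEBROOT/site/uploads"
    printf '<?php echo "hello";\n' > "$WEBROOT/site/index.php"
    printf '<?php return ["db" => "x"];\n' > "$WEBROOT/site/config.php"
    printf '<?php @eval($_POST["c"]);\n' > "$WEBROOT/site/uploads/img.php"
    printf '<?php file_put_contents($_POST["f"], $_POST["d"]);\n' > "$WEBROOT/site/uploads/up.php"
    # Backdate index.php (fixed past timestamp, POSIX touch -t) so it falls
    # outside the "modified in the last 2 days" window.
    touch -t 202001010000 "$WEBROOT/site/index.php"
}

# Technique 1: files matching the classic one-liner backdoor signatures.
webshell_candidates() {
    grep -rlE --include='*.php' \
        -e '[^a-zA-Z_]eval[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST)' \
        -e 'file_put_contents[[:space:]]*\(.*\$_(POST|GET|REQUEST)\[' \
        "$WEBROOT" 2>/dev/null
}

# Technique 2: PHP files whose mtime is within the last DAYS days (default 2).
recently_modified_php() {
    days="${1:-2}"
    find "$WEBROOT" -type f -name '*.php' -mtime "-$days"
}

count_lines() { wc -l | tr -d ' '; }
count_webshell_candidates() { webshell_candidates | count_lines; }
count_recent_php() { recently_modified_php "${1:-2}" | count_lines; }

make_fixture
echo "== files matching backdoor signatures =="
webshell_candidates
echo "== PHP files modified in the last 2 days =="
recently_modified_php 2
```

Treat both lists as leads, not verdicts: a file that matches a signature needs to be read, and a recently modified file may simply be a legitimate deployment, so compare the mtime list against your release history.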

Prevention:

1. Apply the measures above, such as disabling the listed PHP functions

2. Tighten directory and file permissions


find /home/wwwroot/www.waitalone.cn -type f -name \*.php -exec chmod 644 {} \;
find /home/wwwroot/www.waitalone.cn -type d -exec chmod 755 {} \;
chown -R www:www /home/wwwroot/www.waitalone.cn

3. To prevent cross-site infection, isolate the virtual host directories from each other

(1) Simple nginx approach

When nginx serves several virtual hosts, the open_basedir setting in php.ini applies to all of them



Note: /home/wwwroot/ is the web root shared by all virtual hosts

A webshell on any one site can therefore reach everything under /home/wwwroot/, so a compromise of one virtual host endangers all of them

For example: the /data/www/wwwroot directory holds 2 virtual hosts

Modify php.ini so that each host gets its own open_basedir



This makes a webshell uploaded to one site unable to reach the other sites' directories.

(2) Apache: controlling cross-directory access

Add to the virtual host configuration file


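The per-host isolation described in (1) and (2), together with the trailing-slash prefix rule from the open_basedir section, as an added example that is not part of the original article. It is a small generator that emits the one directive each server needs per site, assuming PHP runs under php-fpm for nginx (the value is passed as PHP_ADMIN_VALUE through fastcgi_param) and under mod_php for Apache (php_admin_value); the site paths are taken from the article's /data/www/wwwroot example:

```shell
#!/bin/sh
# Added example, not from the original article: emit a per-virtual-host
# open_basedir so each site's PHP can only read its own document root plus
# /tmp (uploads and sessions). Assumes php-fpm behind nginx and mod_php
# under Apache; the site paths are illustrative.

# Normalise a directory into an open_basedir entry. open_basedir matches by
# prefix, so the trailing slash is what stops /data/www/wwwroot/site1 from
# also admitting /data/www/wwwroot/site10.
basedir_entry() {
    case "$1" in
        */) printf '%s' "$1" ;;
        *)  printf '%s/' "$1" ;;
    esac
}

# open_basedir value for one site: its own root, then /tmp/.
open_basedir_for() {
    printf '%s:/tmp/' "$(basedir_entry "$1")"
}

# nginx: belongs inside the site's "location ~ \.php$" block, after the
# usual "include fastcgi_params" so nothing later overrides it.
nginx_php_admin_value() {
    printf 'fastcgi_param PHP_ADMIN_VALUE "open_basedir=%s";\n' "$(open_basedir_for "$1")"
}

# Apache mod_php: belongs inside the site's <VirtualHost>. php_admin_value
# cannot be relaxed again from ini_set() or .htaccess.
apache_php_admin_value() {
    printf 'php_admin_value open_basedir "%s"\n' "$(open_basedir_for "$1")"
}

for site in /data/www/wwwroot/site1 /data/www/wwwroot/site2/; do
    echo "# $site"
    nginx_php_admin_value "$site"
    apache_php_admin_value "$site"
done
```

After reloading the server, confirm the restriction from inside each site with a one-off script that calls file_exists() on a path in the neighbouring site's root; it should return false and log an open_basedir warning.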
