Linux server security configuration details for PHPCMS v9

  • 2020-05-13 04:04:53
  • OfStack

1. Directory permission settings are very important: they effectively prevent hackers from uploading Trojan (web shell) files.

If you run chmod 644 * -R, directories lose their execute (traverse) bit and the web server can no longer reach the PHP files.
If you run chmod 755 * -R, every PHP file becomes executable, which is more permission than it needs.
So directory permissions and file permissions must be set separately.
Frequently used Linux server permission commands:

find /path -type f -exec chmod 644 {} \;   # set file permissions to 644
find /path -type d -exec chmod 755 {} \;   # set directory permissions to 755
Once that is done, change the owner of the directories and files to root with the command chown root:root * -R.
This is much safer, because the web server user can then read the site files but not modify them (directories PHPCMS itself must write to, such as its upload and cache directories, still need to be writable by the web server user).
If you use an FTP client, make sure the host is Linux; on Windows you need to log in to the server to set this up.
Go to the PHPCMS installation root and select all files:
Set the numeric value to 755, tick "recurse into subdirectories", and apply it only to directories.
Select all files again, set the numeric value to 644, tick "recurse into subdirectories", and apply it only to files.
If you get it wrong, just set it again.

2. Use the Linux find command to look for suspicious Trojan files

Find files modified within the last 30 days:
find ./ -mtime -30 -type f -exec ls -l {} \;
Find all txt files in the directory:
find ./ -name "*.txt" -print
Find all txt files in the directory and delete them:
find ./ -name "*.txt" -exec rm -rf {} \;
Find all php files in the directory modified within the last 30 days:
find ./ -name "*.php" -mtime -30 -type f -exec ls -l {} \;
Find all php files in the directory modified within the last 30 days but more than 1 day ago:
find ./ -name "*.php" -mtime -30 -mtime +1 -type f -exec ls -l {} \;
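As an added example (not from the original article) that covers both the split permission setting in section 1 and the find-based checks in section 2, the following POSIX shell functions apply 755/644 below a web root, count entries whose mode still differs, and list PHP files modified inside a time window; the web root path passed as the first argument is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed layout: the
# PHPCMS root is passed as the first argument (e.g. /data/wwwroot/www).

# Section 1: directories 755, files 644, set separately so that
# directories stay traversable while files are not executable.
harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
}

# Check helper: number of entries of type $2 (f or d) under $1 whose
# mode is not exactly $3. Zero means the hardening took effect.
count_bad_modes() {
    find "$1" -type "$2" ! -perm "$3" | wc -l | tr -d ' '
}

# Section 2: PHP files modified within the last $2 days but not in the
# last two days (find truncates ages to whole days, so -mtime +1 means
# at least two days old), the article's -mtime -30 -mtime +1 pattern.
recent_php() {
    find "$1" -name '*.php' -type f -mtime "-$2" -mtime +1
}

# Stand-alone usage: harden the tree, then report what changed recently.
if [ -n "$1" ]; then
    harden_perms "$1"
    echo "files not 644: $(count_bad_modes "$1" f 644)"
    echo "dirs not 755:  $(count_bad_modes "$1" d 755)"
    recent_php "$1" 30
fi
```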

3. Restrictions through Apache configuration:

1. Disable PHP execution under Apache

Limit permissions by placing an .htaccess file in the directory.
With the PHP engine off, a .php file is served as a plain file (downloaded as an attachment) instead of being executed, while the other files in the directory remain accessible through a browser. php_flag is a mod_php directive (and needs AllowOverride Options, as in the virtual host sample below); it is not available when PHP runs through PHP-FPM.


php_flag engine off

Usage scenario: place it in the following directories:


\uploadfile\
\statics\
\html\
\phpsso_server\uploadfile\
\phpsso_server\statics\

2. Deny browser access to all files in a directory

Limit permissions by placing an .htaccess file in the directory (this needs mod_rewrite and AllowOverride FileInfo); every request is rewritten to /index.html:
RewriteEngine on
RewriteRule ^(.*) /index.html
Usage scenarios: place it in the following directories:
\caches\
\phpsso_server\caches\

3. Prevent PHP from reading outside the site directory (open_basedir):

Virtual host configuration sample (Apache 2.2 access syntax; on Apache 2.4 replace the Order/Allow lines with Require all granted):


<VirtualHost *:80>
ServerAdmin root@phpip.com
DocumentRoot /data/wwwroot/www
ServerName www.phpip.com
<Directory /data/wwwroot/www>
Options FollowSymLinks
AllowOverride Options FileInfo
Order allow,deny
Allow from all
php_admin_value open_basedir /data/wwwroot/www/:/var/tmp/
DirectoryIndex index.htm index.html index.php
</Directory>
ErrorLog "| /usr/sbin/rotatelogs /data/logs/%m_%d_www.phpip.com-error_log 86400 480"
CustomLog "| /usr/sbin/rotatelogs /data/logs/%m_%d_www.phpip.com-access_log 86400 480" common
</VirtualHost>

4. Store Apache logs by day:

Refer to the configuration file above: rotatelogs opens a new log file every 86400 seconds (one day), the trailing 480 is the offset in minutes from UTC (UTC+8) used when computing the rotation boundary, and %m_%d in the file name becomes the month and day.


ErrorLog "| /usr/sbin/rotatelogs /data/logs/%m_%d_www.phpip.com-error_log 86400 480"
CustomLog "| /usr/sbin/rotatelogs /data/logs/%m_%d_www.phpip.com-access_log 86400 480" common
