How to reinforce and protect the Security configuration of PHP website Server under Linux

2025-01-16 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

This article shows how to strengthen the security configuration of PHP servers under Linux. The editor considers it very practical and shares it here for reference.

PHP is widely used in all kinds of Web development, and a misconfigured server-side script environment leads to all sorts of problems. Today most Web servers run on Linux (Ubuntu, Debian and so on).

This article summarizes the security configuration of a PHP website on a Linux server: PHP settings, MySQL database security, web server security, and Trojan (webshell) detection and prevention. (If you need in-depth security deployment, it is recommended to turn to domestic companies specializing in security, such as Sinesafe, Green Alliance and Qiming Star, which are all good professional website security companies.)

PHP security configuration

1. Make sure the user running PHP is an unprivileged (non-root) user, such as www.

2. php.ini parameter settings

    ; php.ini (comments in php.ini start with ";", not "#")
    disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popen,stream_socket_server,fsockopen,phpinfo
    expose_php = Off            ; do not reveal the PHP version in response headers
    display_errors = Off        ; do not show error messages to visitors
    register_globals = Off      ; no request data as globals (directive removed in PHP 5.4)
    enable_dl = Off             ; calls to dl() are not allowed
    allow_url_include = Off     ; no include/require of remote URLs
    session.cookie_httponly = 1 ; session cookie is not readable from JavaScript
    upload_tmp_dir = /tmp       ; explicitly define the upload directory
    open_basedir = ./:/tmp:/home/wwwroot/ ; restrict the files scripts may access

Detailed explanation of the open_basedir parameter

open_basedir limits the files a script may access to a specified area, usually the path of the site's own directory, or "." to denote the current directory. Note that the restriction specified with open_basedir is actually a prefix, not a directory name.

For example, if open_basedir = /home/wwwroot, then both /home/wwwroot and /home/wwwroot1 are accessible. If you want to restrict access to only the specified directory, end the path name with a slash.

Note:

According to figures found online, open_basedir has a large impact on the performance of PHP I/O operations: scripts doing I/O with open_basedir configured were measured to run 10 times or more slower than without it. Measure it yourself.

open_basedir can also list several directories at once, separated by semicolons on Windows and by colons on every other system. When used as an Apache module, the open_basedir setting of the parent directory is automatically inherited.
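To make the prefix rule and the trailing-slash advice concrete, here is an added Python emulation of the open_basedir decision (it is not PHP's own code and not part of the original article). It resolves "." and ".." lexically but, unlike PHP, does not follow symlinks; prefix_semantics=True models the prefix rule described above, and prefix_semantics=False models the directory-name rule that PHP applies since 5.2.16/5.3.4, so the trailing slash is what makes a setting safe under both.

```python
import os.path


def _resolve(path: str, cwd: str) -> str:
    # Make the path absolute and collapse "." and ".." lexically. Real PHP
    # also follows symlinks via realpath(); skipped here so this runs offline.
    return os.path.normpath(os.path.join(cwd, path))


def allowed_by_open_basedir(path: str, open_basedir: str, cwd: str = "/",
                            prefix_semantics: bool = True) -> bool:
    """Emulate whether open_basedir lets a script open `path`.

    open_basedir is a colon-separated list; "." means the working directory.
    prefix_semantics=True: an entry without a trailing "/" is a bare string
    prefix, so "/home/wwwroot" also admits "/home/wwwroot1" (the rule the
    article describes, PHP before 5.2.16 / 5.3.4).
    prefix_semantics=False: every entry is a directory name (newer PHP).
    """
    target = _resolve(path, cwd)
    for entry in filter(None, open_basedir.split(":")):
        base = _resolve(entry, cwd)
        # Directory match: the directory itself or anything below it.
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
        # Bare prefix match: only under the old semantics, and only when the
        # administrator did not terminate the entry with a slash.
        if prefix_semantics and not entry.endswith("/") and target.startswith(base):
            return True
    return False


if __name__ == "__main__":
    site = "/home/wwwroot/www.sinesafe.com"   # assumed working directory of the script
    cases = [
        ("/home/wwwroot/index.php", "/home/wwwroot"),
        ("/home/wwwroot1/x.php", "/home/wwwroot"),      # leaks under the prefix rule
        ("/home/wwwroot1/x.php", "/home/wwwroot/"),     # closed by the trailing slash
        ("/home/wwwroot/../../etc/passwd", "./:/tmp:/home/wwwroot/"),
    ]
    for p, ob in cases:
        print(f"{p:34} open_basedir={ob:28} prefix={allowed_by_open_basedir(p, ob, site)}"
              f" directory={allowed_by_open_basedir(p, ob, site, prefix_semantics=False)}")
```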

MySQL Security Settings

1. MySQL version

In a production environment the MySQL 4.1 series must not be used; at least version 5.1.39 is required.

2. Network and port configuration

Use the --skip-networking option so that MySQL does not listen on the network when the database is only needed locally.

3. Make sure the user running MySQL is an unprivileged user such as mysql, and that the data directory is owned by mysql.

    # vi /etc/my.cnf
    [mysqld]
    user = mysql

4. Enable the MySQL binary log. If data is deleted by mistake, it can be recovered to a point in time from the binary log.

    # vi /etc/my.cnf
    [mysqld]
    log_bin = mysql-bin
    expire_logs_days = 7

5. Authentication and authorization

(1) The root account may not connect over the network; it is only allowed to log in from the local host.

    mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
    mysql> FLUSH PRIVILEGES;

(2) Delete anonymous accounts and accounts with an empty password

    mysql> USE mysql;
    mysql> DELETE FROM user WHERE User='';
    mysql> DELETE FROM user WHERE Password='';
    mysql> DELETE FROM db WHERE User='';
    mysql> FLUSH PRIVILEGES;   -- needed because the grant tables were edited directly

Web server security

Make sure the user running Nginx or Apache is an unprivileged user such as www, and that the web root directory is owned by www.

Prevent SQL injection (nginx: reject requests whose query string contains these characters)

    # in the server block
    if ($query_string ~* ".*[\;'\<\>].*") { return 404; }

This is only a coarse filter on a few characters in the query string; it does not replace prepared statements in the PHP code.

Turn off PHP parsing in directories that hold uploaded data (nginx)

    # must come before the generic "\.php$" location, since regex locations are matched in order
    location ~* ^/(attachments|data)/.*\.(php|php5)$ { deny all; }

For Apache: turn off PHP parsing in the image directory, /upload and similar directories

    # Apache 2.2 syntax; place inside a <Directory "/path/to/upload"> block of the
    # virtual host (or in that directory's .htaccess). Apache 2.4: Require all denied
    Order allow,deny
    Deny from all

Detection and prevention of Trojans

Quick commands to find PHP Trojans (webshells)

    grep -r --include='*.php' '[^a-z]eval($_POST' /home/wwwroot/
    grep -r --include='*.php' 'file_put_contents(.*$_POST\[.*\]);' /home/wwwroot/

Use find -mtime to list the PHP files modified in the last two days, for example when a Trojan has just been found.

    find /home/wwwroot/ -mtime -2 -type f -name '*.php'
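As an added example (not from the original article), the following Python script applies the same two content indicators and the two-day modification window to a constructed sample web root; the sample files, the temp directory and the reason labels are this example's own.

```python
import os, re, tempfile, time

# The two grep indicators from above as regexes; (?<![a-z]) is a lookbehind,
# so unlike grep's [^a-z] it also fires when eval( starts the line.
WEBSHELL_PATTERNS = {
    "eval_post": re.compile(r"(?<![a-z])eval\(\$_POST"),
    "write_post": re.compile(r"file_put_contents\(.*\$_POST\[.*\]\);"),
}


def scan_webroot(root, recent_days=2):
    """Map each suspicious .php file (relative to root) to a list of reasons."""
    cutoff = time.time() - recent_days * 86400
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            reasons = []
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    reasons += [f"{label}@{lineno}" for label, pat in
                                WEBSHELL_PATTERNS.items() if pat.search(line)]
            # Mirrors "find -mtime -2": report recent files even without a hit.
            if os.stat(full).st_mtime >= cutoff:
                reasons.append("recently_modified")
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_webroot():
    """Constructed sample web root in a temp dir (made-up files, not a real site)."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    samples = {
        "index.php": "<?php echo 'hello';\n",
        "data/x.php": "<?php @eval($_POST['pass']);\n",
        "attachments/u.php": "<?php file_put_contents($_GET['f'], $_POST['c']);\n",
        "lib/old.php": "<?php function f($x) { return $x; }\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    old = time.time() - 10 * 86400          # make lib/old.php look untouched
    os.utime(os.path.join(root, "lib/old.php"), (old, old))
    return root
```

Running scan_webroot(build_sample_webroot()) flags data/x.php and attachments/u.php by content, index.php only as recently modified, and leaves lib/old.php out.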

Prevention:

1. Apply the measures above, such as disabling the relevant PHP functions.

2. Change directory and file permissions

    find /home/wwwroot/www.waitalone.cn -type f -name '*.php' -exec chmod 644 {} \;
    find /home/wwwroot/www.waitalone.cn -type d -exec chmod 755 {} \;
    chown -R www:www /home/wwwroot/www.waitalone.cn

3. To prevent cross-site infection, the virtual-host directories must be isolated from one another.

(1) Simple implementation with nginx

When nginx runs several virtual hosts, the customary open_basedir setting in php.ini is:

    open_basedir = ./:/tmp:/home/wwwroot/

Note: /home/wwwroot/ is the web path under which all virtual hosts are placed.

A webshell uploaded to any one site can then reach anywhere under /home/wwwroot/, which puts every virtual host on the server at risk.

For example, with two virtual hosts in the /data/www/wwwroot directory, modify php.ini:

    ; trailing slashes, following the prefix rule explained above
    open_basedir = ./:/tmp:/home/wwwroot/www.sinesafe.com/:/home/wwwroot/back.sinesafe.com/

This way a webshell uploaded to one site cannot roam across directories outside this list.

(2) Controlling cross-directory access in Apache

Add to the virtual host configuration:

    # trailing slash, following the prefix rule explained above
    php_admin_value open_basedir "/tmp:/home/wwwroot/www.sinesafe.com/"
