Shulou(Shulou.com)06/01 Report--

Today, I will talk to you about the key points of Linux security that must be known to PHP administrators, which may not be well understood by many people. in order to make you understand better, the editor has summarized the following contents for you. I hope you can get something according to this article.

PHP is one of the most widely used scripting languages. Market share shows its dominant position. The fact that PHP 7 has been launched makes this programming language more attractive to current developers. Despite some changes, many developers are skeptical about the future of PHP. One reason is the security of PHP.

The security of PHP is a major concern for developers. Although PHP provides reliable security from the inside out, these security mechanisms need to be properly implemented by developers. In this article, we will introduce several PHP security points to Linux administrators. These key points will help you secure your Web application and make sure it works properly in the long run.

Before we begin, it is necessary to know the system we are dealing with. For demonstration purposes, we use Fedora. However, these points should apply to the Ubuntu version or any other Linux distribution. Check the user manual of your operating system distribution for more information.

Take a closer look at several key files in our system environment. Your files should be similar to or correspond to the following:

Default Web server: Apache

DocumentRoot:/var/www/html

PHP configuration file: / etc/php.ini

Extended configuration directory: / etc/php.d/

Security file: / etc/php.d/security.ini

These tips will protect your site from different types of common attacks, such as SQL injection, XSS, cross-site request forgery, eval (), and file upload. You can view a list of common attacks here (https://www.sitepoint.com/top-10-php-security-vulnerabilities/)).

1. Delete unnecessary modules

PHP comes with a built-in PHP module. They are useful for many tasks, but not every project needs them. You can view the available PHP modules simply by entering the following command:

# php-m

Once you have checked the list, you can now delete unnecessary modules. Reducing the number of modules can help improve the performance and security of the Web applications you are dealing with.

two。 Limit PHP information disclosure

It is common for platforms to disclose key information. For example, PHP will disclose some information, such as the version and the fact that it is installed on the server. This can be done through the expose_php command. To prevent leakage, you need to set the command to off in / etc/php.d/security.ini.

Expose_php=Off

If you need to know the version and its status, you can get this information by running a simple Curl command against the site address.

Curl-I http://www.livecoding.tv/index.php

The previous command returns the following information:

HTTP/1.1 200 OK

X-Powered-By: PHP/7.0.10

Content-type: text/html; charset=UTF-8

3. Disable remote code execution

Remote code execution is one of the common security vulnerabilities in PHP security systems. By default, remote code execution is enabled on your system. The "allow_url_fopen" command allows functions such as request (require), including (include) or URL-aware fopen wrappers to access PHP files directly. Remote access is achieved by using HTTP or FTP protocols, resulting in the system's inability to defend against code injection security vulnerabilities.

To ensure that your system is safe and reliable and away from remote code execution, you can set the command to "Off" as follows:

Allow_url_fopen=Off

Allow_url_include=Off

4. Log PHP errors

Another simple way to enhance the security of Web applications is not to show errors to visitors. This will ensure that hackers cannot compromise the security of the website at all. It needs to be edited in the / etc/php.d/security.ini file.

Display_errors=Off

Now you might think: after completing this step, "how can developers debug without error messages?" Developers can use the log_errors command for debugging. They just need to set the log_errors command to "On" in the security.ini file.

Log_errors=On

Error_log=/var/log/httpd/php_scripts_error.log

5. Reasonable control of resources

In order to ensure the security of the application, it is important to control resources. To ensure proper execution and security, you need to restrict the execution of PHP scripts. In addition, you should limit the time spent parsing request data. If the execution time is controlled, other resources such as the memory used by the script should also be configured accordingly. All of these metrics can be managed by editing the security.ini file.

# set in seconds

Max_execution_time = 25

Max_input_time = 25

Memory_limit = 30m

6. Disable the dangerous PHP function

PHP comes with utility functions for development, but there are also a large number of functions that can be used by hackers to break into Web applications. Disabling these functions improves overall security and ensures that you are not affected by dangerous PHP functions.

To do this, you first need to edit the php.ini file. Once you enter the file, find the disable_functions command and disable the dangerous functions in it. To do this, you just copy / paste the following code.

Disable_functions = exec,passthru

Shell_exec,system,proc_open,popen,curl_exec

Curl_multi_exec,parse_ini_file,show_source

You can learn more about disabling dangerous PHP functions here (https://www.eukhost.com/blog/webhosting/dangerous-php-functions-must-be-disabled/)).

7. Upload files

If your application does not need to upload any files, disabling the ability to upload files can help improve security. To prevent users from uploading files, simply edit the security.ini file in the / etc/php.d/ directory and set the file_uploads command to OFF.

File_uploads=Off

8. Keep the version up to date

Developers are working around the clock at 24max 7 to patch the technology you use. It's the same with PHP. Because it has an open source community, patches and fixes are released regularly. The update also provides security patches for first-day vulnerabilities and other security vulnerabilities. If you focus on the security of your application, always make sure that your PHP solution is up to date. In addition, the latest patches to other related technologies can ensure maximum security.

9. Control file system access

By default, PHP can use functions such as fopen () to access files. The open_basedir command provides access. First, always set the open_basedir command to the / var/www/html directory. Setting it to any other directory can cause security problems.

Open_basedir= "/ var/www/html/"

10. Control POST size

Our last PHP security point is to control the POST size function. The HTTP POST function uses the client's browser to send data to the Web server. For example, a user might upload a certificate and send it to a Web browser for processing. Everything went smoothly until one day the hacker tried to send huge files to deplete the server resources. This is likely to cause the server to crash or slow to respond. To protect the server from this vulnerability, you need to set the POST size. The POST size can be set in the / etc/php.d/security.ini file.

Post_max_size=1k

Concluding remarks

Security is one of the most concerned issues for Web developers and Linux administrators. If you take the above points, you will certainly be able to enhance the security of your development environment and PHP Web applications. If you think we are missing something important, you are welcome to leave a message to add.

After reading the above, do you have any further understanding of Linux security points that must be known to PHP administrators? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.