It is obvious that PHP+Mysql+Apache is a very popular web technology. This combination is powerful, scalable, and is still free. However, PHP's default settings are not that suitable for websites that are already online. Below, we can enhance PHP security policy by modifying the default configuration file!
0x01: Disable remote url file processing function
Like fopen's file processing function, which accepts the file's rul parameters (for example: fopen('http://www.yoursite.com','r')).), this function can easily access remote resources. However, this is a very important security threat. Disabling this function to limit file function is a good choice. Make the following modifications in the php.ini file:
The code copy is as follows:
allow_url_fopen = Off
0x02: Disable registration of global variables
In versions before 4.2.0, php used global variables as input. This function is called register_globals. In web applications, it caused many security problems because it allows attackers to easily operate global variables in some cases. Fortunately, the function in 4.2.0 is disabled by default. It is very dangerous. This function must be disabled under any circumstances. If some scripts require this feature, then there is a potential security threat to this script. Modify pnp.ini to disable this function:
The code copy is as follows:
register_globals = Off
0x03: Restricted php's read and write operations
In many web development processes, php scripts need to read and write operations to the local file system, such as /var/www/htdocs/files. In order to enhance security, you can modify the read and write permissions of local files:
The code copy is as follows:
open_basedir = /var/www/htdocs/files
0x04: Posing Limit
Limiting PHP execution time, memory usage, post and upload data is the best strategy, and the following configuration can be made:
The code copy is as follows:
max_execution_time = 30 ; Max script execution time
max_input_time = 60 ; Max time spent parsing input
memory_limit = 16M ; Max memory used by one script
upload_max_filesize = 2M ; Max upload file size
post_max_size = 8M ; Max post size
0x05: Disable error messages and enable logging
In the default settings, php will output an error message to the browser. This default setting is the most reasonable configuration during the application development process. However, it can also leak some security information to the user, such as the installation path and username. In websites that have been developed, it is best to disable the error message and output the error message to the log file.
The code copy is as follows:
display_errors = Off
log_errors = On
0x06: Hide PHP file
If the PHP file is not hidden, we can obtain the version of the server PHP through various methods, for example: http://www.example.com/script.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Obviously, we don't want users to directly get the PHP version of your website server. Fortunately, there is a switch in php.ini that can disable this function:
The code copy is as follows:
expose_php = Off
0x07: Safe Mode Configuration
By default, php can be configured in safe mode. In this mode, Apache prohibits accessing files, environment variables and binary programs. In safe mode, the biggest problem is that only the owner of the file can access this PHP file. If many developers jointly develop this program, such a setting is unrealistic. When you need to access a PHP file, you need to modify the owner of the file. Another problem is that other programs cannot access these PHP files. The following configuration can modify the permissions of the file to a user group rather than a single user.
The code copy is as follows:
safe_mode = Off
safe_mode_gid = On
By enabling safe_mode_gid, you can access PHP files by using this group of Apache. Safe mode is also very effective in preventing binary execution, however, developers want to be able to run some binary files in certain specific situations. In these special cases, you can put the binary file into a directory, for example (/var/www/binaries), and you can make the following settings:
The code copy is as follows:
safe_mode_exec_dir = /var/www/binaries
Finally, through the following settings, you can access the server's environment variables, providing a "_" prefix that can only access environment variables with specified prefixes:
The code copy is as follows:
safe_mode_allowed_env_vars = PHP_
0x08: Restrict public access to files with specific suffix names
Due to security reasons, many files with specific suffix names cannot be accessed by public users. For example, files with .inc suffix contain some sensitive information, such as mysql connection information. If there is no appropriate configuration, then every user can access this configuration file. In order to enhance the security of the website, you need to configure the following in the ..htaccess file:
The code copy is as follows:
<filesmatch>
Order allows,deny
Deny from all
</filesmatch>
0x09: Summary
The default configuration of PHP is for developers. If the website is for a large number of users, it is recommended to reconfigure PHP.