The security of PHP
is a major concern for developers. While PHP
provides reliable security from the inside out, it is up to the developer to properly implement these security mechanisms. In this article, we will introduce a few PHP
security points for Linux administrators. These points will help you secure your web application and ensure it works in the long run.
Before we start, it is necessary to understand the system we are dealing with. For the purposes of the demo, we use Fedora. However, these points should apply to the Ubuntu version or any other Linux distribution. See the manual for your OS
distribution for more information.
Look carefully at a few key files in our system environment. Your file should be similar or correspond to the following:
These tips will protect your site from different types of common attacks such as SQL injection, XSS, cross-site request forgery attacks, eval() and file uploads.
1. Remove unnecessary modules.
PHP comes with a built-in PHP module. They are useful for many tasks, but not every project requires them. Just enter the following command to see the available PHP modules:
# php – m
Once you have looked at the list, you can now remove unnecessary modules. Reducing the number of modules helps improve the performance and security of the web applications you are working with.
2. Limit PHP information disclosure.
Private leaking key information is commonplace. For example, PHP leaks some information, such as the version and the fact that it is installed on the server. This can be done with the expose_php command. To prevent leaks, you need to set this command to off in /etc/php.d/security.ini.
expose_php=Off
If you need to know the version and its status, just run a simple Curl command against the website address to get this information.
Curl – I http://www.livecoding.tv/index.php
The previous command will return the following information:
HTTP/1.1 200 OK
X- Powered-By: PHP/7.0.10
Content-type: text/html; charset=UTF-8
3. Disable remote code execution.
Remote code execution is one of the common security holes in the PHP security system. By default, remote code execution is enabled on your system. The "allow_url_fopen" command allows functions such as require, include or identifiable URLs to access PHP files directly. Remote access is achieved through the use of HTTP or FTP protocols, which can result in the system being unable to defend against code injection security vulnerabilities.
To ensure that your system is secure and remote from remote code execution, you can set this command to “Off” as follows:
Allow_url_fopen=Off
allow_url_include=Off
4. Log PHP errors.
Another easy way to enhance the security of your web application is to not display errors to visitors. This will ensure that hackers simply cannot compromise the security of the site. Need to edit in the /etc/php.d/security.ini file.
display_errors=Off
You may now think: After completing this step, "developers can debug with the help of no error message?" Developers can use the log_errors command to use For debugging. They only need to set the log_errors command to “On” in the security.ini file.
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
5. Reasonable control of resources.
Controlling resources is important to ensure application security. To ensure proper execution and security, you have to limit the execution of PHP scripts. In addition, you should limit the time spent parsing the request data. If the execution time is controlled, other resources such as memory used by the script should also be configured accordingly. All of these metrics can be managed by editing the security.ini file.
# set in seconds
max_execution_time = 25
max_input_time = 25
memory_limit = 30M
6. Disable dangerous PHP functions
PHP comes with Useful functions for development, but there are also a large number of functions that hackers can use to break into web applications. Disabling these functions can improve overall security and ensure that you are not affected by dangerous PHP functions.
To do this, you must first edit the php.ini file. Once inside the file, find the disable_functions command and disable the dangerous function inside. To do this, just copy/paste the following code.
disable_functions =exec,passthru,
shell_exec,system,proc_open,popen,curl_exec,
curl_multi_exec,parse_ini_file,show_source
7. Upload files.
If your app doesn't need to upload any files, disabling the ability to upload files can help improve security. To prevent users from uploading files, just edit the security.ini file in the /etc/php.d/directory and set the file_uploads command to OFF.
file_uploads=Off
8. Keep the version up to date.
The developer works 24/7 and patches the technology you use. The same is true for PHP. Since it has an open source community, patches and fixes are released regularly. The updated version also provides security patches for first-day vulnerabilities and other security vulnerabilities. If you focus on the security of your application, always make sure your PHP solution is up to date. In addition, the latest patches for other related technologies ensure maximum security.
9. Control file system access.
By default, PHP can access files using functions such as fopen(). The open_basedir command provides access. First, always set the open_basedir command to the /var/www/html directory. Setting it to any other directory can cause security problems.
open_basedir=“/var/www/html/”
10. Control POST size.
Our last PHP security point is to control the POST size function. The HTTP POST function uses the client's browser to send data to the web server. For example, a user might upload a certificate and send it to a web browser for processing. Everything runs smoothly until one day the hacker attempts to send huge files to exhaust server resources. This is likely to cause the server to crash or respond slowly. In order to protect the server from this vulnerability, you need to set the POST size. The POST size can be set in the /etc/php.d/security.ini file.
post_max_size=1k
Conclusion
Security is one of the most concerned issues for web developers and Linux administrators. If you take the above points, you are bound to strengthen the security of the development environment and PHP web applications. If you think we have missed important content, please leave a message to add
First install CentOS6 to install rp-pppoe this software, the previous version of centos is installed
With the increasing use of Linux, there are a large number of network servers using the Linux operat
When we write the shell, there will be such a scene: For example: I want to back up the passwd fil
Devil-Linux is a special Linux distribution for firewalls and routers. The goal of Devil-Linux is to
Linux domain name resolution function gethostbyname and getaddrinfo
20 years of glory, forensic growth of SUSE and Linux
Pre-installed Linux system models, problem solving for installing XP system
Linux shell time calculation and time difference calculation method
8 tips to make you a super Linux end user
Linux will unify the rivers and lakes
Linux partition knowledge and partition of large disk
Analysis of PCB software tools under Linux
More effective management Five cool Linux command line tricks
Linux network programming - complete read and write functions
How to install bt5 - bt5 combat installation tutorial under windows8 system
New gameplay in the address bar! See how xp changes the address bar font
Thoroughly give your system a slim body (a)
How to complete a comprehensive defragmentation in XP
What should I do if I use the Win8 app store to download the app?
Win10 system interface returns to traditional style method
How to restore after Windows8 system update driver
How does Win10 prohibit the annoying prompt box that pops up when opening a new app
Tips for using Thunder/Express downloads under Windows 7 sleep state