Security hardening setup experience in an LNMP PHP environment


Sites that used to run on LAMP are moving to LNMP. I have run LNMP in production for many years and am happy to share the PHP security configuration I have accumulated for LNMP sites over that time. I will cover LAMP security separately; in practice about 80% of the content is the same. The focus here is the PHP security configuration.

1. Use open_basedir to restrict each virtual host to its own directories

[HOST=www.45it.com]
open_basedir=/data/site/www.45it.com/:/tmp/

[HOST=test.45it.com]
open_basedir=/data/site/test.45it.com/:/tmp/

With this configuration, PHP code on www.45it.com can only open files under the two directories listed in its open_basedir and nothing else. Without it, the programs on test.45it.com and www.45it.com can read each other's files: if one site has a vulnerability and an attacker plants a webshell there, they can use that site to take over the other sites on the same server, and in the end every site gets backdoored.

[warning] Note: each directory must end with a /. open_basedir matches by prefix, so if you write /tmp and the server also has /tmp123 or any other directory whose name starts with /tmp, those directories become accessible too. Also, the [HOST=...] section syntax is supported from PHP 5.3; 5.2 does not have it. Keep in mind that open_basedir is enforced by PHP itself, not by the kernel, so it is one layer only: run each site in its own php-fpm pool under its own system user so that ordinary file permissions back it up. [/warning]

2. Disable unsafe PHP functions

disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, proc_get_status, phpinfo

This stops PHP code from calling the functions above. Through them a PHP program can run Linux commands such as ping, netstat or mysql; if the system also has a privilege escalation vulnerability, you can imagine the consequences. disable_functions can only be set in php.ini or a php-fpm pool file and cannot be undone from code with ini_set(), which is what makes it worth setting.

3. Follow security announcements

Keep an eye on advisories for the Linux kernel, PHP and the other components of the stack, and apply fixes promptly.

4. Make the site read-only for the PHP user

This is the method I value most, but it must be agreed with the PHP engineers before you roll it out. Why? Suppose the site directory of www.45it.com is owned by user and group nobody, while PHP runs as user and group phpuser. With directory permissions 755 and file permissions 644, PHP can read the site but cannot write a single file into the site directory. In other words, users cannot upload files into the web root: even if there is a vulnerability, an attacker cannot drop a backdoor there, let alone plant a Trojan. Before doing this, tell the programmers to move file caches into an in-memory store such as memcached or redis, and to send uploaded files through an interface to another server (the static server).

[warning] Note: having the program generate a local file cache is a bad habit. File caching is slow and wastes disk space, and most importantly it stops the application from scaling out across several servers. [/warning]
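As an added example, not from the original article, here is a shell script that applies the permission model of step 4 (directories 755, files 644, owner different from the PHP worker) and verifies that nothing under the site root remains writable by the PHP worker. The owner nobody, the worker user phpuser and the paths are assumptions taken from the article's example; the chown is kept in its own function because it needs root.

```shell
#!/bin/sh
# Added example (not part of the original article): enforce and verify the
# read-only site layout from step 4. Assumptions, as in the article's example:
# the site is owned by "nobody", php-fpm runs as a different user ("phpuser"),
# directories are 755 and files 644. Uses GNU/BSD find (-uid).

# Give the tree to the (non-PHP) owner. Needs root, so it belongs in the
# deploy step; it is kept separate from the chmod helper for that reason.
site_chown() {
    root="$1"; owner="$2"
    chown -R "$owner:$owner" "$root"
}

# Directories 755, files 644: readable by the PHP worker, writable only by
# the owner. Run it after every deploy, since a release can bring loose modes.
site_chmod_readonly() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# List every path under SITE_ROOT that a worker running with uid PHP_UID could
# still write: paths it owns, or paths writable by group or by others.
# A numeric uid is used instead of a name so the check also works for a uid
# that has no passwd entry on the box running the audit.
site_writable_by() {
    root="$1"; php_uid="$2"
    find "$root" \( -uid "$php_uid" -o -perm -020 -o -perm -002 \)
}

# Number of such paths; 0 means PHP cannot drop a file anywhere in the site.
site_writable_count() {
    site_writable_by "$1" "$2" | wc -l | tr -d ' '
}

# Typical use on the article's layout (commented out so the file can be sourced):
#   site_chown /data/site/www.45it.com nobody
#   site_chmod_readonly /data/site/www.45it.com
#   site_writable_count /data/site/www.45it.com "$(id -u phpuser)"   # expect 0
```

Anything PHP legitimately has to write (sessions, temporary upload files) must then live outside the site root, for example under the /tmp/ entry that the open_basedir in step 1 already allows.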

5. Turn off PHP error display

change display_errors = On to display_errors = Off

Otherwise, as soon as the program hits an error, the full error message is shown to the user, including file paths and sometimes even the database account and password. Attackers probing for SQL injection usually learn what they need from exactly these messages. Turn it off in production without exception, and keep log_errors = On so the messages still reach the error log where you can read them.

6. Separate uploads from the PHP site

Write uploaded files to a remote server, for example over NFS, or through a PHP upload interface you write yourself. Even if there is an upload vulnerability, the file lands on the static server, where a Trojan or any other uploaded script simply cannot be executed.

For example: PHP site www.45it.com, directory /data/site/www.45it.com; static file site static.45it.com, directory /data/site/static.45it.com.

Uploaded files are written directly to /data/site/static.45it.com. An uploaded file cannot be reached through www.45it.com; it is only served through static.45it.com, and static.45it.com has no PHP at all (its nginx server block must not pass any location to php-fpm).

7. Hide PHP version information

change expose_php = On to expose_php = Off

Do not hand out your PHP version needlessly; it is what an attacker uses to pick exploits that target that version. Note that this only removes the X-Powered-By header: the version can still leak through displayed errors or phpinfo(), so combine it with items 2 and 5.

8. Disable dynamic loading of extensions

change enable_dl = On to enable_dl = Off

This stops PHP code from loading extensions at run time with dl(). On current PHP versions only the CLI and embed SAPIs still allow dl() at all, so under php-fpm this setting is mostly belt and braces, but it costs nothing.

9. Disable opening of remote URLs

change allow_url_fopen = On to allow_url_fopen = Off

Strictly speaking this is less a security setting than a performance one: on its own it will not lead to an intrusion the way the items above can, but it has a large effect on performance, so I count it as security in a broad sense. That said, with allow_url_fopen off the file functions refuse http:// and ftp:// URLs, which also removes the easiest path for remote file inclusion and SSRF when user input reaches file_get_contents() or include; set allow_url_include = Off as well.

With it off, the following call can no longer fetch remote content:

$data = file_get_contents("http://www.baidu.com/");

while local files still work:

$data = file_get_contents("1.txt");

If a site has low traffic and the database is healthy but the web server load is unexpectedly high, check first whether the code fetches remote URLs this way: a slow remote host keeps the PHP worker blocked for the whole default_socket_timeout, and enough of those requests will exhaust the pool. I have run into this too many times, so it is now disabled across our whole production environment; when a PHP engineer needs remote content, they should use curl, which lets them set connect and total timeouts per request.

For how to use curl in PHP, see my earlier article "PHP: using curl to replace file_get_contents, and the performance of curl versus file_get_contents in PHP".
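Items 1, 2, 5, 7, 8 and 9 are all php.ini directives, so they can be checked together. The following shell script is an added example, not code from the original article: it reads a php.ini (including [HOST=...] sections) and prints one finding for each directive that differs from the hardened values above, for each function missing from disable_functions, and for each open_basedir entry that lacks the trailing slash the step 1 warning insists on. The file format assumptions (one "key = value" per line, ';' comments) and the sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit a php.ini against the
# hardened values this article recommends. Assumes php.ini syntax with one
# "key = value" per line and ';' comments; [HOST=...] sections are read too.

# Last value assigned to DIRECTIVE in FILE (empty when the directive is unset).
ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }                  # comment line
        {
            line = $0
            sub(/[[:space:]]*;.*$/, "", line)      # trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/"/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# True when VALUE is one of the spellings php.ini accepts for "off".
ini_is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        off|0|no|false|none) return 0 ;;
    esac
    return 1
}

# open_basedir entries (all sections) without the trailing "/"; without it
# PHP prefix-matches, so "/tmp" also admits "/tmp123".
open_basedir_without_slash() {
    awk '
        /^[[:space:]]*;/ { next }
        /^[[:space:]]*open_basedir[[:space:]]*=/ {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]*;.*$/, "", v)
            gsub(/"/, "", v)
            n = split(v, parts, ":")
            for (i = 1; i <= n; i++)
                if (parts[i] != "" && substr(parts[i], length(parts[i])) != "/")
                    print parts[i]
        }' "$1"
}

# Print one finding per line; nothing printed means the file matches the article.
audit_php_ini() {
    f="$1"
    for key in display_errors expose_php enable_dl allow_url_fopen allow_url_include; do
        have=$(ini_get "$f" "$key")
        if [ -z "$have" ]; then
            echo "$key: not set, the compiled-in default applies; set it to Off"
        elif ! ini_is_off "$have"; then
            echo "$key: is '$have', want Off"
        fi
    done
    # disable_functions must contain every function the article lists
    have=$(ini_get "$f" disable_functions | tr -d ' ')
    missing=""
    for fn in show_source system shell_exec passthru exec popen proc_open proc_get_status phpinfo; do
        case ",$have," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    [ -z "$missing" ] || echo "disable_functions: missing$missing"
    open_basedir_without_slash "$f" | while IFS= read -r p; do
        echo "open_basedir: '$p' has no trailing slash (also matches ${p}*)"
    done
}

# Number of findings, for scripting; 0 means hardened as described.
count_findings() {
    audit_php_ini "$1" | wc -l | tr -d ' '
}

# Usage: audit_php_ini /etc/php.ini   (or a php-fpm pool's php.ini override)
```

Run it against the php.ini that the FPM SAPI actually loads (php-fpm -i | grep 'Loaded Configuration File' shows which), since the CLI and FPM builds often read different files.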

10. That is all for PHP security on an LNMP site for now; more will be added as new problems come up.
