>>
Site Map
>>
Forums
>>
Admin_HostingDomain
Forum module - topics in forum:
Admin_HostingDomain - Các hướng dẫn cài đặt quản lý và mua bán hosting domain, Cấu hình server web
Danh sách cần có - cài đặt an toàn web server php
Checklist for Securing PHP Configuration
The Apache/PHP/MySQL stack is immensely popular for web application development. Its components are powerful, versatile and Free. Unfortunately however, PHP comes with a default configuration that is not suitable for production mode, and may cause developers to use insecure techniques during the development phase. Inside is a check list of settings that are intended to harden the default PHP installation.
Disabling Remote URLs for File Handling Functions
File handling functions like fopen, file_get_contents, and include accept URLs as file parameters (for example: fopen('http://www.example.com/', 'r')). Even though this enables developers to access remote resources like HTTP URLs, it poses as a huge security risk if the filename is taken from user input without proper sanitization, and opens the door for remote code execution on the server. To disable this and limit file functions to local system, use the following setting in php.ini:
| Code: : |
| allow_url_fopen = Off |
Network resources will still be accessible through fsockopen or CURL functions.
Most of the following settings are also located in the PHP configuration file php.ini. Its actual path depends on your OS. You may use the search feature to locate it if you don't know where it is already.
Register Globals
Prior to version 4.2.0, PHP used to provide input values as global variables. This feature was named register_globals, and it was responsible for many security issues in web applications because it allowed attackers to freely manipulate global variables in many situations. Fortunately it's disabled by default from PHP 4.2.0 and on, because it's dangerous on so many scales. Do not enable it no matter what. If some script requires it then the script is most likely insecure. If a developer requests it to be enabled, then they are very likely to be incompetent. Don't listen to them and keep it off!
| Code: : |
| register_globals = Off |
Restricting What PHP Can Read and Write
More often than not, PHP scripts only need I/O access to a certain subdirectory in the filesystem, /var/www/htdocs/files for instance. In this case, you can limit what fopen and other file access functions can read and write to by using the following directive:
| Code: : |
| open_basedir = /var/www/htdocs/files |
Safe Mode
PHP has a safe mode. In this mode, access to files not owned by Apache is disabled, and access to environment variables and execution of binary programs are also disabled.
In its default state, PHP's safe mode is too restrictive for any advanced development to be possible. However, there are several settings to relax it. The biggest problem with safe mode is that only files owned by Apache are accessible to PHP scripts. This is often impractical when many developers are working on the same project, or when you want PHP to read a file without changing its ownership. Another affected situation is when you want PHP to read files generated by other programs. To work around this, there is a setting that checks for file group instead of owner:
| Code: : |
safe_mode = Off
safe_mode_gid = On |
With safe_mode_gid enabled instead of safe_mode, PHP will be able to open files that belong to Apache's group regardless of the owner. So if there are several developers working on the same server, add them to Apache's group, make it their default group, and everything should be set.
Safe mode is also useful in stopping PHP from executing binaries, but sometimes you may need to let it run specific programs. In this case place these binaries (or symbolic links to them) in a directory (/var/www/binaries for instance) and use the following option:
| Code: : |
| safe_mode_exec_dir = /var/www/binaries |
Finally, to allow access to certain environment variables, use the following setting, providing a comma-separated list of prefixes. Only environment variables which names begin with one of the prefixes will be accessible:
safe_mode_allowed_env_vars = PHP_
Posing Limits
It's always a good idea to put limits on PHP's execution time, memory usage, POST and upload data. To do this, use the following self-explanatory options:
| Code: : |
max_execution_time = 30 ; Max script execution time
max_input_time = 60 ; Max time spent parsing input
memory_limit = 16M ; Max memory used by one script
upload_max_filesize = 2M ; Max upload file size
post_max_size = 8M ; Max post size |
Needless to say, you may tweak the values to suit your needs.
Limit Access to Certain File Name Patterns
Many file extensions should not be accessible by end users. Take for example .inc. Some developers prefer to assign this extension to included scripts. The problem here is that this extension isn't parsed by the PHP engine, and as a result, anyone can view the source code by requesting the file itself:
*http://www.example.com/includes/settings.inc
Such files may contain sensitive data like MySQL passwords. So you need to ensure that end users can not access those files. Other candidate extensions are .sql, .mysql, and .pgsql.
Another pattern to look out for is backup files. Some editors create backup versions of edited files in the same directory where the original file is located. For example, if you edit index.php, a backup called index.php~ will be created. Given that this file doesn't end with .php, it will not be processed by the PHP engine, and its code will also be available to users by requesting:
http://www.example.com/index.php~
To circumvent the dangers mentioned above, you can use the following Apache directive:
| Code: : |
<FilesMatch "\.(inc|.*sql|.*~)$">
Order allow,deny
Deny from all
</FilesMatch> |
Place it in a .htaccess file or in Apache's configuration. Adding more file extensions should be trivial to those familiar with regular expressions.
Error Messages And Logging
By default, PHP prints error messages to the browser's output. While this is desirable during the development process, it may reveal security information to users, like installation paths or usernames. It's highly recommended to disable this on a production server, and send error messages to a log file instead:
| Code: : |
display_errors = Off
log_errors = On |
Hiding Presence Of PHP
PHP reveals its presence on the server in a variety of ways: It may send an HTTP header (X-Powered-By: PHP), or append its name and version to Apache's signature. In addition, there are easter egg URLs that return the PHP logo, one of them is:
http://www.example.com/script.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
(You may see it in action at Wikipedia for example)
Obviously there is no reason to let end users know about the server's PHP version. Luckily, there is a switch in php.ini that will disable all of the above:
Summary
This is a quick summary of the settings mentioned above. It can be used as a reference when configuring a newly-installed Apache server:
| Code: : |
; php.ini
allow_url_fopen = Off ; Disable URLs for file handling functions
register_globals = Off ; Make sure this hellish fiend is dead
open_basedir = /var/www/htdocs/files ; Restrict file handling functions to a subdirectory
safe_mode = Off ; Disable this, the next is often more practical
safe_mode_gid = On ; Enable safe mode with group check
safe_mode_exec_dir = /var/www/binaries ; Restrict execution functions to this directory
safe_mode_allowed_env_vars = PHP_ ; Restrict access to environment variables
max_execution_time = 30 ; Max script execution time
max_input_time = 60 ; Max time spent parsing inputs
memory_limit = 16M ; Max memory size used by one script
upload_max_filesize = 2M ; Max upload file size
post_max_size = 8M ; Max post size
display_errors = Off ; Do not show errors on screen
log_errors = On ; Log errors to log file
expose_php = Off ; Hide presence of PHP |
# Apache configuration or .htaccess
| Quote: : |
<FilesMatch "\.(inc|.*sql|.*~)$">
Order allow,deny
Deny from all
</FilesMatch> |
Conclusion
The default configuration that ships with PHP is intended for development purposes. Therefore, it's always advisable to re-configure PHP with security in mind before going into production phase. Some security settings are also recommended during the development phase to prevent programmers from producing vulnerable code, and make them stick to secure techniques.
writen by: Ayman Hourieh's Blog
CHMOD your files top
Chmod your .htpasswd files 640, .htaccess files 644. Chmod php files 600, chmod files that you really dont want people to see as 400 (wp-config.php, config.php) and NEVER chmod 777, if something requires write access use 766 first then 775
Prevent access to .htaccess and .htpasswd files top
You will almost never have to do this unless you are working with your config file for the whole server. Anyway its easy to test if you need this.
| Code: : |
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files> |
Show Source Code instead of executing
If you’d rather have .pl, .py, or .cgi files displayed in the browser as source rather than be executed as scripts
| Code: : |
| RemoveHandler cgi-script .pl .py .cgi |
Securing directories: Remove the ability to execute scripts
This is cool, you are basically categorizing all files that end in certain extensions so that they fall under the jurisdiction of the -ExecCGI command, which also means -FollowSymLinks. And the opposite is also true, +ExecCGI also turns on +FollowSymLinks
| Code: : |
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI |
