- DocumentRoot: /var/www/html
- Default Web server: Apache (you can use Lighttpd or Nginx instead of Apache)
- Default PHP configuration file: /etc/php.ini
- Default PHP extensions config directory: /etc/php.d/
- Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
- Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distribution such as Debian / Ubuntu, or other Unix-like operating systems such as OpenBSD / FreeBSD / HP-UX).
- Default php server TCP/UDP ports: none
Find Built-in PHP Modules
To see the set of compiled-in PHP modules type the following command:
# php -m
I recommend running PHP with a reduced set of modules for performance and security, and disabling the unnecessary modules. Either remove the extension's config file or rename it so it is no longer loaded (renaming is reversible). For example, for sqlite3:
# rm /etc/php.d/sqlite3.ini
or
# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable
Restrict PHP Information Leakage
To restrict PHP information leakage, disable expose_php. Edit /etc/php.d/security.ini and set the following directive:
expose_php=Off
When enabled, expose_php reports to the world that PHP is installed on the server, including the PHP version in the HTTP response headers (e.g., X-Powered-By: PHP/5.3.3). The PHP logo GUIDs are also exposed, so appending them to the URL of a PHP-enabled site displays the corresponding logo. When expose_php is enabled you can see the PHP version with the following command:
$ curl -I http://www.google.com/index.php
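As an added example (not part of the original article), the following shell functions parse a saved set of HTTP response headers and report the PHP version advertised in X-Powered-By, so you can confirm that expose_php=Off actually took effect after restarting the web server. The function names and the two sample responses are constructed for this example:

```shell
#!/bin/sh
# Added example: detect the PHP version a server leaks via X-Powered-By.
# Not from the original article; function names are this example's own.

# php_version_from_headers FILE
# Reads raw HTTP response headers from FILE (e.g. saved with `curl -sI URL`)
# and prints the version found in an X-Powered-By: PHP/x.y.z header,
# or nothing if the header is absent.
php_version_from_headers() {
    # Header names are case-insensitive; strip the CR of CRLF line endings.
    tr -d '\r' < "$1" | awk -F': *' '
        tolower($1) == "x-powered-by" && $2 ~ /^[Pp][Hh][Pp]\// {
            sub(/^[Pp][Hh][Pp]\//, "", $2)   # keep only the version part
            sub(/[ \t]+$/, "", $2)           # drop trailing whitespace
            print $2
            exit
        }'
}

# php_header_leak FILE -> exit status 0 if a PHP version is exposed, 1 otherwise
php_header_leak() {
    [ -n "$(php_version_from_headers "$1")" ]
}

# Constructed sample responses (not captured from any real host).
LEAKY=$(mktemp); CLEAN=$(mktemp)
trap 'rm -f "$LEAKY" "$CLEAN"' EXIT
printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.3.3\r\nContent-Type: text/html\r\n\r\n' > "$LEAKY"
printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n' > "$CLEAN"

if php_header_leak "$LEAKY"; then
    echo "leaky sample: exposes PHP $(php_version_from_headers "$LEAKY")"
fi
php_header_leak "$CLEAN" || echo "clean sample: no X-Powered-By header"
```

To check a real server, save the headers first (curl -sI http://host/index.php > headers.txt) and run php_header_leak headers.txt; a non-zero exit status means the header is gone.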
Minimize Loadable PHP Modules (Dynamic Extensions)
PHP supports "Dynamic Extensions". By default, RHEL loads all the extension modules found in the /etc/php.d/ directory. To enable or disable a particular module, find its configuration file in /etc/php.d/ and comment out the extension line. You can also rename or delete the module's configuration file. For best PHP performance and security, you should only enable the extensions your web apps require. For example, to disable the gd extension, type the following commands:
# cd /etc/php.d/
# mv gd.{ini,disable}
# /sbin/service httpd restart
To enable the PHP module called gd again, enter:
# mv gd.{disable,ini}
# /sbin/service httpd restart
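As an added example (not part of the original article), here are shell helpers that wrap the rename trick above and list which extensions PHP would actually load, honouring both ways of disabling a module: a renamed .ini file and a commented-out extension= line. The directory is a parameter, and the block below builds a scratch copy with constructed contents so it never touches the real /etc/php.d/; the function names are this example's own:

```shell
#!/bin/sh
# Added example: manage /etc/php.d/-style extension config files.
# Not from the original article; function names are this example's own.

# php_ext_disable DIR NAME -> renames DIR/NAME.ini to DIR/NAME.disable
php_ext_disable() {
    [ -f "$1/$2.ini" ] || { echo "no such extension config: $1/$2.ini" >&2; return 1; }
    mv "$1/$2.ini" "$1/$2.disable"
}

# php_ext_enable DIR NAME -> renames DIR/NAME.disable back to DIR/NAME.ini
php_ext_enable() {
    [ -f "$1/$2.disable" ] || { echo "extension $2 is not disabled" >&2; return 1; }
    mv "$1/$2.disable" "$1/$2.ini"
}

# php_ext_enabled DIR -> prints the extension= targets PHP would load, one per
# line. Only *.ini files are read, and lines starting with ';' are comments,
# so both a renamed file and a commented-out line count as disabled.
php_ext_enabled() {
    for f in "$1"/*.ini; do
        [ -e "$f" ] || continue   # empty directory: the glob did not expand
        sed -n 's/^[[:space:]]*extension[[:space:]]*=[[:space:]]*//p' "$f"
    done
}

# Scratch extensions directory with constructed contents.
PHPD=$(mktemp -d)
trap 'rm -rf "$PHPD"' EXIT
for ext in gd mysqli sqlite3; do
    printf '; Enable %s extension module\nextension=%s.so\n' "$ext" "$ext" > "$PHPD/$ext.ini"
done
printf ';extension=pdo.so\n' > "$PHPD/pdo.ini"   # disabled by commenting out

echo "initially enabled: $(php_ext_enabled "$PHPD" | tr '\n' ' ')"
php_ext_disable "$PHPD" gd
php_ext_disable "$PHPD" sqlite3
echo "after disabling gd and sqlite3: $(php_ext_enabled "$PHPD" | tr '\n' ' ')"
php_ext_enable "$PHPD" gd
echo "after re-enabling gd: $(php_ext_enabled "$PHPD" | tr '\n' ' ')"
# On a real system, restart the web server afterwards: /sbin/service httpd restart
```

Run php_ext_enabled /etc/php.d/ on a real host to see what is loaded before and after a change; the list should contain only the .so files your applications need.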
Log All PHP Errors
Do not expose PHP error messages to all site visitors. Edit /etc/php.d/security.ini and set the following directive:
display_errors=Off
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
Turn Off Remote Code Execution
If enabled, allow_url_fopen lets PHP's file functions, such as file_get_contents() and the include and require statements, retrieve data from remote locations over FTP or HTTP. Programmers frequently forget this and do not filter input properly when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of allow_url_fopen being enabled and bad input filtering. Edit /etc/php.d/security.ini and set the following directive:
allow_url_fopen=Off
I also recommend disabling allow_url_include for security reasons:
allow_url_include=Off
Enable SQL Safe Mode
sql.safe_mode=On
magic_quotes_gpc=Off
Control POST Size
post_max_size=1K
## Add the rest of the config here... ##
Resource Control (DoS Control)
# set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
Disabling Dangerous PHP Functions
PHP has a lot of functions which can be used to compromise your server if not used properly. You can set the list of disabled functions in /etc/php.d/security.ini:
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
PHP Fastcgi / CGI - cgi.force_redirect Directive
PHP works with FastCGI. FastCGI reduces the memory footprint of your web server, but still gives you the speed and power of the entire PHP language. You can configure Apache2+PHP+FastCGI or CGI as described here. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL like http://www.cyberciti.biz/cgi-bin/php/hackerdir/backdoor.php. Turn on cgi.force_redirect for security reasons. Edit /etc/php.d/security.ini and set the following directive:
cgi.force_redirect=On
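As an added example (not part of the original article), the following shell script audits a PHP ini file against the directives recommended in the sections above: expose_php, display_errors and log_errors, allow_url_fopen and allow_url_include, cgi.force_redirect, and the disable_functions list. It reads the file the way PHP does closely enough for this purpose: ';' starts a comment, [section] lines are skipped, quoted values are unquoted, directive names are case-insensitive, and the last assignment of a directive wins. It only reports what the file sets explicitly, not PHP's compiled-in defaults, so an unset directive is treated as weak and worth stating. sql.safe_mode and magic_quotes_gpc are deliberately left out of the rules because they no longer exist on current PHP releases (magic_quotes_gpc was removed in PHP 5.4 and sql.safe_mode in PHP 7.0). The function names and both sample ini files are constructed for this example:

```shell
#!/bin/sh
# Added example: audit a php.ini / security.ini against the settings this
# article recommends. Not from the original article; function names are
# this example's own.

# php_ini_get FILE DIRECTIVE -> prints the effective value ("" if unset)
php_ini_get() {
    awk -v key="$2" '
        { sub(/;.*/, "") }                 # drop comments
        /^[ \t]*\[/ { next }               # skip [section] headers
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)           # unquote "value"
            if (tolower(k) == tolower(key)) val = v   # last one wins, like PHP
        }
        END { print val }' "$1"
}

# php_ini_bool FILE DIRECTIVE -> "on" or "off"; PHP accepts 1/On/True/Yes as enabled
php_ini_bool() {
    case "$(php_ini_get "$1" "$2" | tr 'A-Z' 'a-z')" in
        1|on|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# php_ini_audit FILE -> prints one WEAK line per finding; exit 1 if any finding
php_ini_audit() {
    f=$1; rc=0
    for rule in expose_php=off display_errors=off log_errors=on \
                allow_url_fopen=off allow_url_include=off cgi.force_redirect=on; do
        d=${rule%=*}; want=${rule#*=}
        got=$(php_ini_bool "$f" "$d")
        [ "$got" = "$want" ] || { echo "WEAK: $d is $got, want $want"; rc=1; }
    done
    # disable_functions must cover the shell-spawning functions the article lists
    disabled=",$(php_ini_get "$f" disable_functions | tr -d ' '),"
    for fn in exec passthru shell_exec system proc_open popen; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "WEAK: $fn not in disable_functions"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files: stock-looking settings versus the article's values.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
; constructed: typical out-of-the-box settings
[PHP]
expose_php = On
display_errors = On
log_errors = On
allow_url_fopen = On
disable_functions =
EOF
cat > "$HARD" <<'EOF'
; constructed: the values this article recommends for /etc/php.d/security.ini
expose_php=Off
display_errors=Off
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
allow_url_fopen=Off
allow_url_include=Off
cgi.force_redirect=On
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
EOF

echo "== weak sample =="; php_ini_audit "$WEAK" || true
echo "== hardened sample =="; php_ini_audit "$HARD" && echo "no findings"
```

On a real host run php_ini_audit /etc/php.ini and php_ini_audit /etc/php.d/security.ini separately; PHP merges all of those files, so the effective value is whichever assignment it reads last, and php -i | grep directive remains the authoritative check.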
PHP User and Group ID
Limit PHP Access To File System
Session Path
Restrict File and Directory Access
Write Protect Apache, PHP, and, MySQL Configuration Files
Use Linux Security Extensions (such as SELinux)
Install Mod_security
Run Apache / PHP In a Chroot Jail If Possible
Use Firewall To Restrict Outgoing Connections
Watch Your Logs & Auditing
Run Service Per System or VM Instance
Keep PHP, Software, And OS Up to Date