We installed PHP manually. The default configuration file of PHP is in /usr/local/apache2/conf/php.ini. Our most important thing is to configure the content in php.ini so that we can execute PHP more safely. The security settings in the entire PHP are mainly to prevent attacks from phpshell and SQL Injection. Let’s discuss it slowly. We first use any editing tool to open /etc/local/apache2/conf/php.ini. If you install it in other ways, the configuration file may not be in this directory.
(1) Open PHP’s safe mode
php’s safe mode is a very important built-in security mechanism that can control some functions in PHP, such as system (),
At the same time, many file operation functions are controlled by permissions, and certain key files are not allowed, such as /etc/passwd,
But the default php.ini is If the safe mode is not turned on, we turn it on:
safe_mode = on
(2) User Group Security
When safe_mode is turned on, safe_mode_gid is turned off, then the php script can The file can be accessed, and users in the same
group can also access the file.
It is recommended to set it to:
safe_mode_gid = off
If you do not set it, we may not be able to operate the files in our server website directory. For example, we need to
operate the files. when.
(3) Home directory for executing programs in safe mode
If safe mode is turned on, but you want to execute certain programs, you can specify the program to be executed. Main directory:
safe_mode_exec_dir = D:/usr/bin
Generally, there is no need to execute any program, so it is recommended not to execute the system program directory. You can point to a directory,
and then copy the program that needs to be executed. For example:
safe_mode_exec_dir = D:/tmp/cmd
However, I recommend not to execute any program, then you can point to our web directory:
safe_mode_exec_dir = D:/usr/www
(4) Include files in safe mode
If you want to include some public files in safe mode, then modify the options:
safe_mode_include_dir = D:/usr/www/include/
In fact, generally the files included in PHP scripts have been written by the program itself. This can be done according to the specific requirements. Requires setup.
(5) Control the directories that PHP scripts can access
Use the open_basedir option to control that PHP scripts can only access specified directories, which can prevent PHP scripts from accessing
Files that should not be accessed limit the harm of phpshell to a certain extent. We can generally set it to only access the website directory:
open_basedir = D:/usr/www
(6) Close dangerous functions
If safe mode is turned on, function prohibition is not necessary, but we still consider it for safety. For example,
we feel that we do not want to execute PHP functions including system() that can execute commands, or
phpinfo() and other functions that can view PHP information, then we can Disable them:
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
If you want to prohibit any file and directory operations, you can turn off many file operations
disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen ,unlink,delete,copy,mkdir, rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown
The above only lists some of the commonly used file processing functions, you can also use the above Combining the execution command function with this function,
can resist most phpshells.
(7) Close the leakage of PHP version information in the http header
In order to prevent hackers from obtaining the PHP version information in the server, we can close the leakage of the information in the http header In the header:
expose_php = Off
For example, when a hacker telnet www.chinaz.com 80, he will not be able to see the PHP information.
(8) Close registration of global variables
Variables submitted in PHP, including variables submitted using POST or GET, will be automatically registered as global variables and can Direct access,
This is very unsafe for the server, so we cannot let it be registered as a global variable, so we turn off the registration global variable option:
register_globals = Off
Of course, if it is set like this, Then when obtaining the corresponding variables, you must use a reasonable method, such as obtaining the variable var submitted by GET,
then you must use $_GET['var'] to obtain it, PHP programmers should pay attention to this.
(9) Open magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem. In small cases, the backend of the website may be invaded, or in more serious cases, the entire server may fall.
So be careful. There is a setting in php.ini:
magic_quotes_gpc = Off
This is turned off by default. If it is turned on, it will automatically convert user-submitted SQL queries,
for example, convert ' to \' etc. This plays a significant role in preventing sql injection. Therefore, we recommend setting it to:
magic_quotes_gpc = On
(10) Error message control
Generally, PHP will prompt an error when it is not connected to the database or under other circumstances. General error message It will contain the current path information of the php script or the SQL statement of the query. This kind of information is not safe after being provided to hackers, so it is generally recommended that the server disable error prompts:
display_errors = Off
If you want to display error messages, be sure to set the level of error display, such as only displaying information above warnings:
error_reporting = E_WARNING & E_ERROR
Of course, I still recommend turning off error prompts.
(11) Error log
It is recommended to record the error information after turning off display_errors to facilitate finding the reason for the server operation:
log_errors = On
Also set the directory where the error log is stored. It is recommended that the root apache log be stored together:
error_log = D:/usr/local/apache2/logs/php_error.log
Note: The apache user and group must have write permissions for the file.
MYSQL privilege reduction operation
Create a new user such as mysqlstart
net user mysqlstart ****microsoft /add
net localgroup users mysqlstart / del
Does not belong to any group
If MYSQL is installed in d:\mysql, then give mysqlstart full control permission
Then set the MYSQL service in the system service Properties, in the login properties, select this user mysqlstart and enter the password, OK.
Restart the MYSQL service, and then MYSQL will run with low permissions.
If apache is built on a windos platform, we need to pay attention to one thing. Apache runs with system permissions by default.
This is scary and makes people feel very uncomfortable. Then we will give apache Reduce the permissions.
net user apache ****microsoft /add
net localgroup users apache /del
ok. We created a user apche that does not belong to any group.
We open the computer manager, select services, click on the properties of the apache service, we select log on, select this account, we fill in the account and password created above,
Restart the apache service , ok, apache is running with low permissions.
In fact, we can also set the permissions of each folder so that the apache user can only perform what we want it to do, and create a separate read-write user for each directory.
This is also a popular configuration method used by many virtual host providers. However, this method is overkill when used to prevent this.