PHP is one of the most widely used scripting programming languages. Market share speaks volumes about its dominant position. The fact that PHP 7 has been launched makes this programming language even more attractive to current developers. Despite some changes, many developers are skeptical about PHP's future. One reason is PHP's security.
The security of PHP is a major concern for developers. Although PHP provides solid security from the inside out, it is up to developers to implement these security mechanisms correctly. We will introduce several PHP security points for Linux administrators in this article. These points will help you secure your web application and ensure proper functioning in the long run.
Before we begin, it is necessary to understand the system we are dealing with. For demonstration purposes, we use Fedora. However, these points should apply to Ubuntu versions or any other Linux distribution. Check the manual for your operating system distribution for more information.
Let’s take a closer look at several key files of our system environment. Your document should resemble or correspond to the following:
Default Web Server: Apache
DocumentRoot: /var/www/html
PHP configuration file:/etc/php.ini
Extended configuration directory:/etc/php.d/
Security file:/etc/php.d/security.ini
These tips will protect your website from different types of common attacks such as SQL injection, XSS, cross-site request forgery, eval(), and file upload attacks. A list of common attacks can be found here (https://www.sitepoint.com/top-10-php-security-vulnerabilities/).
1. Delete unnecessary modules.
PHP comes with built-in PHP modules. They are useful for many tasks, but not every project requires them. Just enter the following command to view the available PHP modules:
# php - m
Once you have reviewed the list, you can now remove unnecessary modules. Reducing the number of modules helps improve the performance and security of the web applications you work on.
2. Limit PHP information leakage.
It is common for platforms to leak critical information. For example, PHP leaks information such as the version and the fact that it was installed on the server. This can be achieved through the expose_php command. To prevent leaks, you need to set this command to off in /etc/php.d/security.ini.
expose_php=Off
If you need to know the version and its status, just run a simple Curl command against the website address to get that information.
Curl - I http://www.livecoding.tv/index.php
The previous command would have returned the following information:
HTTP/1.1 200 OK X-Powered-By: PHP/7.0.10 Content-type: text/html; charset=UTF-8
3. Disable remote code execution.
Remote code execution is one of the common security vulnerabilities in PHP security systems. By default, remote code execution is enabled on your system. The "allow_url_fopen" command allows functions such as require, include, or URL-aware fopen wrappers to directly access PHP files. Remote access is achieved through the use of HTTP or FTP protocols, which results in the system being unable to defend against code injection security vulnerabilities.
In order to ensure that your system is safe, secure and away from remote code execution, you can set this command to "Off" as follows:
Allow_url_fopen=Off allow_url_include=Off
4. Log PHP errors.
Another simple way to strengthen the security of your web application is not to display errors to visitors. This will ensure that hackers cannot compromise the security of the website at all. It needs to be edited in the /etc/php.d/security.ini file.
display_errors=Off
Now you may be thinking: After completing this step, "How can a developer debug without the help of error messages?" Developers can use the log_errors command for debugging. They just need to set the log_errors command to "On" in the security.ini file.
log_errors=On error_log=/var/log/httpd/php_scripts_error.log
5. Reasonably control resources.
To ensure the security of your application, it is important to control resources. To ensure proper execution and security, you need to restrict PHP script execution. Additionally, there should be a limit on the time spent parsing request data. If execution time is controlled, other resources such as memory used by the script should also be configured accordingly. All these metrics can be managed by editing the security.ini file.
# set in seconds max_execution_time = 25 max_input_time = 25 memory_limit = 30M
6. Disable dangerous PHP functions
PHP comes with useful functions for development, but there are also a large number of functions that can be used by hackers to break into web applications. Disabling these functions improves overall security and ensures you are not exposed to dangerous PHP functions.
To do this, you first need to edit the php.ini file. Once inside the file, find the disable_functions command and disable the dangerous functions inside. To do this, you just copy/paste the following code.
disable_functions =exec,passthru, shell_exec,system,proc_open,popen,curl_exec, curl_multi_exec,parse_ini_file,show_source
You can learn more about disabling dangerous PHP functions here (http://www.php.cn/).
7. Upload files.
如果你的应用程序不需要上传任何文件,禁用上传文件的功能有助于提高安全。想禁止用户上传文件,只需要编辑/etc/php.d/目录下的security.ini文件,将file_uploads命令设成OFF。
file_uploads=Off
8. 保持版本最新。
开发人员在24/7不间断地工作,给你使用的技术打上补丁。PHP也是一样。由于它有一个开源社区,补丁和修正版定期发布。更新版还为首日漏洞及其他安全漏洞提供了安全补丁。如果你注重应用程序的安全性,就要始终确保你的PHP解决方案是最新版本。另外,给其他相关技术打上最新的补丁可以确保最大限度的安全。
9.控制文件系统访问。
默认情况下,PHP可使用fopen()等函数来访问文件。open_basedir命令提供了访问。首先,始终要将open_basedir命令设成/var/www/html目录。将它设成其他任何目录会导致安全问题。
open_basedir="/var/www/html/"
10. 控制POST大小。
我们的最后一个PHP安全要点是控制POST大小函数。HTTP POST函数使用客户端的浏览器,将数据发送到Web服务器。比如说,用户可能上传证书,然后发送到Web浏览器以便处理。一切都运行顺畅,直到有一天黑客企图发送庞大的文件来耗尽服务器资源。这很可能会导致服务器崩溃或响应缓慢。为了保护服务器远离这个漏洞,就需要设置POST大小。POST大小可以在/etc/php.d/security.ini文件里面加以设置。
post_max_size=1k
结束语
安全是广大Web开发人员和Linux管理员最关注的问题之一。如果采取了上述要点,你势必可以加强开发环境和PHP Web应用程序方面的安全。要是你认为我们遗漏了重要的内容,欢迎留言补充。
以上就是详细介绍Linux管理员不可不知十大PHP安全要点的详情的内容,更多相关内容请关注PHP中文网(www.php.cn)!