8. Tips for defending against PHP * attacks
Older PHP versions have problems of their own: there were serious bugs before PHP 4.3.10 and PHP 5.0.3, so a recent version is recommended. In addition, the currently rampant SQL injection has many ways of being exploited on PHP. To ensure security, writing the PHP code carefully is one aspect, and the PHP configuration is even more critical.
We installed PHP manually, and PHP's configuration file, php.ini, is in /usr/local/apache2/conf/. The most important thing is to configure its contents so that PHP runs more safely. The security settings in PHP are mainly there to prevent phpshell and SQL injection attacks; let's go through them one at a time. First open the configuration file in /usr/local/apache2/conf/ with any editor. If you installed PHP another way, the configuration file may not be in this directory.
(1) Turn on PHP's safe mode
PHP's safe mode is a very important built-in security mechanism. It can control certain functions in PHP, such as system(); at the same time many file-operation functions are subject to permission checks, and certain key files, such as /etc/passwd, are not allowed to be opened.
But safe mode is not turned on by default, so let's turn it on:
safe_mode = on
(2) User group security
When safe mode is on and safe_mode_gid is off, then whenever a PHP script can access a file, users in the same group can also access that file.
It is recommended to set it to:
safe_mode_gid = off
If this is not set, we may be unable to operate on files in our server's website directory, for example when a script needs to write a file.
(3) Directory for executing programs in safe mode
If safe mode is on but some programs still need to be executed, you can specify the directory from which programs may be executed:
safe_mode_exec_dir = D:/usr/bin
Generally speaking, no program needs to be executed, so it is recommended not to point this at the system program directory; point it at a directory of your own and copy the programs that need to be executed into it, for example:
safe_mode_exec_dir = D:/tmp/cmd
However, I would rather not execute any programs at all, in which case you can point it at our web directory:
safe_mode_exec_dir = D:/usr/www
(4) Include files in safe mode
If you want to include certain shared files in safe mode, then modify this option:
safe_mode_include_dir = D:/usr/www/include/
In fact, the files included by a PHP script are generally written by the program itself, so this can be set according to specific needs.
(5) Control the directories PHP scripts can access
Use the open_basedir option to restrict PHP scripts to the specified directory. This prevents PHP scripts from accessing files they should not, and limits the harm a phpshell can do to some extent. We can generally restrict it to the website directory only:
open_basedir = D:/usr/www
(6) Disable dangerous functions
If safe mode is on, disabling functions is not strictly necessary, but we still do it for safety. For example, if we do not want PHP to execute functions that run commands, such as system(), or functions that reveal PHP information, such as phpinfo(), we can disable them:
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
If you want to forbid all file and directory operations, you can disable many file-handling functions:
disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown
The list above is only a partial list of file-handling functions. You can also combine the command-execution functions above with these file functions; that will resist most phpshells.
(7) Stop leaking the PHP version in the HTTP header
To prevent attackers from learning the PHP version on the server, we can turn off the PHP signature in the HTTP header:
expose_php = Off
For example, when someone connects to port 80 with telnet, they will no longer see any PHP information.
(8) Turn off the registration of global variables
Variables submitted to PHP, including those submitted via POST or GET, are automatically registered as global variables and can be accessed directly.
This is very unsafe for the server, so we do not want them registered as globals, and we turn the register_globals option off:
register_globals = Off
Of course, once this is set, the corresponding variables must be obtained the proper way: for example, a variable var submitted by GET must be read with $_GET['var']. PHP programmers should pay attention to this.
(9) Turn on magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem: at best the website's back end gets compromised, at worst the entire server is lost.
So be careful. There is a setting in php.ini:
magic_quotes_gpc = Off
It is off by default. If it is turned on, the data submitted by the user is automatically converted before it reaches the SQL query, for example ' becomes \'. This has a noticeable effect against SQL injection, so we recommend setting it to:
magic_quotes_gpc = On
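The following is an added illustration, written in Python against an in-memory SQLite table, and is not code from the original article. It models the ' escaping that magic_quotes_gpc applied to submitted data (here by doubling the quote, which is SQLite's dialect; MySQL uses the \' form the article mentions) and contrasts it with a parameterized query. It also shows the caveat a practitioner needs: escaping only protects a quoted string literal, not a value inserted into an unquoted numeric position, whereas the parameterized form protects both. Because magic_quotes_gpc was removed in PHP 5.4, prepared statements (for example via PDO) are what replaces it on current PHP. The users table and its rows are constructed for the demo.

```python
"""Quote escaping (the magic_quotes_gpc idea) versus parameterized queries.

Added example, not from the original article.  Uses an in-memory SQLite
table with constructed rows.
"""
import sqlite3


def escape_quotes(value):
    """Escape a string for use inside a single-quoted SQL literal.

    magic_quotes_gpc turned ' into \\' for MySQL; SQLite's dialect doubles the
    quote instead, which is the same protection for a quoted literal.
    """
    return value.replace("'", "''")


def make_db():
    """Create the constructed users table used by the lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],  # constructed sample rows
    )
    return conn


def find_by_name_escaped(conn, name):
    """String-built query that relies on quote escaping for a quoted literal."""
    sql = f"SELECT id FROM users WHERE name = '{escape_quotes(name)}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_escaped(conn, user_id):
    """Same approach for a numeric column: the value is not quoted, so there
    is no quote to escape and escaping cannot help here."""
    sql = f"SELECT id FROM users WHERE id = {escape_quotes(user_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    """Parameterized lookup: the value never becomes part of the SQL text."""
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_by_id_param(conn, user_id):
    """Parameterized lookup on the numeric column; a non-numeric value simply
    matches nothing instead of changing the query."""
    sql = "SELECT id FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    hostile = "2 OR 1=1"  # constructed input aimed at the unquoted numeric position
    print("escaped      :", find_by_id_escaped(db, hostile))  # every row comes back
    print("parameterized:", find_by_id_param(db, hostile))    # nothing matches
```

The escaped string lookup is safe for the quoted name column, which is exactly what magic_quotes_gpc bought you; the escaped numeric lookup is not, and only the parameterized versions are safe in both positions.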
(10) Error message control
PHP generally produces errors when it cannot connect to the database or in other situations, and the error message usually includes the path of the PHP script, the SQL query being run, and other details. Handing this information to an attacker is unsafe, so it is generally recommended to disable error display on servers:
display_errors = Off
If you want to display error messages, be sure to set the level of errors displayed, for example showing only warnings and fatal errors (the levels are bit flags, so they are combined with |, not &):
error_reporting = E_WARNING | E_ERROR
Of course, I still recommend turning error display off.
(11) Error log
After turning display_errors off, it is recommended to log error messages so that the cause of problems with the server can be found:
log_errors = On
At the same time you must set the directory where the error log is stored; it is recommended to keep it together with the Apache logs:
error_log = D:/usr/local/apache2/logs/php_error.log
Note: the Apache user and group must have write permission to it.
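The audit script below is added here and is not from the original article. It encodes the recommendations of (1) through (11) as a check over a php.ini file: it parses the directives, compares the boolean ones against the recommended values, requires open_basedir and error_log to be set, requires every command-execution function named above to appear in disable_functions, and flags an error_reporting value that ANDs its levels with & (which yields 0 and silences everything). Both php.ini fragments are constructed for the demonstration. One caveat: safe_mode, register_globals and magic_quotes_gpc were removed in PHP 5.4, so on a current PHP only the remaining directives apply; the script still checks them because the article targets the PHP 4/5 series.

```python
"""Audit a php.ini against the hardening settings in (1)-(11).

Added example, not part of the original article.  The expected values mirror
the article's recommendations; both php.ini fragments are constructed.
"""

# Boolean directives and the value the article asks for.
EXPECTED = {
    "safe_mode": True,
    "safe_mode_gid": False,
    "expose_php": False,
    "register_globals": False,
    "magic_quotes_gpc": True,
    "display_errors": False,
    "log_errors": True,
}

# Directives that only need to be set to some non-empty value.
REQUIRED_NONEMPTY = ("open_basedir", "error_log")

# Command-execution and information functions the article disables.
DANGEROUS = {"system", "passthru", "exec", "shell_exec", "popen", "phpinfo"}

# Spellings php.ini accepts for booleans (case-insensitive).
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}


def parse_ini(text):
    """Return {directive: value} from php.ini text; comments and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def as_bool(value):
    """Map the spellings php.ini accepts to True/False; None if unrecognised."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    return None


def audit(text):
    """Return a sorted list of findings; an empty list means the file matches the advice."""
    cfg = parse_ini(text)
    findings = []
    for key, want in EXPECTED.items():
        raw = cfg.get(key)
        wanted = "On" if want else "Off"
        if raw is None:
            findings.append(f"{key} is not set (should be {wanted})")
        elif as_bool(raw) != want:
            findings.append(f"{key} should be {wanted} (found {raw!r})")
    for key in REQUIRED_NONEMPTY:
        if not cfg.get(key):
            findings.append(f"{key} is not set")
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(DANGEROUS - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    # E_* levels are bit flags: '&' ANDs them to 0, which reports nothing at all.
    if "&" in cfg.get("error_reporting", ""):
        findings.append("error_reporting combines levels with '&'; use '|'")
    return sorted(findings)


# Constructed php.ini with stock (weak) values.
SAMPLE_INI = """
[PHP]
safe_mode = Off
safe_mode_gid = Off
expose_php = On
register_globals = Off
magic_quotes_gpc = Off
display_errors = On
error_reporting = E_WARNING & E_ERROR
log_errors = Off
open_basedir =
disable_functions = system,exec   ; passthru, shell_exec, popen, phpinfo still allowed
"""

# Constructed php.ini with the article's recommended values.
HARDENED_INI = """
[PHP]
safe_mode = On
safe_mode_gid = Off
safe_mode_exec_dir = "D:/usr/www"
open_basedir = "D:/usr/www"
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
expose_php = Off
register_globals = Off
magic_quotes_gpc = On
display_errors = Off
error_reporting = E_WARNING | E_ERROR
log_errors = On
error_log = "D:/usr/local/apache2/logs/php_error.log"
"""

if __name__ == "__main__":
    for label, ini in (("stock", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: {len(audit(ini))} finding(s)")
        for finding in audit(ini):
            print("  -", finding)
```

To run it against a real server, read the server's php.ini into a string and pass it to audit(); the stock fragment above produces nine findings and the hardened one none.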
Running MySQL with low privileges
Create a new user, for example mysqlstart:
net user mysqlstart ****microsoft /add
net localgroup users mysqlstart /del
so that it does not belong to any group.
If MySQL is installed in d:\mysql, give mysqlstart full control over that directory.
Then set the properties of the MySQL service in the system services: in the Log On tab, select This account, choose the user mysqlstart, enter the password and confirm.
Restart the MySQL service, and MySQL will run with low privileges.
If Apache is running on Windows, there is one more thing to watch: by default Apache runs with SYSTEM privileges.
This is scary and makes people very uneasy, so let's reduce Apache's privileges.
net user apache ****microsoft /add
net localgroup users apache /del
OK, we have created a user apache that does not belong to any group.
Open Computer Management, select Services, open the properties of the Apache service, select Log On, choose This account, and fill in the account and password created above.
Restart the Apache service, and Apache is running with low privileges.
In fact, we can also set permissions on each folder so that the Apache user can only do what we want it to, and create a separate user with read and write rights for each directory.
This is also a popular configuration method among many virtual-hosting providers at present, but that approach is more than is needed here.
Process account permissions:
Read and execute
List folder contents
Read
Note that for .NET Framework 1.0, all parent directories up to the root of the file system also require the above permissions. These parent directories include:
C:\
C:\inetpub\
C:\inetpub\wwwroot\
It is hard to read clearly here, so I have packed it up for everyone to look at:
https:///downtools/win2003Permission security settings.rar