Posted on Sunday March 13, 2016 by Eric Potvin
PHP's default configuration contains a set of rules and functionalities that can be used to help secure your web applications.
All the settings are located in /etc/php5/apache2/php.ini. First, open this file:
sudo vi /etc/php5/apache2/php.ini
Safe Mode should be On. It checks that a script and the files it operates on all have the same owner.
Safe mode will also restrict executables that may be run by scripts in the same way it restricts file and directory access. Safe mode can also be configured so that only executables in a certain directory can be run. This can help limit exposure of shell commands to certain scripts.
safe_mode = On
safe_mode_gid = On
sql.safe_mode = On
If you want to limit directories of included or executed files, you can update the following directives:
safe_mode_include_dir = /path/to/dir
safe_mode_exec_dir = /path/to/exec/dir
Registered global variables are very unsafe and need to be turned off:
register_globals = Off
Hide PHP Information
To restrict PHP information leakage, disable expose_php:
expose_php = Off
track_errors = Off
html_errors = Off
Hide all PHP errors. Hackers use the information your web server exposes, and error messages are the first information they can gather to start their attacks.
display_errors = Off
Some PHP functions are unsafe to use. Used unwisely, they can harm your system and make your server vulnerable to attacks. By disabling these functions, you prevent users and attackers from calling them:
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo
Disable Remote File Includes
If remote file inclusion is allowed, hackers can include files from a remote host that can harm your system. It is recommended to disable it:
allow_url_fopen = Off
allow_url_include = Off
Restrict File Uploads
If you are not using the file upload functionality, you should disable it. Uploading files is one technique hackers use to plant viruses or trojans.
file_uploads = Off
If this functionality is essential for you, you should limit the maximum upload size and set a dedicated upload folder:
upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M
You can also set the maximum execution time of each PHP script, the maximum time a script may spend parsing request data, and the maximum amount of memory a script may consume:
max_execution_time = 10
max_input_time = 30
memory_limit = 40M
Control POST Size
The HTTP POST request method is used when the client needs to send data to the Apache web server, for example via a form. A basic attack will attempt to send oversized POST requests to exhaust your system resources.
You can limit the maximum size of POST request that PHP will process with the post_max_size directive.
Mark session cookies as HttpOnly so that client-side scripts cannot read them:
session.cookie_httponly = 1
You can also prevent users from accidentally leaking session information to external sites by checking the referer:
session.referer_check = mydomain.com
magic_quotes_gpc should always be Off. Always sanitize the data in your PHP code instead.
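As an added example (not part of the original post), the following POSIX shell script audits a php.ini against the hardening values recommended above and reports every directive that deviates; the function names and the embedded sample php.ini are constructed for this example.

```shell
# Added example (not from the original post): audit a php.ini file against the
# hardening values recommended above. Every function name here is hypothetical.
# Effective value of a directive: the last uncommented "key = value" line, with any
# trailing ";comment" and whitespace removed. Prints nothing if the key is unset.
php_ini_get() {  # $1 = ini file, $2 = directive name
    { grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" || true; } | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//'
}
# Directive=value pairs the post recommends, one per line.
PHP_HARDENING_EXPECTED='expose_php=Off
display_errors=Off
allow_url_fopen=Off
allow_url_include=Off
file_uploads=Off
register_globals=Off
session.cookie_httponly=1'
# Report each deviating directive on stderr; print the deviation count on stdout.
audit_php_ini() {  # $1 = path to php.ini
    failures=0
    for pair in $PHP_HARDENING_EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(php_ini_get "$1" "$key" || true)
        # Case-insensitive compare; a missing directive is reported as <unset>.
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != \
             "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "DEVIATION: $key = ${got:-<unset>} (expected $want)" >&2
            failures=$((failures + 1))
        fi
    done
    echo "$failures"
}
# Constructed sample php.ini with three deviations: expose_php and allow_url_fopen
# are On, and session.cookie_httponly is never set.
write_sample_ini() {  # $1 = destination path
    cat > "$1" <<'EOF'
; constructed sample, loosely modelled on a stock php.ini
expose_php = On
display_errors = Off
allow_url_fopen = On
allow_url_include = Off
file_uploads = Off   ; uploads not needed on this host
;register_globals = On
register_globals = Off
EOF
}
sample=$(mktemp)
write_sample_ini "$sample"
echo "deviations: $(audit_php_ini "$sample")"   # prints "deviations: 3"
rm -f "$sample"
```

Point audit_php_ini at /etc/php5/apache2/php.ini to check a real host; a non-zero count means at least one recommended directive is missing or set differently.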
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.
sudo apt-get install php5-suhosin
To edit the Suhosin settings, open suhosin.ini, located in /etc/php5/conf.d:
sudo vi /etc/php5/conf.d/suhosin.ini
Disable session encryption:
suhosin.session.encrypt = Off
Log all errors.
Set the maximum depth of paths, e.g.:
Disable the /e modifier.
Disallow newlines in Subject: and To: headers and double newlines in additional headers.
Silently fail all failed SQL queries:
suhosin.cookie.max_vars = 2048
suhosin.get.max_array_index_length = 256
suhosin.post.max_array_index_length = 256
suhosin.post.max_totalname_length = 8192
suhosin.post.max_vars = 2048
suhosin.request.max_totalname_length = 8192
suhosin.request.max_varname_length = 256
Finally, restart Apache for the changes to take effect:
sudo service apache2 restart