PHP
PHP's configuration file contains a number of directives that can be used to harden your web applications. This page walks through the ones worth changing from their defaults, and then through the Suhosin extension.
php.ini
All the settings are located in /etc/php5/apache2/php.ini. This is the Apache module's php.ini on Debian and Ubuntu; the command-line interpreter reads /etc/php5/cli/php.ini, which you may want to harden separately. First, let's open this file.
sudo vi /etc/php5/apache2/php.ini
Safe Mode
Safe Mode should be On on PHP 5.3 and earlier. It restricts file operations to files whose owner matches the owner of the running script (or, with safe_mode_gid, the same group), so one virtual host's scripts cannot read or write another's.
Safe mode restricts the executables a script may run in the same way it restricts file and directory access, and can be confined to a single directory of executables. This helps limit which scripts can reach shell commands. sql.safe_mode makes database connection functions that have compiled-in defaults use those defaults instead of the arguments a script passes, so a compromised script cannot connect elsewhere.
Note that safe mode was deprecated in PHP 5.3 and removed in PHP 5.4, so safe_mode and safe_mode_gid have no effect there; on those versions, isolation between sites has to come from the web server and the operating system (separate users per site, chroot or per-site pools).
safe_mode = On
safe_mode_gid = On
sql.safe_mode = On
If you want to limit directories of included or executed files, you can update the following directives:
safe_mode_include_dir = /path/to/dir
safe_mode_exec_dir = /path/to/exec/dir
Disable Globals
Registering request data as global variables is very unsafe and must be Off. With register_globals on, every GET, POST and cookie parameter becomes a PHP global, so an attacker can pre-set any variable a script forgets to initialise (for example ?authorized=1). The setting was deprecated in PHP 5.3 and removed in PHP 5.4.
register_globals = Off
Hide PHP Information
To reduce PHP information leakage, disable expose_php, which removes the X-Powered-By: PHP/x.y.z header from responses. track_errors stores the last error message in $php_errormsg, and html_errors wraps error output in HTML; both are better off in production.
expose_php = Off
track_errors = Off
html_errors = Off
Hide errors
Hide all PHP errors from visitors. Attackers read whatever the server exposes; warnings and stack traces reveal file paths, library versions and query fragments that make the first steps of an attack easier. Keep log_errors on and point error_log at a file outside the document root so the errors are still recorded for you.
display_errors = Off
Disabling Functionality
Some PHP functions are unsafe to leave enabled: used unwisely, or reached through an injection flaw, they let an attacker run commands, read arbitrary files or map the system. disable_functions removes them for every script. It only covers internal (built-in) functions, cannot be re-enabled at runtime, and applies to the whole server, so test your applications first; set_time_limit and phpinfo in particular are used by many legitimate applications.
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo
Disable Remote File Includes
By allowing remote file inclusion, attackers can include a file from a server they control and have it executed on yours. allow_url_include controls include/require of URLs and should always be Off. allow_url_fopen controls the URL wrappers used by functions such as file_get_contents; turning it off also breaks legitimate HTTP fetches, so use cURL for those if you disable it.
allow_url_fopen = Off
allow_url_include = Off
Restrict File Uploads
If you are not using file uploads, disable them. Uploading files is one way attackers get web shells, viruses or trojans onto a server.
file_uploads = Off
If uploads are essential, limit the maximum size and set a dedicated temporary directory that is writable by the web server user and located outside the document root.
upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M
Resource Control
You can set maximum execution time of each php script, set maximum amount of time each script may spend parsing request data, and maximum amount of memory a script may consume.
max_execution_time = 10
max_input_time = 30
memory_limit = 40M
Control POST Size
The HTTP POST method is used when the client sends data to the web server, for example from a form. A basic denial-of-service attack sends oversized POST bodies to exhaust memory and disk space.
You can limit the size of the POST request body that PHP will process. If file uploads are enabled, the value must be larger than upload_max_filesize, otherwise every upload fails; a value as small as 1K is only workable when uploads are off and your forms carry little data.
post_max_size=1K
Protect Sessions
Make sure the web server can read and write to the session save path you specify (session.save_path), and that other users on the host cannot. Set the session cookie HttpOnly so that scripts running in the browser cannot read it. This does not prevent Cross Site Scripting, but it stops an injected script from stealing the session ID, which is the usual payoff of XSS. Over HTTPS, also set session.cookie_secure.
session.cookie_httponly = 1
You can reduce the chance of a session ID that leaked to an external site being accepted back: when the client sends a Referer header that does not contain this string, the session ID in the request is treated as invalid. Requests without a Referer are not checked, so this is a safety net, not a boundary.
session.referer_check = mydomain.com
magic_quotes_gpc
magic_quotes_gpc should always be Off. It escapes quotes in all GET, POST and cookie data indiscriminately, which corrupts data and gives a false sense of safety because it is not the correct escaping for every context; it was deprecated in PHP 5.3 and removed in PHP 5.4. Escape or parameterise data in your PHP code at the point where it is used (prepared statements for SQL, htmlspecialchars for HTML).
magic_quotes_gpc=Off
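The directives above are easy to set once and easy to let drift. The script below is an added example, not part of the original article: it parses a php.ini the way PHP does (last uncommented assignment wins, On/1/True treated alike) and checks it against the values recommended on this page, including two things the individual sections do not show together: that the command-execution functions are actually present in disable_functions, and that post_max_size is larger than upload_max_filesize when uploads are on. The function names and the embedded sample php.ini are my own constructions; the expected values are the ones given above.

```shell
#!/bin/sh
# Added example, not from the original article: audit a php.ini for the
# hardening directives recommended above. Expected values are the ones this
# page gives; the function names and the sample file below are my own.

# Effective value of a directive. PHP honours the last uncommented assignment,
# so take the last match; strip trailing ";" comments, whitespace and quotes.
ini_get() {                                   # usage: ini_get FILE DIRECTIVE
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')  # escape dots (session.cookie_httponly)
  sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' \
    | tail -n 1
}

# PHP treats On/1/True/Yes as on and Off/0/False/No/"" as off; normalise both
# sides so "expose_php = 0" satisfies a wanted "Off". Other values pass through.
ini_norm() {
  case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
    on|1|true|yes)     echo On ;;
    off|0|false|no|'') echo Off ;;
    *)                 printf '%s\n' "$1" ;;
  esac
}

# php.ini size shorthand (2M, 512K, 1G, or plain bytes) to a byte count.
ini_bytes() {
  n=${1%[KkMmGg]}
  case $1 in
    *[Kk]) echo $((n * 1024)) ;;
    *[Mm]) echo $((n * 1024 * 1024)) ;;
    *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
    *)     echo "$n" ;;
  esac
}

# True when FUNCTION is listed in disable_functions (commas, optional spaces).
ini_disabled() {                              # usage: ini_disabled FILE FUNCTION
  ini_get "$1" disable_functions | tr -d ' ' | tr ',' '\n' | grep -qx "$2"
}

# Run every check against FILE, print one line per finding and return the
# number of failures (0 means fully hardened), so it can gate a deployment.
audit_php_ini() {                             # usage: audit_php_ini FILE
  file=$1 failures=0
  for check in expose_php=Off display_errors=Off log_errors=On \
               allow_url_fopen=Off allow_url_include=Off register_globals=Off \
               magic_quotes_gpc=Off session.cookie_httponly=1; do
    name=${check%%=*} want=${check#*=}
    have=$(ini_get "$file" "$name")
    if [ "$(ini_norm "$have")" = "$(ini_norm "$want")" ]; then
      printf 'PASS %-24s = %s\n' "$name" "$have"
    else
      printf 'FAIL %-24s = %s (want %s)\n' "$name" "${have:-<unset>}" "$want"
      failures=$((failures + 1))
    fi
  done
  # The command-execution primitives must appear in disable_functions.
  for fn in exec shell_exec system passthru proc_open phpinfo; do
    if ! ini_disabled "$file" "$fn"; then
      printf 'FAIL disable_functions lacks %s\n' "$fn"
      failures=$((failures + 1))
    fi
  done
  # Uploads only work when post_max_size exceeds upload_max_filesize; a smaller
  # post_max_size (like the 1K above) breaks every upload. The fallbacks
  # (file_uploads=On, post_max_size=8M, upload_max_filesize=2M) are PHP's defaults.
  uploads=$(ini_get "$file" file_uploads)
  if [ "$(ini_norm "${uploads:-On}")" = On ]; then
    p=$(ini_get "$file" post_max_size);      post=$(ini_bytes "${p:-8M}")
    u=$(ini_get "$file" upload_max_filesize); upload=$(ini_bytes "${u:-2M}")
    if [ "$post" -le "$upload" ]; then
      printf 'FAIL post_max_size (%s bytes) <= upload_max_filesize (%s bytes)\n' "$post" "$upload"
      failures=$((failures + 1))
    fi
  fi
  return $failures
}

# Constructed sample php.ini for a stand-alone run (not a real distribution
# file): mostly hardened, with three findings left in for the audit to report.
sample_ini() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[PHP]
expose_php = On                 ; leaks X-Powered-By
;display_errors = On
display_errors = Off
log_errors = On
register_globals = Off
magic_quotes_gpc = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec, shell_exec,system, passthru, phpinfo
session.cookie_httponly = 1
post_max_size = 1K              ; smaller than upload_max_filesize
upload_max_filesize = 2M
EOF
  printf '%s\n' "$f"
}

# Stand-alone run: audit $PHP_INI, or the constructed sample when it is unset.
status=0
audit_php_ini "${PHP_INI:-$(sample_ini)}" || status=$?
printf '%d check(s) failed\n' "$status"
```

Run it as `PHP_INI=/etc/php5/apache2/php.ini sh php-ini-audit.sh` after editing; with no PHP_INI it audits the constructed sample and reports the three planted findings (expose_php on, proc_open not disabled, post_max_size smaller than upload_max_filesize). It reads the file only, so it cannot see values set elsewhere (conf.d snippets, php_admin_value in the Apache configuration); for the effective runtime value, compare against `php -i` or ini_get() from a test script.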
suhosin
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.
Install suhosin
sudo apt-get install php5-suhosin
Configure suhosin
To configure Suhosin, open suhosin.ini, located in /etc/php5/conf.d.
sudo vi /etc/php5/conf.d/suhosin.ini
Enable suhosin
extension=suhosin.so
Disable session encryption. Suhosin transparently encrypts session data by default; turning it off is only needed when sessions must be shared with PHP processes that do not run Suhosin, so keep the default unless you have that requirement.
suhosin.session.encrypt = Off
Log all alerts to syslog. The value is a bitmask of Suhosin alert classes; 511 enables all of them.
suhosin.log.syslog=511
Max traversal
Set the maximum number of ../ sequences allowed in a filename passed to include or require; with 4, ../../../../ is accepted but anything deeper is refused.
suhosin.executor.include.max_traversal=4
Disable eval. This also blocks code that legitimately relies on eval(), such as some template engines, so check your applications first.
suhosin.executor.disable_eval=On
Disable /e modifier
suhosin.executor.disable_emodifier=On
Disallow newlines in Subject:, To: headers and double newlines in additional headers
suhosin.mail.protect=2
Recommend Settings
Terminate the script when an SQL query fails, instead of letting it continue, so that error-based SQL injection probing does not yield partial results:
suhosin.sql.bailout_on_error=On
Filtering Options
suhosin.cookie.max_vars = 2048
suhosin.get.max_array_index_length = 256
suhosin.post.max_array_index_length = 256
suhosin.post.max_totalname_length = 8192
suhosin.post.max_vars = 2048
suhosin.request.max_totalname_length = 8192
suhosin.request.max_varname_length = 256
Restart Apache
sudo service apache2 restart