Linux administrators must not know the top ten PHP security points

  
 

The security of PHP
is a major concern for developers. While PHP
provides reliable security from the inside out, it is up to the developer to properly implement these security mechanisms. In this article, we will introduce a few PHP
security points for Linux administrators. These points will help you secure your web application and ensure it works in the long run.

Before we start, it is necessary to understand the system we are dealing with. For the purposes of the demo, we use Fedora. However, these points should apply to the Ubuntu version or any other Linux distribution. See the manual for your OS
distribution for more information.

Look carefully at a few key files in our system environment. Your file should be similar or correspond to the following:

  • Default Web Server: Apache
  • DocumentRoot:/var/www/html
  • PHP Configuration File: /Etc/php.ini
  • Extended configuration directory: /etc/php.d/
  • Security file: /etc/php.d/security.ini

    These tips will protect your site from different types of common attacks such as SQL injection, XSS, cross-site request forgery attacks, eval() and file uploads.

    1. Remove unnecessary modules.

    PHP comes with a built-in PHP module. They are useful for many tasks, but not every project requires them. Just enter the following command to see the available PHP modules:
    # php – m

    Once you have looked at the list, you can now remove unnecessary modules. Reducing the number of modules helps improve the performance and security of the web applications you are working with.

    2. Limit PHP information disclosure.

    Private leaking key information is commonplace. For example, PHP leaks some information, such as the version and the fact that it is installed on the server. This can be done with the expose_php command. To prevent leaks, you need to set this command to off in /etc/php.d/security.ini.
    expose_php=Off

    If you need to know the version and its status, just run a simple Curl command against the website address to get this information.
    Curl – I http://www.livecoding.tv/index.php

    The previous command will return the following information:
    HTTP/1.1 200 OK
    X- Powered-By: PHP/7.0.10
    Content-type: text/html; charset=UTF-8

    3. Disable remote code execution.

    Remote code execution is one of the common security holes in the PHP security system. By default, remote code execution is enabled on your system. The "allow_url_fopen" command allows functions such as require, include or identifiable URLs to access PHP files directly. Remote access is achieved through the use of HTTP or FTP protocols, which can result in the system being unable to defend against code injection security vulnerabilities.

    To ensure that your system is secure and remote from remote code execution, you can set this command to “Off” as follows:
    Allow_url_fopen=Off
    allow_url_include=Off

    4. Log PHP errors.

    Another easy way to enhance the security of your web application is to not display errors to visitors. This will ensure that hackers simply cannot compromise the security of the site. Need to edit in the /etc/php.d/security.ini file.
    display_errors=Off

    You may now think: After completing this step, "developers can debug with the help of no error message?" Developers can use the log_errors command to use For debugging. They only need to set the log_errors command to “On” in the security.ini file.
    log_errors=On
    error_log=/var/log/httpd/php_scripts_error.log

    5. Reasonable control of resources.

    Controlling resources is important to ensure application security. To ensure proper execution and security, you have to limit the execution of PHP scripts. In addition, you should limit the time spent parsing the request data. If the execution time is controlled, other resources such as memory used by the script should also be configured accordingly. All of these metrics can be managed by editing the security.ini file.
    # set in seconds
    max_execution_time = 25
    max_input_time = 25
    memory_limit = 30M

    6. Disable dangerous PHP functions

    PHP comes with Useful functions for development, but there are also a large number of functions that hackers can use to break into web applications. Disabling these functions can improve overall security and ensure that you are not affected by dangerous PHP functions.

    To do this, you must first edit the php.ini file. Once inside the file, find the disable_functions command and disable the dangerous function inside. To do this, just copy/paste the following code.
    disable_functions =exec,passthru,
    shell_exec,system,proc_open,popen,curl_exec,
    curl_multi_exec,parse_ini_file,show_source

    7. Upload files.

    If your app doesn't need to upload any files, disabling the ability to upload files can help improve security. To prevent users from uploading files, just edit the security.ini file in the /etc/php.d/directory and set the file_uploads command to OFF.
    file_uploads=Off

    8. Keep the version up to date.

    The developer works 24/7 and patches the technology you use. The same is true for PHP. Since it has an open source community, patches and fixes are released regularly. The updated version also provides security patches for first-day vulnerabilities and other security vulnerabilities. If you focus on the security of your application, always make sure your PHP solution is up to date. In addition, the latest patches for other related technologies ensure maximum security.

    9. Control file system access.

    By default, PHP can access files using functions such as fopen(). The open_basedir command provides access. First, always set the open_basedir command to the /var/www/html directory. Setting it to any other directory can cause security problems.
    open_basedir=“/var/www/html/”

    10. Control POST size.

    Our last PHP security point is to control the POST size function. The HTTP POST function uses the client's browser to send data to the web server. For example, a user might upload a certificate and send it to a web browser for processing. Everything runs smoothly until one day the hacker attempts to send huge files to exhaust server resources. This is likely to cause the server to crash or respond slowly. In order to protect the server from this vulnerability, you need to set the POST size. The POST size can be set in the /etc/php.d/security.ini file.
    post_max_size=1k

    Conclusion

    Security is one of the most concerned issues for web developers and Linux administrators. If you take the above points, you are bound to strengthen the security of the development environment and PHP web applications. If you think we have missed important content, please leave a message to add

  • Copyright © Windows knowledge All Rights Reserved