PHP is one of the most widely used scripting programming languages. Market share speaks volumes about its dominant position. The fact that PHP 7 has been launched makes this programming language even more attractive to current developers. Despite some changes, many developers are skeptical about PHP's future. One reason is PHP's security.
Linux administrators must know the top ten PHP security points
PHP is one of the most widely used scripting programming languages. Market share speaks volumes about its dominant position. The fact that PHP 7 has been launched makes this programming language even more attractive to current developers. Despite some changes, many developers are skeptical about PHP's future. One reason is PHP's security.
The security of PHP is the main issue that developers worry about. Although PHP provides solid security from the inside out, it is up to developers to implement these security mechanisms correctly. We will introduce several PHP security points for Linux administrators in this article. These points will help you secure your web application and ensure proper functioning in the long run.
Before we begin, it is necessary to understand the system we are dealing with. For demonstration purposes, we use Fedora. However, these points should apply to Ubuntu versions or any other Linux distribution. Check the manual for your operating system distribution for more information.
Let’s take a closer look at several key files of our system environment. Your file should resemble or correspond to the following:
Default web server: Apache
DocumentRoot: /var/www/html
PHP configuration file: /etc/php .ini
Extended configuration directory:/etc/php.d/
Security file:/etc/php.d/security.ini
These tips will protect your Website, avoid different types of common attacks, such as SQL injection, XSS, cross-site request forgery attacks, eval() and file upload attacks. A list of common attacks can be found here (https://www.sitepoint.com/top-10-php-security-vulnerabilities/).
1. Delete unnecessary modules.
PHP comes with built-in php module. They are useful for many tasks, but not every project requires them. Just enter the following command to view the available PHP modules:
# php - m
Once you have viewed the list, you can now delete unnecessary modules. Reducing the number of modules helps improve the performance and security of the web applications you work on.
2. Limit PHP information leakage.
It is common for platforms to leak key information. For example, PHP leaks information such as the version and the fact that it was installed on the server. This can be achieved through the expose_php command. To prevent leaks, you need to set this command to off in /etc/php.d/security.ini.
expose_php=Off
If you need to know the version and its status, just run a simple Curl command against the website address to get the information.
Curl - I http://www.kubiji.cn/index.php
The previous command will return the following information:
HTTP/1.1 200 OK
X-Powered-By: PHP/7.0.10
Content-type: text/html; charset=UTF-8
3. Disable remote code execution.
Remote code execution is one of the common security vulnerabilities in PHP security systems. By default, remote code execution is enabled on your system. The "allow_url_fopen" command allows functions such as require, include, or URL-aware fopen wrappers to directly access PHP files. Remote access is achieved through the use of HTTP or FTP protocols, which results in the system being unable to defend against code injection security vulnerabilities.
In order to ensure that your system is safe, secure and away from remote code execution, you can set this command to "Off", as shown below:
Allow_url_fopen=Off
allow_url_include =Off
4. Log PHP errors.
Another simple way to strengthen the security of your web application is not to display errors to visitors. This will ensure that hackers cannot compromise the security of the website at all. It needs to be edited in the /etc/php.d/security.ini file.
display_errors=Off
Now you may be thinking: After completing this step, "How can developers debug without the help of error messages?" Developers can use the log_errors command for debugging . They just need to set the log_errors command to "On" in the security.ini file.
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
5. Reasonably control resources.
To ensure the security of your application, it is important to control resources. To ensure proper execution and security, you need to restrict PHP script execution. Additionally, there should be a limit on the time spent parsing request data. If execution time is controlled, other resources such as memory used by the script should also be configured accordingly. All these metrics can be managed by editing the security.ini file.
# set in seconds
max_execution_time = 25
max_input_time = 25
memory_limit = 30M
6. Disable dangerous PHP functions
PHP comes with useful functions for development, but it may also be used by hackers to break into the Web A large number of functions for the application. Disabling these functions improves overall security and ensures you are not exposed to dangerous PHP functions.
To do this, you first need to edit the php.ini file. Once inside the file, find the disable_functions command and disable the dangerous functions inside. To do this, you just copy/paste the following code.
disable_functions =exec,passthru,
shell_exec,system,proc_open,popen,curl_exec,
curl_multi_exec,parse_ini_file,show_source
You can here ( https://www.eukhost.com/blog/webhosting/dangerous-php-functions-must-be-disabled/) Learn more about disabling dangerous PHP functions.
7. Upload files.
If your application does not require uploading any files, disabling the ability to upload files can help improve security. If you want to prohibit users from uploading files, you only need to edit the security.ini file in the /etc/php.d/ directory and set the file_uploads command to OFF.
file_uploads=Off
8. Keep the version up to date.
Developers work 24/7 to patch the technology you use. The same goes for PHP. Since it has an open source community, patches and fixes are released regularly. The updated version also provides security patches for day-one vulnerabilities and other security vulnerabilities. If you care about application security, always make sure your PHP solution is up to date. In addition, applying the latest patches to other related technologies can ensure maximum security.
9. Control file system access.
By default, PHP can use functions such as fopen() to access files. Access is provided by the open_basedir command. First, always set the open_basedir command to the /var/www/html directory. Setting it to any other directory can cause security issues.
open_basedir="/var/www/html/"
10. Control POST size.
Our last PHP security point is the control POST size function. The HTTP POST function uses the client's browser to send data to the web server. For example, a user might upload a certificate, which is then sent to the web browser for processing. Everything was running smoothly until one day a hacker tried to send a huge file that exhausted the server's resources. This will most likely cause the server to crash or respond slowly. To protect the server from this vulnerability, the POST size needs to be set. The POST size can be set in the /etc/php.d/security.ini file.
post_max_size=1k
Conclusion
Security is one of the most concerning issues for web developers and Linux administrators. If you take the above points, you will be able to strengthen the security of your development environment and PHP web applications. If you think we have missed something important, please leave a message to add it.