PHP is an open source server-side scripting language and is very widely used. The Apache web server provides access to files and content over the HTTP or HTTPS protocol. A misconfigured server-side scripting language can cause many problems. Below are some steps recommended to secure PHP.

Our Sample Setup for PHP Security

· Default DocumentRoot: /var/www/html

· Default web server: Apache (you can use Lighttpd or Nginx instead of Apache)

· Default PHP configuration file: /etc/php.ini

· Default PHP extensions config directory: /etc/php.d/

· Default PHP server TCP/UDP ports: none

· Our sample PHP security config file: /etc/php.d/security.ini (you need to create this file using a text editor)

Please log on to your server as root and check the OS and PHP versions with the following commands:

# cat /etc/redhat-release

The output will look like this:

Red Hat Enterprise Linux Server release 6.1 (Santiago)

To find the PHP version, enter:

# php -v

The output will look like this:

PHP 5.4 (cli) (built)

Below are the steps to secure PHP on a Linux server.

Know Your Enemy

PHP-based apps face several different types of attack. Below are some details:

· XSS: cross-site scripting is a vulnerability in PHP web applications that attackers may exploit to steal users' information. You can configure Apache and write more secure PHP scripts to avoid XSS attacks.

· SQL injection: a vulnerability in the database layer of a PHP application. When user input is incorrectly filtered, arbitrary SQL statements can be executed by the application. You can configure Apache and write secure code to avoid SQL injection attacks.

· File uploads: allowing visitors to place files on your server can lead to various security problems, such as deletion of your files, deletion of your database, disclosure of user details and much more.

· Including local and remote files: an attacker can open files from a remote server and execute arbitrary PHP code. This allows them to upload files, delete files and install backdoors. You can configure PHP to disable remote file execution.

· eval(): evaluates a string as PHP code. It is often used by attackers to hide their code and tools on the server itself. You can configure PHP to disable eval() (eval() is a language construct rather than a function, so this needs an extension such as Suhosin rather than the disable_functions directive).

· Sea surf (CSRF) attack: forces an end user to execute unwanted actions on a web application in which they are currently authenticated. A successful CSRF exploit can compromise end-user data and operations for a normal user; if the targeted end user is an administrator account, it can compromise the entire web application.

Find Built-in PHP Modules

To see the set of compiled-in PHP modules, type the following command:

# php -m

Your output will look like this (sample):

sqlite3

standard

suhosin

tokenizer

wddx

xml

xmlreader

xmlrpc

xmlwriter

xsl

zip

zlib

 

I recommend running PHP with a reduced set of modules for performance and security. For example, you can disable the sqlite3 module by deleting (removing) its configuration file:

# rm /etc/php.d/sqlite3.ini

or by renaming the file so that it is no longer loaded:

# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable

Other compiled-in modules can only be removed by reinstalling PHP with a reduced configuration. You can download the PHP source code from php.net and compile it with only the extensions you need, such as GD, FastCGI and MySQL support.

Restrict PHP Information Leakage

To restrict PHP information leakage, disable expose_php. Edit /etc/php.d/security.ini and set the following directive:

expose_php=Off

When enabled, expose_php reports to the world that PHP is installed on the server, including the PHP version in the HTTP response headers (the X-Powered-By header). The PHP logo GUIDs are also exposed, so appending one of them to the URL of a PHP-enabled site displays the corresponding logo. With expose_php enabled you can see the PHP version using the following command:

# php -v

Minimize Loadable PHP Modules (Dynamic Extensions)

PHP supports dynamic extensions. By default, RHEL loads all the extension modules found in the /etc/php.d/ directory. To enable or disable a particular module, find its configuration file in /etc/php.d/ and comment out the extension line, or rename or delete the configuration file. For best PHP performance and security, enable only the extensions your web apps require. For example, to disable the gd extension, type the following commands:

# cd /etc/php.d/

# mv gd.{ini,disable}

# /sbin/service httpd restart

To enable the gd module again, enter:

# cd /etc/php.d/

# mv gd.{disable,ini}

# /sbin/service httpd restart
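The rename above is easy to apply to one extension by hand, but the advice is to leave enabled only what the application needs. The following shell functions are an added example (not part of the original article): they disable every NAME.ini in the extensions directory that is not on a keep-list, using the same NAME.ini to NAME.disable rename, and can flip a single extension back on. The directory layout (assumed to be /etc/php.d), the function names and the scratch extension files used in the demonstration are assumptions of this example.

```shell
#!/bin/sh
# Keep only the PHP extensions an application needs: every other NAME.ini in the
# extensions directory is renamed to NAME.disable, the same rename the article uses
# for gd. Added example, not from the article; DIR is assumed to be /etc/php.d.

# php_ext_set DIR NAME on|off -> rename NAME.ini <-> NAME.disable (no-op if already so).
php_ext_set() {
    dir=$1; name=$2
    case "$3" in
        off) [ -f "$dir/$name.ini" ] && mv "$dir/$name.ini" "$dir/$name.disable" ;;
        on)  [ -f "$dir/$name.disable" ] && mv "$dir/$name.disable" "$dir/$name.ini" ;;
        *)   echo "usage: php_ext_set DIR NAME on|off" >&2; return 2 ;;
    esac
    return 0
}

# php_ext_prune DIR EXT... -> disable every enabled extension not listed in EXT...;
# prints the names it disabled, one per line.
php_ext_prune() {
    dir=$1; shift
    keep=" $* "
    for ini in "$dir"/*.ini; do
        [ -f "$ini" ] || continue                     # glob matched nothing
        name=$(basename "$ini" .ini)
        case "$keep" in
            *" $name "*) ;;                           # required: leave enabled
            *) php_ext_set "$dir" "$name" off && echo "$name" ;;
        esac
    done
}

# php_ext_enabled DIR -> space-separated names of the extensions still enabled.
php_ext_enabled() {
    out=
    for ini in "$1"/*.ini; do
        [ -f "$ini" ] && out="$out $(basename "$ini" .ini)"
    done
    echo "${out# }"
}

# Demonstration on a scratch directory with constructed extension files (never run
# the demonstration against the live /etc/php.d).
demo=$(mktemp -d)
for ext in gd mysql sqlite3 wddx xmlrpc; do : > "$demo/$ext.ini"; done
echo "disabled: $(php_ext_prune "$demo" gd mysql | tr '\n' ' ')"
echo "enabled:  $(php_ext_enabled "$demo")"
rm -rf "$demo"
```

On the live server, as root, run php_ext_prune /etc/php.d gd mysql (with your own keep-list) and then /sbin/service httpd restart; the disabled files stay in place as NAME.disable, so php_ext_set /etc/php.d NAME on followed by a restart undoes any single change.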

 

Log All PHP Errors

Do not expose PHP error messages to all site visitors. Edit /etc/php.d/security.ini and set the following directive:

display_errors=Off

 

Make sure you log all PHP errors to a log file:

log_errors=On

error_log=/var/log/httpd/php_scripts_error.log

Disallow Uploading Files

Edit /etc/php.d/security.ini and set the following directive to disable file uploads for security reasons:

file_uploads=Off

If the users of your application need to upload files, turn the feature on and set upload_max_filesize, which limits the maximum size of a file that PHP will accept through an upload:

file_uploads=On

upload_max_filesize=1M

After these changes, users can upload files of at most 1 MB.

 

Turn Off Remote Code Execution

If enabled, allow_url_fopen lets PHP's file functions, such as file_get_contents() and the include and require statements, retrieve data from remote locations such as an FTP or web site, using the ftp or http protocols. Programmers frequently forget this and do not filter user-provided data properly before passing it to these functions, opening them up to code injection vulnerabilities. A large number of the code injection vulnerabilities reported in PHP-based web applications are caused by the combination of allow_url_fopen being enabled and poor input filtering. Edit /etc/php.d/security.ini and set the following directive:

allow_url_fopen=Off

 

I also recommend disabling allow_url_include for security reasons:

allow_url_include=Off

 

Enable SQL Safe Mode

Edit /etc/php.d/security.ini and set the following directive:

sql.safe_mode=On

 

If turned on, mysql_connect() and mysql_pconnect() ignore any arguments passed to them. Please note that you may have to make some changes to your code, and third-party and open source applications such as WordPress may not work at all when sql.safe_mode is enabled (the directive, together with the mysql_* functions it governs, was removed in PHP 7). I also recommend that you turn off magic_quotes_gpc for all PHP 5.3.x installations, as its filtering is ineffective and not very robust; mysql_escape_string() and custom filtering functions serve the purpose better (magic quotes were removed entirely in PHP 5.4):

magic_quotes_gpc=Off

 

Control POST Size

The HTTP POST request method is used when the client needs to send data to the Apache web server as part of the request, such as when uploading a file or submitting a completed form. Attackers may send oversized POST requests to eat up your system resources. You can limit the maximum size of a POST request that PHP will process. Edit /etc/php.d/security.ini and set the following directive, choosing a realistic value (PHP's shorthand notation takes a single K, M or G suffix; a value such as 1MB is not parsed as one megabyte):

post_max_size=1M

This limits the POST data accepted by PHP apps to 1 MB. The setting also affects file uploads: to upload large files, this value must be larger than upload_max_filesize. I also suggest that you limit the available HTTP methods using the Apache web server. Edit httpd.conf and set the following directive for DocumentRoot /var/www/html (this uses the Apache 2.2 Order/Allow access-control syntax; Apache 2.4 expresses the same rule with Require all denied):

 

<Directory /var/www/html>
    <LimitExcept GET POST>
        Order allow,deny
    </LimitExcept>
</Directory>

 

Resource Control (DoS Control)

You can set the maximum execution time of each PHP script in seconds. Another recommended option is to set the maximum amount of time each script may spend parsing request data and the maximum amount of memory a script may consume. Edit /etc/php.d/security.ini and set the following directives:

max_execution_time = 60

max_input_time = 30

memory_limit = 128M

Install Suhosin Advanced Protection System for PHP

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination: the first is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities, and the second is a powerful PHP extension that implements all the other protections.

 

Install Suhosin as extension

To install Suhosin, access your server as root using any SSH client and enter the following commands:

# cd /opt

# wget http://download.suhosin.org/suhosin-0.9.27.tgz

 

Make sure you have php-devel installed:

# yum install php-devel

 

To compile Suhosin under PHP 5 and RHEL / CentOS Linux, type the following commands:

# cd suhosin-0.9.27

# phpize

# ./configure

# make

# make install

 

Configure Suhosin

Type the following command to create Suhosin configuration file:

# echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini

 

Restart web server

Type the following command to restart httpd:

# service httpd restart

 

Disabling Dangerous PHP Functions

PHP has a lot of functions which can be abused to compromise your server if not used properly. You can set a list of functions to disable in /etc/php.d/security.ini using the disable_functions directive:

disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

 

PHP User and Group ID

mod_fastcgi is a CGI module for the Apache web server that connects to an external FastCGI server. You need to make sure PHP runs as a non-root user: if PHP executes as root or as a UID under 100, it may access and/or manipulate system files. Execute PHP CGIs as a non-privileged user using Apache's suEXEC or mod_suPHP. The suEXEC feature gives Apache users the ability to run CGI programs under user IDs different from the user ID of the calling web server. In this example, my PHP CGI is running as the phpcgi user and Apache is running as the apache user. You can check with the following command:

# ps aux | grep php-cgi

 

You will see output like below:

phpcgi      6012  0.0  0.4 225036 60140 ?        S    Nov22   0:12 /usr/bin/php-cgi

phpcgi      6054  0.0  0.5 229928 62820 ?        S    Nov22   0:11 /usr/bin/php-cgi

phpcgi      6055  0.1  0.4 224944 53260 ?        S    Nov22   0:18 /usr/bin/php-cgi
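Eyeballing ps output works for three workers but not for a fleet, so here is an added shell function (not from the article) that performs the same check mechanically: it reads the output of ps -eo uid,user,pid,args on standard input, picks out php-cgi and php-fpm workers by the first word of their command line, and reports any that run with a UID below 100 (root included). It uses that ps column set instead of ps aux so the numeric UID is present and no name lookup is needed. The sample process lines, the PIDs and the phpcgi UID of 1001 are constructed for the demonstration.

```shell
#!/bin/sh
# php_worker_audit: flag PHP worker processes running as root or with a UID below
# 100. Added example, not from the article. Reads `ps -eo uid,user,pid,args`
# output on stdin (UID is the first, numeric column); returns the number of
# offending processes, so 0 means the check passed.
php_worker_audit() {
    awk '
        BEGIN { n = 0 }
        $1 == "UID" { next }                              # ps header line
        $4 ~ /php-(cgi|fpm)/ {                            # first word of args
            if ($1 + 0 < 100) {
                printf "FAIL: %s (pid %s) runs as %s (uid %s)\n", $4, $3, $2, $1
                n++
            }
        }
        END { exit n }
    '
}

# Constructed sample in the same column layout (UIDs and PIDs are made up; the
# root-owned php-cgi on the last line is the case the check must catch).
sample_ps_output() {
    cat <<'EOF'
  UID USER       PID COMMAND
    0 root         1 /sbin/init
   48 apache    6001 /usr/sbin/httpd
 1001 phpcgi    6012 /usr/bin/php-cgi
 1001 phpcgi    6054 /usr/bin/php-cgi
    0 root      6100 /usr/bin/php-cgi
EOF
}

sample_ps_output | php_worker_audit || echo "$? offending PHP worker(s)"
```

On a live host run ps -eo uid,user,pid,args | php_worker_audit; a non-zero exit status is the count of workers that need to be moved to an unprivileged user via suEXEC or mod_suPHP.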

Limit PHP Access to File System

The open_basedir directive sets the directories from which PHP is allowed to access files using functions like fopen() and others. If a file is outside the paths defined by open_basedir, PHP will refuse to open it. You cannot use a symbolic link as a workaround. For example, to allow access only to the /var/www/html directory and not to /var/www, /tmp or /etc:

open_basedir="/var/www/html/"
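The directives collected above (expose_php, display_errors and log_errors, file_uploads and upload_max_filesize, allow_url_fopen and allow_url_include, magic_quotes_gpc, post_max_size, disable_functions and open_basedir) are easy to get subtly wrong, so here is an added audit script, not part of the original article, that reads a php.ini-style file and reports every directive that deviates from that baseline. It also parses PHP's size shorthand the way PHP does, so a value with an unrecognised suffix such as 1MB is flagged instead of being silently misread, and it checks that post_max_size is not smaller than upload_max_filesize. The key=value file layout, the two constructed sample configurations it writes, and the function names are assumptions of this example.

```shell
#!/bin/sh
# php_ini_audit: check a php.ini-style file against the hardening baseline in this
# article. Added example, not part of the original article; assumes one key=value
# per line, as /etc/php.d/security.ini is written.

# ini_get FILE KEY -> value of KEY with whitespace and quotes stripped (last
# occurrence wins, as in PHP); prints nothing when the key is unset or empty.
ini_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[;#]/ { next }                                # comment line
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                gsub(/^"|"$/, "", val)
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# php_size_bytes SHORTHAND -> bytes. PHP accepts a bare number or a single trailing
# K, M or G; any other suffix (e.g. "1MB") is not recognised, so print "invalid".
php_size_bytes() {
    n=${1%[kKmMgG]}
    case "$n" in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    case "$1" in
        *[kK]) echo $(( n * 1024 )) ;;
        *[mM]) echo $(( n * 1024 * 1024 )) ;;
        *[gG]) echo $(( n * 1024 * 1024 * 1024 )) ;;
        *)     echo "$n" ;;
    esac
}

# php_ini_audit FILE -> one FAIL line per deviation; returns the number of findings.
php_ini_audit() {
    f=$1; findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }
    # Boolean directives with the values recommended in the article.
    for pair in expose_php:Off display_errors:Off log_errors:On \
                allow_url_fopen:Off allow_url_include:Off magic_quotes_gpc:Off; do
        key=${pair%%:*}; want=${pair#*:}; got=$(ini_get "$f" "$key")
        [ "$got" = "$want" ] || fail "$key should be $want (got '${got:-unset}')"
    done
    # File system containment and the dangerous-function blacklist.
    [ -n "$(ini_get "$f" open_basedir)" ] || fail "open_basedir is not set"
    disabled=$(ini_get "$f" disable_functions)
    for fn in exec passthru shell_exec system proc_open popen; do
        case ",$disabled," in *",$fn,"*) ;; *) fail "disable_functions lacks $fn" ;; esac
    done
    # Upload sizing: both values must be valid shorthand and post_max_size must not be
    # smaller than upload_max_filesize (8M and 2M are PHP's built-in defaults).
    post=$(ini_get "$f" post_max_size); up=$(ini_get "$f" upload_max_filesize)
    pb=$(php_size_bytes "${post:-8M}") || fail "post_max_size='$post' has a suffix PHP does not recognise"
    ub=$(php_size_bytes "${up:-2M}") || fail "upload_max_filesize='$up' has a suffix PHP does not recognise"
    if [ "$pb" != invalid ] && [ "$ub" != invalid ] && [ "$pb" -lt "$ub" ]; then
        fail "post_max_size ($pb bytes) is smaller than upload_max_filesize ($ub bytes)"
    fi
    return "$findings"
}

# write_sample_ini PATH hardened|weak -> constructed sample files (not real configs).
write_sample_ini() {
    if [ "$2" = hardened ]; then cat > "$1" <<'EOF'
expose_php=Off
display_errors=Off
log_errors=On
file_uploads=On
upload_max_filesize=1M
post_max_size=1M
allow_url_fopen=Off
allow_url_include=Off
magic_quotes_gpc=Off
disable_functions=exec,passthru,shell_exec,system,proc_open,popen
open_basedir="/var/www/html/"
EOF
    else cat > "$1" <<'EOF'
; weak: leaks the version, shows errors, and the size suffix is wrong
expose_php=On
display_errors = On
allow_url_fopen=On
post_max_size=1MB
upload_max_filesize=2M
disable_functions=exec,system
EOF
    fi
}

# Demonstration on constructed files in a scratch directory.
tmp=$(mktemp -d)
write_sample_ini "$tmp/hardened.ini" hardened; write_sample_ini "$tmp/weak.ini" weak
php_ini_audit "$tmp/hardened.ini" && echo "hardened.ini: no findings"
php_ini_audit "$tmp/weak.ini" || echo "weak.ini: $? finding(s)"
rm -rf "$tmp"
```

To check the real file, run php_ini_audit /etc/php.d/security.ini; the exit status is the number of findings, which makes the script usable from a cron job or a configuration-management check. Note that it audits only the one file you pass it: if /etc/php.ini or another file in /etc/php.d/ sets the same directive, the last file PHP loads wins, so compare against php -i output when in doubt.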

Use Linux Security Extensions (such as SELinux)

Linux comes with various security extensions which can be used to guard against misconfigured or compromised server programs. If pos
