NetAdminTools.com
 

Securing PHP
Topic: Security   Date: 2005-07-14


The first step in securing PHP is taken from the system side: provide only what you have to. The application code must be secure as well (proper input validation, encryption, and so on), but as systems administrators we can head off some problems before they ever reach the code. First, you can view a complete rundown of your current configuration with a PHP script containing these lines:

<?php
phpinfo(); 
?>

Please don't call this phpinfo.php, OK? Do a search for phpinfo.php sometime. There is a lot of discussion about whether or not this is a security risk. Well, I absolutely do consider it a security risk to leave a PHP file with the above lines in it, so simply don't do it, OK? Even if you don't call it phpinfo.php, take it down when you are done, or at least put it in a protected directory. Better still, disable the feature with disable_functions when you aren't using it: save the current PHP configuration to a file, store it somewhere that isn't accessible to others, and then disable the function. If you leave phpinfo enabled and use some file name other than phpinfo.php, it can still be found; a search for a couple of specific terms will turn up the PHP test page that somebody created and forgot about. Consider using safe mode. Just set:

; Safe Mode
;
safe_mode = On

in php.ini and restart your web server for it to take effect. You can verify whether safe mode is enabled using the phpinfo technique above. Another item to consider is the disable_functions directive. For instance, you could set this:

disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"

Note that this list disables phpinfo as well as the others, and that it overlaps somewhat with the functions limited by safe mode. Be careful that you don't break any features you need; these settings can cause problems, so test extensively. If you don't need the functions, though, disable them for better security. While we are on the subject, you can hide Apache version information with the ServerTokens and ServerSignature directives in httpd.conf. To have the Server response header carry only the kind of server (Apache), set:

ServerTokens Prod

Another setting that reveals specific server information is ServerSignature. Turn it off with:

ServerSignature Off

We cover the ServerTokens setting in more detail in a separate article. See the Directive Quick Reference at apache.org for the ServerTokens and ServerSignature directives.
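As an added example (not code from the original article or from NetAdminTools), here is a POSIX shell audit script that checks a php.ini for the disable_functions list and safe_mode setting above, and an httpd.conf for ServerTokens Prod and ServerSignature Off. The function names and the sample configuration files it writes to a temporary directory are constructed for the demonstration; point audit at your real php.ini and httpd.conf paths instead.

```sh
#!/bin/sh
# Added audit helper, not code from the original article: reads a php.ini and
# an httpd.conf and reports whether the settings discussed above are in place.
# Function names and the sample files at the bottom are constructed for this
# example.

# Functions the article's disable_functions line removes (phpinfo included).
WANT_DISABLED="dl phpinfo shell_exec passthru exec popen system \
proc_get_status proc_nice proc_open proc_terminate proc_close"

# Effective value of a php.ini directive ($2) in file $1: the last uncommented
# "name = value" line wins; surrounding quotes and whitespace are stripped.
ini_value() {
  grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 |
    sed -e 's/^[^=]*=[[:space:]]*//' -e 's/^"//' -e 's/"[[:space:]]*$//' \
        -e 's/[[:space:]]*$//'
}

# Effective value of an Apache directive ($2) in file $1: the last uncommented
# "Name value" line wins.
apache_value() {
  grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null | tail -n 1 |
    sed -e 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print, space separated, the functions from WANT_DISABLED that the php.ini
# does not list in disable_functions; prints an empty line when none is missing.
missing_disabled() {
  have=$(ini_value "$1" disable_functions | tr ',' ' ')
  missing=""
  for fn in $WANT_DISABLED; do
    present=0
    for h in $have; do
      if [ "$h" = "$fn" ]; then present=1; fi
    done
    if [ "$present" -eq 0 ]; then missing="$missing $fn"; fi
  done
  echo "${missing# }"
}

# Return 0 when safe_mode is switched on in the php.ini, 1 otherwise.
safe_mode_on() {
  case "$(ini_value "$1" safe_mode | tr 'A-Z' 'a-z')" in
    on|1|true|yes) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when httpd.conf limits the Server header to "Apache" and drops the
# signature line from generated pages (ServerTokens Prod, ServerSignature Off).
apache_hides_version() {
  tokens=$(apache_value "$1" ServerTokens | tr 'A-Z' 'a-z')
  sig=$(apache_value "$1" ServerSignature | tr 'A-Z' 'a-z')
  if [ "$tokens" = "prod" ] && [ "$sig" = "off" ]; then return 0; fi
  return 1
}

# Run every check on php.ini $1 and httpd.conf $2; one finding per line,
# return status 1 when anything needs attention.
audit() {
  rc=0
  missing=$(missing_disabled "$1")
  if [ -n "$missing" ]; then
    echo "php.ini: not in disable_functions: $missing"; rc=1
  fi
  if ! safe_mode_on "$1"; then
    echo "php.ini: safe_mode is not On"; rc=1
  fi
  if ! apache_hides_version "$2"; then
    echo "httpd.conf: set ServerTokens Prod and ServerSignature Off"; rc=1
  fi
  return $rc
}

# --- demonstration on constructed sample files (not real server config) ------
tmp=$(mktemp -d)
cat > "$tmp/php.ini" <<'EOF'
[PHP]
; safe_mode = On
disable_functions = "shell_exec,passthru,exec,system"
EOF
cat > "$tmp/httpd.conf" <<'EOF'
ServerTokens OS
ServerSignature On
EOF
echo "== before hardening =="
audit "$tmp/php.ini" "$tmp/httpd.conf" || echo "(findings above)"

cat > "$tmp/php.ini" <<'EOF'
[PHP]
safe_mode = On
disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"
EOF
cat > "$tmp/httpd.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
EOF
echo "== after hardening =="
audit "$tmp/php.ini" "$tmp/httpd.conf" && echo "no findings"
rm -rf "$tmp"
```

Two caveats when using this on a real system. The file on disk is not the whole story: PHP merges whatever php.ini it actually loads (php --ini lists the files) with per-directory overrides such as php_admin_value in httpd.conf, so confirm the effective values with php -i for the command-line interpreter, or with the phpinfo page described above for the Apache module, before you take that page down. And safe_mode itself was deprecated in PHP 5.3 and removed in PHP 5.4, so the safe_mode check only applies to the PHP 5 releases this article was written against; disable_functions still works on current versions.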

