PHP Secure and Hardening


Okay, everyone.
In this post we will look at hardening and securing PHP.

This is very important if you run PHP on your server ;).


So let's harden and secure PHP.

Start with the PHP configuration file, php.ini:

~ vi /etc/php5/apache2/php.ini

Edit it like this:

disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
magic_quotes_gpc = Off

With these settings your server is minimally secure :). Note that register_globals and magic_quotes_gpc are both deprecated (and removed from PHP 5.4 onward): leave them Off rather than relying on them. In particular magic_quotes_gpc is not a defence against SQL injection; it mangles input and is no substitute for prepared statements or proper escaping in your code.

Now let's go through the more detailed hardening settings one by one.

1. allow_url_fopen (default: On)

This directive allows PHP's file functions, such as file_get_contents(), fopen() and the include/require statements, to retrieve data from remote locations, like an FTP or web site.

Disable it so that attacker-controlled URLs passed to these functions cannot pull remote content into your application. Because allow_url_include (next section) only takes effect when allow_url_fopen is On, turning this off also blocks remote file inclusion (RFI) through include/require.

Edit php.ini:

allow_url_fopen = Off

or, when PHP runs as mod_php, set it in httpd.conf (or the vhost). php_admin_flag and php_admin_value cannot be overridden from .htaccess or ini_set(), which is why they are preferred over php_flag/php_value for security settings:

# Disable allow_url_fopen for security reasons
php_admin_flag allow_url_fopen Off

2. allow_url_include (default: Off)

This directive controls whether the URL wrappers can be used by the include and require statements. It does not affect the other file functions like fopen() and file_get_contents(), which are governed by allow_url_fopen. Keep it disabled :)

This is the setting that defends against RFI (Remote File Inclusion). It does nothing against LFI (Local File Inclusion), which is the inclusion of files already on the server; that has to be fixed by validating include paths in your code, with open_basedir (section 6) limiting the damage.

Edit php.ini:

allow_url_include = Off

or in httpd.conf for Apache2:

php_admin_flag allow_url_include Off

3. disable_functions

This directive disables the named PHP functions entirely: calling one of them raises a warning ("has been disabled for security reasons") instead of running.

disable_functions = curl_exec,curl_multi_exec,dl,exec,fsockopen,parse_ini_file,passthru,popen,proc_open,proc_close,shell_exec,show_source,symlink,system

This is the list you should disable on your server:

- curl_exec - perform a cURL session
- curl_multi_exec - run the sub-connections of a cURL multi handle
- dl - loads a PHP extension at runtime
- exec - execute an external command
- fsockopen - open an Internet or Unix domain socket connection
- parse_ini_file - parse a configuration file
- passthru - execute an external program and display its raw output
- popen - open a process file pointer
- proc_open - execute a command and open file pointers for input/output
- proc_close - close a process opened by proc_open and return its exit code
- show_source - display the source code of a file (an alias of highlight_file, so disable highlight_file as well or the block is pointless)
- shell_exec - execute a command via the shell and return the output as a string
- symlink - make a symbolic link (a common trick on shared hosts for reading other users' files through the web server)
- system - execute an external program and display its output

NOTE:
Disabling functions can break your web application. Re-check your code and look for alternatives before deploying the change, but prefer fixing a badly written application over leaving the server exposed for its sake.

4. display_errors and log_errors

display_errors determines whether error messages are sent to the browser. These messages often contain sensitive information about the web application environment (file paths, database names, fragments of SQL) and should always be turned off in production. Instead, enable log_errors so the same messages go to the error log, and make sure error_log points to a file outside the web root :)

Edit php.ini:

display_errors = Off
log_errors = On

or set it in httpd.conf:

php_flag display_errors Off
php_flag log_errors On

5. expose_php

When On, PHP adds an X-Powered-By header to every response, announcing that PHP is processing the request and which version is installed. That is free reconnaissance for an attacker, so disable it :) This only hides the header; it does not remove version fingerprints elsewhere and is no substitute for patching.

Edit php.ini:

expose_php = Off
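As an added example (not code from the original post), here is a small Python audit of the directives covered in sections 1 to 5 above. It parses php.ini text, normalises PHP's boolean spellings, and reports every directive that is missing or weaker than recommended; highlight_file is added to the disable_functions check because show_source is only an alias for it. Python is used rather than PHP so the check can run on a copy of the file away from the server. The two php.ini fragments inside it are constructed samples (the "minimal" settings from the start of the post and a fully hardened version); for a real server feed it the contents of the file reported by `php --ini`.

```python
"""Audit a php.ini for the hardening directives in sections 1-5.

Added example, not code from the original post.  It parses php.ini text,
normalises PHP's boolean spellings (On/Off, 1/0, yes/no, true/false), and
lists every directive that is missing or weaker than recommended.  The
php.ini fragments below are constructed samples; for a real server pass
the contents of the file reported by `php --ini`.
"""
import re

# Functions the post says to disable.  highlight_file is added because
# show_source is only an alias for it: disabling one without the other
# leaves source disclosure possible.
REQUIRED_DISABLED = {
    "curl_exec", "curl_multi_exec", "dl", "exec", "fsockopen", "parse_ini_file",
    "passthru", "popen", "proc_open", "proc_close", "shell_exec", "show_source",
    "highlight_file", "symlink", "system",
}

# directive -> expected boolean value (True = On, False = Off)
EXPECTED_BOOL = {
    "allow_url_fopen": False,
    "allow_url_include": False,
    "display_errors": False,
    "log_errors": True,
    "expose_php": False,
}

# Constructed sample: the "minimal" settings from the start of the post.
WEAK_INI = """
[PHP]
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = On
"""

# Constructed sample: every directive from sections 1-5 set as recommended.
HARDENED_INI = """
[PHP]
allow_url_fopen = Off
allow_url_include = Off
disable_functions = curl_exec,curl_multi_exec,dl,exec,fsockopen,parse_ini_file,passthru,popen,proc_open,proc_close,shell_exec,show_source,highlight_file,symlink,system
display_errors = Off   ; never to the browser
log_errors = On
expose_php = Off
"""


def parse_php_ini(text):
    """Return {directive: value}, skipping comments, blank lines and [sections]."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split(";", 1)[0].strip().strip("\"'")  # drop trailing comment and quotes
        directives[key.strip().lower()] = value
    return directives


def ini_bool(value):
    """Mimic PHP's loose boolean parsing of an ini value."""
    v = value.strip().lower()
    if v in ("1", "on", "yes", "true"):
        return True
    # PHP falls back to atoi(): a leading integer decides, anything else is 0.
    m = re.match(r"[+-]?\d+", v)
    return bool(int(m.group())) if m else False


def audit_php_ini(text):
    """Return a sorted list of findings; an empty list means all checks passed."""
    d = parse_php_ini(text)
    findings = []
    for name, want in EXPECTED_BOOL.items():
        label = "On" if want else "Off"
        if name not in d:
            findings.append(f"{name}: not set, set it explicitly to {label}")
        elif ini_bool(d[name]) != want:
            findings.append(f"{name}: is {d[name]!r}, should be {label}")
    disabled = {f.strip() for f in d.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions: missing " + ",".join(missing))
    return sorted(findings)


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for finding in audit_php_ini(ini) or ["no findings"]:
            print(" ", finding)
```

Run against the weak sample it reports five problems (the two allow_url_* directives and log_errors unset, display_errors On, and eleven functions still missing from disable_functions); against the hardened sample it reports nothing. The audit only sees php.ini, so settings applied with php_admin_flag in httpd.conf are not visible to it; compare with the output of ini_get() on the server if both are in use.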

6. open_basedir

This limits the files PHP may open to the directories you list (and their subdirectories), so a path traversal or LFI bug in your application cannot read files outside them. Set it to just what the application needs, e.g. your site files and the shared PHP libraries.

Edit php.ini:

open_basedir = "/var/www/html/:/usr/local/php/"

or in httpd.conf:

php_admin_value open_basedir /var/www/html/:/usr/local/php/

Two caveats. Keep the trailing slash on each entry: without it the value is matched as a string prefix, so /var/www/html would also allow /var/www/html_old. And if your application uses file uploads or file-based sessions, add the upload_tmp_dir and session.save_path directories (typically /tmp/) to the list, or uploads and sessions will fail under the restriction. open_basedir is also not a sandbox: it does not restrict what an exec'd command can read, which is another reason to keep the disable_functions list from section 3.
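To make the trailing-slash behaviour concrete, here is an added Python emulation of the open_basedir check (not PHP's own code). PHP resolves the requested path and each directive entry and compares them as string prefixes: an entry ending in "/" confines access to that directory and its subtree, while an entry without the slash is a bare prefix. The emulation assumes Unix ":" separators, uses posixpath.normpath (which collapses "." and "..") in place of the realpath() PHP uses, so it does not resolve symlinks, and does not handle the special "." entry PHP accepts; the probe paths are constructed for the demonstration.

```python
"""Emulate the open_basedir path check to show the trailing-slash pitfall.

Added example, not PHP's own code.  PHP resolves the requested path and each
open_basedir entry, then compares them as string prefixes: an entry ending in
"/" confines access to that directory and its subtree, while an entry without
the slash is a bare prefix, so "/var/www/html" also admits "/var/www/html_old".
Assumptions: Unix ":" separators, posixpath.normpath (which collapses "." and
"..") in place of the realpath() PHP uses, so symlinks are not resolved here;
the special "." entry PHP accepts is not handled.
"""
import posixpath


def _resolve(path):
    """Absolute, normalised form of `path` (relative paths are taken from '/')."""
    return posixpath.normpath(posixpath.join("/", path))


def open_basedir_allows(open_basedir, path):
    """True if `path` would pass the restriction `open_basedir = <value>`."""
    resolved = _resolve(path)
    for entry in filter(None, open_basedir.split(":")):
        base = _resolve(entry)
        if entry.endswith("/"):
            # Directory semantics: the directory itself or anything below it.
            if resolved == base or resolved.startswith(base.rstrip("/") + "/"):
                return True
        elif resolved.startswith(base):
            # Prefix semantics: any path that merely starts with the string.
            return True
    return False


def check_all(open_basedir, paths):
    """Map each path to its verdict, handy for comparing two directive values."""
    return {p: open_basedir_allows(open_basedir, p) for p in paths}


if __name__ == "__main__":
    # Constructed probe paths for the demonstration.
    probes = [
        "/var/www/html/index.php",
        "/var/www/html/../../../etc/passwd",   # traversal, normalises to /etc/passwd
        "/var/www/html_old/config.php",        # sibling directory sharing the prefix
    ]
    for directive in ("/var/www/html/:/usr/local/php/", "/var/www/html:/usr/local/php"):
        print(f"open_basedir = {directive}")
        for path, ok in check_all(directive, probes).items():
            print(f"  {'allow' if ok else 'deny '}  {path}")
```

With the slashed value, the traversal to /etc/passwd and the sibling /var/www/html_old are both denied; drop the slashes and the sibling directory is allowed while the traversal is still caught, because traversal is defeated by path resolution rather than by the prefix comparison.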

That's it for part one. See you next time in part 2 :P

1 Response to "PHP Secure and Hardening"


  1. After reading this blog I am very strong in these topics, and this blog is really helpful to all. Ruby on Rails Online Training