PHP Security Best Practices For web master

by Ismail.EL

1- My sample setup for PHP Security Tips:

DocumentRoot: /var/www/
Default Web server: Apache
Default PHP configuration file: /etc/php.ini
Default PHP extensions config directory: /etc/php.d/
Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
Operating system: Ubuntu (the instructions should work with any other Linux distribution such as RHEL / CentOS / Fedora, or with other Unix-like operating systems such as OpenBSD / FreeBSD / HP-UX).

2- Reduce built-in PHP modules

To enhance performance and security, it is highly recommended to reduce the number of modules loaded by PHP. You can list the modules installed on your server with the following command:

Sample outputs:

[PHP Modules]
apc
bcmath
bz2
calendar
Core
ctype
curl
date

To remove a module, execute the following command (example: removing the sqlite3 module):

or
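As an added example (not code from the original post), the following POSIX shell script compares the output of `php -m` against an allowlist of modules an application actually needs and prints everything else as a candidate for removal. The module listing and the allowlist are constructed samples; the names in them are the ones shown in the post's listing plus sqlite3.

```shell
#!/bin/sh
# Added example, not from the original post: compare the list that `php -m`
# prints against an allowlist of modules the application actually needs and
# report everything else as a candidate for removal.

# Constructed sample of `php -m` output (the post's listing plus sqlite3).
SAMPLE_MODULES='[PHP Modules]
apc
bcmath
bz2
calendar
Core
ctype
curl
date
sqlite3

[Zend Modules]'

# Allowlist for a hypothetical application; names are compared
# case-insensitively, as PHP itself treats extension names.
ALLOWED="Core ctype date curl"

# unexpected_modules MODULE_LIST ALLOWLIST
# Prints, one per line, every module in MODULE_LIST that is not in ALLOWLIST.
# Section headers such as "[PHP Modules]" and blank lines are skipped.
unexpected_modules() {
    allowed_lc=" $(printf '%s' "$2" | tr 'A-Z' 'a-z') "
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | while IFS= read -r mod; do
        case "$mod" in
            ''|\[*\]) continue ;;
        esac
        case "$allowed_lc" in
            *" $mod "*) ;;                      # allowed, say nothing
            *) printf '%s\n' "$mod" ;;
        esac
    done
}

# count_unexpected MODULE_LIST ALLOWLIST -> number of modules to review
count_unexpected() {
    unexpected_modules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: print the review list for the constructed sample.
unexpected_modules "$SAMPLE_MODULES" "$ALLOWED"
```

On a real server replace the constructed listing with `php -m` output (for example `unexpected_modules "$(php -m)" "$ALLOWED"`) and review each reported module before removing it, since some are dependencies of others.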

3- Hide the PHP version in HTTP headers:

By default, PHP adds a line to the HTTP headers of every response (e.g. X-Powered-By: PHP/5.2.10). This gives an attacker useful information about your system. A sample HTTP response header looks like this:

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.10
Content-type: text/html; charset=UTF-8
Vary: Accept-Encoding, Cookie…..

It is highly recommended to disable this PHP information leakage. To do so, edit /etc/php.d/security.ini and set the following line in this file:

You can verify that the header is gone with the following command:

4. Log PHP Errors:

To enhance the security of the system and its web applications, PHP error messages should not be exposed to site visitors.

We must hide the error output of our application or website, so edit the /etc/php.d/security.ini file and set the following directives:

display_errors=Off
log_errors=On

Make sure all PHP errors are logged to a log file:

If they are not, add the following line to the file /etc/php.d/security.ini:

5- Minimize PHP loadable modules:

By default, all extension modules found in the directory /etc/php.d/ are loaded. To disable or enable a particular module, simply comment or uncomment the module name in its configuration file in /etc/php.d/. To maximize performance and PHP security, it is strongly recommended to enable only the extensions your application requires.

Let's take an example: to disable the GD extension, type the following commands:

To enable the GD PHP module again, type the following commands:

6- Disallow Uploading Files:

Edit /etc/php.d/security.ini and set the following directive to disable file uploads for security reasons:

file_uploads=Off

If users of your application need to upload files, turn this feature on and set upload_max_filesize, which limits the maximum size of files that PHP will accept through uploads:

file_uploads=On
; users can only upload up to 1MB via PHP
upload_max_filesize=1M

7- Disable Remote Code Execution:

Many code injection vulnerabilities reported in PHP-based web applications are caused by the combination of allow_url_fopen being enabled and poor input filtering. Edit /etc/php.d/security.ini and set the following directive:

allow_url_fopen=Off

You must also disable allow_url_include for security reasons:

allow_url_include=Off

8- Disable dangerous PHP functions:

You can set a list of PHP built-in functions to be disabled by editing /etc/php.d/security.ini:

disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

9- Restrict PHP access to file system:

The open_basedir directive specifies the directories that PHP is allowed to access using functions like fopen(). If any script tries to access files outside the paths defined by open_basedir, PHP will refuse to open them. It is important to note that you cannot use a symbolic link as a workaround.

; Limits the PHP process from accessing files outside
; of specifically designated directories such as /var/www/html/
open_basedir="/var/www/html/"

For multiple directories, set for example:

open_basedir="/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"

10- Enable SQL Safe Mode:

Edit /etc/php.d/security.ini and set the following directive (note that sql.safe_mode was removed in PHP 5.4, so it has no effect on current PHP versions):

sql.safe_mode=On

11- Control POST Size:

The HTTP POST request method is used when the client (browser or user) needs to send data to the Apache web server as part of the request, such as when uploading a file or submitting a completed form. Attackers may attempt to send oversized POST requests to exhaust your system resources. You can limit the maximum size of POST request that PHP will process. Edit /etc/php.d/security.ini and set the following directive:

; Set a realistic value here
post_max_size=1K

* The 1K value sets the maximum size of POST data allowed by PHP apps. Note that post_max_size must be at least as large as upload_max_filesize (plus room for the rest of the form) or uploads will be rejected.

12- Resource Control (DoS Control):

You can set the maximum execution time of each PHP script, in seconds. Other recommended options are the maximum amount of time each script may spend parsing request data, and the maximum amount of memory a script may consume. Edit /etc/php.d/security.ini and set the following directives:

; time limits are set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
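As an added example (not code from the original post), the following POSIX shell script audits a php.ini-style file against the directives discussed in sections 3 through 12 and prints one finding per deviation. The two ini files are constructed samples: one permissive, one matching the post's advice. The directive names are real php.ini settings; expose_php=Off, which the post's section 3 refers to without naming, is the directive that removes the X-Powered-By header.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a php.ini-style file
# against the hardening directives from the post and report each deviation.
# Directive names are real php.ini settings; the sample files are constructed.

# Constructed sample: a permissive configuration.
WEAK_INI='; constructed sample
expose_php = On
display_errors = On
log_errors = Off
file_uploads = On
allow_url_fopen = On
allow_url_include = On
disable_functions =
post_max_size = 8M
max_execution_time = 0
memory_limit = -1'

# Constructed sample: the configuration after applying the post's advice.
HARD_INI='; constructed sample, mirrors /etc/php.d/security.ini from the post
expose_php=Off
display_errors=Off
log_errors=On
file_uploads=Off
allow_url_fopen=Off
allow_url_include=Off
disable_functions=exec,passthru,shell_exec,system,proc_open,popen
open_basedir="/var/www/html/"
post_max_size=1K
max_execution_time = 30
memory_limit = 40M'

# ini_get INI_TEXT KEY -> value of KEY (last definition wins, as in PHP),
# with comment lines, surrounding whitespace and double quotes removed.
ini_get() {
    printf '%s\n' "$1" | sed -n \
        -e '/^[[:space:]]*[;#]/d' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# ini_bool VALUE -> "On" or "Off", using the spellings PHP accepts as true.
ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|true|yes) echo On ;;
        *) echo Off ;;
    esac
}

# audit_ini INI_TEXT -> prints one "FINDING ..." line per deviation.
audit_ini() {
    ini="$1"
    # Boolean directives and the value the post recommends for each.
    for pair in expose_php=Off display_errors=Off log_errors=On \
                allow_url_fopen=Off allow_url_include=Off; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(ini_bool "$(ini_get "$ini" "$key")")
        [ "$have" = "$want" ] || printf 'FINDING %s is %s, expected %s\n' "$key" "$have" "$want"
    done
    # Directives that must be set to something non-empty.
    for key in disable_functions open_basedir; do
        [ -n "$(ini_get "$ini" "$key")" ] || printf 'FINDING %s is empty\n' "$key"
    done
    # Unbounded resource limits: 0 and -1 mean "no limit" in PHP.
    for key in max_execution_time memory_limit; do
        v=$(ini_get "$ini" "$key")
        case "$v" in ''|0|-1) printf 'FINDING %s is unlimited\n' "$key" ;; esac
    done
    return 0
}

# count_findings INI_TEXT -> number of FINDING lines
count_findings() {
    audit_ini "$1" | grep -c '^FINDING' || true
}

# Stand-alone run: show what the permissive sample gets flagged for.
audit_ini "$WEAK_INI"
```

To audit a live server, pass the merged configuration rather than a single file, for example `audit_ini "$(php -r 'foreach (ini_get_all(null, false) as $k => $v) echo "$k=$v\n";')"`, since values in /etc/php.d/*.ini override /etc/php.ini.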

13- Install Suhosin Advanced Protection System for PHP:

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination.

14- PHP Fastcgi / CGI – cgi.force_redirect Directive:

cgi.force_redirect is necessary to run PHP securely as a CGI under most web servers. Left undefined, PHP turns it on by default. You can turn it off at your own risk.

Edit /etc/php.d/security.ini and set the following directive:

; Enable cgi.force_redirect for security reasons in a typical *Apache+PHP-CGI/FastCGI* setup
cgi.force_redirect=On

16- Restrict File and Directory Access:

Proper security settings:

Make sure Apache runs as a non-root user such as www-data or www. Files and directories under /var/www/ should be owned by a non-root user as well. To change the owner, execute the following command.

17- Write protection on Apache, PHP & MySQL configuration files:

Use the chattr command to write-protect configuration files:

The chattr command can also write-protect your PHP files or the files in the /var/www/html directory:
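As an added example (not code from the original post), the following POSIX shell script checks a web root for the two conditions section 16 asks you to enforce: no file or directory is world-writable, and everything is owned by the expected non-root account. It builds a constructed web root under a temporary directory so it runs without touching /var/www/; the file names and contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: check a web root for
# world-writable entries and for entries not owned by the expected user.
# A constructed directory is built under a temp dir so nothing real is touched.

# make_sample_webroot -> prints the path of a constructed web root holding
# one correctly protected file and one deliberately world-writable file.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/html"
    chmod 755 "$root/html"
    printf '<?php echo "ok";\n' > "$root/html/index.php"
    printf '<?php $db_password = "constructed";\n' > "$root/html/config.php"
    chmod 644 "$root/html/index.php"
    chmod 666 "$root/html/config.php"    # deliberately too permissive
    printf '%s\n' "$root"
}

# world_writable DIR -> lists entries under DIR that "other" can write to
# (-perm -002 is the portable spelling of "others have write permission").
world_writable() {
    find "$1" -perm -002 -print | sort
}

# not_owned_by DIR USER -> lists entries under DIR not owned by USER
not_owned_by() {
    find "$1" ! -user "$2" -print | sort
}

# count_lines -> number of lines on stdin (0 for empty input)
count_lines() { wc -l | tr -d ' '; }

# count_webroot_findings DIR USER -> total number of problematic entries
count_webroot_findings() {
    ww=$(world_writable "$1" | count_lines)
    own=$(not_owned_by "$1" "$2" | count_lines)
    echo $((ww + own))
}

# Stand-alone run against the constructed web root, checked against the
# current account (on a real server pass www-data or www instead).
ROOT=$(make_sample_webroot)
printf 'world-writable entries:\n'; world_writable "$ROOT"
printf 'entries not owned by %s:\n' "$(id -un)"; not_owned_by "$ROOT" "$(id -un)"
printf 'total findings: %s\n' "$(count_webroot_findings "$ROOT" "$(id -un)")"
rm -rf "$ROOT"
```

On a real server run `count_webroot_findings /var/www www-data` (or whatever account Apache runs as) from a cron job and alert on any non-zero result; the listing functions then show exactly which files to chown or chmod.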

18. Conclusion

In this post, I have explained a set of PHP security best practices for webmasters.
If you have any questions or feedback, feel free to leave a comment.
As always, if you found this post useful, then click like and share it 🙂
