{"id":67,"date":"2014-09-19T04:35:00","date_gmt":"2014-09-19T04:35:00","guid":{"rendered":"http:\/\/onlinelab.info\/2014\/09\/19\/25-php-security-best-practices-for-sys-admins\/"},"modified":"2014-09-19T04:35:00","modified_gmt":"2014-09-19T04:35:00","slug":"25-php-security-best-practices-for-sys-admins","status":"publish","type":"post","link":"https:\/\/www.asianux.org.vn\/index.php\/2014\/09\/19\/25-php-security-best-practices-for-sys-admins\/","title":{"rendered":"25 PHP Security Best Practices For Sys Admins"},"content":{"rendered":"<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\"><span style=\"color: #888888; float: left; font-size: 3.571em; line-height: 0.76em; margin: 0px; padding: 0.04em 0.12em 0px 0px;\">P<\/span>HP is an open-source server-side scripting language and is widely used. The Apache web server provides access to files and content via the HTTP or HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. 
Here are twenty-five&nbsp;<strong style=\"margin: 0px; padding: 0px;\">php security best practices for sysadmins<\/strong>&nbsp;for configuring PHP securely.<br style=\"margin: 0px; padding: 0px;\" \/><span style=\"margin: 0px; padding: 0px;\"><\/span><\/div>\n<div style=\"background-color: white; color: #111111; float: right; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 0px 5px; padding: 0px;\"><a href=\"http:\/\/www.cyberciti.biz\/tips\/category\/sys-admin\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"See all UNIX\/Linux SysAdmin related news\/tips\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" border=\"0\" src=\"http:\/\/files.cyberciti.biz\/cbzcache\/3rdparty\/sysadmin-logo.jpg\" style=\"border: 0px; margin: 0px; padding: 0px;\" alt=\"\" title=\"\"><\/a><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Our Sample Setup For PHP Security Tips<\/h2>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\">DocumentRoot:&nbsp;<span style=\"color: #993300; margin: 0px; padding: 0px;\">\/var\/www\/html<\/span><\/li>\n<li style=\"margin: 0px; padding: 0px;\">Default Web server:&nbsp;<span style=\"color: #333300; margin: 0px; padding: 0px;\">Apache<\/span>&nbsp;( you can use&nbsp;<span style=\"color: #333300; margin: 0px; padding: 0px;\">Lighttpd<\/span>&nbsp;or&nbsp;<span style=\"color: #333300; margin: 0px; padding: 0px;\">Nginx<\/span>&nbsp;instead of Apache)<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Default PHP configuration file:&nbsp;<span style=\"color: green; margin: 0px; 
padding: 0px;\">\/etc\/php.ini<\/span><\/li>\n<li style=\"margin: 0px; padding: 0px;\">Default PHP extensions config directory:&nbsp;<span style=\"color: green; margin: 0px; padding: 0px;\">\/etc\/php.d\/<\/span><\/li>\n<li style=\"margin: 0px; padding: 0px;\">Our sample php security config file:&nbsp;<strong style=\"margin: 0px; padding: 0px;\"><span style=\"color: green; margin: 0px; padding: 0px;\">\/etc\/php.d\/security.ini<\/span><\/strong>&nbsp;(you need to create this file using a text editor)<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Operating systems:&nbsp;<span style=\"color: #003366; margin: 0px; padding: 0px;\">RHEL<\/span>&nbsp;\/&nbsp;<span style=\"color: #003366; margin: 0px; padding: 0px;\">CentOS<\/span>&nbsp;\/ Fedora Linux (the instructions should work with&nbsp;<em style=\"margin: 0px; padding: 0px;\">any other Linux distributions<\/em>&nbsp;such as&nbsp;<span style=\"color: #003366; margin: 0px; padding: 0px;\">Debian<\/span>&nbsp;\/&nbsp;<span style=\"color: #003366; margin: 0px; padding: 0px;\">Ubuntu<\/span>&nbsp;or other&nbsp;<em style=\"margin: 0px; padding: 0px;\">Unix<\/em>&nbsp;like operating systems such as&nbsp;<span style=\"color: #003366; margin: 0px; padding: 0px;\">OpenBSD<\/span>\/<span style=\"color: #003366; margin: 0px; padding: 0px;\">FreeBSD\/HP-UX<\/span>).<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Default php server TCP\/UDP ports: none<\/li>\n<\/ul>\n<div style=\"background-color: white; color: #111111; float: right; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 0px 5px; padding: 0px;\"><a href=\"http:\/\/www.cyberciti.biz\/tips\/category\/redhatfedora-linux\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"See all Redhat\/CentOS\/Fedora Core related tips\/articles\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" border=\"0\" src=\"http:\/\/files.cyberciti.biz\/cbzcache\/3rdparty\/rhlogo.gif\" 
style=\"border: 0px; margin: 0px; padding: 0px;\" alt=\"\" title=\"\"><\/a><\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\">$ php -v<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41)<br \/>Copyright (c) 1997-2010 The PHP Group<br \/>Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">For demonstration purpose I&#8217;m going to use the following operating system:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; 
overflow: auto; padding: 0.667em 0.917em;\">$ cat \/etc\/redhat-release<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">Red Hat Enterprise Linux Server release 6.1 (Santiago)<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#1: Know Your Enemy<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">PHP-based apps can face many different types of attacks. I have noticed the following types of attacks:<\/div>\n<ol style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">XSS<\/a>&nbsp;&#8211; Cross-site scripting is a vulnerability in PHP web applications, which attackers may exploit to steal users&#8217; information. 
You can configure Apache and write more secure PHP scripts (validating all user input) to avoid XSS attacks.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/en.wikipedia.org\/wiki\/SQL_injection\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">SQL injection<\/a>&nbsp;&#8211; It is a vulnerability in the database layer of a PHP application. When user input is incorrectly filtered, arbitrary SQL statements can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function called&nbsp;<strong style=\"margin: 0px; padding: 0px;\">mysql_real_escape_string()<\/strong>&nbsp;before sending the SQL query.<br style=\"margin: 0px; padding: 0px;\" \/>Spoofing<\/li>\n<li style=\"margin: 0px; padding: 0px;\">File uploads &#8211; This allows your visitors to place files (upload files) on your server. This can result in various security problems such as deleting your files, deleting the database, obtaining user details, and much more. You can disable file uploads using PHP or write secure code (such as validating user input and only allowing image file types such as PNG or GIF).<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Including local and remote files &#8211; An attacker can open files from a remote server and execute arbitrary PHP code. This allows them to upload files, delete files and install backdoors. You can configure PHP to disable remote file execution.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/php.net\/eval\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">eval()<\/a>&nbsp;&#8211; Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. 
You can configure PHP to disable eval().<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/yehg.net\/lab\/pr0js\/view.php\/A_Most-Neglected_Fact_About_CSRF.pdf\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Sea-surf Attack<\/a>&nbsp;(Cross-site request forgery &#8211; CSRF) &#8211; This attack forces an end user to execute unwanted actions on a web application in which he\/she is currently authenticated. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.<\/li>\n<\/ol>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#2: Find Built-in PHP Modules<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">To see the set of compiled-in PHP modules type the following command:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># php -m<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">[PHP Modules]<br \/>apc<br \/>bcmath<br 
\/>bz2<br \/>calendar<br \/>Core<br \/>ctype<br \/>curl<br \/>date<br \/>dom<br \/>ereg<br \/>exif<br \/>fileinfo<br \/>filter<br \/>ftp<br \/>gd<br \/>gettext<br \/>gmp<br \/>hash<br \/>iconv<br \/>imap<br \/>json<br \/>libxml<br \/>mbstring<br \/>memcache<br \/>mysql<br \/>mysqli<br \/>openssl<br \/>pcntl<br \/>pcre<br \/>PDO<br \/>pdo_mysql<br \/>pdo_sqlite<br \/>Phar<br \/>readline<br \/>Reflection<br \/>session<br \/>shmop<br \/>SimpleXML<br \/>sockets<br \/>SPL<br \/>sqlite3<br \/>standard<br \/>suhosin<br \/>tokenizer<br \/>wddx<br \/>xml<br \/>xmlreader<br \/>xmlrpc<br \/>xmlwriter<br \/>xsl<br \/>zip<br \/>zlib<br \/>[Zend Modules]<br \/>Suhosin<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">I recommend that you use PHP with a reduced set of modules for performance and security. For example, you can disable the sqlite3 module by&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/howto-linux-unix-delete-remove-file\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">deleting (removing) the configuration file<\/a>, OR&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/unix-mv-command-examples\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">renaming (moving) the file<\/a>&nbsp;called \/etc\/php.d\/sqlite3.ini as follows:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\">#&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/howto-linux-unix-delete-remove-file\/\" style=\"color: #2361a1; margin: 0px; padding: 
0px;\" title=\"Linux \/ UNIX: Delete a file command\" target=\"_blank\" rel=\"noopener\">rm<\/a>&nbsp;\/etc\/php.d\/sqlite3.ini<\/code><br style=\"margin: 0px; padding: 0px;\" \/>OR<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\">#&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/unix-mv-command-examples\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"Linux \/ UNIX mv command\" target=\"_blank\" rel=\"noopener\">mv<\/a>&nbsp;\/etc\/php.d\/sqlite3.ini \/etc\/php.d\/sqlite3.disable<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Other compiled-in modules can only be removed by reinstalling PHP with a reduced configuration. You can download the PHP source code from php.net and compile it as follows with GD, FastCGI, and MySQL support:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">.\/configure --with-libdir=lib64 --with-gd --with-mysql --prefix=\/usr --exec-prefix=\/usr <br \/>--bindir=\/usr\/bin --sbindir=\/usr\/sbin --sysconfdir=\/etc --datadir=\/usr\/share <br \/>--includedir=\/usr\/include --libexecdir=\/usr\/libexec --localstatedir=\/var <br \/>--sharedstatedir=\/usr\/com --mandir=\/usr\/share\/man --infodir=\/usr\/share\/info <br \/>--cache-file=..\/config.cache --with-config-file-path=\/etc <br \/>--with-config-file-scan-dir=\/etc\/php.d  --enable-fastcgi <br \/>--enable-force-cgi-redirect<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; 
font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">See&nbsp;<a href=\"http:\/\/www.php.net\/manual\/en\/install.unix.php\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">how to compile and reinstall PHP on Unix-like operating systems<\/a>&nbsp;for more information.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#3: Restrict PHP Information Leakage<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">To restrict PHP information leakage, disable expose_php. Edit \/etc\/php.d\/security.ini and set the following directive:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #000099; margin: 0px; padding: 0px;\">expose_php<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">Off<\/span><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">When enabled, expose_php reports to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP\/5.3.3). 
The PHP logo GUIDs (see&nbsp;<a href=\"http:\/\/www.php.net\/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">example<\/a>) are also exposed; appending them to the URL of a PHP-enabled site will display the appropriate logo. When expose_php is enabled, you can see the PHP version using the following command:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\">$ curl -I http:\/\/www.cyberciti.biz\/index.php<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">HTTP\/1.1 200 OK<br \/><span style=\"color: red; margin: 0px; padding: 0px;\">X-Powered-By: PHP\/5.3.3<\/span><br \/>Content-type: text\/html; charset=UTF-8<br \/>Vary: Accept-Encoding, Cookie<br \/>X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wikiToken;string-contains=wikiLoggedOut;string-contains=wiki_session<br \/>Last-Modified: Thu, 03 Nov 2011 22:32:55 GMT<br \/>...<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">I also recommend that you set up the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-centos-hide-httpd-version\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" 
target=\"_blank\" rel=\"noopener\">ServerTokens and ServerSignature directives in httpd.conf to hide Apache version<\/a>&nbsp;and other information.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#4: Minimize Loadable PHP Modules (Dynamic Extensions)<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">PHP supports &#8220;Dynamic Extensions&#8221;. By default, RHEL loads all the extension modules found in the \/etc\/php.d\/ directory. To enable or disable a particular module, just find its configuration file in the \/etc\/php.d\/ directory and comment out the module name. You can also rename or delete the module configuration file. For best PHP performance and security, you should only enable the extensions your web apps require. 
For example, to disable the gd extension, type the following commands:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># cd \/etc\/php.d\/<br style=\"margin: 0px; padding: 0px;\" \/># mv gd.{ini,disable}<br style=\"margin: 0px; padding: 0px;\" \/>#&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/restart-httpd\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"Restart Apache httpd web server\" target=\"_blank\" rel=\"noopener\">\/sbin\/service httpd restart<\/a><\/code><br style=\"margin: 0px; padding: 0px;\" \/>To enable the PHP module called gd, enter:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># mv gd.{disable,ini}<br style=\"margin: 0px; padding: 0px;\" \/>#&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/star-stop-restart-apache2-webserver\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"Restart Apache httpd web server\" target=\"_blank\" rel=\"noopener\">\/sbin\/service httpd restart<\/a><\/code><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#5: Log All PHP Errors<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; 
margin-bottom: 1.571em; padding: 0px;\">Do not expose PHP error messages to all site visitors. Edit \/etc\/php.d\/security.ini and set the following directive:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #000099; margin: 0px; padding: 0px;\">display_errors<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">Off<\/span><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Make sure&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/php-howto-turn-on-error-log-file.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">you log all php errors to a log file<\/a>:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #000099; margin: 0px; padding: 0px;\">log_errors<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">On<\/span><br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">error_log<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">\/var\/log\/httpd\/php_scripts_error.log<\/span><\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#6: Disallow Uploading Files<\/h2>\n<div 
style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Edit \/etc\/php.d\/security.ini and set the following directive to disable file uploads for security reasons:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #000099; margin: 0px; padding: 0px;\">file_uploads<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">Off<\/span><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">If users of your application need to upload files, turn this feature on and set&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/linux-unix-apache-increase-php-upload-limit\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"PHP Increase Upload File Size Limit\" target=\"_blank\" rel=\"noopener\">upload_max_filesize, which limits the maximum size of files<\/a>&nbsp;that PHP will accept through uploads:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #000099; margin: 0px; padding: 0px;\">file_uploads<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">On<\/span><br \/>; user can only upload up to 1MB via PHP<br \/><span style=\"color: #000099; margin: 0px; padding: 
0px;\">upload_max_filesize<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">1M<\/span><br \/>&nbsp;<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#7: Turn Off Remote Code Execution<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">If enabled, allow_url_fopen allows PHP&#8217;s file functions &#8212; such as file_get_contents() and the include and require statements &#8212; to retrieve data from remote locations, like an FTP or web site.<\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/php-resources-limits\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">allow_url_fopen<\/a>&nbsp;option allows PHP&#8217;s file functions &#8211; such as file_get_contents() and the include and require statements &#8211; to retrieve data from remote locations using the FTP or HTTP protocols. Programmers frequently forget this and don&#8217;t do proper input filtering when passing user-provided data to these functions, opening them up to code&nbsp;<a href=\"http:\/\/phpsec.org\/projects\/phpsecinfo\/tests\/allow_url_fopen.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">injection vulnerabilities<\/a>. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. 
Edit \/etc\/php.d\/security.ini and set the following directive:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #000099; margin: 0px; padding: 0px;\">allow_url_fopen<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">Off<\/span><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">I also recommend disabling allow_url_include for security reasons:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #000099; margin: 0px; padding: 0px;\">allow_url_include<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">Off<\/span><\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#8: Enable SQL Safe Mode<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Edit \/etc\/php.d\/security.ini and set the following directive:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', 
Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">sql.<span style=\"color: #000099; margin: 0px; padding: 0px;\">safe_mode<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">On<\/span><br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">If&nbsp;<a href=\"http:\/\/www.php.net\/manual\/en\/ini.core.php#ini.sql.safe-mode\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">turned<\/a>&nbsp;On, mysql_connect() and mysql_pconnect() ignore any arguments passed to them. Please note that you may have to make some changes to your code. Third-party and open source applications such as WordPress may not work at all when sql.safe_mode is enabled. I also recommend that you turn off&nbsp;<a href=\"http:\/\/php.net\/manual\/en\/security.magicquotes.php\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">magic_quotes_gpc<\/a>&nbsp;for all PHP 5.3.x installations, as its filtering is ineffective and not very robust. 
mysql_escape_string() and custom filtering functions serve a better purpose (hat tip to&nbsp;<a href=\"https:\/\/www.facebook.com\/EricHansen.SFU\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Eric Hansen<\/a>):<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #000099; margin: 0px; padding: 0px;\">magic_quotes_gpc<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">Off<\/span><\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#9: Control POST Size<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The HTTP POST request method is used when the client (browser or user) needs to send data to the Apache web server as part of the request, such as when uploading a file or submitting a completed form. Attackers may attempt to send oversized POST requests to eat your system resources. You can limit the maximum size POST request that PHP will process. 
Edit \/etc\/php.d\/security.ini and set the following directive:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; Set a realistic value here <\/span><br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">post_max_size<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">1K<\/span><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The 1K value sets the maximum size of POST data allowed by PHP apps. This setting also affects file uploads: to upload large files, this value must be larger than upload_max_filesize. I also suggest that you limit the available HTTP methods using the Apache web server. Edit httpd.conf and set the following directive for DocumentRoot \/var\/www\/html:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/>&lt;Directory \/var\/www\/html&gt;<br \/>    &lt;LimitExcept GET POST&gt;<br \/>        Order allow,deny<br \/>    &lt;\/LimitExcept&gt;<br \/>## Rest of the config goes here... ##<br \/>&lt;\/Directory&gt;<br \/>&nbsp;<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#10: Resource Control (DoS Control)<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can set the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/php-resources-limits\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">maximum execution time of each PHP script<\/a>, in seconds. Other recommended options are to set the maximum amount of time each script may spend parsing request data, and the maximum amount of memory a script may consume. Edit \/etc\/php.d\/security.ini and set the following directives:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">; set in seconds<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">max_execution_time <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">  <span style=\"margin: 0px; padding: 0px;\">30<\/span><\/span><br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">max_input_time <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> <span style=\"margin: 0px; padding: 0px;\">30<\/span><\/span><br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">memory_limit <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\"> 40M<\/span><br \/>&nbsp;<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, 
sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#11: Install Suhosin Advanced Protection System for PHP<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">From the&nbsp;<a href=\"http:\/\/www.hardened-php.net\/suhosin\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">project page<\/a>:<\/div>\n<blockquote style=\"background-color: white; border-left-color: rgb(221, 221, 221); border-left-style: solid; border-left-width: 1px; color: #666666; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 0.786em; padding: 0px 0px 0px 0.786em;\">\n<div style=\"margin-bottom: 1.571em; padding: 0px;\">Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. 
The first part is a small patch against the PHP core, that implements a few low-level protections against buffer overflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.<\/div>\n<\/blockquote>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">See how to&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-linux-install-suhosin-php-protection\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"Red Hat \/ CentOS Linux Install Suhosin PHP 5 Protection Security Patch\" target=\"_blank\" rel=\"noopener\">install and configure suhosin<\/a>&nbsp;under Linux operating systems.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#12 Disabling Dangerous PHP Functions<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">PHP has a lot of functions which can be used to compromise your server if not used properly. 
You can set a list of functions in \/etc\/php.d\/security.ini&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/linux-unix-apache-lighttpd-phpini-disable-functions\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"PHP.INI settings: Disable exec, shell_exec, system, popen and Other Functions To Improve Security\" target=\"_blank\" rel=\"noopener\">using the disable_functions directive<\/a>:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/><span style=\"color: #000099; margin: 0px; padding: 0px;\">disable_functions <\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source<\/span><br \/>&nbsp;<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#13 PHP Fastcgi \/ CGI &#8211; cgi.force_redirect Directive<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">PHP works with FastCGI. FastCGI reduces the memory footprint of your web server but still gives you the speed and power of the entire PHP language. 
You can configure&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/rhel-centos-fedora-apache2-fastcgi-php-configuration.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Apache2+PHP+FastCGI<\/a>&nbsp;or&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/rhel-centos-fedora-apache2-fastcgi-php-configuration.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">cgi as described here<\/a>. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL like http:\/\/www.cyberciti.biz\/cgi-bin\/php\/hackerdir\/backdoor.php. Turn on cgi.force_redirect for security reasons. Edit \/etc\/php.d\/security.ini and set the following directive:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; Enable cgi.force_redirect for security reasons in a typical *Apache+PHP-CGI\/FastCGI* setup<\/span><br \/>cgi.<span style=\"color: #000099; margin: 0px; padding: 0px;\">force_redirect<\/span>=<span style=\"color: #660066; margin: 0px; padding: 0px;\">On<\/span><br \/>&nbsp;<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#14 PHP User and Group ID<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">mod_fastcgi is a CGI module for the Apache web server that can connect to an external FastCGI server. 
You need to make sure PHP runs as a non-root user. If PHP executes as root or with a UID under 100, it may access and\/or manipulate system files. You must execute PHP CGIs as a non-privileged user using&nbsp;<a href=\"https:\/\/wiki.archlinux.org\/index.php\/Apache,_suEXEC_and_Virtual_Hosts\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Apache&#8217;s suEXEC<\/a>&nbsp;or&nbsp;<a href=\"http:\/\/www.suphp.org\/DocumentationView.html?file=apache\/CONFIG\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">mod_suPHP<\/a>. The suEXEC feature provides Apache users the ability to run CGI programs under user IDs different from the user ID of the calling web server. In this example, my php-cgi is running as the phpcgi user and Apache is running as the apache user:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># ps aux | grep php-cgi<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">phpcgi      6012  0.0  0.4 225036 60140 ?        S    Nov22   0:12 \/usr\/bin\/php-cgi<br \/>phpcgi      6054  0.0  0.5 229928 62820 ?        S    Nov22   0:11 \/usr\/bin\/php-cgi<br \/>phpcgi      6055  0.1  0.4 224944 53260 ?        S    Nov22   0:18 \/usr\/bin\/php-cgi<br \/>phpcgi      6085  0.0  0.4 224680 56948 ?        
S    Nov22   0:11 \/usr\/bin\/php-cgi<br \/>phpcgi      6103  0.0  0.4 224564 57956 ?        S    Nov22   0:11 \/usr\/bin\/php-cgi<br \/>phpcgi      6815  0.4  0.5 228556 61220 ?        S    00:52   0:19 \/usr\/bin\/php-cgi<br \/>phpcgi      6821  0.3  0.5 228008 61252 ?        S    00:55   0:12 \/usr\/bin\/php-cgi<br \/>phpcgi      6823  0.3  0.4 225536 58536 ?        S    00:57   0:13 \/usr\/bin\/php-cgi<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can use&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/freebsd-configure-nginx-php-fastcgi-server\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">tool such as spawn-fcgi<\/a>&nbsp;to spawn remote and local FastCGI processes as phpcgi user (first,&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/howto-linux-add-user-to-group\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"How to add user to a group\" target=\"_blank\" rel=\"noopener\">add phpcgi user to the system<\/a>):<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># spawn-fcgi -a 127.0.0.1 -p 9000 -u phpcgi -g phpcgi -f \/usr\/bin\/php-cgi<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Now, you can configure&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/rhel-fedora-centos-apache2-external-php-spawn.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Apache<\/a>,&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/lighttpd-mod_proxy-to-run-php-fastcgi-app-server.html\" 
style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Lighttpd<\/a>, and&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-fedora-install-configure-nginx-php5\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Nginx<\/a>&nbsp;web server to use external php FastCGI running on port 9000 at 127.0.0.1 IP address.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#15 Limit PHP Access To File System<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The open_basedir directive set the directories from which PHP is allowed to access files using functions like fopen(), and others. If a file is outside of the paths defined by open_basdir, PHP will refuse to open it. You cannot use a symbolic link as a workaround. 
For example only allow access to \/var\/www\/html directory and not to \/var\/www, or \/tmp or \/etc directories:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\"><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; Limits the PHP process from accessing files outside <\/span><br \/><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; of specifically designated directories such as \/var\/www\/html\/<\/span><br \/>open_basedir=<span style=\"color: #993333; margin: 0px; padding: 0px;\">\"\/var\/www\/html\/\"<\/span><br \/><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; ------------------------------------<\/span><br \/><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; Multiple dirs example <\/span><br \/><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; open_basedir=\"\/home\/httpd\/vhost\/cyberciti.biz\/html\/:\/home\/httpd\/vhost\/nixcraft.com\/html\/:\/home\/httpd\/vhost\/theos.in\/html\/\"<\/span><br \/><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; ------------------------------------<\/span><br \/>&nbsp;<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#16 Session Path<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\"><a 
href=\"http:\/\/www.cyberciti.biz\/tips\/lighttpd-beware-of-default-php-session-path-permission.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Session support<\/a>&nbsp;in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site. This path is defined in \/etc\/php.ini file and all data related to a particular session will be stored in a file in the directory specified by the session.save_path option. The default is as follows under RHEL\/CentOS\/Fedora Linux:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">session.save_path=<span style=\"color: #993333; margin: 0px; padding: 0px;\">\"\/var\/lib\/php\/session\"<\/span><br \/><span style=\"color: #666666; font-style: italic; margin: 0px; padding: 0px;\">; Set the temporary directory used for storing files when doing file upload<\/span><br \/>upload_tmp_dir=<span style=\"color: #993333; margin: 0px; padding: 0px;\">\"\/var\/lib\/php\/session\"<\/span><br \/>&nbsp;<\/pre>\n<div style=\"backgrou\nnd-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Make sure path is&nbsp;<strong style=\"margin: 0px; padding: 0px;\">outside \/var\/www\/html<\/strong>&nbsp;and&nbsp;<strong style=\"margin: 0px; padding: 0px;\">not readable or writeable<\/strong>&nbsp;by any other system users:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 
'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># ls -Z \/var\/lib\/php\/<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">drwxrwx---. root apache system_u:object_r:httpd_var_run_t:s0 session<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Note: The -Z option to the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/ls-command-to-examining-the-filesystem\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">ls command<\/a>&nbsp;displays the SELinux security context of each entry alongside its file mode, user, group, and file name.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#17 Keep PHP, Software, And OS Up to Date<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Applying security patches is an important part of maintaining Linux, Apache, PHP, and MySQL servers. 
All PHP security updates should be reviewed and applied as soon as possible using one of the following tools (if you installed PHP via a package manager):<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\">#&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-centos-fedora-linux-yum-command-howto\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"yum command: Update \/ Install Packages Under Redhat Enterprise \/ CentOS Linux Version 5.x\" target=\"_blank\" rel=\"noopener\">yum update<\/a><\/code><br style=\"margin: 0px; padding: 0px;\" \/>OR<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\">#&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-debian-package-management-cheat-sheet.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"Debian Linux apt-get package management cheat sheet\" target=\"_blank\" rel=\"noopener\">apt-get update &amp;&amp; apt-get upgrade<\/a><\/code><br style=\"margin: 0px; padding: 0px;\" \/>You can configure Red Hat \/ CentOS \/ Fedora Linux to send&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/red-hat-centos-fedora-send-package-update-notification-via-email\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">yum package update notifications via email<\/a>. 
Another option is to&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/fedora-automatic-update-retrieval-installation-with-cron\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">apply all security updates<\/a>&nbsp;via a&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">cron job<\/a>. Under Debian \/ Ubuntu Linux you can&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/apt-get-apticron-send-email-upgrades-available\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">use apticron to send security<\/a>&nbsp;notifications.<\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Note: Check&nbsp;<a href=\"http:\/\/php.net\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">php.net<\/a>&nbsp;for the most recent release for source code installations.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#18: Restrict File and Directory Access<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Make sure you run Apache as a non-root user such as Apache or www. 
All files and directory should be owned by non-root user (or apache user) under \/var\/www\/html:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\">#&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/how-to-use-chmod-and-chown-command\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">chown -R apache:apache \/var\/www\/html\/<\/a><\/code><br style=\"margin: 0px; padding: 0px;\" \/>\/var\/www\/html\/ is a subdirectory and DocumentRoot which is modifiable by other users since root never executes any files out of there, and shouldn&#8217;t be creating files in there.<\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Make sure file permissions are set to 0444 (read-only) under \/var\/www\/html\/:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># chmod -R 0444 \/var\/www\/html\/<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Make sure all directories permissions are set to 0445 under \/var\/www\/html\/:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', 
Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\">#&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-findinglocating-files-with-find-command-part-1.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">find \/var\/www\/html\/ -type d -print0 | xargs -0 -I {} chmod 0445 {}<\/a><\/code><\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">A Note About Setting Up Correct File Permissions<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The chown and chmod commands make sure that under no circumstances are DocumentRoot or the files contained in it writable by the web server user apache. Please note that you need to set the permissions that make the most sense for the development model of your website, so feel free to adjust the chown and chmod commands as per your requirements. In this example, the Apache server runs as the apache user. This is configured with the&nbsp;<em style=\"margin: 0px; padding: 0px;\">User<\/em>&nbsp;and&nbsp;<em style=\"margin: 0px; padding: 0px;\">Group<\/em>&nbsp;directives in your httpd.conf file. 
The apache user needs to have read access to everything under DocumentRoot but should not have write access to anything.<\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Make sure httpd.conf has the following directives for restrictive configuration:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/>&lt;Directory \/ &gt;<br \/>    Options None<br \/>    AllowOverride None<br \/>    Order allow,deny<br \/>&lt;\/Directory&gt;<br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You should only grant write access when required. Some web applications such as wordpress and others may need a caching directory. 
You can grant a write access to caching directory using the following commands:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># chmod a+w \/var\/www\/html\/blog\/wp-content\/cache<br style=\"margin: 0px; padding: 0px;\" \/>### block access to all ###<br style=\"margin: 0px; padding: 0px;\" \/># echo 'deny from all' &gt; \/var\/www\/html\/blog\/wp-content\/cache\/.htaccess<\/code><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#19: Write Protect Apache, PHP, and, MySQL Configuration Files<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Use the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/linux-write-protecting-a-file\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">chattr command<\/a>&nbsp;to write protect configuration files:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># chattr +i \/etc\/php.ini<br style=\"margin: 0px; padding: 0px;\" \/># chattr +i \/etc\/php.d\/*<br style=\"margin: 0px; padding: 0px;\" \/># chattr +i \/etc\/my.ini<br style=\"margin: 0px; 
padding: 0px;\" \/># chattr +i \/etc\/httpd\/conf\/httpd.conf<br style=\"margin: 0px; padding: 0px;\" \/># chattr +i \/etc\/<\/code><\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">The chattr command can also write protect a PHP file, or the files in the \/var\/www\/html directory:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># chattr +i \/var\/www\/html\/file1.php<br style=\"margin: 0px; padding: 0px;\" \/># chattr +i \/var\/www\/html\/<\/code><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#20: Use Linux Security Extensions (such as SELinux)<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Linux comes with various security extensions which can be used to guard against misconfigured or compromised server programs. 
If possible use&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-fedora-redhat-selinux-protection\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">SELinux<\/a>&nbsp;and&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/selinux-vs-apparmor-vs-grsecurity.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">other Linux security extensions<\/a>&nbsp;to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for Linux kernel and Apache web server. To list all Apache SELinux protection variables, enter:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># getsebool -a | grep httpd<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Sample outputs:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">allow_httpd_anon_write --&gt; off<br \/>allow_httpd_mod_auth_ntlm_winbind --&gt; off<br \/>allow_httpd_mod_auth_pam --&gt; off<br \/>allow_httpd_sys_script_anon_write --&gt; off<br \/>httpd_builtin_scripting --&gt; on<br \/>httpd_can_check_spam --&gt; off<br \/>httpd_can_network_connect --&gt; off<br \/>httpd_can_network_connect_cobbler --&gt; off<br \/>httpd_can_network_connect_db --&gt; off<br \/>httpd_can_network_memcache --&gt; off<br \/>httpd_can_network_relay --&gt; off<br \/>httpd_can_sendmail --&gt; off<br \/>httpd_dbus_avahi --&gt; on<br 
\/>httpd_enable_cgi --&gt; on<br \/>httpd_enable_ftp_server --&gt; off<br \/>httpd_enable_homedirs --&gt; off<br \/>httpd_execmem --&gt; off<br \/>httpd_read_user_content --&gt; off<br \/>httpd_setrlimit --&gt; off<br \/>httpd_ssi_exec --&gt; off<br \/>httpd_tmp_exec --&gt; off<br \/>httpd_tty_comm --&gt; on<br \/>httpd_unified --&gt; on<br \/>httpd_use_cifs --&gt; off<br \/>httpd_use_gpg --&gt; off<br \/>httpd_use_nfs --&gt; off<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">To disable Apache CGI support, enter:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># setsebool -P httpd_enable_cgi off<\/code><br style=\"margin: 0px; padding: 0px;\" \/>See&nbsp;<a href=\"http:\/\/docs.redhat.com\/docs\/en-US\/Red_Hat_Enterprise_Linux\/6\/html\/Security-Enhanced_Linux\/index.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Red Hat SELinux guide<\/a>&nbsp;for more information.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#21 Install Mod_security<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">ModSecurity is an open source intrusion detection and prevention engine for web applications. 
You can&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-fedora-centos-httpd-mod_security-configuration\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">easily install mod_security under Linux and protect apache and php<\/a>&nbsp;based apps from xss and various other attacks:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/>## A few Examples ##<br \/># Do not allow to open files in \/etc\/<br \/>SecFilter \/etc\/<br \/>&nbsp;<br \/># Stop SQL injection<br \/>SecFilter <span style=\"color: #993333; margin: 0px; padding: 0px;\">\"delete[[:space:]]+from\"<\/span><br \/>SecFilter <span style=\"color: #993333; margin: 0px; padding: 0px;\">\"select.+from\"<\/span><br \/>&nbsp;<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#22 Run Apache \/ PHP In a Chroot Jail If Possible<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Putting PHP and\/or Apache in a chroot jail minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can use traditional&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/chroot-apache-under-rhel-fedora-centos-linux.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">chroot kind of setup with Apache<\/a>. 
However, I recommend&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/howto-setup-freebsd-jail-with-ezjail\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">FreeBSD jails<\/a>,&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/rhel-centos-xen-virtualization-installation-howto.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">XEN virtualization<\/a>,&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/centos-rhel-linux-kvm-virtulization-tutorial\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">KVM virtualization<\/a>, or&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/openvz-rhel-centos-linux-tutorial\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">OpenVZ virtualization<\/a>&nbsp;which uses the concept of containers.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#23 Use Firewall To Restrict Outgoing Connections<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">An attacker will typically try to download files onto your web server using tools such as wget. Use iptables to block outgoing connections from the apache user. The ipt_owner module attempts to match various characteristics of the packet creator for locally generated packets. It is only valid in the OUTPUT chain. 
In this example, the vivek user is allowed to connect out on port 80 (useful for RHN or CentOS repo access):<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/>\/sbin\/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span> -m state --state NEW,ESTABLISHED  -j ACCEPT<br \/>&nbsp;<\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Here is another example that blocks all outgoing connections from the apache user except to our own SMTP server and the spam validation API service:<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">&nbsp;<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># ....  
<\/span><br \/>\/sbin\/iptables --new-chain apache_user<br \/>\/sbin\/iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br \/>\/sbin\/iptables --append OUTPUT -m owner --uid-owner apache -j apache_user<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># allow apache user to connect to our smtp server <\/span><br \/>\/sbin\/iptables --append apache_user -p tcp --syn -d <span style=\"color: black; margin: 0px; padding: 0px;\">192.168<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.1<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.100<\/span> --dport <span style=\"color: black; margin: 0px; padding: 0px;\">25<\/span> -j RETURN<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Allow apache user to connect to api server <span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">for<\/span> spam validation<\/span><br \/>\/sbin\/iptables --append apache_user -p tcp --syn -d  <span style=\"color: black; margin: 0px; padding: 0px;\">66.135<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.58<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.62<\/span> --dport <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span> -j RETURN<br \/>\/sbin\/iptables --append apache_user -p tcp --syn -d  <span style=\"color: black; margin: 0px; padding: 0px;\">66.135<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.58<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.61<\/span> --dport <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span> -j RETURN<br \/>\/sbin\/iptables --append apache_user -p tcp --syn -d  <span style=\"color: black; margin: 0px; padding: 0px;\">72.233<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.69<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.89<\/span> --dport <span style=\"color: black; margin: 0px; padding: 
0px;\">80<\/span> -j RETURN<br \/>\/sbin\/iptables --append apache_user -p tcp --syn -d  <span style=\"color: black; margin: 0px; padding: 0px;\">72.233<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.69<\/span><span style=\"color: black; margin: 0px; padding: 0px;\">.88<\/span> --dport <span style=\"color: black; margin: 0px; padding: 0px;\">80<\/span> -j RETURN<br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">#########################<\/span><br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">## Add <span style=\"color: #c20cb9; font-weight: bold; margin: 0px; padding: 0px;\">more<\/span> rules here ##<\/span><br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\">#########################<\/span><br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># No editing below<\/span><br \/><span style=\"color: grey; font-style: italic; margin: 0px; padding: 0px;\"># Drop everything <span style=\"color: black; font-weight: bold; margin: 0px; padding: 0px;\">for<\/span> apache outgoing connection<\/span><br \/>\/sbin\/iptables --append apache_user -j REJECT<br \/>&nbsp;<\/pre>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#24 Watch Your Logs &amp; Auditing<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Check the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/apache-logs\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">apache log file<\/a>:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid 
rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># tail -f \/var\/log\/httpd\/error_log<br style=\"margin: 0px; padding: 0px;\" \/># grep 'login.php' \/var\/log\/httpd\/error_log<br style=\"margin: 0px; padding: 0px;\" \/># egrep -i \"denied|error|warn\" \/var\/log\/httpd\/error_log<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Check the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/error_log-defines-file-where-script-errors-logged\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">php log file<\/a>:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># tail -f \/var\/log\/httpd\/php_scripts_error.log<br style=\"margin: 0px; padding: 0px;\" \/># grep \"...etc\/passwd\" \/var\/log\/httpd\/php_scripts_error.log<\/code><br style=\"margin: 0px; padding: 0px;\" \/>Log files will give you some understanding of what attacks are being thrown against the server and allow you to check whether the necessary level of security is present. The auditd service is provided for system auditing. Turn it on&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-audit-files-to-see-who-made-changes-to-a-file.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">to audit SELinux events<\/a>, authentication events, file modifications, account modifications and so on. 
I also recommend using standard &#8220;<a href=\"http:\/\/www.cyberciti.biz\/tips\/top-linux-monitoring-tools.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Linux System Monitoring Tools<\/a>&#8221; for monitoring your web-server.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#25 Run Service Per System or VM Instance<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">For large installations it is recommended that you serve database, static, and dynamic content from different servers.<\/div>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); clear: both; color: #111111; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin-bottom: 1.833em; overflow: auto; padding: 0.667em 0.917em;\">\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/<br \/>\/ ISP\/Router \/<br \/>\/\/\/\/\/\/\/\/\/\/\/\/\/\/<br \/>  <br \/>   |<br \/>   Firewall<br \/>     <br \/>      |<br \/>     +------------+<br \/>     | LB01       |<br \/>     +------------+                 +--------------------------+<br \/>                  |                 | static.lan.cyberciti.biz |<br \/>    +-----------------+--------------------------+<br \/>                                    | phpcgi1.lan.cyberciti.biz|<br \/>                                    +--------------------------+<br \/>                                    | phpcgi2.lan.cyberciti.biz|<br \/>                                    +--------------------------+<br \/>                                    | mysql1.lan.cyberciti.biz |<br \/>                                    +--------------------------+<br \/>                                    | mcache1.lan.cyberciti.biz|<br \/>                                    +--------------------------+<br \/><\/pre>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\"><small style=\"margin: 0px; padding: 0px;\">(Fig.01: Running Services On Separate Servers)<\/small><\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised. For example, if an attacker is able to successfully exploit a flaw in software such as Apache, he or she will get access to the entire server, including other services running on the same server (such as MySQL, an e-mail server and so on). 
But in the above example, content is served as follows:<\/div>\n<ol style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">static.lan.cyberciti.biz<\/strong>&nbsp;&#8211; Use a lighttpd or nginx server for static assets such as js\/css\/images.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">phpcgi1.lan.cyberciti.biz<\/strong>&nbsp;and&nbsp;<strong style=\"margin: 0px; padding: 0px;\">phpcgi2.lan.cyberciti.biz<\/strong>&nbsp;&#8211; Apache web servers with PHP, used for generating dynamic content.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">mysql1.lan.cyberciti.biz<\/strong>&nbsp;&#8211; MySQL database server.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">mcache1.lan.cyberciti.biz<\/strong>&nbsp;&#8211; Memcached server, a very fast caching system for MySQL. It uses libevent or epoll (Linux runtime) to scale to any number of open connections and uses non-blocking network I\/O.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><strong style=\"margin: 0px; padding: 0px;\">LB01<\/strong>&nbsp;&#8211; An nginx web and reverse proxy server in front of the Apache web servers. All connections coming from the Internet addressed to one of the web servers are routed through the nginx proxy server, which may either deal with the request itself or pass the request wholly or partially to the main web servers. 
LB01 provides simple load-balancing.<\/li>\n<\/ol>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">#26 Additional Tools<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">From the&nbsp;<a href=\"https:\/\/phpids.org\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">project page<\/a>:<\/div>\n<blockquote style=\"background-color: white; border-left-color: rgb(221, 221, 221); border-left-style: solid; border-left-width: 1px; color: #666666; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 0.786em; padding: 0px 0px 0px 0.786em;\">\n<div style=\"margin-bottom: 1.571em; padding: 0px;\">PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.<\/div>\n<\/blockquote>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You can use PHPIDS to detect malicious users, and log any attacks detected for later review. 
Please note that I&#8217;ve personally not used this tool.<\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">From the&nbsp;<a href=\"http:\/\/phpsec.org\/projects\/phpsecinfo\/index.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">project page<\/a>:<\/div>\n<blockquote style=\"background-color: white; border-left-color: rgb(221, 221, 221); border-left-style: solid; border-left-width: 1px; color: #666666; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 0.786em; padding: 0px 0px 0px 0.786em;\">\n<div style=\"margin-bottom: 1.571em; padding: 0px;\">PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. 
It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.<\/div>\n<\/blockquote>\n<div style=\"background-color: white; border: 0px none rgb(221, 221, 221); clear: both; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; font-style: italic; line-height: 21.9939994812012px; margin: 0px auto 1.571em 0px; padding: 0px; text-align: center; width: 609px;\"><a href=\"http:\/\/www.cyberciti.biz\/tips\/php-security-best-practices-tutorial.html\/security_information_about_php\" rel=\"attachment wp-att-8231 noopener\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" alt=\"Security Information About PHP Application\" class=\"size-full wp-image-8231\" height=\"799\" src=\"http:\/\/files.cyberciti.biz\/uploads\/tips\/2011\/11\/Security_Information_About_PHP.png\" style=\"border: 0px; margin: 0px; padding: 0px;\" title=\"Security Information About PHP Application\" width=\"599\" \/><\/a>\n<div style=\"font-size: 0.857em; line-height: 1.5em; padding: 0px;\">Fig.02: Security Information About PHP Application<\/div>\n<\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">See&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/tips\/linux-security.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Linux security hardening tips<\/a>&nbsp;which can reduce available vectors of attack on the system.<\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">A Note About PHP Backdoors<\/h2>\n<div style=\"background-color: white; 
color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">You may come across PHP scripts, so-called common backdoors, such as c99, c99madshell, r57 and so on. A backdoor PHP script is nothing but a hidden script for bypassing all authentication and accessing your server on demand. It is installed by an attacker to access your server while attempting to remain undetected. Typically a PHP (or any other CGI) script by mistake allows inclusion of code exploiting vulnerabilities in the web browser. An attacker can exploit such vulnerabilities to upload backdoor shells, which can give him or her a number of capabilities such as:<\/div>\n<ul style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; list-style: square; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\">Download files<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Upload files<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Install rootkits<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Set up a spam mail server \/ relay server<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Set up a proxy server to hide their tracks<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Take control of the server<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Take control of the database server<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Steal all information<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Delete all information and databases<\/li>\n<li style=\"margin: 0px; padding: 0px;\">Open TCP \/ UDP ports and much more<\/li>\n<\/ul>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Tip: How Do I Search For PHP Backdoors?<\/h3>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Use the&nbsp;<a href=\"http:\/\/www.cyberciti.biz\/faq\/howto-use-grep-command-in-linux-unix\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" title=\"Grep unix and linux command\" target=\"_blank\" rel=\"noopener\">Unix \/ Linux grep command<\/a>&nbsp;to search for c99 or r57 shells:<br style=\"margin: 0px; padding: 0px;\" \/><code style=\"background: none 0px 0px repeat scroll rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); display: block; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; margin: 0px 0px 1.833em; overflow: auto; padding: 0.667em 0.917em;\"># grep -iR 'c99' \/var\/www\/html\/<br style=\"margin: 0px; padding: 0px;\" \/># grep -iR 'r57' \/var\/www\/html\/<br style=\"margin: 0px; padding: 0px;\" \/># find \/var\/www\/html\/ -name '*.php' -type f -print0 | xargs -0 grep c99<br style=\"margin: 0px; padding: 0px;\" \/># grep -RPn \"(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)\" \/var\/www\/html\/<\/code><\/div>\n<h2 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">Conclusion<\/h2>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Your PHP based server is now properly hardened and ready to serve dynamic web pages. However, vulnerabilities are caused mostly by&nbsp;<strong style=\"margin: 0px; padding: 0px;\">not following best practice programming rules<\/strong>. 
You should consult further resources for your web application security needs, especially PHP programming, which is beyond the scope of sysadmin work.<\/div>\n<h3 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 1.286em; font-weight: normal; line-height: 1.222em; margin: 1.833em 0px 0.611em; padding: 0px;\">References:<\/h3>\n<ol style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/php.net\/manual\/en\/security.php\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">PHP security<\/a>&nbsp;&#8211; from the official PHP project.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/phpsec.org\/projects\/guide\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">PHP security guide<\/a>&nbsp;&#8211; from the PHP Security Consortium project.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/httpd.apache.org\/docs\/current\/suexec.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Apache suexec<\/a>&nbsp;&#8211; documentation from the Apache project.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/httpd.apache.org\/docs\/current\/misc\/security_tips.html\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Apache 2.2<\/a>&nbsp;&#8211; security tips from the Apache project.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"https:\/\/www.owasp.org\/index.php\/Category:Attack\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">The Open Web Application Security Project<\/a>&nbsp;&#8211; Common types of application security 
attacks.<\/li>\n<\/ol>\n<h4 style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px; padding: 0px;\">Recommended readings:<\/h4>\n<ol style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin: 0px 0px 1.571em 1.571em; padding: 0px;\">\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/php.robm.me.uk\/\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">PHP Security Guide<\/a>: This guide aims to familiarise you with some of the basic concepts of online security and teach you how to&nbsp;<strong style=\"margin: 0px; padding: 0px;\">write more secure PHP scripts<\/strong>. It&#8217;s aimed squarely at beginners, but I hope that it still has something to offer more advanced users.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.amazon.com\/gp\/product\/059600656X\/ref=as_li_ss_tl?ie=UTF8&amp;tag=cyberciti-20&amp;linkCode=as2&amp;camp=217145&amp;creative=399369&amp;creativeASIN=059600656X\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">Essential PHP Security<\/a>&nbsp;(<a href=\"http:\/\/www.amazon.com\/gp\/product\/B0026OR358\/ref=as_li_ss_tl?ie=UTF8&amp;tag=cyberciti-20&amp;linkCode=as2&amp;camp=217145&amp;creative=399373&amp;creativeASIN=B0026OR358\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">kindle<\/a>&nbsp;edition): A book about web application security written specifically for PHP developers. 
It covers 30 of the most common and dangerous exploits as well as simple and effective safeguards that protect your PHP applications.<\/li>\n<li style=\"margin: 0px; padding: 0px;\"><a href=\"http:\/\/www.amazon.com\/gp\/product\/1597494240\/ref=as_li_ss_tl?ie=UTF8&amp;tag=cyberciti-20&amp;linkCode=as2&amp;camp=217145&amp;creative=399373&amp;creativeASIN=1597494240\" style=\"color: #2361a1; margin: 0px; padding: 0px;\" target=\"_blank\" rel=\"noopener\">SQL Injection Attacks and Defense<\/a>: This book covers SQL injection and related web attacks. It explains what SQL injection is and how to find, confirm, and automate SQL injection discovery, with tips and tricks for finding SQL injection within code. It also shows how exploits are built from SQL injection and how to design applications that avoid the dangers of these attacks.<\/li>\n<\/ol>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Please add your favorite PHP security tool or tip in the comments.<\/div>\n<div style=\"background-color: white; color: #111111; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif; font-size: 14px; line-height: 21.9939994812012px; margin-bottom: 1.571em; padding: 0px;\">Updated for accuracy!<\/div>\n","protected":false},"excerpt":{"rendered":"<p>PHP is an open-source server-side scripting language and it is a widely used. The Apache web server provides access to files and content via the HTTP OR HTTPS protocol. 
A misconfigured server-side scripting language can&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,5],"tags":[],"class_list":["post-67","post","type-post","status-publish","format-standard","hentry","category-linux","category-security"],"_links":{"self":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/67","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/comments?post=67"}],"version-history":[{"count":0,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/67\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/media?parent=67"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/categories?post=67"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/tags?post=67"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
