Happy new year to you all. I haven't updated my blog for another half month. Updates are fairly casual: I write about whatever comes to mind, as a convenient way to share what I have been learning.
Recently I discussed PHP security issues with colleagues and wrote down some notes.
Because it is a scripting language with a number of early design decisions still in force, PHP projects carry many security risks. From the perspective of configuration options, the following hardening can be done.
1. Block PHP error output.
In /etc/php.ini (the default configuration file location; the file actually loaded varies by distribution and SAPI, and `php --ini` prints it), set the display_errors directive to Off.
Do not send error and stack information straight to the web page: it hands an attacker file paths, line numbers and sometimes query fragments.
The right approach is:
Write errors to a log file (log_errors on, with error_log pointing at a file outside the web root) and troubleshoot from there.
2. Block the PHP version.
By default the PHP version is announced in a response header, for example:
X-Powered-By: PHP/7.2.0
Set the expose_php directive in php.ini to Off to remove it.
3. Turn off global variables.
With register_globals on, every field a form submits is automatically registered as a global variable.
The server-side script can then read the user name and password simply as $username and $password, and an attacker can just as easily supply any other variable the script relies on but never initialises, which opens the door to script injection.
The feature is controlled by the register_globals directive in php.ini.
It should be set to Off. (register_globals was removed entirely in PHP 5.4, so this only concerns older installations.)
When it is off, request parameters can only be read through $_POST, $_GET and $_REQUEST.
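The form-handling code the post refers to is not reproduced above, so here is an added example, not from the original post, of the failure mode. register_globals no longer exists in current PHP, so extract() on a constructed request array stands in for it (it has the same effect: every request key becomes a variable in scope); the login_vulnerable and login_hardened functions, the credentials and the request are my own illustration.

```php
<?php
// Added example, not from the original post: the register_globals hazard from
// item 3, reproduced on a current PHP build. register_globals was removed in
// PHP 5.4, so extract() on a constructed request array stands in for it.

// Constructed request: the attacker knows neither credential, but adds an
// extra parameter named after the variable the script uses internally.
$request = [
    'username'      => 'guest',
    'password'      => 'wrong',
    'authenticated' => '1',
];

function login_vulnerable(array $request): bool
{
    // With register_globals = On this assignment has already happened before
    // any application code runs; extract() models that here.
    extract($request);

    if ($username === 'admin' && $password === 'secret') {
        $authenticated = true;
    }
    // $authenticated is never initialised on the failure path, so the
    // attacker-supplied value survives and the check passes.
    return !empty($authenticated);
}

function login_hardened(array $request): bool
{
    // Initialise every state variable, and read input only by explicit key
    // from the superglobal you expect ($_POST in a real handler; $request here).
    $authenticated = false;
    $username = (string) ($request['username'] ?? '');
    $password = (string) ($request['password'] ?? '');

    if ($username === 'admin' && $password === 'secret') {
        $authenticated = true;
    }
    return $authenticated;
}

var_dump(login_vulnerable($request));
var_dump(login_hardened($request));
```

Run with `php demo.php`: the vulnerable function reports the attacker as logged in with wrong credentials, the hardened one does not. The fix is not the comparison but the variable handling: initialise state before use and never let request data choose variable names, which is also why extract() on request arrays is listed among the functions Suhosin guards against further down.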
4. File system restrictions
open_basedir restricts the directories that PHP may access.
Without it, the following script (hack.php) reads the system password file /etc/passwd:

```php
<?php

echo file_get_contents('/etc/passwd');
```

With open_basedir set, the call fails with a warning and no file content is shown, so directories outside the allowed path cannot be reached:

```
PHP Warning:  file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www) in /var/www/hack.php on line 3
Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www) in /var/www/hack.php on line 3
PHP Warning:  file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/hack.php on line 3
Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/hack.php on line 3
```

The setting used here allows only /var/www, as the warning shows. open_basedir matches by prefix, so /var/www would also permit /var/www-old; end each entry with a slash (/var/www/) and separate several entries with a colon.
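To watch the restriction take effect without editing php.ini, here is an added example (not from the original post) that tightens open_basedir from inside a script: open_basedir can be made stricter at run time with ini_set(), never looser, so the script confines itself to the system temp directory and then attempts one allowed and one blocked read. The demo file name and the try_read helper are my own.

```php
<?php
// Added example, not from the original post: open_basedir (item 4) exercised
// from a script. The directive can only be tightened at run time, so ini_set()
// restricts this process to the temp directory; in production the same value
// belongs in php.ini or the per-vhost configuration.

// Constructed file inside the allowed directory, written before tightening.
$allowed = rtrim(sys_get_temp_dir(), '/') . '/';
$inside  = $allowed . 'open_basedir_demo.txt';
file_put_contents($inside, "hello from inside the allowed path\n");

if (ini_set('open_basedir', $allowed) === false) {
    fwrite(STDERR, "could not set open_basedir to $allowed (already tighter?)\n");
    exit(1);
}

// Attempt a read and report whether open_basedir blocked it.
function try_read(string $path): string
{
    $data = @file_get_contents($path);   // @ keeps the warning off stdout
    if ($data !== false) {
        return "$path: read " . strlen($data) . " bytes\n";
    }
    $err = error_get_last();             // the suppressed warning is still recorded
    return "$path: BLOCKED - " . ($err['message'] ?? 'unknown error') . "\n";
}

echo try_read($inside);          // inside the allowed path
echo try_read('/etc/passwd');    // outside the allowed path
unlink($inside);
```

The second call fails with the same "open_basedir restriction in effect" and "Operation not permitted" messages shown above, now captured through error_get_last() instead of being printed. The same check applies to include, fopen, opendir and the other filesystem functions, not only file_get_contents.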
5. Prohibit remote resource access.
The relevant directives are allow_url_fopen and allow_url_include; both should be Off unless the application really needs remote streams, as remote include is the classic route to remote code execution.
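An added example, not from the original post: a script that audits items 1 to 5 on the PHP build it runs under, using ini_get(). The directive names are the standard ones (display_errors, log_errors, error_log, expose_php, register_globals, open_basedir, allow_url_fopen, allow_url_include); the audit_php_ini function and its messages are my own. Run it with the php.ini the web SAPI uses, e.g. `php -c /etc/php.ini audit.php`, because the CLI may load a different file (`php --ini`).

```php
<?php
// Added example, not from the original post: audit the php.ini hardening items
// 1 to 5 from inside PHP. Exit status 1 means at least one finding.

// Normalise the string forms ini_get() returns for boolean directives.
// null means the directive is unknown to this build (e.g. removed).
function ini_bool(string $directive): ?bool
{
    $raw = ini_get($directive);
    if ($raw === false) {
        return null;
    }
    $v = strtolower(trim((string) $raw));
    return !in_array($v, ['', '0', 'off', 'false', 'no', 'none'], true);
}

// Returns a list of findings; an empty list means every checked item is hardened.
function audit_php_ini(): array
{
    $findings = [];

    // 1. Errors must not reach the page, but must reach a log.
    if (ini_bool('display_errors') !== false) {
        $findings[] = 'display_errors should be Off';
    }
    if (ini_bool('log_errors') !== true) {
        $findings[] = 'log_errors should be On';
    }
    if (trim((string) ini_get('error_log')) === '') {
        $findings[] = 'error_log should name a log file (otherwise errors go to the SAPI log)';
    }

    // 2. Do not advertise the PHP version in X-Powered-By.
    if (ini_bool('expose_php') !== false) {
        $findings[] = 'expose_php should be Off';
    }

    // 3. register_globals: removed in PHP 5.4, so null (unknown) is the good case.
    if (ini_bool('register_globals') === true) {
        $findings[] = 'register_globals should be Off';
    }

    // 4. open_basedir must be set to something.
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is unset; PHP may read any path the web user can';
    }

    // 5. Remote resource access.
    if (ini_bool('allow_url_include') !== false) {
        $findings[] = 'allow_url_include should be Off';
    }
    if (ini_bool('allow_url_fopen') !== false) {
        $findings[] = 'allow_url_fopen should be Off unless the application needs it';
    }

    return $findings;
}

$findings = audit_php_ini();
if ($findings === []) {
    echo "All checked directives are hardened\n";
} else {
    foreach ($findings as $f) {
        echo "WARNING: $f\n";
    }
}
exit($findings === [] ? 0 : 1);
```

Note that the CLI SAPI defaults display_errors to STDOUT, so a run without `-c` will usually report item 1 even when the web configuration is fine; the point of the script is to run it against the configuration the web server actually loads.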
Other third-party security extensions
Suhosin is a protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core (it feels practical and fends off a fair number of small attacks). Suhosin has two independent parts that can be used separately or together.
The first part is a patch to the PHP core that hardens it against buffer-overflow and format-string weaknesses (this part is necessary!).
The second part is a powerful PHP extension (the extension form is very convenient and easy to install) that contains all the other protections.
Note that the 0.9.x series, including 0.9.37.1 below, only builds against PHP 5; there is no Suhosin release for the PHP 7.x branch mentioned earlier. Installing the extension:

```sh
wget http://download.suhosin.org/suhosin-0.9.37.1.tar.gz
tar zxvf suhosin-0.9.37.1.tar.gz
cd suhosin-0.9.37.1/
phpize
./configure --with-php-config=/usr/local/bin/php-config
make
make install
```

Then enable it by adding the following line to php.ini:

```ini
extension=suhosin.so
```

Feature overview:
- Simulation mode (violations are logged but not blocked)
- Adds two functions, sha256() and sha256_file(), to the PHP core
- Adds crypt_blowfish to crypt() on all platforms
- Transparent protection of the phpinfo() page
- SQL database user protection (experimental)
- Cookie encryption
- Prevents the various include vulnerabilities (remote URL include controlled by black/white lists; including uploaded files blocked; directory traversal prevented)
- preg_replace() can be disabled
- eval() can be disabled
- Prevents infinite recursion through a configurable maximum execution depth
- Black/white list configuration per vhost
- Separate black/white lists of functions for code execution
- Prevents HTTP response splitting
- Prevents scripts from changing the memory_limit option
- Protects PHP's superglobals from functions such as extract() and import_request_variables()
- Prevents newline injection attacks on mail()
- Prevents preg_replace() attacks
- Session data encryption
- Prevents session hijacking
- Prevents over-long session IDs
- Prevents malicious session IDs
Session data is normally stored in plaintext on the server. Suhosin encrypts and decrypts $_SESSION on the server side, so when the session store lives in Memcache or a database the records are not easily read. In many applications the session holds sensitive fields.
This feature is enabled by default; it can be adjusted in php.ini:
```ini
suhosin.session.encrypt = On
suhosin.session.cryptkey = zuHywawAthLavJohyRilvyecyondOdjo
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
;; IPv4 only
suhosin.session.cryptraddr = 0
suhosin.session.checkraddr = 0
```
Cookies are also carried in clear text in the HTTP headers on the client side. Encrypting cookies protects the application against a range of attacks, for example:
- Cookie tampering: an attacker guesses other plausible cookie values and submits them to attack the application.
Cookie encryption is configured in php.ini:

```ini
suhosin.cookie.encrypt = On
;; the cryptkey should be generated, e.g. with 'apg -m 32'
suhosin.cookie.cryptkey = oykBicmyitApmireipsacsumhylWaps1
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
;; whitelist/blacklist (use only one)
;suhosin.cookie.cryptlist = WALLET,IDEAS
suhosin.cookie.plainlist = LANGUAGE
;; IPv4 only
suhosin.cookie.cryptraddr = 0
suhosin.cookie.checkraddr = 0
```

Test

A quick check that session encryption is working. By default PHP saves sessions under the tmp path:

```sh
## The default PHP session store is the tmp path
ll -rt /tmp | grep sess
## Inspect a session file with the extension disabled
cat sess_ururh83qvkkhv0n51lg17r4aj6   # the record is in clear text
## Inspect a session file after the extension is enabled
cat sess_ukkiiiheedupem8k4hheo0b0v4   # the record is ciphertext
```

This shows why encrypting the data matters.
Blocking functions

Explicitly specify a whitelist:

```ini
suhosin.executor.func.whitelist = ,,
suhosin.executor.eval.whitelist = ,,
```

Test script:

```
'); eval('echo htmlentities("");');
```

Explicitly specify a blacklist:

```ini
suhosin.executor.func.blacklist = ,,,,,,,,hail,,
suhosin.executor.eval.blacklist = ,,,,,,,,hail,,
```

Illegal calls against the black and white lists can be reviewed in the log; in simulation mode they are only logged, not blocked:

```ini
suhosin.simulation = 1
suhosin.log.file = 511
suhosin.log.file.name = /tmp/suhosin-alert
```
Other configuration items
- suhosin.executor.include.max_traversal: maximum number of ../ traversal steps allowed in an include path, which blocks switching to an illegal path
- suhosin.executor.include.whitelist: allowed include URLs, comma-separated
- suhosin.executor.include.blacklist: forbidden include URLs, comma-separated
- suhosin.executor.disable_eval = On: disables the eval() function
- suhosin.upload.max_uploads: maximum number of files per upload request
- suhosin.upload.disallow_elf: reject uploaded ELF executables
- suhosin.upload.disallow_binary: reject uploaded binary files
- suhosin.upload.remove_binary: delete uploaded binary files
- suhosin.upload.verification_script: a script run against each uploaded file to check whether its content shows webshell features
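A minimal checker of the kind suhosin.upload.verification_script points at, as an added example that is not from the original post or from Suhosin. Suhosin's contract is assumed here (check it against the documentation of the version you install): the script receives the temporary upload path as its first argument and prints 1 to accept the file; any other output discards the upload. The ELF check mirrors suhosin.upload.disallow_elf, the pattern list is my own selection of common webshell markers, and the two sample files are constructed for the demo.

```php
<?php
// Added example, not from the original post or from Suhosin: an upload
// verification script. Assumed contract: argv[1] is the temporary upload path,
// printing 1 accepts the file. Without an argument it runs on constructed samples.

// Markers that have no business in an uploaded image or document.
const WEBSHELL_PATTERNS = [
    '/<\?php\b/i',
    '/<\?=/',
    '/<script\s+language\s*=\s*["\']?php/i',
    '/\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(/i',
    '/\$_(GET|POST|REQUEST|COOKIE)\s*\[/i',
    '/\bbase64_decode\s*\(/i',
];

// Equivalent of suhosin.upload.disallow_elf: check the ELF magic.
function looks_like_elf(string $data): bool
{
    return strncmp($data, "\x7fELF", 4) === 0;
}

// Returns ['ok' => bool, 'reason' => string]; only the first $maxBytes are scanned.
function scan_upload(string $path, int $maxBytes = 1048576): array
{
    $data = @file_get_contents($path, false, null, 0, $maxBytes);
    if ($data === false) {
        return ['ok' => false, 'reason' => 'unreadable'];
    }
    if (looks_like_elf($data)) {
        return ['ok' => false, 'reason' => 'ELF executable'];
    }
    foreach (WEBSHELL_PATTERNS as $pattern) {
        if (preg_match($pattern, $data) === 1) {
            return ['ok' => false, 'reason' => "matches $pattern"];
        }
    }
    return ['ok' => true, 'reason' => ''];
}

$argv = $_SERVER['argv'] ?? [];
if (isset($argv[1])) {
    // Verification-script mode: path supplied by Suhosin (assumed contract).
    $result = scan_upload($argv[1]);
    if (!$result['ok']) {
        fwrite(STDERR, "rejected {$argv[1]}: {$result['reason']}\n");
    }
    echo $result['ok'] ? "1\n" : "0\n";
    exit($result['ok'] ? 0 : 1);
}

// Demo mode with constructed files: a plain note and a webshell hidden behind a
// GIF header (the usual trick to get past a MIME-type check).
$samples = [
    'note.txt'  => "just a note\n",
    'image.gif' => "GIF89a<?php system(\$_GET['c']); ?>",
];
foreach ($samples as $name => $content) {
    $tmp = tempnam(sys_get_temp_dir(), 'upload_');
    file_put_contents($tmp, $content);
    $result = scan_upload($tmp);
    unlink($tmp);
    printf("%-10s %s %s\n", $name, $result['ok'] ? 'accepted' : 'rejected', $result['reason']);
}
```

Pattern matching like this catches the lazy cases only; an obfuscated shell (string concatenation, variable functions, compressed payloads) will pass. Treat it as one layer next to storing uploads outside the web root and serving them without PHP execution rights, which is what removes the impact even when the scan misses.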
With Suhosin you also get error logs, which can go to syslog and to any other log file at the same time;
blacklists and whitelists can be defined per virtual host;
GET and POST requests, file uploads and cookies can be filtered;
sessions and cookies can be sent encrypted, and limits can be set on what may be stored and transmitted;
and unlike the original Hardening-Patch, Suhosin is compatible with third-party extensions such as Zend Optimizer.