PHP Security - cPanel University

Uploaded by bemutefrogtown (category: Security)

18 Nov 2013

PHP Security

The issue of PHP security is often either overlooked completely or underutilized. PHP security not only involves minimizing programming errors as much as possible, but putting proper safeguards in place to protect against possible vulnerabilities. This often means using several "layers" of protection to guard sensitive data against hackers, which, if compromised, could cause a catastrophic result for the website or the entire server.

PHP exploits are responsible for the vast majority of compromised servers. Securing PHP itself starts with ensuring the server is properly configured and as secure as possible. The cPanel documentation links below highlight some proper server security practices.

cPanel SecureServerChecklist
cPanel PhpSecurityConcepts
Recommended cPanel Security settings
Types of PHP vulnerabilities include some of the following:

1. RFI, or Remote File Inclusion - Allows an attacker to execute PHP code on your server from a remote source. The best way to secure your site from RFI attacks is through php.ini directives, specifically the allow_url_fopen and allow_url_include directives. The allow_url_fopen directive is set to "on" by default, and allow_url_include is set to "off." These two simple directives will help protect your site from RFI attacks.
2. SQL Injection - Allows an attacker to retrieve crucial information from a web server's database through unsanitized input being passed to PHP scripts.
3. Format string vulnerabilities - A malicious user may use the %s and %x format tokens, among others, to print data from the stack or other locations in memory.
4. Cross Site Scripting (XSS) - This attack requires the victim to execute a malicious URL, which may be crafted in such a manner as to appear legitimate at first look.

Although there are many other types of vulnerabilities, these are the most common.

There's no such thing as a 100% secure server, no matter how many layers of security you add. You can utilize common server security practices and ward off most hackers, since they generally go for easy targets. Security is not only a reaction but an action in an ongoing process.
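Three of the four classes above in code, added here as an example and not taken from the cPanel University page: an include path resolved from a fixed allow-list instead of request input (RFI), a string-built query beside a PDO prepared statement (SQL injection), and htmlspecialchars() on output (XSS). It assumes the pdo_sqlite extension so the database part runs without a server; the users table, its rows and the inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the page): the risky pattern next to its safe
// counterpart for RFI, SQL injection and XSS. Needs pdo_sqlite for the
// in-memory database; everything else is core PHP.

declare(strict_types=1);

// --- 1. RFI: never hand request input to include(). Map the request value
//        onto a fixed allow-list of local files, and keep allow_url_include
//        off so a URL cannot be included even if a bug slips through.
function resolvePage(string $requested): ?string
{
    // Constructed allow-list; a real site would list its own templates.
    $pages = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $pages[$requested] ?? null;   // anything not listed resolves to null
}

// --- 2. SQL injection: string-built query vs. prepared statement.
function findUserUnsafe(PDO $db, string $name): array
{
    // Vulnerable on purpose: the input becomes part of the SQL text, so a
    // quote in $name changes the query rather than the value being searched.
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function findUserSafe(PDO $db, string $name): array
{
    // The value is bound separately from the statement, so quotes stay data.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 3. XSS: encode untrusted values before placing them in HTML.
function greet(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

// Constructed sample data and inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// A classic tautology payload: the unsafe query matches every row,
// the prepared statement looks for a user literally named this and finds none.
$injected = "x' OR '1'='1";
printf("unsafe query returned %d rows\n", count(findUserUnsafe($db, $injected)));
printf("safe query returned %d rows\n", count(findUserSafe($db, $injected)));

// Only allow-listed names resolve to a file; a URL never does.
var_dump(resolvePage('about') !== null);
var_dump(resolvePage('http://example.invalid/remote.txt'));

// Markup in the name is rendered as text, not executed by the browser.
echo greet('<script>alert(1)</script>'), "\n";
```

The page's recommendation to keep allow_url_include off is a second layer behind resolvePage(): the allow-list stops the bug at the application, the directive stops it at the interpreter if the application gets it wrong.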
3rd Party Protection

Here are some common 3rd party applications that can be utilized to help secure your Apache and/or PHP implementations. These are options included with cPanel, easily implemented via EasyApache.

mod_security (web application firewall) - mod_security checks HTTP requests for malicious payloads by matching them against regex rules. mod_security rules are not included by default and must be manually added and maintained. Sites such as gotroot.com provide rules you can utilize and customize to your needs.

mod_evasive (DoS prevention) - mod_evasive is an Apache module that helps protect against DoS attacks.

Hardened PHP (Suhosin) - Suhosin is a PHP hardening module that offers many security features, such as disabling binary uploads and disabling the memory_limit function.

suPHP (mod_suphp runs PHP as the user) - suPHP performs various security checks before executing PHP scripts. suPHP also runs PHP as the user.
Best Practices for PHP and Apache Security

Best practices begin with the server administrator. If you don't know what you're doing, then find or hire someone that does. If you cannot properly secure your server or websites, then it's just a matter of "when" you will get hacked, not "if".

1. Always use the latest secure version of PHP and Apache and keep them updated.
2. Never put phpinfo() in your webroot. You can disable it using disable_functions in php.ini.
3. Never trust other users.
4. Store passwords with encryption.
5. Utilize PHP limits - PHP allows you to set restrictions on the amount of memory that can be used by a script or the maximum execution time of every script. Use sane values for these resources.

    max_execution_time = 300 ; Maximum execution time of each script, in seconds
    max_input_time = 60 ; Maximum amount of time each script may spend parsing data
    memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)
    expose_php = Off
    safe_mode = On
    enable_dl = Off ; unless needed
    allow_url_fopen = Off
    allow_url_include = Off
    disable_functions = show_source, system, ini_set, shell_exec, passthru, exec, phpinfo, popen, proc_open

6. Turn off register_globals (PHP 6.0.0 has removed the feature).
7. safe_mode - Enabling safe_mode causes PHP to check the user ID (UID) of the script as it attempts to open a file against that file's (or directory's) UID. If the user IDs do not match, the script cannot open or modify the file or directory. (Deprecated in PHP 5.3.0)
8. Stop users from setting up .htaccess files, which can override security features you've configured. Here's one way to do it in the Apache Includes file.

    <Directory />
        AllowOverride None
    </Directory>

9. Server Side Includes - If you don't need it, then disable it.
10. Use PHP open_basedir protection (WHM > Security).
11. Use an antivirus to scan uploaded files (ClamAV).
12. Use a caching system: Memcached, APC, XCache, Zend Cache, eAccelerator.
13. Disable modules you don't use.
14. Limit memory usage where possible in Apache and PHP.
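A self-check that compares the running interpreter's effective settings with the php.ini values listed under item 5 (plus open_basedir from item 10), added here as an example and not cPanel's own tooling. It reads everything through ini_get(), so it reports what is actually in effect, including changes made by .htaccess or ini_set(), which is the reason item 8 recommends AllowOverride None. The directive names and target values are the ones on this page; the reporting format is an assumption of the example.

```php
<?php
// Added example (not from the page): list which of the hardening directives
// above are not in effect in this PHP interpreter. Uses only ini_get().

declare(strict_types=1);

// php.ini spells booleans many ways ("On", "1", "true", "", "0", "Off").
function iniBool(string $directive): bool
{
    $value = ini_get($directive);
    if ($value === false) {            // directive unknown to this PHP build
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Convert shorthand sizes such as "8M" or "128K" to bytes for comparison.
function iniBytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $num = (int) $value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $num * 1024 ** 3;
        case 'M': return $num * 1024 ** 2;
        case 'K': return $num * 1024;
        default:  return $num;
    }
}

/** @return string[] findings in plain English; an empty array means all match */
function auditPhpIni(): array
{
    $findings = [];

    // Directives the list above sets to Off. register_globals no longer exists
    // in current PHP, so ini_get() returns false for it and it is skipped.
    foreach (['expose_php', 'enable_dl', 'allow_url_fopen', 'allow_url_include', 'register_globals'] as $d) {
        if (ini_get($d) !== false && iniBool($d)) {
            $findings[] = "$d is On; the list above sets it Off";
        }
    }

    // Functions the list above puts in disable_functions.
    $wanted = ['show_source', 'system', 'ini_set', 'shell_exec', 'passthru',
               'exec', 'phpinfo', 'popen', 'proc_open'];
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (array_diff($wanted, $disabled) as $fn) {
        $findings[] = "$fn is not in disable_functions";
    }

    // Resource limits: the listed values are ceilings, so anything larger
    // (or unlimited: -1 for memory_limit, 0 or -1 for the time limits) is reported.
    $memory = (string) ini_get('memory_limit');
    if ($memory === '-1' || iniBytes($memory) > iniBytes('8M')) {
        $findings[] = "memory_limit is $memory; the list above uses 8M";
    }
    $exec = (int) ini_get('max_execution_time');
    if ($exec === 0 || $exec > 300) {
        $findings[] = "max_execution_time is $exec; the list above uses 300";
    }
    $input = (int) ini_get('max_input_time');
    if ($input <= 0 || $input > 60) {
        $findings[] = "max_input_time is $input; the list above uses 60";
    }

    // open_basedir (item 10) should restrict file access to something.
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is empty; item 10 recommends enabling it';
    }

    return $findings;
}

$findings = auditPhpIni();
if ($findings === []) {
    echo "All audited directives match the hardened values.\n";
} else {
    foreach ($findings as $finding) {
        echo "- $finding\n";
    }
}
```

Run it through the same SAPI the web server uses (for example by dropping it temporarily in a web root and requesting it, then deleting it), not only from the command line: the CLI SAPI forces max_execution_time to 0 and typically loads a different php.ini, so a CLI run reports the wrong values for exactly the directives you care about.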
MySQL

When talking about PHP security, this will usually entail MySQL. Most MySQL changes are about optimization and not security.

Securing MySQL basically comes down to binding MySQL to the localhost so external access cannot occur. Usually only websites on the server locally need to access MySQL. Unless you're using a Remote MySQL setup, simply binding MySQL to the localhost is the most secure option you can use. If you're using remote MySQL or need to allow remote MySQL access, limit connections to MySQL to authorized users only. This can be done using firewall rules or the MySQL access host settings in WHM & cPanel.

/etc/my.cnf

    bind-address = 127.0.0.1
PHP Based Software

If your server runs Joomla, WordPress, or PHP-based forum software, then your server and sites are extremely vulnerable. The vast majority of PHP exploits out there are not the result of these applications themselves but are instead the result of poorly coded 3rd party plugins and applications created for use with the software.

Keeping PHP up to date is very important, but the PHP applications and software using PHP also need to be kept up to date. Being one version behind can leave your sites vulnerable to exploits or hackers.
Conclusion

The only true way to secure PHP is not to use it, but as with most sites and hosting providers, PHP is necessary. Simply including PHP or allowing it is not enough. As threats evolve and hackers find new ways to exploit PHP, work must be done to secure it from hackers, exploits, and other users on an ongoing basis.

Summary:

Apache
- Set appropriate file and directory permissions
- Set read permissions for 'nobody' and 'user'; no access for 'other'
- Disable write for everyone
- Disable execute on files for everyone
- Disable access to *.sql and *.bak files
- Disable Server Side Includes (SSI) if not needed
- Limit the memory Apache can use
- Disable modules you don't need or use

PHP
- Keep PHP updated to the latest version
- Use suPHP, mod_security and Suhosin
- Disable allow_url_fopen and allow_url_include
- Disable register_globals, expose_php, enable_dl
- Set disable_functions to turn off unwanted PHP functions
- Use open_basedir protection
- Use a caching system
- Set sane values for the use of resources (memory, execution time)
- When uploads are needed, make sure that the PHP code sanitizes the user input

MySQL
- Bind only to the localhost address (127.0.0.1)

System
- Secure the system from unwanted intrusion or exploits
- Keep the system kernel updated to prevent kernel exploits
- Practice secure methods with passwords
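Item 4 of the best practices list ("Store passwords with encryption") and the summary's "Practice secure methods with passwords" in code, added here as an example that is not part of the original page. What gets stored is a salted, one-way hash rather than a recoverable ciphertext, which is what PHP's native password_hash() (PHP 5.5 and later, bcrypt by default) produces; password_verify() checks a login attempt against it and password_needs_rehash() lets you raise the work factor later without forcing password resets. The users array and passwords are constructed for the walk-through.

```php
<?php
// Added example (not from the page): storing and checking passwords with
// PHP's password_* functions, available since PHP 5.5.

declare(strict_types=1);

// bcrypt work factor; raise it until password_hash() takes roughly 100 ms
// on the production hardware.
const HASH_COST = 12;

// Called when a user registers or changes their password. The returned
// string embeds the algorithm, cost and a random salt, so it is the only
// thing that needs to be stored in the users table.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
}

// Called at login. password_verify() recomputes the hash with the stored
// salt and compares in constant time; the plaintext is never stored.
function checkLogin(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// After a successful login: returns a replacement hash when the stored one
// was made with an older algorithm or a lower cost, otherwise null.
function upgradedHash(string $plain, string $storedHash): ?string
{
    if (!password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        return null;
    }
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
}

// Constructed walk-through with an in-memory "users" table.
$users = [
    'alice' => storePassword('correct horse battery staple'),
    // bob's row was created earlier with a lower cost (constructed legacy row).
    'bob'   => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]),
];

var_dump(checkLogin('correct horse battery staple', $users['alice']));   // right password
var_dump(checkLogin('wrong password', $users['alice']));                 // wrong password
var_dump(upgradedHash('correct horse battery staple', $users['alice'])); // already at HASH_COST

// bob logs in with the right password; his weaker hash is replaced on the way.
if (checkLogin('hunter2', $users['bob'])) {
    $new = upgradedHash('hunter2', $users['bob']);
    if ($new !== null) {
        $users['bob'] = $new;   // persist the stronger hash back to the table
        echo "bob's hash upgraded to cost " . HASH_COST . "\n";
    }
}

// The stored value never contains the password itself.
var_dump(strpos($users['alice'], 'correct horse') === false);
```

Because the cost and salt travel inside the hash string, a table mixing old and new hashes keeps working: every login verifies against whatever was stored and quietly migrates the row, which is the practical route to "keep updated" for stored credentials as well as for PHP itself.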