Apache and PHP Security


Jun 13, 2012 (5 years and 10 days ago)


Apache and PHP Security

Abbreviated Talk Outline…

Basic machine lockdown

Apache Configuration and Hardening

PHP Configuration and Hardening

Secure Practices for PHP Development

Secure Configuration of Common PHP

Before taking action understand the
Role of the Server

Who will have physical access?

Who will have shell access?

Will apache write to the filesystem?

Will you need perl, python etc. within the
OS or for apache?

If possible can you limit what kind of
post/get/cookie/file payloads can be

Basic Lockdown

Turn off unused services, update the
machine regularly, use recommended
configuration files etc.

Enable logwatch or logcheck and actually
read the reports.

Enable a well configured file integrity

Configure iptables

Ports 22, 80, 443

Lockdown Continued

Possibly survive a SYN flood attack

In /etc/sysctl.conf set

net.ipv4.tcp_syncookies = 1

More Information:


Restrict cron and at access using cron.allow and
at.allow. chmod/chown /etc/cron* and

Lockdown Continued

Configure NTP for logfile accuracy.

Filesystem lockdown:

If possible set quota to “1” for apache.
Especially /tmp and /var.

Sessions can write to a user configured
directory OR preferably a database.

/var, /data, /home should be mounted

Is it reasonable to make /usr or /usr/local ro?

Securing Apache

Configuring Apache

Turn off any unnecessary capabilities.
Unfortunately many things are on by default.

Before making changes, research potential
exploits …especially in the context of the
machine’s services.

Look into alternatives

Example: If running php, use it instead of server
side includes.

<?php include ‘footer.html’; ?>

XBitHack not necessary

More Configuration Options

Remove /var/www/ directories to protect

Create custom /var/www/error files


Easy to configure

Can help evade DoS attacks by blocking ip
addresses or URLs temporarily.

Blocks if:

Requests are made for the same page more than X times per second
per host

More than X concurrent requests on the same child per second are

First sends 403 error then blacklists.

Can log to syslog and send email.

Can also communicate with firewall or router and execute system

Example Configuration

LoadModule dosevasive20_module modules/mod_dosevasive20.so

<IfModule mod_dosevasive20.c>

DOSHashTableSize 3097

DOSPageCount 2

DOSPageInterval 1

DOSSiteCount 50

DOSSiteInterval 1

DOSBlockingPeriod 10


DOSLogDir "/tmp/mod_dosevasive“ (make writable by apache only)



Very Powerful

Can be tricky to configure. Lots of testing.

Especially useful if web server runs a
small amount of applications.

mod_security Features

Filters requests before apache.

Filters all requests including post payloads
and SSL.

Understands the http protocol, allowing
fine tuning.

Complete logging, including post data.

Custom rules using regular expressions
can be applied at the virtual host level.

More mod_security features

Upon “catch” can filter, email, log, redirect, send error
code, or execute system binary.

Can execute action upon file upload. Example


Easier and better apache chrooting. No modules or
libraries needed. Logs already open. One Line:
SecChrootDir /chroot/apache

Can use snort web attack signatures

Rules are created and posted for web application

Can change the identity of the web server in the http
header without editing the source. Finger printing still
works though.

Example mod_security

<IfModule mod_security.c>

SecFilterEngine On

# Prevent OS specific keywords

SecFilter /etc/passwd

# Prevent path traversal (..) attacks

SecFilter "

# Very crude filters to prevent SQL injection attacks

SecFilter "delete[[:space:]]+from"

SecFilter "insert[[:space:]]+into"

SecFilter "select.+from"


Scanning your server




CIS Linux Benchmark Scan


PHP Security

Types of PHP Attacks

Command execution and/or writing to the filesystem.

Sql injection

Session Hijacking

Cross Site Scripting (xss)

Cross Site Request Forgeries (CSRF)

Session reading/predicting

Securing PHP

Default php.ini < V.4.8


; This is the default settings file for new PHP installations.

; By default, PHP installs itself with a configuration suitable for

; development purposes, and *NOT* for production purposes.

Newer installs are better.

Many php applications are installed with a
default php.ini. Therefore vulnerabilities
can be exploited.

Secure PHP Settings

Recommended configurations

display_errors = Off (turn on with ini_set or

log_errors = On

error_reporting = E_ALL (better error reporting)

session.save_path=/opt/php/session (Should be
specified by the user. Where /opt has no apache

session.gc_maxlifetime=600 (ten minutes of

More Settings

magic_quotes_gpc = Off

Escapes incoming get/post/cookie data, but for
what application/database. Broken Crutches.

Better to use specific php functions.

More later…

More Settings

register_globals = Off

Never turn on

Too easy to write insecure code

Auto initializes variables from Get/Post/Cookie data

URL= index.php?administrator=xyz


if (isset($administrator))


$authorized = true;



More Settings

safe_mode = On (enable if possible)

safe_mode_gid = On (enable if possible)

Especially useful in Highly Critical attacks.

Can not see files not owned by script

Can not execute files not owned by script

Developing Best Practices

Develop with security and production in mind.

Form strict policies concerning how data is sanitized and
at what stage.

$_GET, $_COOKIE, $_POST should always be
sanitized according to where it’s going not where it came

Mysql = mysql_real_escape_string()

Postgres = pg_escape_string ()

The P.E.A.R. DB class handles database data with “?”

To browser = htmlentities () or strip_tags()

To Shell = escapeshellcmd()

To Remove Javascript and reduce
XSS attacks

Use preg_replace() on …

javascript: onclick ondblclick onmousedown
onmouseup onmouseover
onmousemove onmouseout onkeypress
onkeydown onkeyup

Developing Best Practices cont.

Form strict policies concerning sessions.
(storage, timeouts, session id length, etc.)

If on a multiuser machine make a custom
session.save_path or save session data to
a database.

Use session_regenerate_id() to prevent
fixation. Especially after privilege

Developing Best Practices cont.
Securing Includes

Place them outside of document root.


But, if you have to place them in root…

End them in .php, so source is not revealed. Ex.

<Files ~ "

Order allow,deny

Deny from all


Where to put db_connect.inc.php

Not in document root.

If possible, make it non
world readable.
Apache group readable.

Web Applications

Secure Configuration of Common
PHP Applications


Protect config.inc.php if db access is

If possible use mod_cas

If using http authentication force ssl using

RewriteRule ^/$ /index.php

RewriteCond %{SERVER_PORT}!443$

RewriteRule ^(.*) https://host.com:443$1 [R=301,L]

Secure Configuration of Common
PHP Applications


If configuring remotely via the web, use ssl.

Sanity.A worm attacked a flaw that allowed for system
calls to be sent using GET vars.

Evil PHP:


$term = urldecode($_GET['sterm']);


$_GET is decoded once by php then again by urldecode.
The second time quotes or other harmful symbols can be
decoded and applied to system(). Assuming no magic
quotes would have prevented the problem using

Secure Configuration of Common
PHP Applications


Verify that gallery has written to the
.htaccess and config.php file after install.


chmod 644 .htaccess

chmod 644 config.php

chmod 400 setup

Secure Configuration of Common
PHP Applications


Move config.php outside of DocumentRoot

Edit mainfile.php to path of moved

Web Applications

When installing free web applications
always be aware of security advisories.

Maintain a backup of your database.

Practice restoring the database.

Be familiar with how to update the

If possible always use mod_cas.
Especially with tools like phpMyAdmin.