Top 10 PHP Security best practices for Linux sys administrators. – DebYum


PHP is a well-known open source general-purpose scripting language that is well suited to server-side web development. Securing a PHP application is always a difficult task: besides the application itself, we also need to secure the hardware and platform it runs on and configure PHP itself securely.

These PHP security best practices will help you configure PHP securely on your server.

The steps involved in configuring PHP securely are as follows.

1. Disable the insecure PHP functions.

The first PHP security tip to secure our PHP installation is to disable the insecure/dangerous PHP functions.

We list the names of all the insecure PHP functions that we want to disable in the disable_functions directive of the loaded php.ini file.

First of all, we need to find the location of the loaded php.ini file in our server.

shell> php -i | grep php.ini
Loaded Configuration File => /etc/php.ini

 

For PHP 7.0 on CentOS 7:

shell> php70 -i | grep php.ini
Configuration File (php.ini) Path => /etc/opt/remi/php70
Loaded Configuration File => /etc/opt/remi/php70/php.ini

 

Add this line at the end of your php.ini file.

disable_functions = system,phpinfo,exec,passthru,shell_exec,popen,proc_open,proc_terminate,curl_exec,curl_multi_exec,parse_ini_file,show_source

disable_functions can only be set in php.ini (not per directory or with ini_set()) and applies to every application served by that PHP installation, so check first that none of your applications needs one of these functions; curl_exec in particular is used by many frameworks and plugins.

 

Here’s a list of PHP functions that Flywheel hosting disables for security in PHP.
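As an added example (not from the DebYum post, and not part of any PHP package), the following script manages the disable_functions directive of a php.ini whose path is passed as its first argument: one function reports which of the wanted functions are still callable, the other merges the wanted functions into the directive without creating duplicates. The function names and the temporary-file approach are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the DebYum post): manage the disable_functions
# directive of a php.ini whose path is passed as the first argument.
#  - missing_disabled_functions: which of the wanted functions are still callable
#  - set_disable_functions: merge wanted functions into the directive, deduplicated
set -eu

# Print the value of the last active (uncommented) "KEY = value" line in FILE,
# with optional surrounding quotes and whitespace removed.
ini_get_value() {
    local file=$1 key=$2
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"?([^\"]*)\"?[[:space:]]*$/\1/p" "$file" | tail -n 1
}

# Print, one per line, the functions (arguments 2..n) that are NOT yet listed
# in FILE's disable_functions directive, i.e. the ones still callable.
missing_disabled_functions() {
    local file=$1; shift
    local current fn
    current=$(ini_get_value "$file" disable_functions | tr -d ' ')
    for fn in "$@"; do
        case ",${current}," in
            *",${fn},"*) ;;                 # already disabled
            *) printf '%s\n' "$fn" ;;       # still enabled
        esac
    done
}

# Rewrite disable_functions as the sorted, deduplicated union of the current
# list and the arguments; append the directive if the file has none.
# Prints the resulting list.
set_disable_functions() {
    local file=$1; shift
    local merged
    merged=$( { ini_get_value "$file" disable_functions | tr -d ' ' | tr ',' '\n'; printf '%s\n' "$@"; } \
              | grep -v '^$' | LC_ALL=C sort -u | paste -s -d ',' - )
    if grep -qE '^[[:space:]]*disable_functions[[:space:]]*=' "$file"; then
        # Replace the existing directive in place via a temporary copy.
        sed -E "s|^[[:space:]]*disable_functions[[:space:]]*=.*|disable_functions = ${merged}|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf 'disable_functions = %s\n' "$merged" >> "$file"
    fi
    printf '%s\n' "$merged"
}

# Usage (as root, against the loaded php.ini reported by `php -i | grep php.ini`):
#   set_disable_functions /etc/php.ini system phpinfo exec passthru shell_exec \
#       popen proc_open proc_terminate curl_exec curl_multi_exec parse_ini_file show_source
#   missing_disabled_functions /etc/php.ini system exec    # prints nothing once both are disabled
```

Because the merge reads the current directive first, running the script on a php.ini that already has a partial list extends it rather than silently replacing a list another administrator set.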

 

2. Disable Unused PHP Modules.

The second PHP security tip improves both the performance and the security of PHP: keep the number of modules loaded by PHP to the minimum your applications need, since every loaded extension is extra attack surface. We can see the list of loaded modules by executing the following command:

shell> php -m
[PHP Modules]
bz2
calendar
Core
posix
date

 

For PHP 7.0

shell> php70 -m
[PHP Modules]
bz2
calendar
Core
posix
date

 

We can disable any unused module by renaming its configuration file in php.d so that PHP no longer loads it. For example, to stop the POSIX module from loading in PHP, we can use these steps.

shell> cd /etc/php.d/
shell> mv posix.ini posix.ini.disable

 

For PHP 7.0

The file names are slightly different in PHP 7: each snippet carries a two-digit load-order prefix, so look up the exact name first.

shell> cd /etc/opt/remi/php70/php.d

 

shell> ls -l
total 148
-rw-r--r--. 1 root root 4078 Nov 8 20:25 10-opcache.ini
-rw-r--r--. 1 root root 47 Nov 8 20:26 20-bz2.ini
-rw-r--r--. 1 root root 51 Nov 8 20:26 20-posix.ini
-rw-r--r--. 1 root root 57 Nov 8 20:26 20-calendar.ini
-rw-r--r--. 1 root root 51 Nov 8 20:26 20-ctype.ini
.......

 

Disable the module. The file name carries the prefix, so it must be included here.

shell> mv 20-posix.ini 20-posix.ini.disable

The CLI picks the change up immediately, but php-fpm or mod_php only re-read php.d on restart, so restart the service and confirm with php -m that the module is gone. Modules compiled into the PHP binary (php -m lists them, but there is no matching file in php.d) cannot be disabled this way.
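As an added example (not from the post and not part of any PHP package), the following script finds a module's snippet in a php.d directory you pass in and renames it, handling both the plain posix.ini name seen on PHP 5 and the 20-posix.ini name used by the PHP 7.0 packages above. The php.d path and module names are arguments, nothing is hard-coded, and it also lists what is still enabled and can undo the change.

```shell
#!/usr/bin/env bash
# Added example (not from the post): disable a PHP module by renaming its
# php.d snippet, whatever prefix the packager used (posix.ini on PHP 5,
# 20-posix.ini on the PHP 7.0 builds shown above). The php.d directory is
# passed in, so the same script works for /etc/php.d and
# /etc/opt/remi/php70/php.d.
set -eu

# Print the path of the snippet that loads MODULE in DIR; fail if none exists
# (which is what happens for modules compiled into the PHP binary).
find_module_ini() {
    local dir=$1 module=$2 f
    for f in "$dir"/*.ini; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            "${module}.ini"|[0-9][0-9]-"${module}.ini") printf '%s\n' "$f"; return 0 ;;
        esac
    done
    return 1
}

# Rename MODULE's snippet to <name>.ini.disable so PHP no longer loads it.
# Prints the new path; fails if the module is not found or already disabled.
disable_module() {
    local dir=$1 module=$2 ini
    ini=$(find_module_ini "$dir" "$module") || { echo "no snippet for $module in $dir" >&2; return 1; }
    mv "$ini" "$ini.disable"
    printf '%s\n' "$ini.disable"
}

# Undo: restore a previously disabled snippet and print its path.
enable_module() {
    local dir=$1 module=$2 f
    for f in "$dir"/*.ini.disable; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            "${module}.ini.disable"|[0-9][0-9]-"${module}.ini.disable")
                mv "$f" "${f%.disable}"; printf '%s\n' "${f%.disable}"; return 0 ;;
        esac
    done
    return 1
}

# List modules still enabled: snippet basename without load-order prefix and .ini.
list_enabled_modules() {
    local dir=$1 f name
    for f in "$dir"/*.ini; do
        [ -e "$f" ] || continue
        name=${f##*/}; name=${name%.ini}; name=${name#[0-9][0-9]-}
        printf '%s\n' "$name"
    done
}

# Usage: disable_module /etc/opt/remi/php70/php.d posix && systemctl restart php70-php-fpm
```

After disabling, compare `list_enabled_modules` with `php -m`: anything listed by php -m but absent from php.d is built into the binary and stays loaded regardless.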

 

 

3. Disable Remote Code Execution

If allow_url_fopen is enabled on your setup, file functions such as file_get_contents() and the include and require statements can retrieve data from remote http or ftp locations, and include/require then execute whatever code they fetched. Left enabled, this is the classic remote file inclusion risk. We will disable allow_url_fopen and allow_url_include in our php.ini file.

allow_url_fopen=Off
allow_url_include=Off

 

 

4. Limit PHP Access To File System

Another important tip for your PHP web application security is to restrict PHP to the directories it is allowed to access by setting the open_basedir directive.

Enter a path that contains your server's document root to limit PHP file operations to that tree only. If your document root is /var/www/html then you should use something like the following. Keep the trailing slash: open_basedir matches by prefix, so "/var/www" would also allow "/var/www2", while "/var/www/" restricts access to that directory and its subdirectories. Several paths can be given separated by colons.

Edit your php.ini file.

open_basedir="/var/www/"

 

 

5. Secure location to store PHP temporary files.

After setting open_basedir, there is a chance that you will start getting an upload_tmp_dir error when uploading files through PHP. You can solve this by specifying the upload_tmp_dir option explicitly, which also helps when dealing with file upload vulnerabilities.

Make sure the path specified in upload_tmp_dir is inside the path defined in open_basedir: when open_basedir is on, the upload directory must be allowed by it or every upload fails.

Set upload_tmp_dir to a folder that is:

  • outside the document root of your website
  • not readable or writable by any other system users

Create a folder to store temporary PHP files, inside the directory tree defined in the open_basedir directive.

shell> mkdir -p /var/www/php/sessions

 

Edit php.ini file.

upload_tmp_dir = /var/www/php/sessions

 

Make sure it is not world-writable and is owned by the account PHP runs under (the php-fpm or web server user), since mode 770 grants access to the owner and group only.

shell> chmod -R 770 /var/www/php

 

 

6. Configure PHP logging.

We will configure secure logging for PHP by not displaying PHP errors to visitors (error messages leak file paths, queries and version details) while still recording them in a log file.

Edit php.ini file.

display_errors = Off
log_errors = On
error_log = /var/log/nginx/php-errors.log
ignore_repeated_errors = Off

The log file must be writable by the user PHP runs as and, like this one, must live outside the document root so it cannot be fetched over the web.

 

 

7. Hide PHP version Information.

Different PHP versions have their own vulnerabilities. We can make it a bit harder for anyone to pick the right one by hiding the PHP version, which is otherwise advertised in the X-Powered-By response header. This only hides the version; the installation still needs to be patched.

Edit php.ini to hide the version information of PHP.

expose_php = Off

 

 

8. Make your PHP configuration files immutable.

Another PHP security tip is to protect important files and folders from accidental deletion or modification, even by the root user. We can set the immutable attribute on those files and folders to prevent accidental deletion and modification.

To set the immutable attribute on php.ini, log in as root and use the following commands.

shell> cd /etc
shell> chattr +i php.ini
shell> lsattr php.ini
----i----------- php.ini

 

Now, try to delete this file as the root user.

shell> rm -rf php.ini
rm: cannot remove 'php.ini': Operation not permitted

 

Now php.ini cannot be altered without removing this attribute first.

To alter this file again, use these commands.

shell> chattr -i php.ini
shell> lsattr php.ini
---------------- php.ini

 

Moreover, you can use this attribute to protect other important files too. Remember to remove it before package upgrades that rewrite php.ini, which otherwise fail with the same "Operation not permitted" error.

 

9. Enable limits in PHP.

We can also control how many files may be uploaded through PHP and their maximum size. Limits on the maximum execution time and the maximum input time of scripts should also be configured properly. Note that comments in php.ini start with ; (a trailing # is no longer treated as a comment in PHP 7 and later), so the remarks below use that form.

To limit the size of files users may upload, update the following configuration value.

upload_max_filesize = 256K ; recommended

  • Maximum execution time of each script.

max_execution_time = 30 ; seconds

  • The maximum amount of time each script may spend parsing request data.

max_input_time = 60 ; seconds

  • The maximum size of POST data that PHP will accept.

post_max_size = 200K ; recommended

  • The maximum amount of memory a script may consume.

memory_limit = 8M ; recommended

These are the recommended values, but you should change them to suit your server's requirements.
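The shorthand sizes above (K, M) are read by PHP as 1024-based multipliers, and the PHP manual requires post_max_size to be at least upload_max_filesize and memory_limit to be larger than post_max_size. The following script is an added example (not from the post) that converts the shorthand to bytes and checks that ordering; the three limits are passed as arguments. Run on the values listed above it reports that upload_max_filesize (256K) exceeds post_max_size (200K), which means uploads between those two sizes are discarded before the script ever sees them, so adjust one of the two when tuning for your server.

```shell
#!/usr/bin/env bash
# Added example (not from the post): convert php.ini shorthand sizes (256K,
# 8M, 1G, -1) to bytes and check that the upload-related limits are ordered
# as the PHP manual requires: upload_max_filesize <= post_max_size <= memory_limit.
set -eu

# Convert a php.ini shorthand size to bytes. PHP treats a trailing K/M/G
# (case-insensitive) as a 1024-based multiplier; no suffix means bytes,
# and -1 (unlimited) passes through unchanged.
php_size_to_bytes() {
    local v=$1 num unit
    num=${v%[KkMmGg]}
    unit=${v#"$num"}
    case "$unit" in
        [Kk]) printf '%s\n' $((num * 1024)) ;;
        [Mm]) printf '%s\n' $((num * 1024 * 1024)) ;;
        [Gg]) printf '%s\n' $((num * 1024 * 1024 * 1024)) ;;
        *)    printf '%s\n' $((num)) ;;
    esac
}

# Return 0 when upload_max_filesize, post_max_size and memory_limit are
# consistent, 1 otherwise, explaining each problem on stderr.
check_upload_limits() {
    local upload=$1 post=$2 mem=$3 ok=0 u p m
    u=$(php_size_to_bytes "$upload")
    p=$(php_size_to_bytes "$post")
    m=$(php_size_to_bytes "$mem")
    if [ "$u" -gt "$p" ]; then
        echo "upload_max_filesize ($upload) exceeds post_max_size ($post): uploads that large are discarded" >&2
        ok=1
    fi
    # memory_limit = -1 means unlimited, so there is nothing to compare against.
    if [ "$m" -ne -1 ] && [ "$p" -gt "$m" ]; then
        echo "post_max_size ($post) exceeds memory_limit ($mem): large requests will hit the memory limit" >&2
        ok=1
    fi
    return $ok
}

# Usage with the values from the post: check_upload_limits 256K 200K 8M
```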

 

10. Disallow Uploading Files

Set file_uploads to Off to turn off all file uploads to your site unless you require this feature.

Edit php.ini file.

file_uploads = Off ; only if you don't require uploading files to the server

 

 

11. Turn on cgi.force_redirect in php.ini

cgi.force_redirect is necessary to provide security when PHP runs as a CGI binary under most web servers: it makes the interpreter refuse requests that reach it directly instead of through the web server's redirect, which could otherwise name an arbitrary file to execute. Left undefined, PHP turns it on by default.

Edit php.ini file.

cgi.force_redirect = 1

 

 

12. Test your PHP settings by running PHPSECINFO on your server.

Now that we have applied all the PHP security best practices, we can use phpsecinfo to test them. Phpsecinfo reports security information about the PHP environment and can be used to check our PHP security configuration.

How to use PHPSECINFO:

  • Download phpsecinfo.zip from here.
  • Upload phpsecinfo.zip to your server and extract it in your document root.
  • Access phpsecinfo from your browser by visiting
    http://your-server-ip/phpsecinfo-20070406/index.php

phpsecinfo-20070406 is the name of the phpsecinfo folder after extracting it on my server; it can have a different name in your case. The report lists your PHP configuration in detail, so delete the folder from the document root as soon as you have read it, otherwise anyone who guesses the URL gets the same report. Note also that, as the folder name shows, this release dates from 2007, so some of its checks predate PHP 7.
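Because phpsecinfo inspects a running PHP from the web, it is also useful to have an offline check that needs nothing in the document root. The script below is an added example (not from the post and unrelated to the phpsecinfo project) that reads a php.ini path given as its argument and verifies the directives recommended in sections 3, 4, 6, 7, 10 and 11. It treats an unset directive as a failure, so it expects the values to be written out explicitly as those sections do; open_basedir is only checked for being set, since its value is site-specific.

```shell
#!/usr/bin/env bash
# Added example (not from the post): offline audit of a php.ini against the
# hardening directives from sections 3, 4, 6, 7, 10 and 11. Pass the loaded
# php.ini path (see `php -i | grep php.ini`); exits non-zero on any mismatch.
set -eu

# Value of the last active "KEY = value" line, quotes and spaces stripped.
# Dots in the key (cgi.force_redirect) are escaped so they match literally.
ini_get_value() {
    local key
    key=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"?([^\"]*)\"?[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# PHP accepts on/off, 1/0, yes/no, true/false for booleans; normalise to on/off.
# An empty (unset) value stays empty so the caller can report it as unset.
normalise_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|on|yes|true)       printf 'on\n' ;;
        0|off|no|false|none) printf 'off\n' ;;
        *)                   printf '%s\n' "$1" ;;
    esac
}

# Expected boolean directives, one "key expected" pair per line.
EXPECTED='allow_url_fopen off
allow_url_include off
display_errors off
log_errors on
expose_php off
file_uploads off
cgi.force_redirect on'

# Print OK/FAIL per directive and return 1 if anything failed.
audit_php_ini() {
    local file=$1 rc=0 key want got
    while read -r key want; do
        got=$(normalise_bool "$(ini_get_value "$file" "$key")")
        if [ "$got" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "FAIL $key = ${got:-unset} (want $want)"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    if [ -n "$(ini_get_value "$file" open_basedir)" ]; then
        echo "OK   open_basedir is set"
    else
        echo "FAIL open_basedir is unset"
        rc=1
    fi
    return $rc
}

# Usage: audit_php_ini /etc/php.ini
```

Run it after every php.ini change and after package upgrades, which can ship a new php.ini; a FAIL line names the directive and the value that is actually in effect so the fix is a one-line edit.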

 


 

 

In conclusion, these PHP security best practices are important to improve the security of your PHP installation. The longer you wait to implement these security measures, the less effective they become. They should be implemented from the start, alongside the applications you want to deploy.

Thanks for visiting this page and have a good day. 🙂

 

 

Hello there, my name is Rishi Guleria and I work as a Linux system administrator. I have created this blog to share what I have learned so far and to learn new things. Good day. :)