Top 10 PHP Security Tips for Linux Admins
By Damian Wolf, livecoding.tv
PHP is one of the most used server scripting programming languages. The market share speaks volumes about its dominance. The fact that PHP 7 is already out makes the programming language more appealing to current developers. Even though the changes have come out, many developers are skeptical about PHP's future. One reason is PHP security.
PHP security is a primary concern for developers. PHP offers robust security inside out, but it is in the hands of developers to implement them correctly. In this article, we will look at some PHP security tips for Linux admins. The tips will help you secure your Web application and ensure proper functioning in the long run.
Before we start, understanding the system we are working with is necessary. For demonstration purposes, we are using Fedora. However, the tips should work fine with the Ubuntu version or any other Linux distro. Check your OS distro manual for more information.
Let's go through some of the key files of our setup. In your case, they should be similar or equivalent to the following:
- Default Web server: Apache
- DocumentRoot: /var/www/html
- PHP configuration file: /etc/php.ini
- Extensions config directory: /etc/php.d/
- Security file: /etc/php.d/security.ini
These tricks will help you protect your Web site from different types of common attacks, such as SQL injection, XSS, sea-surf attacks, eval(), File uploads, and so forth. Check the common attack list here.
1. Get Rid of Unnecessary Modules
PHP comes with built-in PHP modules. They are useful for many tasks, but not every project requires them. You can view the available PHP modules by typing the following command:
# php - m
Once you get hold of the list, you now can get rid of the unnecessary modules. The reduced number of modules will help you to ramp up the performance and security of the Web application you are working on.
2. Restrict PHP Information Leakage
It is common for platforms to leak vital information. For example, PHP releases information such as versions and the fact that it is installed on the server. This is done through the expose_php directive. To prevent the leak, you need to set the directive to off in /etc/php.d/security.ini.
If anyone needs to know the version and its state, a simple run of the Curl command over the Web site address will produce this information.
Curl - I http://www.livecoding.tv/index.php
The preceding command will return the following information:
HTTP/1.1 200 OK X-Powered-By: PHP/7.0.10 Content-type: text/html; charset=UTF-8
3. Disable Remote Code Execution
Remote code execution is one of the common security flaws in PHP security. By default, remote code execution is enabled on your system. The "allow_url_fopen" directive allows functions such as require, include, or URL-aware fopen wrappers to get direct access to the PHP files. The remote access is done by using HTTP or FTP protocol and can cause the system to be defenseless against the code injection vulnerabilities.
To ensure that your system is secure from remote code execution, you can set the directive "Off", as shown below:
4. Log PHP Errors
Another simple way of tightening the security of your Web applications is to not show errors to the visitors. This will ensure that the hacker in no way can compromise the security of the Web site. The edit needs to be done in the /etc/php.d/security.ini file.
Now, you're probably wondering after this, "How can a developer debug without the help of errors?" Developers can use the log_errors directive for debugging purposes. All they need to do is enable the log_errors directive to "On" in the security.ini file.
5. Control Resources Properly
Controlling resources is important for making your app secure. To ensure proper execution and security, you need to set the limit for PHP script execution. Furthermore, you also may want to set a limit on the time spent on parsing request data. With execution time under control, other resources such as the memory usage by a script should also be configured accordingly. All of these metrics can be managed by editing the security.ini file.
# set in seconds max_execution_time = 25 max_input_time = 25 memory_limit = 30M
6. Disable Dangerous PHP Functions
PHP comes with useful functions for developmental purposes, but it is also plagued with functions that can be used by hackers to exploit the Web app. Disabling the functions can improve the overall security and ensure that you are not affected by dangerous PHP functions.
To do so, you first need to edit the php.ini file. Once there, find the disable_functions directive and set the dangerous functions in it. You can do it by just copy/pasting the following code.
disable_functions =exec,passthru, shell_exec,system,proc_open,popen,curl_exec, curl_multi_exec,parse_ini_file,show_source
You can read more about disabling dangerous PHP functions here.
7. Upload Files
If your app doesn't require uploading any files, disabling the functionality to upload files can lead to better security. To disable file uploading from users, you need to edit the security.ini file in the /etc/php.d/ directory and set the file_uploads directive to Off.
8. Keep Things Up to Date
Developers are working 24/7 to patch the technology that you are using. PHP is no different. With an open source community surrounding it, patches and bug fixes are released frequently. The updates also offer security fixes for first-day exploits and other security vulnerabilities. If you are serious about the security of your app, always keep your PHP solution up to date. Also, keeping the other associated technology to the latest patch will ensure maximum security.
9. Control File System Access
By default, PHP can access files by using functions such as fopen(). The open_basedir directive provides the access. For starters, always keep the open_basedir directive set to the /var/www/html directory. Setting it to any other directory can lead to security issues.
10. Control the POST Size
Our last PHP security tip is to control the POST size function. The HTTP POST function uses the client's browser to send data to the Web server. For example, a user can upload a certificate and send it to the Web browser for processing purposes. Everything works fine until one day a hacker attempts to send a huge file size to clog the server resources. This can easily lead to crashes or slow responses from the server. To protect your server from this exploit, you need to set the POST size. The POST size can be set in the /etc/php.d/security.ini file.
Security is one of the biggest concerns for Web developers and Linux administrators. With the preceding tips, you are sure to harden the security around the development environment and the PHP Web app. If you think we missed something important, don't forget to comment below and let us know.
About the Author
Damian Wolf is an author and tech enthusiast with articles published on top technology & coding Web sites such as InfoWorld, DZone, HongKiat, and more. In addition to working with PHP Web apps, he loves trying out new things: apps, software, and trends, and will gladly share his views.
- Twitter: http://twitter.com/damianlwolf
- Facebook: http://www.facebook.com/damianlwolf
- Google+: https://plus.google.com/+DamianWolf/posts
# # #
*** This article was contributed. © All rights reserved, Developer.com. ***