Objective: harden PHP with basic security configuration, harden MySQL and PostgreSQL, and allow Apache (running in a chroot) to connect to the MySQL socket and to PostgreSQL.
Apache

In /etc/apache2/conf/commonapache.conf, set the following to prevent information disclosure:

    ServerAdmin <admin e-mail address>
    ServerTokens Prod
    ServerSignature Off

ServerTokens Prod reduces the Server header to just "Apache", with no module information (mod_php, etc.) and no version numbers. ServerSignature Off removes the server version footer that Apache appends to the pages it generates itself (error pages, directory listings), so no version details are shown there either.
PHP

The following options were adjusted in /etc/php/apache2-php4/php.ini:

    safe_mode = on
Limits what PHP can do: prevents system calls and strictly enforces file ownership checks. (safe_mode was removed in PHP 5.4, so it only applies to the PHP 4 installation this guide targets.)

    disable_functions = phpinfo, curl_exec, curl_init, passthru, show_source, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system
Prevents PHP scripts from calling these functions. They are low-level system functions that standard web applications do not normally need.

    expose_php = Off
Hides the PHP version in the HTTP headers.

    display_errors = Off
Does not display errors to the browser; if an error occurs and is not handled in code, a blank white page is shown instead.

    log_errors = On
Makes sure those PHP errors are still written to the log.
MySQL

Some basic settings that improve MySQL security. Edit /etc/mysql/my.cnf:

    socket = /var/chroot/apache/var/run/mysqld/mysqld.sock
This is where the socket file is created. It has to be inside the Apache chroot so that PHP can communicate with MySQL through the socket.

    set-variable = local-infile=0
Prevents MySQL from reading and writing files on the system (this disables LOAD DATA LOCAL INFILE).

    skip-networking
With this set, MySQL will not listen on TCP port 3306 and only accepts connections on the local socket.

    bind-address=YOUR-SERVER-IP
Restricts the TCP listener to one address. It only matters if skip-networking is not used; with skip-networking there is no TCP listener to bind.

After everything is compiled and configured, restart the services:

    /etc/init.d/apache2 restart
    /etc/init.d/mysqld restart
PostgreSQL

Open the configuration file:

    nano /var/lib/pgsql/data/postgresql.conf

and add the following line to set which IP address PostgreSQL listens on:

    listen_addresses = localhost
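As an added example that is not part of the original guide, the POSIX shell script below audits each of the files edited above (Apache, PHP, MySQL and PostgreSQL) for the settings the guide prescribes and reports what is missing. The directory, file names and sample configuration contents it writes are constructed for the demonstration; on a real host the checks would be pointed at the real paths named in the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the hardening directives
# in the Apache, PHP, MySQL and PostgreSQL config files. The sample files
# written by make_samples are constructed; on a real host pass the directory
# holding the real commonapache.conf, php.ini, my.cnf and postgresql.conf.

# conf_value FILE KEY
# Print the value of the first uncommented KEY in FILE. Understands
# "key = value" (php.ini, my.cnf, postgresql.conf), "key value" (Apache)
# and bare flags such as "skip-networking", for which it prints "set".
# Only the first "=" or run of whitespace separates key from value, so
# "set-variable = local-infile=0" yields "local-infile=0". Quotes are stripped.
conf_value() {
    awk -v key="$2" -v q="'" '
        /^[[:space:]]*[#;]/ { next }                 # whole-line comment
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]+[#;].*$/, "", line)     # trailing comment
            if (line == "") next
            match(line, /^[^[:space:]=]+/)
            if (substr(line, RSTART, RLENGTH) != key) next
            rest = substr(line, RLENGTH + 1)
            sub(/^[[:space:]]*=?[[:space:]]*/, "", rest)
            if (rest == "") { print "set"; exit }
            gsub("^[" q "\"]|[" q "\"]$", "", rest)
            print rest
            exit
        }' "$1"
}

# check FILE KEY EXPECTED: print PASS and return 0 when KEY has the expected
# value, otherwise print FAIL with what was found ("unset" if absent), return 1.
check() {
    got=$(conf_value "$1" "$2")
    [ -n "$got" ] || got=unset
    if [ "$got" = "$3" ]; then
        printf 'PASS %s: %s = %s\n' "$1" "$2" "$got"
        return 0
    fi
    printf 'FAIL %s: %s = %s (expected %s)\n' "$1" "$2" "$got" "$3"
    return 1
}

# missing_disabled FILE: print each function from the guide's list that FILE
# does not put in disable_functions; empty output means the list is complete.
missing_disabled() {
    have=$(conf_value "$1" disable_functions | tr -d ' ' | tr ',' '\n')
    for fn in phpinfo curl_exec curl_init passthru show_source proc_close \
              proc_get_status proc_nice proc_open proc_terminate shell_exec system; do
        echo "$have" | grep -qx "$fn" || echo "$fn"
    done
}

# audit DIR: run every check from the guide against the files in DIR and
# return the number of failures (0 means every setting is in place).
audit() {
    fails=0
    check "$1/commonapache.conf" ServerTokens Prod        || fails=$((fails + 1))
    check "$1/commonapache.conf" ServerSignature Off      || fails=$((fails + 1))
    check "$1/php.ini" safe_mode on                       || fails=$((fails + 1))
    check "$1/php.ini" expose_php Off                     || fails=$((fails + 1))
    check "$1/php.ini" display_errors Off                 || fails=$((fails + 1))
    check "$1/php.ini" log_errors On                      || fails=$((fails + 1))
    m=$(missing_disabled "$1/php.ini")
    if [ -n "$m" ]; then
        echo "FAIL $1/php.ini: disable_functions does not cover: $(echo $m)"
        fails=$((fails + 1))
    fi
    check "$1/my.cnf" set-variable local-infile=0         || fails=$((fails + 1))
    check "$1/my.cnf" skip-networking set                 || fails=$((fails + 1))
    check "$1/postgresql.conf" listen_addresses localhost || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return "$fails"
}

# make_samples DIR: write constructed config fragments. The Apache file and
# php.ini follow the guide; my.cnf has skip-networking commented out and
# postgresql.conf keeps the default '*', so the audit has something to flag.
make_samples() {
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$1/commonapache.conf"
    cat > "$1/php.ini" <<'EOF'
; constructed sample php.ini
safe_mode = on
disable_functions = phpinfo, curl_exec, curl_init, passthru, show_source, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system
expose_php = Off
display_errors = Off
log_errors = On
EOF
    cat > "$1/my.cnf" <<'EOF'
[mysqld]
socket = /var/chroot/apache/var/run/mysqld/mysqld.sock
set-variable = local-infile=0
# skip-networking
bind-address=127.0.0.1
EOF
    printf "listen_addresses = '*'   # constructed: default left in place\n" > "$1/postgresql.conf"
}

dir=$(mktemp -d)
make_samples "$dir"
audit "$dir" || echo "host is not fully hardened"
rm -rf "$dir"
```

Run against the sample files, the audit reports two failures: skip-networking is commented out in my.cnf, and postgresql.conf still listens on '*'. The parser deliberately splits on only the first "=" so that my.cnf's `set-variable = local-infile=0` is read as a single value, and it treats a bare directive as the value "set" so that flag-style options can be checked the same way as key/value ones.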