Securing PHP Environment Against Hacking

  1. #1 SnapPop (Egypt, joined Feb 2012, 388 posts)

    Securing PHP Environment Against Hacking

    Well, the point is we are threatened all the time, and the reason is hackable PHP scripts.
    I searched for every possible configuration and way to secure the PHP processes.
    Well, I found some, but I guess that's not all.
    Here's all I got to configure php.ini:

    Disable remote URLs (which may cause code injection vulnerabilities) for file handling functions.
    allow_url_fopen=Off
    allow_url_include=Off

    Disable register_globals.
    register_globals=Off

    Restrict where PHP processes can read and write on a file system.
    IIS: open_basedir="c:\inetpub\"

    Limit script execution time.
    max_execution_time=30
    max_input_time=60

    Limit memory usage and file sizes.
    memory_limit=16M
    upload_max_filesize=2M
    post_max_size=8M
    max_input_nesting_level=64

    Configure error messages and logging.
    display_errors=Off
    log_errors=On
    error_log="C:\path\of\your\choice"

    Hide presence of PHP.
    expose_php=Off

    Enable Safe Mode
    safe_mode=On

    Set sql.safe_mode to Off. If it is On, mysqli_connect() and mysql_connect() will connect to MySQL with the default username and password.

    Enable magic_quotes_gpc so that you can make your user inputs secure. It works the same as the addslashes() function. It will add a backslash (\) before every single quote and double quote.
    magic_quotes_gpc=On

    The most important part is disabling malicious functions like these:
    disable_functions = apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode

    So if you guys have some missing configuration for php.ini, or the web server itself, or even the machine, please share so we can get the maximum security.

    Edit: found something for the Apache web server

    Install the latest version
    Older versions have bugs which could be used by attackers.


    Hide the Apache Version number, and other sensitive information

    Here are two directives that you need to add or edit in your httpd.conf file:
    Code:
    ServerSignature Off 
    ServerTokens Prod
    The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

    The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting
    it to Prod it sets the HTTP response header as follows:
    Code:
    Server: Apache
    If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security

    Ensure that files outside the web root are not served

    We don't want Apache to be able to access any files outside of its web root.
    So assuming all your web sites are placed under one directory (we will call this
    C:/apache2/htdocs), you would set it up as follows:
    Code:
    <Directory /> 
      Order Deny,Allow 
      Deny from all 
      Options None 
      AllowOverride None 
    </Directory> 
    <Directory C:/apache2/htdocs> 
      Order Allow,Deny 
      Allow from all 
    </Directory>
    Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server.
    You now have to add them explicitly for each directory that requires an Option or Override

    Turn off directory browsing

    You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes
    Code:
    Options -Indexes
    Turn off server side includes

    This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes
    Code:
    Options -Includes
    Turn off CGI execution

    If you're not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI
    Code:
    Options -ExecCGI
    Turning off multiple Options

    Now combine all stuff!

    Shortest:
    Code:
    Options None
    or
    Code:
    Options -ExecCGI -Includes -Indexes
    Turn off support for .htaccess files

    This is done in a Directory tag but with the AllowOverride directive. Set it to None.
    Code:
    AllowOverride None
    Disable any unnecessary modules

    Apache typically comes with several modules installed. Go through the apache module documentation and learn
    what each module you have enabled actually does. Many times you will find that you don't need to have the said module enabled.

    Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line.


    Restricting Access by IP
    If you have a resource that should only be accessed by a certain network or IP address, you can enforce this in your Apache configuration. For instance, if you want to restrict access to your intranet to allow only the 192.168 network:
    Code:
    Order Deny,Allow 
    Deny from all 
    Allow from 192.168.0.0/16
    or by IP
    Code:
    Order Deny,Allow 
    Deny from all 
    Allow from 127.0.0.1 192.168
    Last edited by SnapPop; 04-05-13 at 09:46 PM.
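A config audit for the php.ini and httpd.conf settings listed in the post above, as an added example that is not code from this post or from anyone in the thread. It is a POSIX shell script; the sample php.ini and httpd.conf files it writes are constructed for the demo, and the function names (ini_value, check, php_audit, apache_audit, fail_count) are my own. Beyond the post's list it encodes two facts a practitioner applying that list should know: disable_functions only affects internal functions, so eval (a language construct) listed there does nothing, and register_globals, magic_quotes_gpc and safe_mode were removed in PHP 5.4.0, so those lines no longer harden anything. An absent key is scored at PHP's built-in default, which is why a php.ini that never mentions allow_url_fopen still fails that check.

```shell
#!/bin/sh
# Audit a php.ini and an httpd.conf against the settings recommended in the
# post. Added example, not code from the thread. Assumes php.ini uses
# "key = value" lines with ';' comments and httpd.conf has one directive per
# line; the sample files at the bottom are constructed for the demo.

# ini_value FILE KEY: last uncommented value of KEY, lowercased, quotes
# stripped; prints nothing when the key is absent.
ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }
        {
            line = $0; sub(/;.*$/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/"/, "", v)
            if (tolower(k) == tolower(key)) val = tolower(v)
        }
        END { print val }' "$1"
}

# check FILE KEY DEFAULT WANT: FAIL when the effective state of KEY is not
# WANT. An absent key takes DEFAULT, the engine's built-in value (e.g.
# allow_url_fopen, display_errors and expose_php are On until php.ini says Off).
check() {
    v=$(ini_value "$1" "$2"); [ -n "$v" ] || v=$3
    case "$v" in 1|on|yes|true) state=on ;; *) state=off ;; esac
    if [ "$state" = "$4" ]; then printf 'ok   %s=%s\n' "$2" "$v"
    else printf 'FAIL %s is %s, set %s=%s\n' "$2" "$state" "$2" "$4"; fi
}

# check_disabled FILE: the shell-spawning functions must all be listed in
# disable_functions. Only internal functions can be disabled that way; eval
# is a language construct, so listing it there does nothing.
check_disabled() {
    list=$(ini_value "$1" disable_functions | tr -d ' ')
    for f in exec system shell_exec passthru popen proc_open; do
        case ",$list," in
            *",$f,"*) ;;
            *) printf 'FAIL %s is not in disable_functions\n' "$f" ;;
        esac
    done
    case ",$list," in
        *,eval,*) printf 'WARN eval in disable_functions has no effect (language construct)\n' ;;
    esac
}

# check_removed FILE: register_globals, magic_quotes_gpc and safe_mode were
# removed in PHP 5.4.0, so setting them hardens nothing on a current build.
check_removed() {
    for k in register_globals magic_quotes_gpc safe_mode; do
        [ -z "$(ini_value "$1" "$k")" ] ||
            printf 'WARN %s was removed in PHP 5.4, no effect\n' "$k"
    done
}

# php_audit FILE: one line per check.
php_audit() {
    check "$1" allow_url_fopen on off
    check "$1" allow_url_include off off
    check "$1" display_errors on off
    check "$1" log_errors on on
    check "$1" expose_php on off
    check_disabled "$1"
    check_removed "$1"
}

# apache_audit FILE: ServerTokens/ServerSignature must hide the version, and
# no Options line may enable Indexes, Includes or ExecCGI (bare, "+" or All).
apache_audit() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "servertokens"    { tokens = tolower($2) }
        tolower($1) == "serversignature" { sig = tolower($2) }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i); sub(/^\+/, "", o)
                if (o == "all" || o == "indexes" || o == "includes" || o == "execcgi")
                    printf "FAIL line %d enables Options %s\n", NR, $i
            }
        }
        END {
            if (tokens != "prod") print "FAIL ServerTokens is not Prod"
            if (sig != "off")     print "FAIL ServerSignature is not Off"
        }' "$1"
}

# fail_count AUDIT FILE: number of FAIL lines AUDIT reports for FILE.
fail_count() { "$1" "$2" | grep -c '^FAIL' || true; }

# Constructed samples: a careless php.ini/httpd.conf and a hardened pair.
SAMPLES=$(mktemp -d)
printf 'display_errors = On\nexpose_php = On\nsafe_mode = On\ndisable_functions = eval\n' > "$SAMPLES/weak.ini"
printf 'allow_url_fopen = Off\nallow_url_include = Off\ndisplay_errors = Off\nlog_errors = On\nexpose_php = Off\ndisable_functions = exec, system, shell_exec, passthru, popen, proc_open\n' > "$SAMPLES/hardened.ini"
printf 'ServerTokens Full\nServerSignature On\nOptions Indexes FollowSymLinks\n' > "$SAMPLES/weak.conf"
printf 'ServerTokens Prod\nServerSignature Off\nOptions -Indexes -Includes -ExecCGI\n' > "$SAMPLES/hardened.conf"
php_audit "$SAMPLES/weak.ini"; apache_audit "$SAMPLES/weak.conf"
```

To use it on a live box, source the script and run `php_audit /path/to/php.ini` and `apache_audit /path/to/httpd.conf`; `fail_count php_audit /path/to/php.ini` gives a number you can gate a deploy on. The Apache checks only look at Options tokens on a line, so a directory that inherits Indexes from a parent block still needs the `<Directory />` baseline shown in the post.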


  2. #2 Caosfox (Balcora Gate, joined Jun 2011, 1,608 posts)

    Re: Securing PHP Environment Against Hacking

    This is really a good idea.

  3. #3 SnapPop (Egypt, joined Feb 2012, 388 posts)

    Re: Securing PHP Environment Against Hacking

    So, any contribution or even correction for what I've posted above?

  4. #4 SuperHer0 (joined Nov 2011, 128 posts)

    Re: Securing PHP Environment Against Hacking

    All that can be bypassed easily :) Thanks for sharing.

  5. #5 Caustik (London, joined May 2011, 1,837 posts)

    Re: Securing PHP Environment Against Hacking

    Install suhosin for added security too.
    Hardened-PHP Project - PHP Security - Suhosin

  6. #6 SnapPop (Egypt, joined Feb 2012, 388 posts)

    Re: Securing PHP Environment Against Hacking

    Quote Originally Posted by SuperHer0:
    All that can be bypassed easily :) Thanks for sharing.
    You're welcome, but that's not all about PHP; I'm pretty sure there are more configurations.

    Quote Originally Posted by Caustik:
    Install suhosin for added security too.
    Hardened-PHP Project - PHP Security - Suhosin
    Thanks for the contribution, buddy. I'll try Suhosin when I get Linux.

    Last edited by SnapPop; 04-05-13 at 09:44 PM.