Secure PHP configuration for production

The Comprehensive Guide to Securing PHP Configuration for Production on Linux Bash

As a web developer, one of your crucial responsibilities is ensuring that your application is secure, especially in a production environment. PHP, being one of the most popular scripting languages for web development, demands particular attention to security configurations to prevent common vulnerabilities. This guide will walk you through setting up a secure PHP environment on a Linux server, utilizing Bash scripting for automation and consistency.

Why Focus on PHP Security?

PHP powers a significant portion of the web including many high-traffic websites. Despite its popularity, default PHP configurations are not optimized for security, making careful configuration adjustments essential. Vulnerabilities in PHP can lead to data breaches, unauthorized access, and other critical security risks.

Step-by-Step PHP Security Configuration

Below, we'll detail various aspects of securing your PHP configuration for production in a Linux environment:

1. Install PHP

First, ensure you have PHP installed on your Linux server. You can install PHP using your Linux distribution’s package manager. On different distributions, the commands vary:

• For Ubuntu:

  sudo apt-get update
  sudo apt-get install php php-cli
  

• For RHEL, CentOS (using DNF):

  sudo dnf install php php-cli
  

• For openSUSE (using Zypper):

  sudo zypper install php7 php7-cli
  

Make sure to install any necessary PHP extensions as well, depending on your application's requirements.

2. Adjust php.ini Settings

The php.ini file is the core configuration file for PHP. You can find this file in different locations based on your Linux distribution (e.g., /etc/php/7.4/apache2/php.ini for PHP 7.4 on Ubuntu with Apache).

Here's how you should configure some of the critical settings:

• Disable Dangerous Functions

  Edit the disable_functions directive to disable functions that can be misused by attackers:

  disable_functions = exec,system,shell_exec,passthru
  

• Set expose_php to Off

  This setting prevents PHP from sending its version in HTTP headers, making it slightly harder for attackers to discover potential version-specific vulnerabilities:

  expose_php = Off
  

• Error Reporting

  Configure PHP to log errors instead of displaying them to the user, which can provide attackers hints on how to exploit your system:

  display_errors = Off
  log_errors = On
  error_log = /var/log/php_error.log
  

• Limit Resources

  Restricting resource usage per script can prevent denial-of-service attacks:

  max_execution_time = 30
  memory_limit = 128M
  post_max_size = 8M
  upload_max_filesize = 2M
  

• Session Security

  Enhance session security with the following settings:

  session.cookie_httponly = 1
  session.use_only_cookies = 1
  session.cookie_secure = 1
  

3. File Permissions

Ensure scripts and PHP files do not have more permissions than necessary:

find /var/www/html -type f -exec chmod 644 {} \;

This sets file permissions to 644, giving read and write access to the owner, and read access to everyone else.

4. Regularly Update PHP

Stay on top of security patches. Use the appropriate command based on your distribution:

• For Ubuntu:

  sudo apt-get update && sudo apt-get upgrade php
  

• For RHEL, CentOS (using DNF):

  sudo dnf update php
  

• For openSUSE (using Zypper):

  sudo zypper update php7
  

5. Use TLS/SSL

Ensure all data transmitted between your server and clients is encrypted. For Ubuntu:

sudo apt-get install certbot
sudo certbot --apache

For other distributions, replace apt-get with dnf or zypper as per the system's package management tool.

6. Consider Security Extensions

Evaluate PHP security extensions like Suhosin or disable certain risky extensions like eval.

Automating with Bash Scripts

You can automate many of these security practices with simple Bash scripts. For instance, a script to update PHP and reset permissions could look like this:

#!/bin/bash
sudo apt-get update
sudo apt-get upgrade php
sudo find /var/www/html -type f -exec chmod 644 {} \;

Conclusion

Securing PHP in a production environment on a Linux server involves careful configuration of your php.ini file, diligent system updates, permissions management, and the use of encrypted connections. While the steps outlined provide a strong foundation for security, always adapt and evolve your strategies based on specific threats and new vulnerabilities. Stay informed about PHP security best practices and continuously audit and test your applications for enhanced protection.

Further Reading

For additional reading on specific aspects of PHP security and best practices in Linux environments, consider exploring the following resources:

• OWASP PHP Security Cheat Sheet

  • A comprehensive guide detailing common PHP security vulnerabilities and how to mitigate them.
  • OWASP PHP Security Cheat Sheet

• Hardening PHP from php.ini

  • An article explaining critical PHP configuration options that enhance security at the php.ini level.
  • Hardening PHP from php.ini

• Automating Security in Linux with Bash Scripts

  • Discusses methods to use Bash scripting for automating security practices on Linux servers.
  • Automating Security in Linux

• Securing Apache and PHP Installations on Linux

  • Provides a guide for securing Apache web servers with PHP installed, pertinent for PHP applications.
  • Securing Apache with PHP

• Introduction to Linux Permissions for Web Servers

  • Explores the fundamentals of Linux file and directory permissions in the context of a web server environment.
  • Linux Permissions for Web Servers

These resources will equip you with further knowledge to refine your approach toward securing PHP applications in a production environment.