How to secure your server from PHP shells!

[Skream Example]

Adding these things in ur php.ini file, protect your server from execution of shells.

disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abord, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc?_open,
ini_alter,dl,popen,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error?,
socket_close,socket_connect
safe_mode = On
register_globals = Off
display_errors = Off
allow_url_fopen = Off
allow_url_include = Off
enable open_basedir(set it to webroot path)

[The Dev!L]

that will not make any difrence

you can bypass this thing by this code

<?php

print file_get_contents("/etc/passwd");

?>

[The Dev!L]

that will not make any difrence

you can bypass this thing by this code

<?php
print file_get_contents("/etc/passwd");
?>

[Cheater]

you can configure your server with jailkit: Jailkit - chroot jail utilities

[pyth0n3]

The first step

Chroot the server

After that He can only see and interact with his own mini-environment

About chroot environment

A malicious client visits user X's site and uploads files and executes them, he is running as user X, and he may be able to damage user X's files

User Y will still be save

safe_mode = On

PHP scripts are able to access files only when their owner is the owner of the PHP scripts

Effectively counteracts unauthorized attempts to access system files

For example /etc/passwd

allow_url_include = Off

It is turned off by default under php5

safe_mode_gid = Off

When safe_mode is turned on and safe_mode_gid is turned off, PHP scripts are able to access files not only when UIDs are the same, but also when the group of the owner of the PHP script is the same as the group of the owner of the file

open_basedir = directory[:...]

When the open_basedir parameter is enabled, PHP will be able to access only those files, which are placed in the specified directories (and subdirectories).

expose_php = Off it is important ,PHP will not disclose information about itself in HTTP headers

register_globals = Off It is turned off from php4 by default

If register-global is turned on, the (Environment, GET, POST, Cookie and Server) variables are automatically registered as global variables

display_errors = Off

errors, warnings are not being displayed

Final note:

Using an IDS system

Even if you try to make 2 or 3 queries of SQLI or maybe to upload a file the admin will get an email in real time

Your ip will be automatically blocked

[Cheater]

Here is a part of my apache config, it's optimized for security and speed:

SuexecUserGroup "#1011" "#1008" // Activate SUEXEC
ServerName dns.tld
ServerAlias www.dns.tld
ServerAlias webmail.dns.tld
ServerAlias admin.dns.tld
DocumentRoot /home/dns/public_html
ErrorLog /var/log/virtualmin/dns.tld_error_log
CustomLog /var/log/virtualmin/dns.tld_access_log combined
ScriptAlias /cgi-bin/ /home/dns.tld/cgi-bin/
ScriptAlias /awstats/ /home/dns.tld/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/dns/public_html>
<IfModule mod_security.c>
    php_flag SecFilterEngine On
    php_flag SecFilterScanPOST On
</IfModule>
<IfModule mod_php4.c> //rules for php4, if you don't want to add them to php.ini
php_admin_flag safe_mode On
php_admin_flag expose_php Off
php_admin_flag Enable_dl Off
php_admin_flag magic_quotes On
php_admin_flag register_globals off
php_flag display_startup_errors on
php_flag display_errors on
php_flag html_errors on
php_value docref_root 1008
php_value docref_ext 1008
php_flag magic_quotes_gpc On
php_flag allow_url_include Off
php_admin_flag short_open_tag On
    php_flag register_globals Off
    php_value default_charset utf-8
 php_value zlib.output_compression 16386
</IfModule>
<IfModule mod_php5.c>  //rules for php5, if you don't want to add them to php.ini
php_admin_flag safe_mode On
php_admin_flag expose_php Off
php_admin_flag Enable_dl Off
php_admin_flag magic_quotes On
php_admin_flag register_globals off
php_flag display_startup_errors on
php_flag display_errors on
php_flag html_errors on
php_value docref_root 1008
php_value docref_ext 1008
php_flag magic_quotes_gpc On
php_flag allow_url_include Off
php_admin_flag short_open_tag On
    php_flag allow_url_include Off
    php_flag register_globals Off
    php_value default_charset utf-8
 php_value zlib.output_compression 16386 //for compresion
</IfModule>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
<IfModule mod_expires.c>
    php_flag suhosin.session.cryptua on //  mod_security

    php_flag zend.ze1_compatibility_mode On
############################################
## Add default Expires header
## http://developer.yahoo.com/performance/rules.html#expires

    ExpiresDefault "access plus 1 year"

</IfModule>
SetEnv TZ Europe/Bucharest //if the server have diferent time zone, add your time 
//zone to correct the clock
SetEnv SERVER_ADMIN office@dns.tld
ServerSignature Off //hide informations about server
<FilesMatch "\.(htm|html|css|js|php)$">
   AddDefaultCharset UTF-8
   DefaultLanguage ro
</FilesMatch>

<ifModule mod_gzip.c> //compress files in order to speed up page loading
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
<ifModule mod_expires.c> //adjust expority in order to speed up page loading
    ExpiresActive On
    ExpiresDefault "access plus 1 seconds"
    ExpiresByType text/html "access plus 1 seconds"
    ExpiresByType image/gif "access plus 2592000 seconds"
    ExpiresByType image/jpeg "access plus 2592000 seconds"
    ExpiresByType image/png "access plus 2592000 seconds"
    ExpiresByType text/css "access plus 604800 seconds"
    ExpiresByType text/javascript "access plus 216000 seconds"
    ExpiresByType application/x-javascript "access plus 216000 seconds"
</ifModule>
<ifModule mod_headers.c> //adjust expority in order to speed up page loading
    <filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf)$">
 Header set Cache-Control "max-age=2592000, public"
    </filesMatch>
    <filesMatch "\\.(css)$">
 Header set Cache-Control "max-age=604800, public"
    </filesMatch>
    <filesMatch "\\.(js)$">
 Header set Cache-Control "max-age=216000, private"
    </filesMatch>
    <filesMatch "\\.(xml|txt)$">
 Header set Cache-Control "max-age=216000, public, must-revalidate"
    </filesMatch>
    <filesMatch "\\.(html|htm|php)$">
 Header set Cache-Control "max-age=1, private, must-revalidate"
    </filesMatch>
</ifModule>

//very important!!!! restrict open_basedir and include_path

php_admin_value open_basedir .:/home/dns/:/home/dns/public_html/:/usr/share/php:/usr/share/pear:/home/dns/public_html/includes/libs/
php_admin_value include_path .:/home/dns/:/home/dns/public_html/:/usr/share/php:/usr/share/pear:/home/dns/public_html/includes/libs/
Options -Indexes +IncludesNOEXEC +FollowSymLinks -MultiViews
allow from all
AllowOverride All
AddType application/x-httpd-ruby .rb
AddType application/x-httpd-ruby .rbx
Action application/x-httpd-ruby /cgi-bin/ruby.cgi
</Directory>
<Directory /home/dns/cgi-bin>
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.dns.tld
RewriteRule ^(.*) https://dns.tld:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.dns.tld
RewriteRule ^(.*) https://dns.tld:10222/ [R]
RLimitNPROC 10 10 
RLimitCPU 180 180 //limit cpu
RLimitMEM 2097152 2097152 //limit memory
<Files awstats.pl>
AuthName "dns.tld statistics"
AuthType Basic
AuthUserFile /home/dns.tld/.awstats-htpasswd
require valid-user
</Files>

[pyth0n3]

Using some modules like mod_evasive ,

mod_security will also increase the security

Note:

In mod_security you can customize the rules or write new rules

Read documentation , it also provide a web based admin panel

It was developed by OWASP WeBekci Project

Note:

Having the safe_mode set to ON in php configuration file will not permit to open the panel page in webekci

Note:

After installation don't forget to change the default htpasswd credentials “webekci” and password “1234", you can also raname the default directory "webekci/"

Example of htaccess with limit set

AuthType Basic

<Limit GET POST> - This will set limits on GET's and POST's.

require valid-user .

</Limit>

An IDS-IPS system will provide real time prevention , logging analysis and mail notification

Will also block the remote ip address based on rules using iptables or pf packet filter

Edited March 22, 2011 by pyth0n3