PHP环境安全性能检查

PHP在Linux环境下的安全配置是一个复杂的过程，其中涉及很多细节设置。这里发布一个脚本，用它检测你的PHP环境是否存在安全隐患，从而有针对性地对PHP环境进行加固。功能：1. 检测PHP环境安全配置；2. 应禁用的函数；3. 可能导致本地或远程文件包含的危险设置；4. 错误处理；5. 编译时定义的常量。安装PHP环境后，将 audit.php、php.xml、style.css 三个文件放在网站web目录下，用浏览器访问 audit.php。它会依据 php.xml 中的匹配规则检查当前配置（通过 ini_get() 和 get_defined_constants() 读取的是当前请求生效的值），把可能存在问题的选项以红色突出显示。规则可以根据你的要求修改。注意：这个页面会像 phpinfo() 一样向访问者暴露PHP配置细节（禁用函数列表、open_basedir、session 保存路径、错误日志位置等），检查完成后务必删除这三个文件或限制其访问，不要长期留在web目录中。效果如下。audit.php 代码如下：?php/** * PHP Security Auditor */class Audit { static private $rules;static private $constants;static private $phpVer; static public $report; /*** Converts settings such as 1M 1G 1K to their byte equivilent values** param string $n* return string*/static private function convertToBytes($n) { // If n is -1 then there is no limit if ($n -1) return PHP_INT_MAX; switch (substr($n, -1)) { case B: return substr($n,0,-1); case K: return substr($n,0,-1) * 1024; case M: return substr($n,0,-1) * 1024 * 1024; case G: return substr($n,0,-1) * 1024 * 1024 * 1024; } return $n; } static private function MakeReport($type, $title) { ksort(self::$report[$type]); $html h1 . $title . /h1tabletr classhthSetting/ththCurrent/ththRecomended/ththDescription/th/tr; foreach(self::$report[$type] as $key $values) { if ($values[p] 1) $classr; else $classv; $html . trtd classe . htmlentities($key) . /td .td class. $class . . htmlentities($values[c]) . /td .td class. $class . . htmlentities($values[r]) . /td .td class. $class . . htmlentities($values[d]) . /td/tr; } $html . /table; return $html;} static public function HTMLReport() { $class ; $html !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN DTD/xhtml1-transitional.dtd .htmlhead . link relstylesheet typetext/css mediaall hrefstyle.css/ . /headbody; $html . self::MakeReport(ini, PHP INI); $html . self::MakeReport(disabled, PHP Disabled Functions); $html . self::MakeReport(const, PHP CONST); $html . /html; echo($html . 
\n);} /** * Adds an item to the reporting array. * * param string $type - the type (ini or const) * param string $key - the name of the variable * param string $currentValue - the current ini or const value * param string $recomended - the recomended value * param string $desc - a description of the issue * param boolean $problem - true if not complaint, false if compliant */static private function Report($type, $key, $currentValue, $recomended, $desc, $problem){if (isset(self::$report[$type][$key]))if ((self::$report[$type][$key][r] $recomended) (self::$report[$type][$key[p]] 1))return; self::$report[$type][$key] array(c $currentValue,r $recomended,d $desc,p $problem);} /*** Loads the rules from an XML file** param string $file*/static public function LoadRules($file php.xml){ if (!defined(PHP_VERSION_ID)){$version explode(., PHP_VERSION);self::$phpVer ($version[0] * 10000 $version[1] * 100 $version[2]);} elseself::$phpVer PHP_VERSION_ID; self::$constants get_defined_constants();self::$rules simplexml_load_file($file);} /*** Processes the XML ruleset against const and ini values found in PHP**/static public function ProcessXML() { foreach(self::$rules as $null $entry) {$ruleID $entry-attributes()-id; // Check the version of PHP the rule applies to $version (string)$entry-version; if ($version ! ) { $op (string)$entry-version-attributes()-op; switch ($op) {case before:if ($version self::$phpVer)continue 2;break;}} // Evaluate the rule as we are sure it applys to the version of PHP running switch((string)$entry-type){// Look at CONST values in PHPcase const: $key (string)$entry-key; // e.g LIBXML_NOENT$cValue self::$constants[$key]; // The current value$rValue (string)$entry-value; // The recomended value$desc (string)$entry-description; // Description switch((string)$entry-value-attributes()-op){case eq:self::Report(const, $key, $cValue, $rValue, $desc, ($cValue $rValue) ? 
0 : 1);break;} break; // Check the list of functions that should be restricted case disable_functions: $disabled ini_get(disable_functions);$list explode(,, $disabled); $xmlList (array)($entry-list);$xmlList $xmlList[function]; foreach($xmlList as $null $function) {$de array_search($function, $list);self::Report(disabled, $function, (($de 0) ? enabled : disabled), disabled, , (($de 0) ? 1 : 0));} break; // Look at values defined within the INI files case ini: $key (string)$entry-key; // e.g. display_errors$cValue trim(self::convertToBytes(ini_get($key))); // Current value$rValue (string)$entry-value; // Recomended value$desc (string)$entry-description; // Description if (is_numeric($rValue) $cValue ) $cValue 0; // Deals with where one value should be compared to another if ((string)$entry-value-attributes()-type key)$rValue self::convertToBytes(ini_get((string)$entry-value)); switch((string)$entry-value-attributes()-op){// Equal tocase eq:self::Report(ini, $key, $cValue, $rValue, $desc, ($cValue $rValue) ? 0 : 1);break; // Less than or equal tocase lt:self::Report(ini, $key, $cValue, $rValue, $desc, ($cValue $rValue) ? 0 : 1);break; // Greater than or equal tocase gt:self::Report(ini, $key, $cValue, $rValue, $desc, ($cValue $rValue) ? 0 : 1);break; // Not equal tocase ne:$neValue (string)$entry-value-attributes()-net;$notBlank (string)$entry-value-attributes()-notblank; if ($notBlank true) {self::Report(ini, $key, $cValue, $rValue, $desc, ($cValue ! ) ? 0 : 1);break;} self::Report(ini, $key, $cValue, $rValue, $desc, ($cValue ! $neValue) ? 0 : 1);break; } break;} } } } Audit::LoadRules();Audit::ProcessXML();Audit::HTMLReport(); 使用上面的脚本前有几点需要留意：Report() 里的去重判断写成了 self::$report[$type][$key[p]]，下标 p 用在了字符串 $key 上而不是报告数组上，应为 self::$report[$type][$key][p]，否则同一项的重复规则不会按预期合并；ProcessXML() 的版本判断只处理了 op 为 before 的情况，php.xml 里 op 为 after 的规则（id 8、9、31）会在所有PHP版本上执行；disable_functions 的检查是把 ini_get('disable_functions') 按逗号拆开后直接 array_search，如果 php.ini 中函数名之间带有空格（如 exec, system），这些函数会被误报为未禁用，建议对每一项 trim() 后再比较；const 类型的规则比较的是 LIBXML_NOENT、LIBXML_NONET 这两个常量本身的数值，而不是解析XML时是否传入了这些标志，外部实体是否被禁用只能在调用 simplexml_load_*、DOMDocument 的代码处逐一确认。另外，memory_limit 不超过16M、max_execution_time 不超过20秒、file_uploads 关闭、allow_url_fopen 关闭等建议值会影响不少应用的正常运行，红色项应当作为需要逐项评估的候选，而不是必须照搬的结论。php.xml 代码如下（规则集中 id 20、29、32 各出现了两次；函数列表里的 fsocket_open、fpaththru 应为 fsockopen、fpassthru，exec、passthru、proc_open、proc_close、set_time_limit 重复出现；magic_quotes_*、safe_mode、register_globals、register_long_arrays、always_populate_raw_post_data、session.hash_function、session.entropy_* 等选项在 PHP 5.4/7.0/7.1 中已陆续移除，对应规则在新版本上没有意义）：?xml version1.0 encodingUTF-8?rulesentry id1typeini/typekeyupload_max_filesize/keyvalue oplt4194304/valuedescriptionSets the maximum size of an uploaded file. 
Reduce this to mitigate the risk of DOS attacks./description/entryentry id29typeini/typekeyupload_max_filesize/keyvalue oplt typekeymemory_limit/valuedescriptionThe maximum size of an uploaded file should be able to fit within the avaliable memory limit./description/entryentry id30typeini/typekeypost_max_size/keyvalue oplt typekeymemory_limit/valuedescriptionThe maximum post size of data posted to the server should be within the avaliable memory limit./description/entryentry id32typeini/typekeyalways_populate_raw_post_data/keyvalue opeq0/valuedescriptionThis does not need to be used. The preferred method for accessing the raw POST data is php://input./description/entryentry id33typeini/typekeymagic_quotes_gpc/keyvalue opeq0/valuedescriptionSets magic_quotes state for GPC (GET PUT COOKIE) data. Relying on this feature is highly discouraged./descriptionversion opbefore50300/versionurlhttp://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc/url/entryentry id34typeini/typekeymagic_quotes_runtime/keyvalue opeq0/valuedescriptionSets magic_quotes state for data from external sources. Relying on this feature is highly discouraged./descriptionversion opbefore50300/versionurlhttp://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime/url/entryentry id35typeini/typekeysafe_mode/keyvalue opeq0/valuedescriptionThis feature has been DEPRECATED as of PHP 5.3.0. 
Relying on this feature is highly discouraged./descriptionversion opbefore50300/version/entryentry id36typeini/typekeymemory_limit/keyvalue oplt16777216/valuedescriptionThe maximum memory limit for each script should be 16M or less./description/entryentry id5typeini/typekeyupload_max_filesize/keyvalue oplt typekeypost_max_size/valuedescriptionThe maximum upload file size should be less than or equal to the maximum post size./description/entryentry id2typeini/typekeymax_file_uploads/keyvalue oplt10/valuedescriptionThe maximum mumber of files that can be uploaded in 1 go./description/entryentry id3typeini/typekeyfile_uploads/keyvalue opeq0/valuedescriptionThis may be impractical but if not needed file uploading should be disabled./description/entryentry id4typeini/typekeypost_max_size/keyvalue oplt4194304/valuedescriptionThe maximum post size should as small as reasonably possible to mitigate the risk of DOS attacks./description/entryentry id6typeini/typekeyregister_long_arrays/keyvalue opeq0/valuedescriptionPopulates HTTP_*_VARS which should no longer be used./descriptionversion opbefore50300/version/entryentry id7typeini/typekeyregister_globals/keyvalue opeq0/valuedescriptionHighly dangerous feature enabling variables to be defined in scripts from the GPC paramaters. 
This should be always be turned off./descriptionversion opbefore50300/version/entryentry id8typeini/typekeysession.hash_function/keyvalue opeq1/valuedescriptionMD5 should be replaced with SHA-160 as it is a more complex and secure hashing algorithm./descriptionversion opafter50000/version/entryentry id9typeini/typekeysession.hash_bits_per_character/keyvalue opgt5/valuedescriptionThe number of bits encoded per character of the session key./descriptionversion opafter50000/version/entryentry id10typeini/typekeysession.entropy_file/keyvalue opne net/dev/random/valuedescriptionProvides a random seed for generating the session./description/entryentry id11typeini/typekeysession.entropy_length/keyvalue opgt32/valuedescriptionThe number of bytes to read for gathering entropy for session generation./description/entryentry id12typeini/typekeysession.name/keyvalue opne netPHPSESSIDCustom String/valuedescriptionThe name given to the PHP Session. It is recomended this be changed from the default./description/entryentry id14typeini/typekeysession.save_path/keyvalue opne net/tmp notblanktrue/custom/location/valuedescriptionThe save path for the session should be changed from the default /tmp./description/entryentry id15typeini/typekeysession.use_trans_sid/keyvalue opeq0/valuedescriptionSessions should not be allowed in GET paramaters./description/entryentry id18typeini/typekeydisplay_errors/keyvalue opeq0/valuedescriptionError messages should be suppressed/description/entryentry id19typeini/typekeyallow_url_fopen/keyvalue opeq0/valuedescriptionRemote files should not be accessable using fopen./description/entryentry id20typeini/typekeyallow_url_include/keyvalue opeq0/valuedescriptionYou should not be able to include remote scripts using include./description/entryentry id31typeini/typekeysession.cookie_httponly/keyvalue opeq1/valuedescriptionCookies must be httponly by default/descriptionversion opafter50200/version/entryentry id20typeini/typekeyopen_basedir/keyvalue opne net/ 
notblanktrue/the/webroot/valuedescriptionLimit the files that can be opened by PHP to the webroot./description/entryentry id32typeini/typekeyupload_tmp_dir/keyvalue opne net/tmp notblanktrue/custom/location/valuedescriptionChange the location of where files are initally uploaded to/description/entryentry id21typeini/typekeymax_execution_time/keyvalue oplt20/valuedescriptionExecution time should be limited to 20 seconds or less./description/entryentry id22typeini/typekeymax_input_nesting_level/keyvalue oplt32/valuedescriptionMaximum level of nesting of objects 32 is sufficent./description/entryentry id23typeini/typekeyenable_dl/keyvalue opeq0/valuedescriptionDisable loading of dynamic extensions./description/entryentry id24typeini/typekeydisplay_startup_errors/keyvalue opeq0/valuedescriptionStartup errors should be suppressed./description/entryentry id25typeini/typekeylog_errors/keyvalue opeq1/valuedescriptionAll errors generated by PHP should be logged to a file./description/entryentry id26typeini/typekeylog_errors_max_len/keyvalue opgt2048/valuedescriptionAt least 2048 characters of the error message should be stored in the error log./description/entryentry id27typeini/typekeyerror_log/keyvalue opne net/custom/location/valuedescriptionShould be set to the location of the php error log./description/entryentry id28typeconst/typekeyLIBXML_NOENT/keyvalue opeq0/valuedescriptionExternal entities should be disabled for XML parsing/description/entryentry id37typeini/typekeysession.use_only_cookies/keyvalue opeq1/valuedescriptionSession variables should only be passed in cookies./description/entryentry id29typeconst/typekeyLIBXML_NONET/keyvalue opeq0/valuedescriptionNetwork access for XML parsers should be disabled./description/entryentry 
id38typedisable_functions/typelistfunctionfsocket_open/functionfunctionpack/functionfunctionescapeshellarg/functionfunctionescapeshellcmd/functionfunctionexec/functionfunctionpassthru/functionfunctionproc_close/functionfunctionphp_uname/functionfunctiongetmyuid/functionfunctiongetmypid/functionfunctionpassthru/functionfunctionleak/functionfunctionlisten/functionfunctiondiskfreespace/functionfunctiontmpfile/functionfunctionlink/functionfunctionignore_user_abort/functionfunctionset_time_limit/functionfunctionlimit/functionfunctionexec/functionfunctionhighlight_file/functionfunctionshow_source/functionfunctionfpaththru/functionfunctionvirtual/functionfunctionposix_ctermid/functionfunctionposix_getcwd/functionfunctionposix_getegid/functionfunctionposix_geteuid/functionfunctionposix_getgid/functionfunctionposix_getgrgid/functionfunctionposix_getgrnam/functionfunctionposix_getgroups/functionfunctionposix_getlogin/functionfunctionposix_getpgid/functionfunctionposix_getpgrp/functionfunctionposix_getpid/functionfunctionposix/functionfunctionposix_getpwnam/functionfunctionposix_getpwuid/functionfunctionposix_getrlimit/functionfunctionposix_getsid/functionfunctionposix_getuid/functionfunctionposix_isatty/functionfunctionposix_kill/functionfunctionposix_mkfifo/functionfunctionposix_setegid/functionfunctionposix_seteuid/functionfunctionposix_setgid/functionfunctionposix_setpgid/functionfunctionposix_setsid/functionfunctionposix_setuid/functionfunctionposix_times/functionfunctionposix_ttyname/functionfunctionposix_uname/functionfunctionproc_open/functionfunctionproc_close/functionfunctionproc_get_status/functionfunctionproc_nice/functionfunctionproc_terminate/functionfunctionphpinfo/functionfunctionproc_open/functionfunctionshell_exec/functionfunctionsystem/functionfunctionset_time_limit/functionfunctionini_alter/functionfunctiondl/functionfunctionpopen/functionfunctionparse_ini_file/function/list/entry/rules style.css代码如下 CHARSET UTF-8; body { color: #000000;}body, td, th, h1, 
h2 {font-family: sans-serif;}pre {margin: 0px; font-family: monospace;}table {border-collapse: collapse;}td, th { border: 1px solid #000000; font-size: 75%; vertical-align: baseline; padding-left:5px; padding-right:5px;}h1 {font-size: 150%;}h2 {font-size: 125%;}.p {text-align: left;}.e { font-weight: bold; color: #000000;}.h {background-color: #9999cc; font-weight: bold; color: #000000;}.v { color: #000000; padding-left:5px;}.r {background-color: #c50000; color: #000000; padding-left:5px;} 三个文件已打包为 php-security-check.zip，转自 http://lanlan611.sinaapp.com/?p=112 。下载的压缩包请先核对内容与上文代码一致再部署，检查完成后记得从web目录中删除。转载请标明文章来源：《https://www.centos.bz/2012/03/php-security-check/》。转载于：https://www.cnblogs.com/L-H-R-X-hehe/p/3955084.html