วิธีการตรวจสอบว่า PHP config ของเรานั้นปลอดภัยแค่ไหน

หลายครั้งที่ต้องทำ server จำพวก PHP แน่นอนว่า PHP มันใช้งานง่าย เขียนง่าย แต่สิ่งที่ง่ายพวกนี้มักจะทำให้เราเพลิดเพลินจนละเลยในด้านความปลอดภัยไป จะดีแค่ไหนถ้าหากเราป้องกันก่อนที่จะโดนเจาะระบบ ไปเจอเครื่องมือตัวนึงเข้าซึ่งมีชื่อว่า iniscanมันจะทำหน้าที่ตรวจสอบการตั้งค่าของไฟล์ php.ini ในเครื่องเราว่า ควรจะแก้ไขตรงไหน ควรตั้งค่าอย่างไร วิธีใช้นั้นก็แสนง่ายครับ

เริ่มแรกติดตั้ง composer ในเครื่องเราเสียก่อน (หากมีแล้วก็ข้ามขั้นตอนนี้ไปครับ)

[shell]
curl -sS https://getcomposer.org/installer | php
[/shell]

หลังจากนั้นทำการติดตั้ง iniscan ผ่านทาง composer ครับ

[shell]composer require psecio/iniscan[/shell]

เสร็จแล้วเรียกใช้งาน iniscan พร้อมกับที่เก็บไฟล์ php.ini ของเราครับ

[shell]
vendor/bin/iniscan scan –path=/etc/php5/fpm/php.ini
[/shell]

จะได้ผลลัพท์ดังต่อไปนี้

== Executing INI Scan [07.21.2015 13:42:15] ==

Results for /etc/php5/fpm/php.ini:
============
Status | Severity | PHP Version | Key                      | Description
----------------------------------------------------------------------
PASS   | ERROR    |             | session.use_cookies      | Accepts cookies to manage sessions
PASS   | ERROR    | 4.3.0       | session.use_only_cookies | Must use cookies to manage sessions, don't accept session-ids in a link
FAIL   | WARNING  |             | session.cookie_domain    | It is recommended that you set the default domain for cookies.
FAIL   | ERROR    | 5.2.0       | session.cookie_httponly  | Setting session cookies to 'http only' makes them only readable by the browser
PASS   | ERROR    | 4.3.0       | session.bug_compat_42    | An undocumented feature/bug that allows initialize of a session in the global scope even if register_globals is disabled for PHP up to 5.3.22
PASS   | WARNING  | 4.3.0       | session.bug_compat_warn  | Disable warnings for session.bug_compat_42
FAIL   | WARNING  |             | session.hash_function    | Weak hashing algorithms in use. Rather use one of these: adler32, crc32, crc32b, fnv132, fnv164, fnv1a32, fnv1a64, haval128,3, haval128,4, haval128,5, haval160,3, haval160,4, haval160,5, haval192,3, haval192,4, haval192,5, haval224,3, haval224,4, haval224,5, haval256,3, haval256,4, haval256,5, ripemd128, ripemd160,
ripemd256, ripemd320, sha224, sha256, sha384, sha512, tiger128,3, tiger128,4, tiger160,3, tiger160,4, tiger192,3, tiger192,4, whirlpool
PASS   | WARNING  |             | session.save_path        | Session save path should be set and writeable by only the web user
PASS   | ERROR    | 4.0.3       | session.use_trans_sid    | If used 'use_trans_sid' setting puts the session ID on the URL, making it easier to hijack
FAIL   | ERROR    | 4.0.4       | session.cookie_secure    | Cookie secure specifies whether cookies should only be sent over secure connections.
PASS   | WARNING  |             | session.entropy_file     | A file should be provided to help provide session entropy
FAIL   | WARNING  | 5.5.2       | session.use_strict_mode  | Strict mode prevents uninitialized session IDs in the built-in session handling.
FAIL   | ERROR    | 4.0.3       | allow_url_fopen          | Do not allow the opening of remote file resources ('Off' recommended)
PASS   | ERROR    | 5.2.0       | allow_url_include        | Do not allow the inclusion of remote file resources ('Off' recommended)
FAIL   | WARNING  |             | display_errors           | Don't show errors in production ('Off' recommended)
PASS   | WARNING  |             | log_errors               | Log errors in production ('On' recommended)
PASS   | WARNING  |             | expose_php               | Showing the PHP signature exposes additional information
PASS   | ERROR    |             | register_globals         | The register globals setting is dangerous and has been deprecated ('Off' recommended)
PASS   | ERROR    |             | magic_quotes_gpc         | Magic quotes automatically adds quotes to incoming data ('Off' recommended)
PASS   | ERROR    |             | magic_quotes_runtime     | Magic quotes should be disabled at runtime in addition to being off for incoming data
PASS   | WARNING  |             | post_max_size            | A too large value for the maximum post size could allow for DoS against your application
PASS   | ERROR    |             | safe_mode                | It's not actually 'safe' ('Off' recommended)
PASS   | WARNING  |             | register_long_arrays     | Registering long arrays turns on the HTTP_*_VARS (Recommended Off)
FAIL   | WARNING  |             | max_input_vars           | A maximum number of input variables should be defined to prevent performance issues
PASS   | WARNING  |             | display_startup_errors   | Showing startup errors could provide extra information to potential attackers
FAIL   | WARNING  |             | open_basedir             | Restricting PHP's access to the file system to a certain directory prevents file-based attacks in unauthorized areas.
PASS   | WARNING  |             | error_reporting          | Error reporting should be different based on context, off in production
PASS   | WARNING  |             | upload_max_filesize      | A maximum upload size should be defined to prevent server overload from large requests
PASS   | WARNING  |             | upload_max_filesize      | The max upload size should not be too high, to prevent server overload from large requests
PASS   | WARNING  |             | post_max_size            | A maximum post size should be defined to prevent server overload from large requests
PASS   | WARNING  |             | post_max_size            | The max upload size should not be too high, to prevent server overload from large requests
PASS   | WARNING  |             | memory_limit             | A memory limit should be defined to prevent server overload from large processes
FAIL   | WARNING  |             | memory_limit             | The standard memory limit should not be too high, if you need more memory for a single script you can adjust that during runtime using ini_set()
PASS   | WARNING  |             | asp_tags                 | Old versions of PHP allowed for ASP-style tags (<% %>) instead of <?php. This should be disabled.
PASS   | WARNING  |             | xdebug.default_enable    | Xdebug should be disabled in production
PASS   | WARNING  |             | xdebug.remote_enable     | Xdebug should not be trying to contact debug clients
FAIL   | WARNING  |             | disable_functions        | Methods still enabled - exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec
PASS   | WARNING  |             | soap.wsdl_cache_dir      | Checks to see if the SOAP WSDL cache directory is inside open_basedir for PHP before 5.3.22 and 5.4.x before 5.4.13
PASS   | WARNING  |             | upload_tmp_dir           | Checks to see if the upload_tmp_dir is inside the open_basedir folder

28 passing
3 failure(s) and 8 warnings

 

หลังจากนั้นก็ทำการแก้ไขไฟล์ php.ini ตามที่มันแนะนำครับ 🙂

อ่านเพิ่มเติม https://github.com/psecio/iniscan

0
ball Written by:

Teerapat Khunpech Live, Tech, Beers, Bike, Cafe Racer, Docker, Devops, Eco-System