I often have to set up PHP servers. PHP is easy to use and easy to write, but that very ease tends to make us so comfortable that we neglect security. Wouldn't it be better to protect the system before it gets compromised? I came across a tool called iniscan. It checks the settings in the php.ini file on our machine and tells us what should be changed and how each option should be set. Using it is very easy.
First, install composer on the machine (skip this step if you already have it).
[shell]
curl -sS https://getcomposer.org/installer | php
[/shell]
Then install iniscan through composer.
[shell]
composer require psecio/iniscan
[/shell]
Once that is done, run iniscan and point it at the location of your php.ini file.
[shell]
vendor/bin/iniscan scan --path=/etc/php5/fpm/php.ini
[/shell]
You will get output like the following:
[shell]
== Executing INI Scan [07.21.2015 13:42:15] ==
Results for /etc/php5/fpm/php.ini:
============
Status | Severity | PHP Version | Key | Description
----------------------------------------------------------------------
PASS | ERROR | | session.use_cookies | Accepts cookies to manage sessions
PASS | ERROR | 4.3.0 | session.use_only_cookies | Must use cookies to manage sessions, don't accept session-ids in a link
FAIL | WARNING | | session.cookie_domain | It is recommended that you set the default domain for cookies.
FAIL | ERROR | 5.2.0 | session.cookie_httponly | Setting session cookies to 'http only' makes them only readable by the browser
PASS | ERROR | 4.3.0 | session.bug_compat_42 | An undocumented feature/bug that allows initialize of a session in the global scope even if register_globals is disabled for PHP up to 5.3.22
PASS | WARNING | 4.3.0 | session.bug_compat_warn | Disable warnings for session.bug_compat_42
FAIL | WARNING | | session.hash_function | Weak hashing algorithms in use. Rather use one of these: adler32, crc32, crc32b, fnv132, fnv164, fnv1a32, fnv1a64, haval128,3, haval128,4, haval128,5, haval160,3, haval160,4, haval160,5, haval192,3, haval192,4, haval192,5, haval224,3, haval224,4, haval224,5, haval256,3, haval256,4, haval256,5, ripemd128, ripemd160, ripemd256, ripemd320, sha224, sha256, sha384, sha512, tiger128,3, tiger128,4, tiger160,3, tiger160,4, tiger192,3, tiger192,4, whirlpool
PASS | WARNING | | session.save_path | Session save path should be set and writeable by only the web user
PASS | ERROR | 4.0.3 | session.use_trans_sid | If used 'use_trans_sid' setting puts the session ID on the URL, making it easier to hijack
FAIL | ERROR | 4.0.4 | session.cookie_secure | Cookie secure specifies whether cookies should only be sent over secure connections.
PASS | WARNING | | session.entropy_file | A file should be provided to help provide session entropy
FAIL | WARNING | 5.5.2 | session.use_strict_mode | Strict mode prevents uninitialized session IDs in the built-in session handling.
FAIL | ERROR | 4.0.3 | allow_url_fopen | Do not allow the opening of remote file resources ('Off' recommended)
PASS | ERROR | 5.2.0 | allow_url_include | Do not allow the inclusion of remote file resources ('Off' recommended)
FAIL | WARNING | | display_errors | Don't show errors in production ('Off' recommended)
PASS | WARNING | | log_errors | Log errors in production ('On' recommended)
PASS | WARNING | | expose_php | Showing the PHP signature exposes additional information
PASS | ERROR | | register_globals | The register globals setting is dangerous and has been deprecated ('Off' recommended)
PASS | ERROR | | magic_quotes_gpc | Magic quotes automatically adds quotes to incoming data ('Off' recommended)
PASS | ERROR | | magic_quotes_runtime | Magic quotes should be disabled at runtime in addition to being off for incoming data
PASS | WARNING | | post_max_size | A too large value for the maximum post size could allow for DoS against your application
PASS | ERROR | | safe_mode | It's not actually 'safe' ('Off' recommended)
PASS | WARNING | | register_long_arrays | Registering long arrays turns on the HTTP_*_VARS (Recommended Off)
FAIL | WARNING | | max_input_vars | A maximum number of input variables should be defined to prevent performance issues
PASS | WARNING | | display_startup_errors | Showing startup errors could provide extra information to potential attackers
FAIL | WARNING | | open_basedir | Restricting PHP's access to the file system to a certain directory prevents file-based attacks in unauthorized areas.
PASS | WARNING | | error_reporting | Error reporting should be different based on context, off in production
PASS | WARNING | | upload_max_filesize | A maximum upload size should be defined to prevent server overload from large requests
PASS | WARNING | | upload_max_filesize | The max upload size should not be too high, to prevent server overload from large requests
PASS | WARNING | | post_max_size | A maximum post size should be defined to prevent server overload from large requests
PASS | WARNING | | post_max_size | The max upload size should not be too high, to prevent server overload from large requests
PASS | WARNING | | memory_limit | A memory limit should be defined to prevent server overload from large processes
FAIL | WARNING | | memory_limit | The standard memory limit should not be too high, if you need more memory for a single script you can adjust that during runtime using ini_set()
PASS | WARNING | | asp_tags | Old versions of PHP allowed for ASP-style tags (<% %>) instead of <?php. This should be disabled.
PASS | WARNING | | xdebug.default_enable | Xdebug should be disabled in production
PASS | WARNING | | xdebug.remote_enable | Xdebug should not be trying to contact debug clients
FAIL | WARNING | | disable_functions | Methods still enabled - exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec
PASS | WARNING | | soap.wsdl_cache_dir | Checks to see if the SOAP WSDL cache directory is inside open_basedir for PHP before 5.3.22 and 5.4.x before 5.4.13
PASS | WARNING | | upload_tmp_dir | Checks to see if the upload_tmp_dir is inside the open_basedir folder

28 passing
3 failure(s) and 8 warnings
[/shell]
After that, edit php.ini according to its recommendations 🙂
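As an added example (not part of the original post or of iniscan itself), here is a php.ini fragment that turns every FAIL row from the scan above into the recommended value; the domain and open_basedir paths are assumptions for a typical Debian PHP-FPM layout, and session.hash_function only exists on PHP 5.x (it was removed in PHP 7.1).

```ini
[PHP]
; --- Session cookies (3 ERROR-level FAILs in the scan) ---
; Before: session.cookie_httponly = 0  -> script on the page could read the session cookie
session.cookie_httponly = 1
; Before: session.cookie_secure = 0    -> cookie also sent over plain HTTP
session.cookie_secure = 1
; Before: session.cookie_domain =      -> assumption: set it to your own host name
session.cookie_domain = www.example.com
; Reject session IDs that the server never issued
session.use_strict_mode = 1
; Before: session.hash_function = 0 (MD5); pick one from iniscan's list (PHP 5.x only)
session.hash_function = sha256

; --- Remote file access ---
; Before: allow_url_fopen = On -> file_get_contents() etc. could fetch remote URLs
allow_url_fopen = Off
allow_url_include = Off

; --- Error handling in production ---
; Before: display_errors = On -> stack traces and paths shown to visitors
display_errors = Off
display_startup_errors = Off
log_errors = On

; --- Resource limits ---
; Before: max_input_vars not set; before: memory_limit = -1 (unlimited)
max_input_vars = 1000
memory_limit = 128M

; --- File-system confinement (assumption: document root and a scratch dir) ---
; Before: open_basedir not set -> PHP could read anywhere the web user can
open_basedir = /var/www/html:/tmp
upload_tmp_dir = /tmp

; --- Process execution (the eight functions iniscan reported as still enabled) ---
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec
```

Reload PHP-FPM after saving and run the same `vendor/bin/iniscan scan --path=...` command again; the FAIL rows above should now read PASS.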
Read more: https://github.com/psecio/iniscan