Tuesday, May 25, 2010

Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)


Pre-installation notes
The guide below builds on the following previous guides:
Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)
Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)

Installation and configuration phase
1. Log in to the server using the root account.
2. Before compiling the PHP environment, install the following RPMs from the RHEL 5.4 (64-bit) DVD source folder:
rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
rpm -ivh glibc-headers-2.5-42.x86_64.rpm
rpm -ivh glibc-devel-2.5-42.x86_64.rpm
rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm
3. Download MySQL development RPM from:
http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
4. Download PHP 5.3.2 source files from:
http://php.net/downloads.php
5. Copy the MySQL development RPM into /tmp using PSCP (or SCP)
6. Copy the PHP 5.3.2 source files into /tmp using PSCP (or SCP)
7. Move to /tmp
cd /tmp
8. Install the MySQL development RPM:
rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
9. Remove MySQL development RPM:
rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
10. Extract the php-5.3.2.tar.gz file:
tar -zxvf php-5.3.2.tar.gz
11. Move to the PHP source folder:
cd /tmp/php-5.3.2
Run the commands below to compile the PHP environment:
./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib

make

make install
12. Edit the file /usr/local/apache2/conf/httpd.conf using vi.
Make sure the following line exists at the end of the LoadModule section:
LoadModule php5_module modules/libphp5.so
Add the following line to the end of the AddType section:
AddType application/x-httpd-php .php
Replace the line:
DirectoryIndex index.html
with:
DirectoryIndex index.php index.html index.htm
13. Copy the php.ini file:
cp /tmp/php-5.3.2/php.ini-development /etc/php.ini
14. Change the permissions on the php.ini file:
chmod 640 /etc/php.ini
15. Edit the file /etc/php.ini using vi and replace the following values:
From:
mysql.default_host =
To:
mysql.default_host = 127.0.0.1:3306

From:
allow_url_fopen = On
To:
allow_url_fopen = Off

From:
expose_php = On
To:
expose_php = Off

From:
memory_limit = 128M
To:
memory_limit = 8M

From:
;open_basedir =
To:
open_basedir = "/www"

From:
post_max_size = 8M
To:
post_max_size = 2M

From:
upload_max_filesize = 2M
To:
upload_max_filesize = 1M

From:
disable_functions =
To:
disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,shell_exec,chown,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups

From:
;include_path = ".:/php/includes"
To:
include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

From:
display_errors = On
To:
display_errors = Off

From:
display_startup_errors = On
To:
display_startup_errors = Off
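As an added example (not part of the original guide), the POSIX shell script below audits a php.ini file against the hardened values from step 15 and reports every setting still at its default. It reads the file the same way PHP does for these directives: lines starting with ";" are comments, and the last uncommented occurrence of a key wins. The sample php.ini it writes is constructed for the demonstration, and the function names (php_ini_get, audit_php_ini) are my own.

```shell
#!/bin/sh
# Audit a php.ini against the hardened values from step 15 of the guide.
# Added example, not the guide's own code.

# Expected key=value pairs taken from step 15. Quotes around values
# (e.g. open_basedir = "/www") are stripped before comparison.
EXPECTED='mysql.default_host=127.0.0.1:3306
allow_url_fopen=Off
expose_php=Off
memory_limit=8M
open_basedir=/www
post_max_size=2M
upload_max_filesize=1M
display_errors=Off
display_startup_errors=Off'

# php_ini_get FILE KEY
# Prints the effective value of KEY: ";"-commented lines are ignored and,
# as in PHP, the last uncommented occurrence wins. Prints nothing if the
# key is absent or only present in commented-out form.
php_ini_get() {
    file="$1"; key="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" \
        | tail -n 1 \
        | sed -e 's/^"\(.*\)"$/\1/' -e 's/[[:space:]]*$//'
}

# audit_php_ini FILE
# Prints one MISMATCH line per setting that differs from EXPECTED and
# returns the number of mismatches (0 means the file matches the guide).
# A here-document is used instead of a pipe so the counter survives the loop.
audit_php_ini() {
    file="$1"
    bad=0
    while IFS='=' read -r key want; do
        got=$(php_ini_get "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %-22s expected "%s", found "%s"\n' \
                "$key" "$want" "${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# Constructed sample php.ini: expose_php and display_errors are still at
# their defaults, the commented ";open_basedir" line must be ignored, and
# the quoted "/www" must compare equal to /www.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
[PHP]
; engine settings
expose_php = On
allow_url_fopen = Off
memory_limit = 8M
;open_basedir =
open_basedir = "/www"
post_max_size = 2M
upload_max_filesize = 1M
display_errors = On
display_startup_errors = Off
[MySQL]
mysql.default_host = 127.0.0.1:3306
EOF

# Demo run against the sample; on a real host pass /etc/php.ini instead.
audit_php_ini "$SAMPLE_INI" || echo "$? setting(s) differ from the hardening guide"
```

Running the script against /etc/php.ini after step 15 should print nothing and exit 0; any MISMATCH line names a directive that was missed or later overridden by a second definition further down the file.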

16. Run the commands below to restart the Apache service:
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start
17. Remove the PHP source and test files:
rm -rf /tmp/php-5.3.2
rm -f /tmp/php-5.3.2.tar.gz
rm -rf /usr/local/apache2/lib/php/test
rm -rf /usr/local/lib/php/test
18. Uninstall the following RPMs:
rpm -e libxml2-devel-2.6.26-2.1.2.8
rpm -e gcc-4.1.2-46.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-42
rpm -e glibc-headers-2.5-42
rpm -e kernel-headers-2.6.18-164.el5


2 Comments:

At May 28, 2010 at 3:47 PM , Blogger Ronpel said...

Nice work!
Thank you for sharing this.

 
At June 18, 2010 at 6:45 PM , Blogger Chris said...

very nice, thanks! Keep 'em coming.
