How to Harden PHP in WHM/cPanel Servers

PHP exploits are responsible for the vast majority of compromised servers.

Overview

This document lists several methods that you can use to harden your PHP configuration.

Local file inclusion attacks

Local file inclusion attacks occur when an attacker pulls local files into PHP scripts in order to view sensitive information on or about your system. For example, an attacker may use a local file inclusion vulnerability in a PHP script to view the /etc/passwd file. This would allow an attacker to discover basic information about all of your web server's accounts.

To limit the impact of local file inclusion vulnerabilities in PHP scripts, enable the open_basedir feature in WHM's PHP open_basedir Tweak interface (Home >> Security Center >> PHP open_basedir Tweak). This feature limits an attacker's access to a single directory via local includes and makes local file inclusion attacks more difficult.
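The following is an added example, not code from the original article, showing the include pattern that local file inclusion exploits beside an allowlisted version, with open_basedir as the server-side backstop. The pages/ directory, the page names and the function names are assumptions of this example.

```php
<?php
// Added example (not from the original article): an include pattern that
// local file inclusion exploits, beside an allowlisted version, with
// open_basedir as the server-side backstop. The pages/ directory and the
// page names are assumptions of this example.
declare(strict_types=1);

// VULNERABLE: the request value becomes part of the include path unchanged,
// so a traversal value selects files outside pages/ that the PHP process can
// read (and, with allow_url_include=On, a remote URL as well).
function render_page_unsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page;
}

// HARDENED: the request value is only a key into a fixed map; a value that is
// not a key never reaches include(), so there is no path to traverse.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $page): ?string
{
    return PAGE_MAP[$page] ?? null;
}

function render_page_safe(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Defence in depth: with open_basedir set, include() of a path outside the
// listed directories fails with a warning even if a script is still written
// like render_page_unsafe(). Report the effective value so it can be confirmed.
function open_basedir_status(): string
{
    $dirs = (string) ini_get('open_basedir');
    return $dirs === '' ? 'open_basedir is NOT set' : 'open_basedir = ' . $dirs;
}

error_log(open_basedir_status());
render_page_safe($_GET['page'] ?? 'home');
```

The allowlist is the application-level fix; open_basedir limits the damage when a script somewhere on the account still uses the unsafe pattern, which is why the article recommends enabling it server-wide.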

Remote file inclusion attacks

Remote file inclusion attacks occur when an attacker pulls files from a remote location onto your server. When you use remote includes, an attacker can write a PHP script and host it on a server, and then use a remote inclusion method to take advantage of inclusion vulnerabilities on your server. If your PHP configuration is insecure, attackers can execute the malicious code from their servers, even without read or write permissions on your server.

To prevent remote file inclusion attacks, set the allow_url_fopen and allow_url_include parameters to Off in the Advanced Mode section of WHM's PHP Configuration Editor interface (Home >> Service Configuration >> PHP Configuration Editor).

Note:

If the settings do not appear in that interface, you can make the changes directly to the /usr/local/lib/php.ini file. Use WHM's PHP Configuration Editor - Advanced Mode interface (Home >> Service Configuration >> PHP Configuration Editor) to confirm that the system accepts the changes.

The disable_functions directive

Some PHP functions are not safe for a production environment. If your PHP developers do not require these functions, we recommend that you disable them so that an attacker cannot use them. Generally, when you disable these functions, you can stop an attacker who manages to load a malicious PHP script onto your system.

To disable a list of functions, add them in a comma-delimited list to the disable_functions text box in the Advanced Mode section of WHM's PHP Configuration Editor interface (Home >> Service Configuration >> PHP Configuration Editor).

For an example of functions to disable, read nixCraft's post on disable_functions.

Important:

Many functions in PHP perform the same tasks. Ask your developers to standardize on one or two of these functions for a task so that you can disable the rest.

Prevent information disclosure

Error messages that disclose important system information can help attackers plan an attack strategy. This information includes your directory structure, database names, and usernames. If PHP does not print errors to the web application's user interface, you can inhibit attackers' ability to gain information that they could use to compromise your system.

To limit the display of error messages, set the display_errors setting to Off in the Advanced Mode section of WHM's PHP Configuration Editor interface (Home >> Service Configuration >> PHP Configuration Editor).

Note:

When you disable the display_errors setting, your developers can still retrieve the same diagnostic information from the appropriate PHP error logs.

Restrict file uploads

Attackers often upload malicious programs to vulnerable systems in order to compromise them. If you restrict all file uploads, this can ensure that attackers cannot exploit your PHP configuration to inject their own PHP scripts.

To restrict file uploads, use the file_uploads setting in the Advanced Mode section of WHM's PHP Configuration Editor interface (Home >> Service Configuration >> PHP Configuration Editor).

Notes:

Some developers will want to include the ability to upload files to your server via PHP. If you must allow file uploads, set the upload_tmp_dir parameter to On in order to change the default temporary directory for file uploads.

Many administrators also use the upload_max_filesize parameter to limit the maximum file size that users can upload. However, this parameter does not improve the security of your PHP configuration. Administrators set this parameter in order to help manage the server's load from PHP scripts.

Protect sessions

Some attackers attempt to hijack sessions. This occurs when an attacker steals a user's web application session and performs actions as that user. PHP uses long, randomly generated session identifiers. While this makes the identifiers exceedingly difficult to guess, the browser stores the value in a cookie, and attackers can inject JavaScript into pages to steal cookies that contain these session IDs, which would allow them to hijack sessions.

To protect these session IDs from session hijackers, you can enable the session.cookie_httponly setting in the Advanced Mode section of WHM's PHP Configuration Editor interface (Home >> Service Configuration >> PHP Configuration Editor).

Notes:

This directive makes certain that JavaScript cannot access a PHP application's session cookies. If your developers require that JavaScript has access to session cookies, do not enable this option.

You may also wish to allow PHP to check HTTP referrer values. This ensures that sensitive session information passes internally during a user's session, so that users cannot accidentally publish sensitive session information when they share URLs.

Disable register globals

With register_globals enabled, PHP registers request values (from the query string, form data and cookies) as global variables, so a script receives and processes variables without a specified source. This allows attackers to overwrite configuration variables in order to gain access to areas of your system that it ordinarily restricts.

To remove this vulnerability, disable the register_globals setting in the Advanced Mode section of WHM's PHP Configuration Editor interface (Home >> Service Configuration >> PHP Configuration Editor).

Important:

This option no longer exists for PHP version 5.4 and above.
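To confirm that the settings from all of the sections above actually took effect for the PHP binary the web server uses, the following added example (not part of the original article) audits each directive from the command line. The expected values and the EXPECT_DISABLED list are this example's assumptions; adapt the function list to what your developers actually need. The php.ini path and the WHM interface names it refers to are the ones the article gives.

```php
<?php
// Added example (not from the original article): a command-line audit of the
// php.ini hardening directives discussed above. Run it with the PHP binary
// the web server uses, e.g.:  php harden_audit.php
// The expected values and the EXPECT_DISABLED list are this example's
// assumptions; adapt them to what your developers actually need.
declare(strict_types=1);

// Functions this example assumes a production site does not need.
const EXPECT_DISABLED = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];

// Read an ini boolean in any of its spellings ("1", "On", "yes" / "", "0", "Off").
// Returns null when the directive does not exist in this PHP build.
function ini_bool(string $directive): ?bool
{
    $raw = ini_get($directive);
    return $raw === false ? null : filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// The comma-delimited disable_functions value as a clean array of names.
function disabled_functions(): array
{
    $names = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_filter($names, 'strlen'));
}

// One audit row: [directive, passed, explanation].
function check(string $directive, bool $passed, string $detail): array
{
    return [$directive, $passed, $detail];
}

function audit(): array
{
    $rows = [];

    // Local file inclusion: includes must stay inside the listed directories.
    $rows[] = check('open_basedir', (string) ini_get('open_basedir') !== '',
        "set it to the account's directory tree (WHM >> Security Center >> PHP open_basedir Tweak)");

    // Remote file inclusion: neither URL wrapper should be usable by include()/require().
    foreach (['allow_url_fopen', 'allow_url_include'] as $d) {
        $rows[] = check($d, ini_bool($d) === false, 'must be Off');
    }

    // disable_functions: every function in the list must actually be disabled.
    $missing = array_diff(EXPECT_DISABLED, disabled_functions());
    $rows[] = check('disable_functions', $missing === [],
        $missing === [] ? 'all expected functions disabled' : 'still enabled: ' . implode(', ', $missing));

    // Information disclosure: errors go to the log, not to the browser.
    $rows[] = check('display_errors', ini_bool('display_errors') === false, 'must be Off');
    $rows[] = check('log_errors', ini_bool('log_errors') === true,
        'should be On so developers still see errors in the log');

    // File uploads: Off unless required; if On, a dedicated temp directory must be set.
    $uploads = ini_bool('file_uploads');
    $tmpDir  = (string) ini_get('upload_tmp_dir');   // upload_tmp_dir takes a directory path
    $rows[] = check('file_uploads', $uploads === false || $tmpDir !== '',
        $uploads ? 'On; upload_tmp_dir=' . ($tmpDir !== '' ? $tmpDir : '(default, set one)') : 'Off');

    // Sessions: keep the session cookie away from JavaScript.
    $rows[] = check('session.cookie_httponly', ini_bool('session.cookie_httponly') === true, 'must be On');

    // register_globals: removed in PHP 5.4, so "not present" is the passing state.
    $rg = ini_bool('register_globals');
    $rows[] = check('register_globals', $rg !== true,
        $rg === null ? 'not present in this PHP version' : 'must be Off');

    return $rows;
}

// Print the report; exit non-zero when anything fails so it can run from cron.
function main(): int
{
    $failures = 0;
    foreach (audit() as [$directive, $passed, $detail]) {
        printf("%-24s %s  %s\n", $directive, $passed ? 'OK  ' : 'FAIL', $detail);
        $failures += $passed ? 0 : 1;
    }
    return $failures === 0 ? 0 : 1;
}

exit(main());
```

Because it reads the effective values through ini_get(), it reports what a script would actually see, which is the check the article's note about editing /usr/local/lib/php.ini directly asks for; a non-zero exit status makes it suitable for a scheduled job after every PHP rebuild.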