Build linux + nginx + PHP FPM MySQL (MariaDB) environment
1.Linux selects centos7 installed before
Thoughts on security reinforcement of mainframe based on CentOS 7
Although there are a lot of data summary and reference here, what you can remember is that you know the significance of reinforcement. In other words, you have really attacked from here, or you just look at the flowers. At the same time, the safety problems here are limited by their lack of professionalism, but they just think about it by themselves.
a. Account number
cat /etc/pwsswd | wc -l How many users are counted cat /etc/passwd | grep :0 see root Users with permissions cat /etc/shadow have! *Users who are locked and unable to log in cat /etc/group View user groups
(these provide the basic account information of a Linux host. Of course, there are account uid and other details under the extension. I won't repeat them first. The purpose of these is to form their own context. The following are summarized to level 2. They don't go deep into Level 3 and level 4 operations.)
vi /etc/pam.d/su Edit this setting to disable ordinary users su reach root
b. Authorization
chmod Command sets the permissions of important files, such as log file, historical command record file, account configuration file, etc. umask Set as 027 Service authorization such as ftp The service prohibits some users from logging in anonymously
c. Password
vi /etc/pam.d/system-auth Password complexity settings, such as numbers, uppercase and lowercase letters and special characters composed of eight digits or more. More often, the penetration is weak, the password is fatal and the light is black. 123456 eternal God. vi /etc/pam.d/sshd Continuous password error locking to avoid blasting vi /etc/login.defs The password update cycle is forced to be updated every how many days, and it should be different before and after.
d. Remote login
vi /etc/hosts.allow(deny) limit IP Access to household accounts vi /etc/profile Timeout setting vi /etc/ssh/sshd_config Prohibit direct login root Account, need from general account su reach root;Combined with the prohibition in front su reach root,Only local root The account is logged in.
e. Port off
First of all, the firewall must be on,
firewall-cmd --list-port See which ports are open firewall-cmd --zone=public --add-port=3838/tcp --permanent increase tcp When the port is closed add Change to remove firewall-cmd --zone=public --add-port=3838/udp --permanent firewall-cmd --reload Reloading does not interrupt user connection and lose status information. I've learned that I used to restart here. It's a great blessing that I didn't die in the production environment. Shit.
f. Log
audit To record security related logs, you need to adjust the rule base in combination with the business syslog It is an error log biased towards the application layer. Configure log server for important logs
g. Kernel adjustment
Prevent stack overflow. I just read it and don't understand it.
h. Address resolution order
Change the host address resolution order to prevent IP deception.
i. Patch update
uname -a Look at the version leak ms17-010 This kind of, new three years old three years, ah, patch server settings.
j.banner information shielding
system banner Information(/etc/rc.d/rc.local),ftp banner(/etc/vsftp.d/vsftp.conf)Information, etc#Drop.
2.Nginx installation
2.1 preparation before Yum installation: since there is no Yum source by default, you need to add nginx to the yum source and install nginx
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
ps: it has been installed through source code compilation before. For source code installation, you should first install GCC compiler (compile the source code into binary program), PCRE (parse regular expression), zlib (function library providing data compression), OpenSSL (NGINX application HTTPS, MD5, SHA1, etc.
2.2 successful installation
ps:Nginx configuration information
Default directory for storing website files
/usr/share/nginx/html
Site default site configuration
/etc/nginx/conf.d/default.conf
Customize the storage directory of Nginx site configuration files
/etc/nginx/conf.d/
Nginx global configuration
/etc/nginx/nginx.conf
Thoughts on security reinforcement of web container based on nginx
As an excellent forward and reverse proxy web server, nginx has the characteristics of multithreading and high concurrency. By the way, write down the forward and reverse proxy. The proxy client is the forward, while the proxy server is the reverse proxy. In addition, the forward agent can be used as the management of online behavior; In addition to load balancing, reverse proxy exposes the IP of the proxy server on the public network and hides the intranet web server.
For nginx, remember to restart the backup every time you modify it. It is recommended to restart nginx -s reload smoothly
a. Restrict directory access
vi /etc/nginx/nginx.conf stay HTTP Module addition autoindex off; because nginx Will download automatically web Files in the directory to increase threat exposure.
b. Hide version information
vi /etc/nginx/nginx.conf stay HTTP Module addition server_tokens off Hide version information, such as HTTP I can't see it in the response. You have to restart here. Reloading the configuration doesn't work.
c. Restrict HTTP request methods
vi /etc/nginx/conf.d/default.conf stay server Module addition if ($request_method !~* GET|POST|HEAD) { return 403; } //Reject requests other than get|post|head
d.nginx power reduction
vi /etc/nginx/nginx.conf increase user nobody; That's it web If the service authority fails, it will not be root jurisdiction. This also involves operation and maintenance knowledge, nobody yes Linux Users who are used to execute processes other than the main process of the service. In order to achieve the effect of loss without loss, if they are used at the beginning root Deployed nginx,After load balancing, restart the service every time root,Trouble; And if you want to change it, it will also lead to insufficient cache access rights, slow process, service paralysis and other future problems.
e. Anti theft chain
edit nginx.conf configuration file(vi /etc/nginx/nginx.conf ),stay server Add the following contents to the label: location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ { valid_referers none blocked server_names *.nsfocus.com http://localhost baidu.com; if ($invalid_referer) { rewrite ^/ [img]http://www.XXX.com/images/default/logo.gif[/img]; #return 403; } }
f. Restrict IP access
edit nginx.conf configuration file(vi /etc/nginx/nginx.conf ),stay server Add the following contents to the label: location / { deny ip; allow ip; }
g. Patch update
nginx -v #View version information nginx -t #View profile Then select the patch
3. Install PHP FPM
3.1 integrate the following commands to install PHP
yum install php php-fpm php-mysql php-mbstring php-xml -y
3.2 check whether php and its extensions are installed successfully
Thoughts on security reinforcement based on PHP FPM
PHP FPM configuration file path: / etc / PHP FPM d/www.conf
php configuration file path: / etc / php ini
a. PHP FPM weight reduction
modify/etc/php-fpm.d/www.conf,take user = apache group = apache,Change to user = nobody group = nobody;about nobody stay Linux The role of the system is mentioned above.
b. Security mode
Originally, but it was abandoned after 5.3.
c. Disable unsafe PHP functions
vi /etc/php.ini disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket,phpinfo #In this way, the previously tested php nginx and the general phpinfo function will fail.
d. Close error log
vi /etc/php.ini display_errors = Off #Avoid file upload or sql error injection and getshell caused by exposing the physical path. One of the previous ctf primary training camps in i spring and autumn is to use PHP to report errors and check the database version.
e. Enable HTTPOnly
vi /etc/php.ini session.cookie_httponly = 1 adopt document Embezzle cookie prevention XSS,But you can socket Layer capture program advanced attack.
f. Turn off PHP information
vi /etc/php.ini expose_php = Off This is set in http I can't see it in the request x-powered-by:php/5.4.16 Yes
g. Restrict directory access
vi /etc/php.ini open_basedir = ./:/tmp:/home/www/The disadvantage of the configured directory is the impact IO flow
h. Restricted upload directory
vi /etc/php.ini upload_tmp_dir = /tmp Directory traversal is defined to prevent uploading.
4. The connection test between nginx and PHP FPM is successful
In index Write <? php phpinfo(); ?>, Then visit the browser and you can see that the PHP code has been executed successfully.
It should be noted that the default site configuration file of nginx website has been modified: remove the annotation symbol #, as shown in the above figure, and $document_root has been modified, and don't forget to indicate the PHP file storage path to PHP FPM: / usrshare/nginx/html. I have installed it many times before and found that this problem will not exist in the source code compilation and installation, and this path will exist in the yum installation, indicating that the problem needs special attention!!
5. Install MySQL (MariaDB is now installed after the acquisition)
5.1 install mysql using yum
yum install mariadb* -y
Start and set the self starting mysql service at the same time.
5.2 setting mysql password:
mysql -uroot -p
The database here needs to change the initial password before it can be used. In addition, delete from under the update statement correction.
Thoughts on security reinforcement based on mysql
a. Running mysql under a general account
vi /etc/my.cnf [mysql.server] user=mysql
b.root remote login restrictions - trusted IP login, etc
mysql> grant all privileges on *.* to 'root' @localhost identified by 'password'with grant option; mysql> flush priveleges; mysql> grant all privileges on *.* to 'user name' @'Access allowed IP address' identified by 'password'with grant option; mysql> flush priveleges; //Only this address is allowed, but all permissions are given mysql> grant all privileges on *.* to 'user name' @'Access allowed IP address' identified by 'password'; mysql> flush priveleges; //Only this address is allowed, but not all permissions are given
c. Delete empty password account (anonymous account)
mysql> delete from user where user=""; mysql> flush priveleges;
d. Historical command protection to prevent the disclosure of sensitive information such as configuration
rm .bash_history .mysql_history //Delete history ln -s /dev/null .bash_history ln -s /dev/null .mysql_history //Set the database operation record not to be recorded in 2 files
e. Configure log, password complexity and replacement cycle, limit the number of single user sessions, login failure processing functions, etc
6. The connection test between PHP and mysql is successful
cd /usr/share/nginx/html/ vi mysql.php //Write PHP test code connecting mysql.
7. Summary
If you step on the pit, pay attention to the alignment of the configuration file format. yum install nginx to indicate the path to read the PHP file; Then, PHP supports mysqli after the higher version; Make sure to back up before modifying anything, write out the technical scheme first, and restart or reload after modification; The first step of mysql is to modify the empty password before it can be used;
Gain a lot, let the fragmentary knowledge coupled, deployment and reinforcement at the same time, can realize the importance of integrating attack and defense to promote progress. For example, when strengthening PHP HTTPOnly, it is associated with the content of cosine's "uncover the secrets of web front-end hacker technology", which is more integrated and promotes understanding. More profound understanding of the interaction between PHP: fastm and CGI: fastm