打造安全的CENTOS服务器---php安全
Posted in andylau at 2008/07/21 / Comments(0) »
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
硬件配置:
AMD 3200+
华硕主板
KST 512M DDR400 *2
120G IDE
软件配置:
httpd-2.0.52-28.ent.centos4
php-4.3.9-3.15
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1、开启安全模式(做为商业应用的服务器不建议开启)
复制内容到剪贴板
代码:
#vi /usr/local/Zend/etc/php.ini (没装ZO时php.ini文件位置为:/etc/php.ini)
safe_mode = On
2、锁定PHP程序应用目录
复制内容到剪贴板
代码:
#vi /etc/httpd/conf.d/virtualhost.conf
加入
php_admin_value open_basedir /home/*** (***为站点目录)
3、千万不要给不必要的目录给写权限,也就是777权限,根目录保持为711权限,如果不能运行PHP请改为755
4、屏蔽PHP不安全的参数(webshell)
复制内容到剪贴板
代码:
#vi /usr/local/Zend/etc/php.ini (没装ZO时php.ini文件位置为:/etc/php.ini)
disable_functions = system,exec,shell_exec,passthru,popen
以下为我的服务器屏蔽参数:
复制内容到剪贴板
代码:
disable_functions = passthru,exec,shell_exec,system,set_time_limit,ini_alter,dl,
pfsockopen,openlog,syslog,readlink,symlink,link,leak,fsockopen,popen,escapeshell
cmd,error_log
centos配置ssh
Posted in server at 2008/05/07 / Comments(0) »
在VMware安装一个CentOS的Sever版,终端里的内容不可滚动,不方便。在win下远程登录不错(win下有个Xshell)。默认安装ssh是有的。只是hosts访问问题。
1.在hosts.deny文件尾添加sshd:ALL
意思是拒绝所有访问请求
[root@localhost ~]# vi /etc/hosts.deny
修改后看起来如下:
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd:ALL
2.在hosts.allow文件尾添加sshd:192.168.0.
意思是允许192.168.0.1 到254的主机,内网。
[root@localhost ~]# vi /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd:192.168.0.
3.重启ssh
[root@localhost ~]# /etc/rc.d/init.d/sshd restart
停止 sshd: [ 确定 ]
启动 sshd [ 确定 ]
好了,用putty和Xshell(Xmanager)可以登录了。
1.在hosts.deny文件尾添加sshd:ALL
意思是拒绝所有访问请求
[root@localhost ~]# vi /etc/hosts.deny
修改后看起来如下:
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd:ALL
2.在hosts.allow文件尾添加sshd:192.168.0.
意思是允许192.168.0.1 到254的主机,内网。
[root@localhost ~]# vi /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd:192.168.0.
3.重启ssh
[root@localhost ~]# /etc/rc.d/init.d/sshd restart
停止 sshd: [ 确定 ]
启动 sshd [ 确定 ]
好了,用putty和Xshell(Xmanager)可以登录了。
很烦
Posted in life at 2008/04/10 / Comments(1) »
最近工作上的事情比较多。而且多是棘手的事情。有的事儿其实是板上钉钉的事情了,但搞到最好不定出现什么岔子。实在是佩服天朝政府部门和天朝所谓国有企业的办事儿效率。有时候真想睡他几天几夜。昨晚应酬到凌晨3点多才回来睡。现在撑不住了。等会儿就睡觉去。
孔繁森纪念馆
Posted in life at 2008/04/10 / Comments(0) »
前几天去看了一下,很没意思。
Andox下载
Posted in andylau at 2008/01/25 / Comments(0) »
Designed By 404cn & Cheer for