Hide PHP version information

It is better to hide the php version information because of scans that are done on systems to detect software versions that have some known bugs and use that info to compromise the system. To do this edit the following option:

expose_php = Off

Error logging

PHP can handle error reporting several ways: logging to a server log or log errors to the browser of the client. The second method can affect the security of your system because with some errors paths to files are revealed, so it's better to log the errors to a file on the server, to do this use these settings:

display_errors = Off
log_errors     = On

Disable dangerous functions

There are functions that you do not need for your application to run and that are a big security risk for the system. We can disable all uwanted functions from php by using this setting:

disable_functions = phpinfo, mail, dl ...

This is a list of functions you should consider removing if you are not using them:

• curl_exec - perform a cURL session

• curl_multi_exec - run the sub-connections of the current cURL handle

• disk_free_space - returns available space on filesystem or disk partition

• dl - loads a PHP extension at runtime

• exec - execute an external command

• fsockopen - open internet or unix domain socket connection

• getmypid - gets PHP's process ID

• getmyuid - gets PHP script owner's UID

• highlight_file - syntax highlighting of a file

• ignore_user_abort — Set whether a client disconnect should abort script execution

• mail - send mail

• parse_ini_file - parse a configuration file

• passthru - execute an external program and display raw output

• phpinfo - outputs a large amount of information about the current state of PHP

• php_uname - returns information about the operating system PHP is running on

• popen - opens process file point

• posix_ctermid - get path name of controlling terminal

• posix_getcwd - pathname of current directory

• posix_getegid - return the effective group ID of the current process

• posix_geteuid - return the effective user ID of the current process

• Other posix functions: posix_getgrgid, posix_getgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix

• proc_open - execute a command and open file pointers for Input/Output

• proc_close - close a process opened by proc_open and return the exit code of that process

• Other functions involving processes: proc_close, proc_get_status, proc_nice, proc_terminate

• shell_exec - execute command via shell and return the complete output as a string

• show_source - show the source of a file

• symlink - creates a symbolic link

• system - execute an external program and display the output

• virtual - perform an Apache sub-request

   

Register globals

This is what php.ini recommends:

 You should do your best to write your scripts so that they do not require
 register_globals to be on;  Using form variables as globals can easily lead
 to possible security problems, if the code is not very well thought of.

and I strongly aggree with that, so with that in mind we should set, if is not already set:

register_globals = Off

Limit resources

If you don't intend to upload files on the server through php you should disable file uploads.

file_uploads = Off

If you are going to do file uploads from php, then you should limit the file upload size to what value you think it will be good for you and also restrict the directory where this uploads are made, if possible

upload_tmp_dir = /var/php_tmp
upload_max_filezize = 2M

Remember that the upload temporary directory should be owned by apache user:

#chown apache: /var/php_tmp

You should also consider limiting the  resources your php scripts use:

; Maximum execution time of each script, in seconds
max_execution_time = 30

; Maximum amount of time each script may spend parsing request data
max_input_time = 60

; Maximum amount of memory a script may consume (8MB)
memory_limit = 8M

; Maximum size of POST data that PHP will accept.
post_max_size = 8M

Disable remote files includes

Top prevent remote scripts from being included and executed on your server you should disable remote files access from your php environment.

allow_url_fopen = Off
allow_url_include = Off

Restrict file access on server from php

Allow access for php only to specific portions of your file system, like you web directory or other shared libraries.

open_basedir = "/var/www/html/:/usr/local/php/"

Conclusion

This was the last of our 4 blogs regarding the security of a LAMP server, in this one we used the php settings to improve the security of any php environment, thus avoiding our php application from getting compromised and therefore the risk of the system to get breached. This setting depend much on what application you are running and what php functions it needs, so you would have to adapt this to your needs.