Apache security
1. Edit the /etc/apache2/apache2.conf configuration file:
Run Apache under a dedicated user and group
User username
Group username
Disable directory listing, server-side includes and CGI execution
Options -Indexes -Includes -ExecCGI
Hide the server version information (two separate directives)
ServerTokens ProductOnly
ServerSignature Off
Disable PHP interpretation by Apache for the file upload directory
<Directory /dir>
php_flag engine off
</Directory>
2. Change the owner of the application files:
groupadd username
useradd -d /dir -g username -s /usr/sbin/nologin username
chown -R username:username /dir
chmod -R 744 /dir
3. Install and enable the Apache security modules:
apt-get install libapache2-mod-security2
a2enmod security2
apt-get install libapache2-mod-evasive
a2enmod evasive
/etc/init.d/apache2 force-reload
PHP security configuration
1. Edit the /etc/php5/apache2/php.ini file:
allow_url_fopen = Off
sql.safe_mode = On
expose_php = Off
cgi.fix_pathinfo = 0
disable_functions = ..., phpinfo, get_cfg_var, chroot, scandir, chgrp, chown, proc_open, error_log, ini_alter, ini_restore, dl, pfsockopen, syslog, readlink, symlink, popen
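As an added example (not part of the original checklist), a POSIX shell audit that reads a php.ini and an apache2.conf and reports which of the Apache and PHP settings above still have a weak value; the sample files it writes are constructed for the dry run, not taken from any real server.

```shell
#!/bin/sh
# Audit a php.ini and an apache2.conf against the hardening values in the checklist above.
# write_samples writes constructed sample files (not taken from any real server) for a dry run.

php_setting() {   # php_setting FILE KEY -> value of the last active "KEY = value" line ("" if unset)
    awk -F= -v k="$2" '{ key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) } END { print v }' "$1"
}

apache_directive() {   # apache_directive FILE NAME -> arguments of the last NAME directive in FILE
    # Case-insensitive like httpd; ignores <Directory> scoping, so check per-scope overrides separately.
    awk -v n="$2" 'tolower($1) == tolower(n) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }' "$1"
}

audit_php() {   # audit_php FILE -> 0 if every checked setting has the hardened value, 1 otherwise
    rc=0
    for pair in allow_url_fopen=Off expose_php=Off cgi.fix_pathinfo=0; do
        key=${pair%%=*}; want=${pair#*=}; got=$(php_setting "$1" "$key")
        [ "$got" = "$want" ] || { echo "php.ini: $key is '${got:-unset}', expected $want"; rc=1; }
    done
    return $rc
}

audit_apache() {   # audit_apache FILE -> 0 if the version banner is hidden and the three Options are off
    rc=0
    [ "$(apache_directive "$1" ServerTokens)" = ProductOnly ] || { echo "apache: ServerTokens is not ProductOnly"; rc=1; }
    [ "$(apache_directive "$1" ServerSignature)" = Off ] || { echo "apache: ServerSignature is not Off"; rc=1; }
    opts=" $(apache_directive "$1" Options) "
    for flag in -Indexes -Includes -ExecCGI; do
        case "$opts" in *" $flag "*) ;; *) echo "apache: Options does not disable $flag"; rc=1 ;; esac
    done
    return $rc
}

write_samples() {   # write_samples DIR -> constructed weak.* and hard.* samples in DIR
    printf 'expose_php = On\nallow_url_fopen = On\ncgi.fix_pathinfo = 1\n' > "$1/weak.ini"
    printf ';allow_url_fopen = On\nallow_url_fopen = Off\nexpose_php = Off\ncgi.fix_pathinfo = 0\n' > "$1/hard.ini"
    printf 'ServerTokens Full\nOptions -Indexes\n' > "$1/weak.conf"
    printf 'servertokens ProductOnly\nServerSignature Off\nOptions -Indexes -Includes -ExecCGI\n' > "$1/hard.conf"
}

# Dry run against the constructed samples; point audit_php/audit_apache at the real files in production.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    for f in weak hard; do
        echo "== $f =="; audit_php "$d/$f.ini"; audit_apache "$d/$f.conf"
    done
    rm -rf "$d"
fi
```

Run it with `--demo` to see the weak sample fail every check and the hardened sample pass; a commented-out `;allow_url_fopen = On` line is correctly ignored.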
MySQL security configuration
1. Use a dedicated account to access the database:
>grant select,insert,update,delete on mydb.* to www-data@localhost identified by 'password';
>flush privileges;
2. Edit the /etc/mysql/my.cnf configuration file:
Disable remote access
skip-networking
3. Remove the ~/.mysql_history file:
rm ~/.mysql_history
ln -s /dev/null ~/.mysql_history
4. Remove anonymous and unused accounts:
>select * from mysql.user where user='';
>delete from mysql.user where user='***';
5. Back up the database regularly:
mysqldump -u root -p mydb > mydb_year_month_day.sql