• Visitor Count
    RSS Security Google Group
    RSS Security Patch Management

    Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)

    PostDateIcon July 22nd, 2010 | PostAuthorIcon Author: eyalestrin

    Pre-installation notes
    The guide bellow is based on the previous guides:

    Installation and configuration phase

    1. Login to the server using Root account.
    2. Before compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder:
      rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm
      rpm -ivh glibc-headers-2.5-42.x86_64.rpm
      rpm -ivh glibc-devel-2.5-42.x86_64.rpm
      rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm
      rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm
      rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm
      rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm
      rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm
      rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm
    3. Download MySQL development RPM from:
      http://download.softagency.net/MySQL/Downloads/MySQL-5.1/
    4. Download PHP 5.3.2 source files from:
      http://php.net/downloads.php
    5. Copy the MySQL development RPM using PSCP (or SCP) into /tmp
    6. Copy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp
    7. Move to /tmp
      cd /tmp
    8. Install the MySQL development RPM:
      rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
    9. Remove MySQL development RPM:
      rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm
    10. Extract the php-5.3.2.tar.gz file:
      tar -zxvf php-5.3.2.tar.gz
    11. Move to the PHP source folder:
      cd /tmp/php-5.3.2
    12. Run the commands bellow to compile the PHP environment:
      ./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib

      make

      make install

    13. Edit using VI, the file /usr/local/apache2/conf/httpd.conf
      Make sure the following string exists at the end of the LoadModule section:
      LoadModule php5_module modules/libphp5.so
      Add the following string, to the end of the AddType section:
      AddType application/x-httpd-php .php
      Replace the line from:
      DirectoryIndex index.htmlTo:
      DirectoryIndex index.php index.html index.htm
    14. Copy the PHP.ini file
      cp /tmp/php-5.3.2/php.ini-development /etc/php.ini
    15. Change the permissions on the php.ini file:
      chmod 640 /etc/php.ini
    16. Edit using VI, the file /etc/php.ini and replace the following values:
      From:
      mysql.default_host =To:
      mysql.default_host = 127.0.0.1:3306

      From:
      allow_url_fopen = OnTo:
      allow_url_fopen = Off

      From:
      expose_php = OnTo:
      expose_php = Off

      From:
      memory_limit = 128MTo:
      memory_limit = 8M

      From:
      ;open_basedir =To:
      open_basedir = "/www"

      From:
      post_max_size = 8MTo:
      post_max_size = 2M

      From:
      upload_max_filesize = 2MTo:
      upload_max_filesize = 1M

      From:
      disable_functions =To:
      disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsidposix_setuid

      From:
      ;include_path = ".:/php/includes"To:
      include_path = "/usr/local/lib/php;/usr/local/apache2/include/php"

      From:
      display_errors = OnTo:
      display_errors = Off

      From:
      display_startup_errors = OnTo:
      display_startup_errors = Off

    17. Run the commands bellow to restart the Apache service:
      /usr/local/apache2/bin/apachectl stop
      /usr/local/apache2/bin/apachectl start
    18. Remove the PHP source and test files:
      rm -rf /tmp/php-5.3.2
      rm -f /tmp/php-5.3.2.tar.gz
      rm -rf /usr/local/apache2/lib/php/test
      rm -rf /usr/local/lib/php/test
    19. Uninstall the following RPM:
      rpm -e libxml2-devel-2.6.26-2.1.2.8
      rpm -e gcc-4.1.2-46.el5
      rpm -e libgomp-4.4.0-6.el5
      rpm -e gmp-4.1.4-10.el5
      rpm -e glibc-devel-2.5-42
      rpm -e glibc-headers-2.5-42
      rpm -e kernel-headers-2.6.18-164.el5
    Print Friendly Version of this pagePrint Get a PDF version of this webpagePDF
    PostCategoryIcon Posted in Apache, MySQL, PHP, RedHat

    3 Responses to “Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)”

    Leave a Reply

    Search This Blog
    Blog Archive
    Labels
    NetworkedBlogs

    Log in
    Copyright © 2013 Security 24/7. All Rights Reserved.

    Powered by Wordpress.org, WP Theme Design Powered by playstation wordpress templates and free provided by nixcheckcashing.com.