Hardening and securing PHP on Linux

Published on by

Hardening PHP on linux to increase security is a complex process involving a plethora of settings. A while back I developed a script in order to check for any security settings that were out of place.

The idea is that you run the script on your web server and it tells you what security settings are potentially mis-configured based on the rules that it reads from an XML file. Any settings that are not configured in line with best security practices are highlighted in red. It works in a similar way to the Centre for Internet Security's benchmark scripts for other technologies. The one caveat is that it does need access to the ini_get function and requires at least PHP 5 to run.

The auditing script checks for (amongst other things):

  • Secure session settings.
  • Depreciated functions that might be relied upon.
  • Functions that should be disabled.
  • Dangerous settings that could lead to remote or local file inclusion.
  • Error handling.
  • Constants defined at compile time.

You might disagree with some of the recommended security settings or they might just not suit your current application; you can always change the XML file. A sample of the report generated by the Auditor is shown below.

Hardening PHP using the PHP Auditor

You can download the script and use it to harden / secure your PHP installation. The tool is by no means a definitive hardening guide and any feedback or suggested rules / settings are welcome.

Download the PHP auditor