{"id":75,"date":"2007-09-06T00:14:13","date_gmt":"2007-09-05T22:14:13","guid":{"rendered":"http:\/\/www.shukko.com\/x3\/2007\/09\/06\/harden-phpini-for-shared-hosting-servers\/"},"modified":"2007-09-15T03:19:09","modified_gmt":"2007-09-15T01:19:09","slug":"harden-phpini-for-shared-hosting-servers","status":"publish","type":"post","link":"https:\/\/www.shukko.com\/x3\/2007\/09\/06\/harden-phpini-for-shared-hosting-servers\/","title":{"rendered":"harden php.ini for shared hosting servers."},"content":{"rendered":"

“disable_functions” (G\u00fcvenlik)
\n“disable_functions” ile server\u0131n\u0131zda bir\u00e7ok fonksiyonun \u00e7al\u0131\u015fmas\u0131n\u0131 engelleyebilirsiniz bu sayede sitenize inject edilen scriptler, sheller i\u00e7in g\u00fcvenli\u011finizi alm\u0131\u015f olursunuz. Bu kadar fonksiyon fazla gelebilir ama iyi bir g\u00fcvenlik i\u00e7in \u015fart.<\/p>\n

Code:
\ndisable_functions = foreach, glob, openbasedir, posix_getpwuid, f_open, system,dl, array_compare, array_user_key_compare, passthru, cat, exec, popen, proc_close, proc_get_status, proc_nice, proc_open, escapeshellcmd, escapeshellarg, show_source, posix_mkfifo, ini_restore, mysql_list_dbs, get_current_user, getmyuid,pconnect, link, symlink, fin, passthruexec, fileread, shell_exec, pcntl_exec, ini_alter, parse_ini_file, leak, apache_child_terminate, chown, posix_kill, posix_setpgid, posix_setsid, posix_setuid, proc_terminate, syslog, allow_url_fopen, fpassthru, execute, shell, curl_exec, chgrp, stream_select, passthru, socket_select, socket_create, socket_create_listen, socket_create_pair, socket_listen, socket_accept, socket_bind, socket_strerror, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, openlog, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual
\nE\u011fer bu kadar fonsiyonu devre d\u0131\u015f\u0131 b\u0131rakmak fazla geldiyse alttaki gibi de ayarlayabilirsiniz bu da g\u00fcvenli\u011finiz i\u00e7in yeterlidir:<\/p>\n

Code:
\ndisable_functions = glob, posix_getpwuid, array_compare, array_user_key_compare, ini_restore, exec, proc_get_status, proc_nice, proc_open, allow_url_fopen, fin, pconnect, system, dl, passthruexec, shell_exec, proc_close, proc_get_status, chown, chgrp, escapeshellcmd, escapeshellarg, fileread, passthru, popen,curl_exec, shell, execute<\/p>\n

Safe Mode G\u00fcvenlik
\n“Safe Mode” ad\u0131ndan da anla\u015f\u0131laca\u011f\u0131 gibi “G\u00fcvenli Mod” anlam\u0131na geliyor. “Safe Mode” genelde bir\u00e7ok serverda “Off” durumdad\u0131r ve bu da bir\u00e7ok tehlikeye davetiye \u00e7\u0131karan unsurlar aras\u0131nda yer al\u0131r. “G\u00fcvenli Modu A\u00e7\u0131k” durumuna getirmek shellerin server\u0131m\u0131zda istedikleri gibi dola\u015fmalar\u0131n\u0131, exploitlerin \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131n\u0131 ve komutlar\u0131n execute edilmelerini \u00f6nler. G\u00fcn\u00fcm\u00fczde “a\u00e7\u0131k olan g\u00fcvenlik modunu” kapal\u0131 duruma getiren scriptler mevcut fakat altta anlat\u0131lan \u00f6nlemlerle bunun da \u00f6n\u00fcne ge\u00e7ilebilir.<\/p>\n

Code:
\nsafe_mode = on
\n\u00e7al\u0131\u015fmayan script olursa httpd.conf ve .htaccess dosyas\u0131ndan kullan\u0131c\u0131ya gerekli izin verilebilir. \u00f6rnek a\u015fa\u011f\u0131daki gibi<\/p>\n

Code:
\nphp_flag safe_mode Off
\n“register_globals” (G\u00fcvenlik ve Performans)
\nphp.ini dosyas\u0131nda bulunan “post” “get” ile g\u00f6nderilen de\u011ferlere kullan\u0131c\u0131 adlar\u0131yla ula\u015f\u0131l\u0131p ula\u015f\u0131lamayaca\u011f\u0131n\u0131 belirtir. Session, cookie de\u011ferlerini kendi ad\u0131yla tan\u0131mlayarak birer de\u011fi\u015fken olmas\u0131na neden olur. “Off” olarak ayarlan\u0131rsa bu gibi de\u011ferlere kendi tan\u0131mlad\u0131\u011f\u0131 \u015fekilde ula\u015f\u0131lamaz.<\/p>\n

Code:
\nregister_globals = off
\n\u00e7al\u0131\u015fmayan script olursa on de\u011ferini htaccess dosyas\u0131na koyup sadece o siteye a\u00e7abilirsiniz. veya httpd.conf dosyas\u0131na<\/p>\n

Code:
\nphp_flag register_globals on
\n“allow_url_fopen” (G\u00fcvenlik)
\n“allow_url_fopen” default olarak “a\u00e7\u0131k” \u015feklinde gelir ve bunun “on” a\u00e7\u0131k olmas\u0131 “file_get_contents()”, “include()”, “require()” fonksiyonlar uzaktaki dosyalar\u0131 da i\u015flemesine olanak tan\u0131r. Bunlara verilen bilgiler hi\u00e7bir kontrolden ge\u00e7irilmezse kritik g\u00fcvenlik a\u00e7\u0131klar\u0131n\u0131 sebep olur. (e\u011fer safe mode a\u00e7\u0131ksa ve open basedir aktif ise bunun a\u00e7\u0131k kalmas\u0131nda hi\u00e7 bir sorun yok. Kapal\u0131 kalmas\u0131 durumunda bir \u00e7ok script \u00e7al\u0131\u015fmaz. en basit \u00f6rnek olarak php nuke \u00e7al\u0131\u015fmaz.)<\/p>\n

Code:
\nallow_url_fopen = off
\n“display_errors” (G\u00fcvenlik)
\nBu se\u00e7enek sitenizin \u00e7al\u0131\u015fmas\u0131nda olu\u015facak bir hatay\u0131 taray\u0131c\u0131ya yans\u0131t\u0131p yans\u0131tmayaca\u011f\u0131n\u0131 belirler yani siteniz i\u00e7in diyelim bir forum veya portal kullan\u0131yorsunuz ve bunlar\u0131n \u00e7al\u0131\u015fmas\u0131 esnas\u0131nda genelde “Fatal error: Call to undefined function get_header() in \/home\/ahmo\/public_html\/index.php on line 37” \u015feklinde benzeri hata g\u00f6r\u00fcl\u00fcr bunlar\u0131n g\u00f6z\u00fckmesini engellemek i\u00e7in bu de\u011feri kapal\u0131 duruma getirmek gerekir zira k\u00f6t\u00fc niyetli ki\u015filer sitenizin serverda bulunan tam yolunu \u00f6\u011frenmi\u015f olurlar.
\n(E\u011fer safe mod a\u00e7\u0131k ve open basedir aktif ise bunu kapatman\u0131za gerek yoktur. zira bu t\u00fcr hatalar ayr\u0131ca scriptinde hata neresinde oldu\u011funu g\u00f6sterdi\u011fi i\u00e7in host kullan\u0131c\u0131s\u0131na sitesini d\u00fczenlemesi i\u00e7in b\u00fcy\u00fck kolayl\u0131k sa\u011fl\u0131yor.)<\/p>\n

Code:
\ndisplay_errors = Off
\n“cgi.force_redirect” (G\u00fcvenlik)
\nBu de\u011fer normalde “on” “1” yani a\u00e7\u0131k olarak gelir ve Windows sunucular\u0131nda IIS, OmniHTTPD gibi buralarda kapat\u0131lmas\u0131 gerekir. Kendi sunucunuz i\u00e7in bu durum yoksa de\u011fi\u015ftirmenize gerek yoktur.<\/p>\n

Code:
\ncgi.force_redirect = 0
\n“magic_quotes_gpc” (G\u00fcvenlik ve Performans)
\nMagic Quotes i\u015flemi GET\/POST y\u00f6ntemiyle gelen Cookie datas\u0131n\u0131 otomatikmen PHP script’e ka\u00e7\u0131r\u0131r. \u00d6nerilen bu de\u011ferin kapal\u0131 olmas\u0131d\u0131r.<\/p>\n

Code:
\nmagic_quotes_gpc = off
\n“magic_quotes_runtime” (G\u00fcvenlik ve Performans)
\nMagic quotes \u00e7al\u0131\u015fma s\u00fcrecinde data olu\u015fturur, SQL’den exec()’den, vb.
\n\u00d6nerilen:<\/p>\n

Code:
\nmagic_quotes_runtime = Off
\n“magic_quotes_sybase” (G\u00fcvenlik ve Performans)
\nSybase-style magic quotes kullan\u0131r (Bunun yerine \\’ ‘ bununla ” ka\u00e7\u0131r\u0131r)<\/p>\n

Code:
\nmagic_quotes_sybase = Off
\n“session.use_trans_sid” (G\u00fcvenlik)
\nBu ayar\u0131 dikkatli ayarlay\u0131n, kullan\u0131c\u0131 emaile aktif oturum ID’si i\u00e7eren URL g\u00f6nderebilir
\nkulln\u0131c\u0131n\u0131n g\u00fcvenli\u011fi i\u00e7in bunu kapat\u0131yoruz.
\n\u00d6nerilen:<\/p>\n

Code:
\nsession.use_trans_sid = off
\n“expose_php” (G\u00fcvenlik)
\n“expose_php” a\u00e7\u0131k ise kapal\u0131 yap\u0131lmas\u0131 \u00f6nerilir. Aksi takdirde PHP ile yapt\u0131\u011f\u0131n\u0131z her\u015feyde sunucu taraf\u0131ndan PHP s\u00fcr\u00fcm\u00fc gibi bilgiler g\u00f6sterilir. Hackerlar hatta Lamerlar bu bilgileri severler (ne boh anl\u0131yorlarsa sanki). Bunlar\u0131 engellemek i\u00e7in “off” konumuna getiriniz.<\/p>\n

Code:
\nexpose_php = Off
\n“html_errors” (G\u00fcvenlik)
\nBu de\u011ferin a\u00e7\u0131k olmas\u0131 durumunda PHP t\u0131klanabilir hata mesajlar\u0131 \u00fcretecektir. Kapal\u0131 olmas\u0131 g\u00fcvenlik i\u00e7in \u00f6nerilir. ba\u015f\u0131nda “;” i\u015fareti varsa kald\u0131r\u0131yoruz ve de\u011feri kapat\u0131yoruz.<\/p>\n

Code:
\nhtml_errors = off
\n“max_execution_time” (G\u00fcvenlik)
\nScriptinizi maksimum uygulamay\u0131 y\u00fcr\u00fctme zaman\u0131 mesela kullan\u0131c\u0131 bir linke t\u0131klad\u0131 ve bu linkin a\u00e7\u0131lmas\u0131 belirtilen saniyeden fazla olursa sayfa sitenizin serverda bulundu\u011fu tam yolu g\u00f6stererek hata verir. Bu hatalar\u0131n g\u00f6z\u00fckmesi g\u00fcvenlik a\u00e7\u0131s\u0131ndan sak\u0131ncal\u0131d\u0131r. 300 saniye yazan yeri istedi\u011finiz zaman ile de\u011fi\u015ftirebilirsiniz. bana kal\u0131rsa b\u0131rak\u0131n yolu g\u00f6rs\u00fcn \u00e7ok fazla sayfa beklerse extra y\u011funluk demektir. direk b\u0131rak\u0131n hata versin. s\u00fcreyi 30 yapal\u0131m.<\/p>\n

Code:
\nmax_execution_time = 30
\n“max_input_time” (G\u00fcvenlik)
\nScriptinizin ayn\u0131 \u015fekilde bir dataya ula\u015fmak i\u00e7in istek yollad\u0131\u011f\u0131nda maksimum ge\u00e7en zaman 60 yapal\u0131m. fazla bile<\/p>\n

Code:
\nmax_input_time = 60
\n“allow_call_time_pass_reference” (Performans)
\nFonksiyonlar\u0131n \u00e7a\u011fr\u0131lma zaman\u0131nda ya\u015fanan uyumsuzluklarla ilgili uyar\u0131 verir.
\n\u00f6rne\u011fin ilk belitti\u011fimiz yasak komutlarda hi\u00e7 bir uyar\u0131 vermeden bom bo\u015f sayfa \u00e7\u0131kar\u0131r kar\u015f\u0131ya. b\u00f6yle bir durumda scripte bakmaktansa tekrar bunu a\u00e7\u0131k duruma getirirsiniz hatay\u0131 g\u00f6rd\u00fckten sonra tekrar kapat\u0131n fonksiyonu.<\/p>\n

Code:
\nallow_call_time_pass_reference = off
\n“enable_dl” (G\u00fcvenlik)
\nBu de\u011ferin “off” kapal\u0131 olmas\u0131 gerekir aksi halde ki\u015filerin sistemde php mod\u00fcllerinde \u00e7al\u0131\u015fma yapmas\u0131na olanak sa\u011flar ve sistemde rahat dola\u015fmalar\u0131n\u0131 sa\u011flar g\u00fcvenlik i\u00e7in kesinlikle kapal\u0131 olmas\u0131 gerekir.<\/p>\n

Code:
\nenable_dl = off
\n“track_errors” (G\u00fcvenlik ve Performans)
\nS\u00fcr\u00fcc\u00fclerde meydana gelen hatalarda yetki verildi\u011fi taktirde hata mesaj\u0131 errormsg olarak de\u011fi\u015fkende g\u00f6sterilir.
\ntrack_errors = Off
\n“file_uploads” (G\u00fcvenlik)
\nE\u011fer sunucda tek site bar\u0131nd\u0131r\u0131yorsan\u0131z ve o sitede her hangi bir\u015fey sunucuya y\u00fckletilmiyorsa kapal\u0131 kalmas\u0131nda yarar var. Ama \u00e7oklu site bar\u0131nd\u0131r\u0131yorsan\u0131z. G\u00fcn\u00fcm\u00fczdeki t\u00fcm siteler art\u0131k avatard\u0131r, dosya v.s uploat ediyor karar sizin.
\nben yine kapat\u0131n diyeyimde.<\/p>\n

Code:
\nfile_uploads = off
\n“ignore_repeated_errors” (G\u00fcvenlik ve Performans)
\nKapal\u0131 olursa tekrarlanan hatalar\u0131 loglamaz.
\nignore_repeated_errors = Off
\n“ignore_repeated_source” (G\u00fcvenlik ve Performans)
\nTekrarlanan mesajlar engellendi\u011finde, mesaj kayna\u011f\u0131n\u0131 engeller Bu ayar a\u00e7\u0131k yap\u0131ld\u0131\u011f\u0131nda hatalar\u0131 loglamayacakt\u0131r farkl\u0131 dosyalardan ya da kaynaklardan tekrarlanan mesajlarla.
\nignore_repeated_source = Off
\n“display_startup_errors” (G\u00fcvenlik ve Performans)
\n“display_errors” de\u011feri “on” a\u00e7\u0131k olsa bile, Php’nin \u00e7al\u0131\u015fma s\u0131ras\u0131nda meydana gelen hatalar g\u00f6z\u00fckmeyecektir. Bu de\u011ferin \u015fiddetle “off” kapal\u0131 duruma getirilmesi \u00f6nerilir.<\/p>\n

Code:
\ndisplay_startup_errors = off
\n“safe_mode_gid” (G\u00fcvenlik)
\nUID – GID kontrollerini sadece UID ile yapmas\u0131na izin verir b\u00f6ylece ayn\u0131 grupta dosyalar bulunsa bile g\u00f6remezler yani serverda bulunan di\u011fer clientlar\u0131n scriptlerini v.s g\u00f6rmeleri engellenir.<\/p>\n

Code:
\nsafe_mode_gid = Off
\n“output_buffering = 4096” (Performans)
\n4 KB’lik bir tampon \u00e7\u0131kt\u0131s\u0131 ayarlar “output buffer”<\/p>\n

Code:
\noutput_buffering = 4096
\n“register_argc_argv” (Performans)
\nKapal\u0131 olursa gereksiz ARGV ve ARGC kay\u0131tlar\u0131n\u0131 \u00f6nler. PHP nin ARGV ve ARGC de\u011fi\u015fkenlerini bildirip bildirmemesini anlat\u0131r.<\/p>\n

Code:
\nregister_argc_argv = Off
\n“php_value session.use_trans_sid – php_value session.use_only_cookies”
\nBu \u015fekilde ayarlanmas\u0131 URL’deki PHPSESSID bilgilerini kald\u0131r\u0131r.
\nseo filan yapanlar i\u00e7in uygun. genlede smf, phpbb forumlarda ve sension koruma uygulad\u0131\u011f\u0131n\u0131z scriptler i\u00e7in PHPSESSID bilgilerini url ye eklemez. ba\u015flar\u0131nda ; i\u015fareti varsa kald\u0131r\u0131n.<\/p>\n

Code:
\nsession.use_trans_sid = 0
\nsession.use_only_cookies = 1
\n“session.auto_start”
\nOturum ba\u015flatmay\u0131 ba\u015flang\u0131\u00e7ta isteme
\nsession.auto_start = 0
\n“session.cookie_lifetime”
\nCookie’nin zaman ayar\u0131
\nsession.cookie_lifetime = 0
\n“memory_limit”
\nScriptin t\u00fcketti\u011fi maksimum haf\u0131za miktar\u0131
\nde\u011feri istedi\u011finizgibi verin. 8M \u00e7okfazla bir de\u011fer. sadece kendi siteniz bar\u0131n\u0131yorsa bu de\u011fer normal. ama host ile u\u011fra\u015f\u0131yorsan\u0131z 512K yapman\u0131z daha uygun.<\/p>\n

Code:
\nmemory_limit = 8M
\n“post_max_size”
\nPHP’nin kabul edece\u011fi maksimum POST data boyutu.
\niste\u011finize ba\u011fl\u0131 1 Mb vermek i\u00e7in 1M yaz\u0131n<\/p>\n

Code:
\npost_max_size = 256K
\n“upload_max_filesize”
\nUpload edilen dosyalar\u0131n maksimum boyutu
\nbuda sizin iste\u011finize ba\u011fl\u0131 isterseniz 50M yap\u0131n. o zaman kullan\u0131c\u0131 50 Mb’a kadar dosya upload edebilir.<\/p>\n

Code:
\nupload_max_filesize = 256K
\n“variables_order”
\n(Ortam, GET, POST, \u00c7erez, Sunucu) bunlar\u0131n i\u015flenmedeki s\u0131ralar\u0131n\u0131 belirler.
\nvariables_order = “EGPCS”
\nBu kadar ondan sonra ctrl x y diyip kaydediyoruz ve
\nservice httpd restart diyoruz.
\nGenelde \u00e7o\u011fu fonksiyon zaten b\u00f6yle dedi\u011fim de\u011ferdedir. 3-5 tanesi hari\u00e7 tabi. Yeni ba\u015flayan arkada\u015flar i\u00e7in anlatt\u0131mki hangisi ne i\u015fe yarar \u00f6\u011frenmi\u015f olsunlar.<\/p>\n","protected":false},"excerpt":{"rendered":"

“disable_functions” (G\u00fcvenlik) “disable_functions” ile server\u0131n\u0131zda bir\u00e7ok fonksiyonun \u00e7al\u0131\u015fmas\u0131n\u0131 engelleyebilirsiniz bu sayede sitenize inject edilen scriptler, sheller i\u00e7in g\u00fcvenli\u011finizi alm\u0131\u015f olursunuz. Bu kadar fonksiyon fazla gelebilir ama iyi bir g\u00fcvenlik i\u00e7in \u015fart. Code: disable_functions = foreach, glob, openbasedir, posix_getpwuid, f_open, system,dl, array_compare, array_user_key_compare, passthru, cat, exec, popen, proc_close, proc_get_status, proc_nice, proc_open, escapeshellcmd, escapeshellarg, show_source, posix_mkfifo, ini_restore, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-75","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/75","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/comments?post=75"}],"version-history":[{"count":0,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/posts\/75\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/media?parent=75"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/categories?post=75"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shukko.com\/x3\/wp-json\/wp\/v2\/tags?post=75"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}