Environment

  • Pagoda (BT panel) on CentOS 7 (Aliyun ECS)
  • MySQL 5.6 (RDS)
  • PHP 7.0 (ThinkPHP 5.0)
  • Redis 6.0
  • JDK 1.8

Disable PHP execution in the image upload directory

  • Take stock of the directories under the site that receive uploaded image files
  • Add an nginx location that refuses to serve PHP from the upload directory. The dot must be escaped, matching should be case-insensitive (`x.PHP`), and the pattern should also catch `x.php/foo.jpg`-style PATH_INFO requests, which Pagoda's default PHP handler (`location ~ [^/]\.php(/|$)`) would otherwise hand to PHP-FPM:
    location ~* public/Upload/.*\.(php|phtml|php5)(/|$) {
    	return 403;
    }
  • In Pagoda go to Website -> select the site -> Settings -> Config File and paste the block above the line "# php-info-start PHP reference configuration, can be commented or modified". It has to sit before the PHP handler: nginx serves a request with the first regex location that matches, so a deny block placed after the handler never fires.
  • The pattern is matched against the request URI, not the filesystem path. If the site root is `public/`, the browser requests `/Upload/...`, so adjust the prefix to what actually appears in the URL, then verify by requesting a `.php` path under the upload directory and expecting 403.
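Pagoda rewrites site configs from the panel, and a paste that lands below the handler is silently useless, so an ordering check is worth keeping around. The script below is an added example, not part of the original page or of Pagoda: it assumes Pagoda's layout, where the PHP handler is pulled in by an `include enable-php-*.conf;` line after the `# php-info-start` marker, and treats the first line that mentions that marker, that include, or a `\.php` location as the handler position. The config path in the usage line is a placeholder for the site's own file.

```shell
#!/bin/sh
# Added example (not from the page): static check of a Pagoda nginx site config.
# nginx serves a request with the FIRST regex `location ~` that matches, so the
# upload deny block only works if it precedes the PHP handler. On Pagoda the
# handler is usually pulled in by `include enable-php-XX.conf;` right after the
# `# php-info-start` marker, so that marker (or an explicit `\.php` location)
# is taken as the handler position.
# Exit codes: 0 = deny present and before the handler
#             1 = no deny block for the upload directory
#             2 = deny block placed after the handler (dead rule)
check_upload_deny() {
    conf="$1"
    # first `location` line that names the upload directory
    deny_line=$(grep -nE '^[[:space:]]*location.*Upload/' "$conf" \
        | head -n1 | cut -d: -f1 || true)
    # first line that positions the PHP handler (marker, include or \.php location)
    handler_line=$(grep -nE 'php-info-start|enable-php|\\\.php' "$conf" \
        | grep -v 'Upload/' | head -n1 | cut -d: -f1 || true)
    if [ -z "$deny_line" ]; then
        echo "no upload deny location in $conf"
        return 1
    fi
    if [ -n "$handler_line" ] && [ "$deny_line" -gt "$handler_line" ]; then
        echo "deny at line $deny_line is after the PHP handler at line $handler_line (dead rule)"
        return 2
    fi
    echo "ok: deny at line $deny_line precedes the handler at line ${handler_line:-?}"
    return 0
}

# Usage (placeholder path, Pagoda keeps site configs under
# /www/server/panel/vhost/nginx/ by default):
#   check_upload_deny /www/server/panel/vhost/nginx/xxx.com.conf
if [ "$#" -gt 0 ]; then check_upload_deny "$1"; fi
```

Run it from a cron job or after every panel change; a non-zero exit means the upload directory is executable again. The check is textual only, so still confirm with a real request (`curl -I` against a `.php` path under the upload directory should return 403) after `nginx -t` and a reload.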

PHP Basics

  • High-risk functions; add them to `disable_functions` in php.ini (Pagoda: PHP manager -> Configuration file). Two caveats: `eval` is a language construct, not a function, so `disable_functions` cannot switch it off, and the `pcntl_*` entries only exist if the pcntl extension is compiled in.

    apache_setenv
    chgrp
    chown
    chroot
    dl
    eval
    exec
    imap_open
    ini_alter
    ini_restore
    openlog
    passthru
    pcntl_alarm
    pcntl_exec
    pcntl_fork
    pcntl_get_last_error
    pcntl_getpriority
    pcntl_setpriority
    pcntl_signal
    pcntl_signal_dispatch
    pcntl_sigprocmask
    pcntl_sigtimedwait
    pcntl_sigwaitinfo
    pcntl_strerror
    pcntl_wait
    pcntl_waitpid
    pcntl_wexitstatus
    pcntl_wifcontinued
    pcntl_wifexited
    pcntl_wifsignaled
    pcntl_wifstopped
    pcntl_wstopsig
    pcntl_wtermsig
    phpinfo
    popen
    proc_open
    putenv
    readlink
    shell_exec
    symlink
    syslog
    system
  • Do not show detailed error information to the browser: display_errors = Off in php.ini (keep log_errors = On so the errors still reach the error log instead of the attacker)
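Pagoda ships its own php.ini per PHP version and panel upgrades or hand edits can quietly drop entries, so it is useful to diff the live file against the list above rather than trust memory. The script below is an added example (not from the original page): it parses the last active `disable_functions` and `display_errors` assignments from a php.ini, which is how PHP itself resolves duplicate keys, and reports every risky function that is still enabled. The ini path is an argument; nothing here is Pagoda's own code.

```shell
#!/bin/sh
# Added example (not from the page): audit a php.ini against the high-risk
# function list above and the display_errors setting.
# Uses the LAST uncommented `key = value` line, because later php.ini lines
# override earlier ones, and prints one line per finding.

RISKY_FUNCTIONS="apache_setenv chgrp chown chroot dl eval exec imap_open ini_alter ini_restore openlog passthru pcntl_alarm pcntl_exec pcntl_fork pcntl_get_last_error pcntl_getpriority pcntl_setpriority pcntl_signal pcntl_signal_dispatch pcntl_sigprocmask pcntl_sigtimedwait pcntl_sigwaitinfo pcntl_strerror pcntl_wait pcntl_waitpid pcntl_wexitstatus pcntl_wifcontinued pcntl_wifexited pcntl_wifsignaled pcntl_wifstopped pcntl_wstopsig pcntl_wtermsig phpinfo popen proc_open putenv readlink shell_exec symlink syslog system"

# ini_value FILE KEY -> value of the last active `KEY = value` line, whitespace removed
ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n1 | cut -d= -f2- | tr -d ' \t\r' || true
}

# audit_php_ini FILE: prints "ENABLED <func>" for each risky function that is
# not in disable_functions and "display_errors=<value>" when errors would be
# shown to the browser. Returns 0 only when there are no findings.
audit_php_ini() {
    ini="$1"
    findings=0
    # wrap in commas so each name is matched as a whole token (exec != pcntl_exec)
    disabled=",$(ini_value "$ini" disable_functions),"
    for fn in $RISKY_FUNCTIONS; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "ENABLED $fn"; findings=$((findings + 1)) ;;
        esac
    done
    de=$(ini_value "$ini" display_errors | tr 'A-Z' 'a-z')
    case "$de" in
        off|0|false) ;;
        *) echo "display_errors=${de:-unset}"; findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Usage: audit_php_ini /www/server/php/70/etc/php.ini   (path is an example)
if [ "$#" -gt 0 ]; then audit_php_ini "$1"; fi
```

Remember that `eval` will always be reported as enabled because `disable_functions` cannot cover it; that line is a reminder to grep the code base for it, not something the ini can fix. After editing, confirm the running values with `php -i | grep -E 'disable_functions|display_errors'` and restart PHP-FPM, since php.ini is only read at startup.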

Site access log configuration

  • Point the access_log/error_log directives in the site configuration at a directory on the data disk rather than the system disk, so a busy site or a log-flooding request storm cannot fill the root filesystem
  • Log rotation
    • Scheduled Tasks -> New task
    • Task type: Log splitting
    • Execution period: 00:00 every day
    • Sites to rotate: all
    • Keep the latest: at least 180 copies (these logs are the first thing you need when investigating a compromise, so keep them long enough to cover a late discovery)

Upload restrictions in the PHP admin backend

  • Validate the received file on the server: the extension must be one of png, jpg, jpeg, webp, and the file content must really be that image type (check the leading bytes / MIME type with finfo or getimagesize, never the client-supplied Content-Type or filename); store it under a server-generated name rather than the name the client sent
  • Upload the file to OSS first and delete the local copy once the upload completes, so no user-supplied file stays on the web server at all
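The content check is the part that usually goes wrong, because checking the extension alone lets `shell.png` (PHP source) through and checking only the content lets `ok.php` (a real PNG) through. The script below is an added example, not code from the page or from ThinkPHP: it implements the same decision in POSIX shell using `od` to read the magic bytes, so it runs anywhere and can be used to spot-check a directory of existing uploads; the PHP backend would do the same with `finfo_file()` or `getimagesize()`. The sample files in the usage are constructed inline.

```shell
#!/bin/sh
# Added example (not from the page): decide an uploaded file's real type from
# its leading bytes instead of its name, then accept it only if the declared
# extension and the detected content agree.

# image_kind FILE -> png | jpeg | webp | none, from the first 12 bytes
image_kind() {
    # od -tx1 prints two lowercase hex digits per byte; strip spacing
    hex=$(od -An -tx1 -N12 "$1" | tr -d ' \n')
    case "$hex" in
        89504e470d0a1a0a*)          echo png ;;   # PNG signature
        ffd8ff*)                    echo jpeg ;;  # JPEG SOI marker
        52494646????????57454250*)  echo webp ;;  # "RIFF" <size> "WEBP"
        *)                          echo none ;;
    esac
}

# check_upload FILE: 0 if the extension is allowed AND the content matches it,
# 1 (with a reason on stdout) otherwise
check_upload() {
    f="$1"
    ext=$(printf '%s' "${f##*.}" | tr 'A-Z' 'a-z')
    kind=$(image_kind "$f")
    case "$ext:$kind" in
        png:png|jpg:jpeg|jpeg:jpeg|webp:webp) return 0 ;;
    esac
    echo "reject $f: extension '$ext' but content is '$kind'"
    return 1
}

# Usage: check_upload /path/to/upload.png  (exit status 0 = accept)
if [ "$#" -gt 0 ]; then check_upload "$1"; fi
```

This check rejects PHP source renamed to `.png` and real images renamed to `.php`, but not a polyglot: a valid JPEG with `<?php ...` appended still passes, which is exactly why the page also disables PHP execution in the upload directory and moves files off the web server to OSS. If you need to defeat polyglots too, re-encode the image (for example with GD's imagecreatefromjpeg/imagejpeg) so trailing payload bytes are dropped.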

Added site directory file monitoring – inotifywait

  • Install it: yum install inotify-tools -y
  • A shell script. Log, text and image files and the ThinkPHP runtime folder are excluded; any PHP file that is created, written, moved in or chmod'ed under the web root is moved out of the way. The original only watched move and attrib events, which misses a webshell written directly to disk, so create and close_write are watched as well:
    #!/bin/bash
    filePath=/mnt/wwwroot/xxx.com
    # Exclude logs, text files, images and the ThinkPHP runtime folder.
    # Double quotes so that $filePath is expanded inside the pattern;
    # --excludei makes the match case-insensitive (.JPG, .PNG).
    inotifywait -mrq \
        --excludei "(\.(log|txt|jpg|png)$|^$filePath/runtime)" \
        --timefmt '%y/%m/%d %H:%M' --format '%T %w%f %e' \
        -e create,close_write,move,attrib "$filePath/" |
    while read -r date time file event; do
        case $event in
            ATTRIB|CREATE|CLOSE_WRITE|MOVED_TO)
                echo "$event $file"
                # A PHP file appearing or changing under the web root is a
                # webshell candidate: move it into the script directory
                # (outside the web root) instead of leaving it servable.
                ext=$(printf '%s' "${file##*.}" | tr 'A-Z' 'a-z')
                if [ "$ext" = "php" ]; then
                    # rm -f "$file"
                    mv "$file" aaa.del
                fi
                ;;
            *)
                echo "other $event $file"
                ;;
        esac
    done
  • Set the script permission to 744 (chmod 744)
  • Start the script
    nohup /mnt/wwwroot/script.xxx.com/xxx_change.sh &
  • A nohup.out file is written in the directory the script was started from and records every monitored event. It grows without bound, so rotate it with the other logs; and note that moving the file only defuses the shell, the access log still has to be read to find out how it got there.

Server ports

  • 22 - SSH remote access; restrict the allowed source IPs in the security group where possible
  • 80 - HTTP
  • 443 - HTTPS
  • 8888 - Pagoda panel; change it to a non-default port and restrict access by source IP
  • 3306 - MySQL; use the cloud database (RDS) and close 3306 on the server
  • 21 - FTP; deploy code with a Git webhook or Docker instead and close it
  • Close every other port one by one in Security -> Firewall, especially ports whose purpose is unclear. The Pagoda firewall page only manages the OS firewall, so close the same ports in the ECS security group as well
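The firewall list tells you what is intended; `ss` tells you what is actually listening, and the two drift apart whenever a panel plugin or a developer starts something new. The script below is an added example (not from the page): it reads `ss -tuln` output from stdin, so it also works on a saved copy from an incident, and prints every listening socket whose port is not in the allow list. The allow list and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the page): compare the sockets the server actually
# listens on with an allow list of ports. Input is `ss -tuln` style text on
# stdin (Netid State Recv-Q Send-Q Local Peer ...); a header line is ignored
# because its "port" field is not numeric.
# Prints one line per unexpected listener; returns 1 if any were found.
unexpected_ports() {
    allowed=" $1 "          # padded so " 22 " cannot match " 2222 "
    found=0
    while read -r proto state recvq sendq local peer rest; do
        port="${local##*:}"   # works for 0.0.0.0:22, [::]:22 and *:22
        case "$port" in ''|*[!0-9]*) continue ;; esac
        case "$allowed" in
            *" $port "*) ;;
            *) echo "UNEXPECTED $proto $local"; found=1 ;;
        esac
    done
    return $found
}

# Usage (on the server):  ss -tuln | tail -n +2 | unexpected_ports "22 80 443"
if [ "$#" -gt 0 ]; then unexpected_ports "$1"; fi
```

A listener bound to 127.0.0.1 (for example a local MySQL or Redis) is reported too, which is deliberate: it is not reachable from outside, but the page's advice is to not run it on the web server at all, and a local Redis 6.0 without a password is a classic privilege-escalation step once an attacker has a webshell.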

Alibaba Cloud

  • AccessKey
    • Disable the AccessKey of the primary (root) account
    • Use a RAM sub-account and grant it only the permissions the application needs, for example the SMS service and object storage (OSS)
    • Never store the key in application code or committed configuration, especially in a project that is public on GitHub; a leaked AK gives the holder everything that account can do
  • Cloud Security Center
    • Bind a mobile phone number and pay attention to Aliyun product SMS notifications
    • Handle the medium and high risk items in the security alert menu first (abnormal ECS remote logins, discovered backdoor files, etc.)
    • Work through the vulnerability fix and baseline check menus according to severity
    • The AK leak detection menu deserves the most attention

Cloud database RDS

  • Account permission settings
    • Create one database account per service module
    • Grant each account only the privileges it needs on each table (least privilege)
    • For example, if account A needs the user table but the system never deletes users, revoke DELETE and DROP on the user table from account A
    • For example, the trading record table is never deleted or updated by the system, so revoke DELETE, DROP and UPDATE on it from every account (SELECT and INSERT only); an injection through any module then cannot rewrite transaction history
  • Whitelist / security group settings
    • Switch to the high-security whitelist mode
    • Add a server group with the network isolation mode set to private network, so the application reaches RDS over the internal address only
    • Add a local development group with the network isolation mode set to classic network and public addresses, limited to the developers' IPs
  • SQL Insight: once enabled, every executed SQL statement can be reviewed, which is what you need when investigating a suspected injection