Environment
- Pagoda panel on CentOS 7 (Aliyun ECS)
- MySQL 5.6 (RDS)
- PHP 7.0 (ThinkPHP 5.0)
- Redis 6.0
- JDK 1.8
Disable PHP script execution in the image upload directory
- Take stock of the image upload directories under each site; any directory that accepts uploads from users needs this
- Add an NGINX location block that refuses every request for a .php file under the upload directory:

```nginx
location ~* ^/public/Upload/.*\.php(/|$) { return 403; }
```

- In Pagoda, go to Website -> select the site -> Settings -> Config File and paste the block above the line "# php-info-start PHP reference configuration, can be commented or modified". The order matters: NGINX takes the first regular-expression location that matches, so this block has to come before the location that hands .php requests to PHP-FPM, and the php-info-start section is where that handler is included
- The original pattern `public/Upload/(.*).(php)$` left the dot unescaped (so it matched any character) and had no anchor; the version above escapes it, anchors at the start of the URI, matches case-insensitively and also catches path-info forms such as `shell.php/x.jpg`. The path has to match the request URI: if the site's run directory is set to `public`, the URI does not contain `/public/` and the pattern should begin with `^/Upload/`. If your PHP handler also matches other suffixes (phtml and so on), extend the pattern accordingly. This block is a second line of defence only; the upload code still has to validate what it receives
PHP Basics
- High-risk functions. Add them to disable_functions (a comma-separated list) in the php.ini of the PHP version the site runs on, then restart PHP-FPM. The list used here:

```
apache_setenv chgrp chown chroot dl eval exec imap_open ini_alter ini_restore openlog passthru pcntl_alarm pcntl_exec pcntl_fork pcntl_get_last_error pcntl_getpriority pcntl_setpriority pcntl_signal pcntl_signal_dispatch pcntl_sigprocmask pcntl_sigtimedwait pcntl_sigwaitinfo pcntl_strerror pcntl_wait pcntl_waitpid pcntl_wexitstatus pcntl_wifcontinued pcntl_wifexited pcntl_wifsignaled pcntl_wifstopped pcntl_wstopsig pcntl_wtermsig phpinfo popen proc_open putenv readlink shell_exec symlink syslog system
```

  The duplicate pcntl_exec entry and popepassthru (which is not a PHP function) have been dropped from the list. Note that eval is a language construct, not a function, so listing it in disable_functions has no effect; do not count on it being disabled.
- Do not output detailed error information: set display_errors = Off in php.ini (PHP also accepts false) and keep log_errors = On so errors still reach the error log. For ThinkPHP 5.0 also set app_debug to false in application/config.php, otherwise the framework's own error page prints stack traces and source lines.
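The following is an added example, not code from the original post: it compares a disable_functions value with the list above and prints every function that is not disabled, so you can tell whether the running configuration has drifted from the intended one. Feed it the value from the php.ini that PHP-FPM uses, not the CLI's own ini file; the path in the usage comment is an assumption about the Pagoda layout. eval is left out of the required list because disable_functions cannot disable a language construct.

```bash
#!/bin/bash
# Added example (not from the original post): report high-risk functions that are
# NOT present in a disable_functions value.
# Usage (path assumed for a Pagoda PHP 7.0 install):
#   audit_disable_functions "$(php -c /www/server/php/70/etc/php.ini -r 'echo ini_get("disable_functions");')"

# The post's list minus the duplicate pcntl_exec, the non-existent popepassthru,
# and eval (a language construct that disable_functions cannot turn off).
REQUIRED_DISABLED="apache_setenv chgrp chown chroot dl exec imap_open ini_alter ini_restore openlog passthru pcntl_alarm pcntl_exec pcntl_fork pcntl_get_last_error pcntl_getpriority pcntl_setpriority pcntl_signal pcntl_signal_dispatch pcntl_sigprocmask pcntl_sigtimedwait pcntl_sigwaitinfo pcntl_strerror pcntl_wait pcntl_waitpid pcntl_wexitstatus pcntl_wifcontinued pcntl_wifexited pcntl_wifsignaled pcntl_wifstopped pcntl_wstopsig pcntl_wtermsig phpinfo popen proc_open putenv readlink shell_exec symlink syslog system"

# Prints one missing function name per line.
# Returns 0 when every required function is disabled, 1 otherwise.
audit_disable_functions() {
  local current f rc=0
  # normalise the ini value: lower-case, commas to newlines, whitespace removed
  current=$(printf '%s' "$1" | tr 'A-Z,' 'a-z\n' | tr -d ' \t')
  for f in $REQUIRED_DISABLED; do
    if ! printf '%s\n' "$current" | grep -qx "$f"; then
      echo "$f"
      rc=1
    fi
  done
  return $rc
}
```

Run it after every PHP upgrade or panel reinstall: both tend to replace php.ini with a stock one, and an empty report is the only proof that the list is actually in force for the FPM workers.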
Site access log configuration
- Point the paths after access_log and error_log in the site's NGINX config at a directory on the data disk, so a traffic burst or an attack cannot fill the system disk
- Log splitting
  - Scheduled Tasks -> New task
  - Task type: Log splitting
  - Execution period: 00:00 every day
  - Sites to split: all
  - Keep the latest: at least 180 copies (one per day, so roughly six months of history to reconstruct an incident from)
PHP system background upload restrictions
- Check the received file's type by its content, not by the extension or the Content-Type the client sends; only these image types are accepted:
  PNG, JPG, JPEG, WebP
- Store the file under a freshly generated name with the validated extension, never under the name the client supplied
- Upload the file to OSS first and delete the local copy once the upload has completed, so nothing uploaded stays under the web root
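The content check described above, as an added example that is not code from the original post: the declared type (from the whitelisted extension) is compared with the type implied by the file's first bytes, so a PHP file renamed to `shell.php.png` is rejected even though its extension is on the list. In the PHP upload handler the same check is finfo_open(FILEINFO_MIME_TYPE) plus getimagesize(); this shell version exists so the rule can be exercised stand-alone. Function names and the magic-byte table are the example's own.

```bash
#!/bin/bash
# Added example (not from the original post): content check for an uploaded image.
# The extension and the client's Content-Type are both chosen by the uploader, so
# the first bytes of the file are compared with the type the extension claims.

# Type implied by the first bytes of the file: png, jpeg, webp or unknown.
magic_type() {
  local hex
  hex=$(head -c 12 "$1" | od -An -tx1 | tr -d ' \n')
  case "$hex" in
    89504e470d0a1a0a*)          echo png ;;     # \x89 P N G \r \n \x1a \n
    ffd8ff*)                    echo jpeg ;;    # SOI marker
    52494646????????57454250*)  echo webp ;;    # "RIFF" <4-byte size> "WEBP"
    *)                          echo unknown ;;
  esac
}

# Type implied by the file name, using the same whitelist as the post.
ext_type() {
  local name
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$name" in
    *.png)        echo png ;;
    *.jpg|*.jpeg) echo jpeg ;;
    *.webp)       echo webp ;;
    *)            echo unknown ;;
  esac
}

# Accept (exit 0) only when the extension is whitelisted AND the bytes agree with it.
# "shell.php.png" passes the extension test but is rejected here unless it really
# is a PNG; "shell.php" is rejected outright.
check_upload() {
  local declared actual
  declared=$(ext_type "$1")
  [ "$declared" != unknown ] || return 1
  actual=$(magic_type "$1")
  [ "$actual" = "$declared" ]
}
```

A file that passes should then be written under a new random name with the validated extension; the original name never reaches the disk. If the application can afford it, re-encoding the image with GD or Imagick also strips PHP code hidden in image metadata, which this check does not look for.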
Site directory file monitoring with inotifywait
- Installation (on CentOS 7 the package comes from the EPEL repository):

```bash
yum install inotify-tools -y
```

- The shell script. It watches the site directory, ignores logs, text files, images and the ThinkPHP runtime directory, and moves any PHP file that appears or changes out of the web root. The quarantine directory is assumed to be a subdirectory of the script directory used below; each quarantined file gets a timestamped name so later ones do not overwrite earlier ones:

```bash
#!/bin/bash
# Watch a site directory and quarantine any PHP file that is created, written,
# moved in or has its attributes changed.
filePath=/mnt/wwwroot/xxx.com
# Quarantine location (assumed: a subdirectory of the script directory)
quarantine=/mnt/wwwroot/script.xxx.com/quarantine
mkdir -p "$quarantine"

# exclude log, txt and image files and the ThinkPHP runtime folder
inotifywait -mrq \
  --exclude "(\.(log|txt|jpg|png)$|^$filePath/runtime/)" \
  --timefmt '%y/%m/%d %H:%M' --format '%T %w%f %e' \
  -e create,close_write,moved_to,attrib "$filePath/" |
while read -r day time file event; do
  ext="${file##*.}"
  case "$event" in
    CREATE|CLOSE_WRITE|MOVED_TO|ATTRIB)
      echo "$day $time $event $file"
      # a PHP file appeared or changed: move it out of the web root
      if [ "$ext" = "php" ] && [ -f "$file" ]; then
        mv "$file" "$quarantine/$(date +%s)_$(basename "$file").del"
        echo "quarantined $file"
      fi
      ;;
    *)
      # directory events (CREATE,ISDIR and so on) and anything else
      echo "other $event $file"
      ;;
  esac
done
```

- Set the script's permissions to 744
- Start the script in the background:

```bash
nohup /mnt/wwwroot/script.xxx.com/xxx_change.sh &
```

- A nohup.out file is written in the directory the command was started from and records every file that was seen and quarantined
- Caveats: the watcher quarantines every new .php file, including a legitimate deployment, so stop it or exclude the deployment target while updating code; nohup does not survive a reboot, so start the script from a Pagoda startup task or a systemd unit; and the check is on the .php suffix only, so extend it if your NGINX PHP handler matches other suffixes
Server ports
- 22: SSH remote access; restrict the source addresses in the security group rather than leaving it open to the world
- 80: HTTP
- 443: HTTPS
- 8888: Pagoda panel; change it to a non-default port and restrict access to it by source IP
- 3306: MySQL; use the cloud database (RDS) and close 3306 on the server
- 21: FTP; deploy code with a Git webhook or Docker instead, then close it
- Close every other port one by one in the Security -> Firewall menu, especially any port whose purpose you cannot account for
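The firewall list above says which ports may be open; the check a practitioner wants alongside it is what is actually listening on the box. The following is an added example, not code from the original post: it parses `ss -lntu` output and prints every listening socket whose port is not on the allowlist, with its bind address so loopback-only services (a local Redis, for instance) can be told apart from ones bound to all interfaces. The allowlist is this section's list; 3306 and 21 are deliberately absent.

```bash
#!/bin/bash
# Added example (not from the original post): compare what is listening with the
# port allowlist from this section. Run as root:
#   unexpected_ports "$(ss -lntuH)"
ALLOWED_PORTS="22 80 443 8888"   # 8888 should be changed to the panel's new port

# Takes `ss -lntu` output (header line optional) as its argument. Prints
# "proto port local-address" for every socket whose port is not allowed.
# Returns 0 when nothing unexpected is listening, 1 otherwise.
unexpected_ports() {
  printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "tcp" || $1 == "udp" {
      port = $5
      sub(/.*:/, "", port)        # keep what follows the last colon: works for *:80, 0.0.0.0:80 and [::]:80
      if (!(port in ok)) { print $1, port, $5; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}
```

Anything the function reports bound to 0.0.0.0 or [::] is reachable as soon as the firewall rule is missing, so either stop the service, bind it to 127.0.0.1, or add the port to the allowlist on purpose. Remember that the panel firewall and the ECS security group are two separate layers; a port has to be closed in both to be closed.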
Aliyun
- AccessKey
  - Disable the AccessKey of the primary (root) account and do not create new ones for it
  - Use a RAM sub-account and grant it only the permissions the application needs, for example the SMS service and Object Storage Service
  - Never store the key in application code or configuration that gets committed, especially if the repository is public on GitHub; if a key has been committed, rotate it, because removing the commit does not remove the key from the history
- Cloud Security Center
  - Bind a mobile phone number and pay attention to SMS notifications from Aliyun products
  - Work through the medium- and high-risk alerts in the security warning processing menu first (unusual ECS remote logins, backdoor files found, and so on)
  - Work through the vulnerability repair and baseline check menus in order of severity
  - The AK leak detection menu deserves the first look
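A local safety net for the "never store it in the application" rule, as an added example that is not code from the original post: it scans a source tree for Alibaba Cloud AccessKey IDs before code is committed or pushed. AccessKey IDs begin with "LTAI"; the length bound of 12 to 20 characters after the prefix is an assumption meant to cover the older and newer formats. The secret itself is a random string that cannot be matched reliably, so the scan reports the ID and the file, which is enough to find the pair.

```bash
#!/bin/bash
# Added example (not from the original post): scan a tree for Alibaba Cloud
# AccessKey IDs. Usage: scan_for_accesskeys /mnt/wwwroot/xxx.com
# Exit 1 (and print file:line:masked-id) if anything is found, 0 otherwise.
AK_PATTERN='LTAI[A-Za-z0-9]{12,20}'   # "LTAI" prefix is the AccessKey ID format; length bound is assumed

scan_for_accesskeys() {
  local dir="$1" hits
  # skip VCS metadata, third-party code, the ThinkPHP runtime cache and logs;
  # -I skips binary files, -o prints only the matched ID, -n adds the line number
  hits=$(grep -rIEon --exclude-dir=.git --exclude-dir=vendor --exclude-dir=runtime \
           --exclude='*.log' "$AK_PATTERN" "$dir" 2>/dev/null)
  [ -z "$hits" ] && return 0
  # mask everything after the first 8 characters so the report cannot leak the key itself
  printf '%s\n' "$hits" | sed -E 's/(LTAI[A-Za-z0-9]{4})[A-Za-z0-9]+/\1****/'
  return 1
}
```

Wire it into a pre-commit hook or the webhook deploy step so a non-zero exit blocks the push. It is a net, not the fix: keep the key out of the code base entirely (environment variables on the ECS host or a RAM role bound to the instance), and if the scan ever fires on something already pushed, rotate the key first and clean the repository second.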
Cloud database RDS
- Account permission settings
  - Create one account per service module
  - Grant each account only the privileges it needs on each table (least privilege)
  - For example, if account A needs the user table but the system never deletes from it, remove DELETE and DROP on the user table from that account
  - For example, the system never deletes or updates the trading record table, so remove DELETE, DROP and UPDATE on that table from every account
- Whitelist and security group settings
  - Switch the whitelist to high-security mode
  - Add a group for the servers, using the private network (VPC) addresses
  - Add a separate group for local development, using the classic network or public addresses, and remove its entries as soon as they are no longer needed
- SQL insight (SQL audit): once enabled, every executed statement is recorded, which is what you need to trace a suspicious query back to an account
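The per-module grants described under account permission settings, as an added example that is not code from the original post. The database, account and table names are placeholders; the two rules from the text (no DELETE or DROP on the user table, nothing but reads and inserts on the trading record table) are encoded as a deny-list that the script checks before it emits any SQL, so a spec that violates them is refused instead of rendered. Accounts are assumed to have been created in the RDS console as 'name'@'%', with the RDS whitelist limiting where connections may come from.

```bash
#!/bin/bash
# Added example (not from the original post): generate least-privilege GRANT
# statements for per-module RDS accounts from a small spec. Pipe the output into
# mysql as the RDS high-privilege account:
#   render_grants | mysql -h <rds-host> -u <admin> -p
DB=shop_db          # placeholder database name
HOST='%'            # RDS console creates accounts as 'user'@'%'; the whitelist restricts sources

# "account table privileges", one line per table an account may touch.
GRANT_SPEC='
svc_user   user          SELECT,INSERT,UPDATE
svc_user   user_profile  SELECT,INSERT,UPDATE,DELETE
svc_trade  trade_record  SELECT,INSERT
svc_trade  user          SELECT
svc_report trade_record  SELECT
'

# The two rules from this section as a deny-list: table -> privileges never allowed.
DENY_SPEC='
user          DELETE,DROP
trade_record  DELETE,DROP,UPDATE
'

# Exit 1 and name the offending spec line if any entry grants a denied privilege.
check_spec() {
  printf '%s\n' "$GRANT_SPEC" | awk -v deny="$DENY_SPEC" '
    BEGIN {
      n = split(deny, lines, "\n")
      for (i = 1; i <= n; i++)
        if (split(lines[i], f, " ") == 2) {
          k = split(f[2], p, ",")
          for (j = 1; j <= k; j++) denied[f[1] "," p[j]] = 1
        }
    }
    NF == 3 {
      k = split($3, p, ",")
      for (j = 1; j <= k; j++)
        if (($2 "," p[j]) in denied) { print "denied: " $0; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Prints the SQL: for each account, revoke everything it had, then grant exactly
# the table-level privileges in the spec. Returns 1 without output if the spec
# breaks a deny rule.
render_grants() {
  local acct tbl privs seen=""
  check_spec >&2 || return 1
  printf '%s\n' "$GRANT_SPEC" | while read -r acct tbl privs; do
    [ -n "$acct" ] || continue
    case " $seen " in
      *" $acct "*) ;;
      *)  # first line for this account: start from nothing
        printf "REVOKE ALL PRIVILEGES, GRANT OPTION FROM '%s'@'%s';\n" "$acct" "$HOST"
        seen="$seen $acct"
        ;;
    esac
    printf "GRANT %s ON \`%s\`.\`%s\` TO '%s'@'%s';\n" "$privs" "$DB" "$tbl" "$acct" "$HOST"
  done
  echo "FLUSH PRIVILEGES;"
}
```

Keeping the spec in version control and regenerating the grants from it is what makes the "minimum" auditable: the deny-list is the policy, the spec is the current state, and SQL insight shows whether any account is doing something the spec does not allow.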