PHP & Security Configuration Q's

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Post Reply
User avatar
peerless
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Oct 05, 2007 8:30 am

PHP & Security Configuration Q's

Post by peerless » Sun Jul 25, 2021 2:28 am

Howdy All,

I am running down the security checklist and have some questions regarding php, also just kind of running through the security check list as I go along so any recommendations from the seasoned users here would be welcome.

I am having some slight confusion regarding the php security directive within the following article:

https://docs.joomla.org/Special:MyLangu ... rver_Setup
Use local php.ini files
On shared servers you can't edit the main php.ini file, but you may be able to add custom, local php.ini files. If so, you'll need to copy the php.ini files to every sub-directory that requires custom settings.
I am running on a VPS server and my only php.ini file is located in /etc/php/7.4/fpm. I do not have any other php.ini files located on my system.

Code: Select all

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
I either do not even have these functions within my php.ini file or they are commented out, and the .ini file already has a lengthy 'disable_functions =' listed.
Consider Using PHP open_basedir
You might consider enabling open_basedir. This directive limits the files that can be opened by PHP to the specified directory-tree.
I have this directive currently commented out, tell me why I need to use it? Also I am assuming I would use my web root directory such as /var/www/my-site:/tmp appended with the tmp to force it to use the systems temp folder.

allow_url_include and allow_url_fopen are already set correctly.

Also any comments regarding the base installation of mysql 8.0 in its base configuration would be appreciated.

Alright going to go check on directory and file permission settings to make sure they are set correctly.

Oh Ya, Server config
Debian 10
Nginx 1.20.1
PHP 7.4.21
MySql 8.0
Joomla 3.9.28

Thanks,
Last edited by peerless on Sun Jul 25, 2021 4:10 am, edited 1 time in total.
Robert
Automotive Specialist
Joomla Enthusiast
Linux Enthusiast

User avatar
peerless
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Oct 05, 2007 8:30 am

Re: PHP Security Configuration Q's

Post by peerless » Sun Jul 25, 2021 4:07 am

Ok since we are on the subject of security, I have verified my file permissions, no 777's on this server at all anywhere. I only have 2 ports open, 443:https and 21:ssh so the server is pretty well locked down.

Speaking of ssh, I have PAM and password log ins disabled, ssh key pairs only. You got the password, that is nice, going no where with that. You would have to somehow get the key off my local machine, only draw back to this is if I lose the key, then I am screwed, I would literally lose access to the server.

So with that said, back up strategy is next. I am thinking rsync over ssh, or possibly scp. I use secure copy to push content from my local to the server over the ssh connection. Hmmm, I will have to do a little research.

Any strategies or recommendations using secure open source solutions?

Thanks
Robert
Automotive Specialist
Joomla Enthusiast
Linux Enthusiast

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 28056
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: PHP & Security Configuration Q's

Post by Per Yngve Berg » Sun Jul 25, 2021 7:14 am

allow_url_include must be off.
allow_url_fopen must be on


I will not recommend using open_basedir. It will slow down the server.

Configure fpm-cgi so that each site is running as it own Linux User. That way, if one site get hacked, it cannot write to other sites files.

User avatar
peerless
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Oct 05, 2007 8:30 am

Re: PHP & Security Configuration Q's

Post by peerless » Sun Jul 25, 2021 7:58 pm

Thank You for the sage advice. I have verified the 'allow_url_' settings as correct, not using 'open_basedir' and I confirmed all my php settings are correct and everything that can be is set to 'unwrittable' within Joomla.

Thanks for the tip regarding fpm-cgi configuration. I currently have them set as www-data for user and group as I am currently only running a single site. Perhaps in the future I would name the user and group as 'my_site' for each individual site, Clever tip, I appreciate that.

I think I am set on the security front for the moment, only thing being setting up backups and I will work on that today. Going with rsync over ssh, makes sense and doesn't expose me to 3rd party applications.
Per Yngve Berg wrote:
Sun Jul 25, 2021 7:14 am
allow_url_include must be off.
allow_url_fopen must be on


I will not recommend using open_basedir. It will slow down the server.

Configure fpm-cgi so that each site is running as it own Linux User. That way, if one site get hacked, it cannot write to other sites files.
Robert
Automotive Specialist
Joomla Enthusiast
Linux Enthusiast


Post Reply

Return to “Security in Joomla! 3.x”