PHP & Security Configuration Q's

[peerless]

Howdy All,

I am running down the security checklist and have some questions regarding php, also just kind of running through the security check list as I go along so any recommendations from the seasoned users here would be welcome.

I am having some slight confusion regarding the php security directive within the following article:

https://docs.joomla.org/Special:MyLangu ... rver_Setup

Use local php.ini files
On shared servers you can't edit the main php.ini file, but you may be able to add custom, local php.ini files. If so, you'll need to copy the php.ini files to every sub-directory that requires custom settings.

I am running on a VPS server and my only php.ini file is located in /etc/php/7.4/fpm. I do not have any other php.ini files located on my system.

Code: Select all

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

I either do not even have these functions within my php.ini file or they are commented out, and the .ini file already has a lengthy 'disable_functions =' listed.

Consider Using PHP open_basedir
You might consider enabling open_basedir. This directive limits the files that can be opened by PHP to the specified directory-tree.

I have this directive currently commented out, tell me why I need to use it? Also I am assuming I would use my web root directory such as /var/www/my-site:/tmp appended with the tmp to force it to use the systems temp folder.

allow_url_include and allow_url_fopen are already set correctly.

Also any comments regarding the base installation of mysql 8.0 in its base configuration would be appreciated.

Alright going to go check on directory and file permission settings to make sure they are set correctly.

Oh Ya, Server config
Debian 10
Nginx 1.20.1
PHP 7.4.21
MySql 8.0
Joomla 3.9.28

Thanks,

[peerless]

Ok since we are on the subject of security, I have verified my file permissions, no 777's on this server at all anywhere. I only have 2 ports open, 443:https and 21:ssh so the server is pretty well locked down.

Speaking of ssh, I have PAM and password log ins disabled, ssh key pairs only. You got the password, that is nice, going no where with that. You would have to somehow get the key off my local machine, only draw back to this is if I lose the key, then I am screwed, I would literally lose access to the server.

So with that said, back up strategy is next. I am thinking rsync over ssh, or possibly scp. I use secure copy to push content from my local to the server over the ssh connection. Hmmm, I will have to do a little research.

Any strategies or recommendations using secure open source solutions?

Thanks

[Per Yngve Berg]

allow_url_include must be off.
allow_url_fopen must be on


I will not recommend using open_basedir. It will slow down the server.

Configure fpm-cgi so that each site is running as it own Linux User. That way, if one site get hacked, it cannot write to other sites files.

[peerless]

Thank You for the sage advice. I have verified the 'allow_url_' settings as correct, not using 'open_basedir' and I confirmed all my php settings are correct and everything that can be is set to 'unwrittable' within Joomla.

Thanks for the tip regarding fpm-cgi configuration. I currently have them set as www-data for user and group as I am currently only running a single site. Perhaps in the future I would name the user and group as 'my_site' for each individual site, Clever tip, I appreciate that.

I think I am set on the security front for the moment, only thing being setting up backups and I will work on that today. Going with rsync over ssh, makes sense and doesn't expose me to 3rd party applications.

allow_url_include must be off.
allow_url_fopen must be on


I will not recommend using open_basedir. It will slow down the server.

Configure fpm-cgi so that each site is running as it own Linux User. That way, if one site get hacked, it cannot write to other sites files.