1、实现虚拟主机笼环境
a.upl.com /wwwroot/a.upl.com/
b.upl.com /wwwroot/b.upl.com/
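<VirtualHost *:80>
    ServerAdmin [email protected]
    # Straight ASCII quotes: the curly quotes in the original are not quote
    # characters to the Apache config parser and end up inside the path.
    DocumentRoot "/wwwroot/a.upl.com/"
    ServerName a.upl.com
    ErrorLog "logs/a.upl.com-error_log"
    # Log name corrected: the original doubled the ".com" suffix.
    CustomLog "logs/a.upl.com-access_log" common
    # Grant access to this site's document root explicitly, mirroring the
    # b.upl.com vhost (Apache 2.2 syntax; 2.4 uses "Require all granted").
    <Directory "/wwwroot/a.upl.com/">
        Order deny,allow
        allow from all
    </Directory>
    <IfModule mod_php5.c>
        # open_basedir is the actual "jail": PHP may only open files under the
        # site root, /tmp and the session directory. php_admin_value keeps it
        # from being overridden in .htaccess or by ini_set(). Note that /tmp
        # and the session directory are shared with the other vhost, so the
        # two sites are not isolated from each other in those paths.
        php_admin_value open_basedir "/wwwroot/a.upl.com/:/tmp:/var/lib/php/session"
    </IfModule>
    <IfModule suexec.c>
        # suexec only applies to CGI/SSI, not to mod_php, and both vhosts use
        # the same "daemon" account here, so this gives no per-site isolation.
        # A dedicated unprivileged user per vhost is the recommended setup.
        SuexecUserGroup daemon daemon
    </IfModule>
</VirtualHost>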
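<VirtualHost *:80>
    ServerAdmin [email protected]
    # DocumentRoot corrected from "/www": the site mapping, the <Directory>
    # block and open_basedir below all use /wwwroot/b.upl.com/, and with
    # open_basedir restricted to that tree a root of /www could not be served.
    # Straight ASCII quotes replace the curly quotes of the original.
    DocumentRoot "/wwwroot/b.upl.com/"
    ServerName b.upl.com
    ErrorLog "logs/b.upl.com-error_log"
    CustomLog "logs/b.upl.com-access_log" common
    # Apache 2.2 access syntax; 2.4 uses "Require all granted".
    <Directory "/wwwroot/b.upl.com/">
        Order deny,allow
        allow from all
    </Directory>
    <IfModule mod_php5.c>
        # open_basedir is the actual "jail": PHP may only open files under the
        # site root, /tmp and the session directory. php_admin_value keeps it
        # from being overridden in .htaccess or by ini_set(). /tmp and the
        # session directory are shared with the a.upl.com vhost, so the two
        # sites are not isolated from each other in those paths.
        php_admin_value open_basedir "/wwwroot/b.upl.com/:/tmp:/var/lib/php/session"
    </IfModule>
    <IfModule suexec.c>
        # suexec only applies to CGI/SSI, not to mod_php, and both vhosts use
        # the same "daemon" account here, so this gives no per-site isolation.
        # A dedicated unprivileged user per vhost is the recommended setup.
        SuexecUserGroup daemon daemon
    </IfModule>
</VirtualHost>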
2、实现禁止php后门执行系统指令
# vim /usr/local/lib/php.ini
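; Functions PHP refuses to call. Besides passthru, every command-execution
; entry point must be listed (exec, system, shell_exec, proc_open, popen);
; leaving any one of them out lets a backdoor run commands through it.
; pcntl_exec (executes a program directly) and dl (loads arbitrary native
; extensions) are added; the duplicate "popen" entry is removed.
disable_functions = phpinfo,gzcompress,apache_note,apache_setenv,proc_get_status,exec,passthru,proc_nice,proc_open,proc_terminate,shell_exec,system,popen,ini_restore,syslog,define_syslog_variables,symlink,link,error_log,leak,dbmopen,openlog,closelog,pclose,stream_socket_server,pcntl_exec,dl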
关键是passthru函数，是它使后门可以执行系统指令
3、隐藏掉php信息
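; Hide the PHP version (X-Powered-By header). The original had this set to
; On, which is the opposite of what section 3 intends.
expose_php = Off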
4、关闭错误提示
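; Never show errors (file paths, queries, stack details) to clients; keep
; recording them in the server log so they remain available for debugging.
display_errors = Off
log_errors = On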
5、使用php过滤单引号等特殊字符
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
; NOTE(review): this setting covers runtime data only; user input
; (GET/POST/cookie) is governed by magic_quotes_gpc. Magic quotes are
; deprecated as of PHP 5.3 and removed in 5.4; escaping at the database
; layer (prepared statements) is the reliable defence against quote injection.
magic_quotes_runtime = On
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = On
如果打开了，有些PHP应用会工作不正常
6、让php工作在安全模式(一般不用,设定很严格)
; safe_mode is deprecated as of PHP 5.3 and removed in 5.4; on releases
; that still have it, it breaks many applications, which is why the note
; above says it is rarely used. open_basedir plus disable_functions is the
; usual alternative.
safe_mode = On