Simple Security Protection#

I. Server Protection#

1. Port Protection#

Disable ports as much as possible and avoid exposing them to the public network. Try to limit access to 127.0.0.1 only.
If not necessary, avoid exposing services to the public network, especially databases.
Set a time limit for temporary account lockout after consecutive login failures to prevent brute force attacks.

2. Website Protection#

Attackers often directly target the website using IP addresses. You can set only one homepage for IP access to the default website.
The above practice is not favorable for search engine indexing. You can add search engine domain names to the whitelist and use Nginx for redirection.
Avoid JavaScript operations on cookies and enable HTTP_ONLY.

3. Web Container Configuration#

Nginx provides access restriction modules to protect against CC and DDoS attacks.
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
limit_req_zone $binary_remote_addr zone=allips:10m rate=10r/s;

4. Independent Users#

Set up users to run specific services on the server. Users not associated with the service are not allowed to access or execute it.

II. PHP Protection#

1. Disable System Functions#

Extremely dangerous functions:
eval
system
exec
shell_exec
pcntl_exec
pcntl_fork
pcntl_exec
Strongly recommended to be disabled:
passthru
putenv
chroot
chgrp
chown
popen
proc_open
ini_alter
ini_restore
dl
openlog
syslog
readlink
symlink
popepassthru
pcntl_alarm
pcntl_waitpid
pcntl_wait
pcntl_wifexited
pcntl_wifstopped
pcntl_wifsignaled
pcntl_wifcontinued
pcntl_wexitstatus
pcntl_wtermsig
pcntl_wstopsig
pcntl_signal
pcntl_signal_dispatch
pcntl_get_last_error
pcntl_strerror pcntl_sigprocmask
pcntl_sigwaitinfo
pcntl_sigtimedwait
pcntl_getpriority
pcntl_setpriority
imap_open
apache_setenv

2. ThinkPHP#

1. Apply patches promptly and stay updated on vulnerability alerts issued by ThinkPHP to apply patches as soon as possible.
2. Set global filtering rules DEFAULT_FILTER to prevent XSS, SQL injection, and other attacks.
3. Use array-based query conditions whenever possible. If string-based conditions are necessary, it is recommended to use prepared statements.
4. Set the startup directory in the internal directory, as recommended by TP, under the public directory to prevent malicious directory scanning. Avoid placing any files other than static resources and startup entry points under the public directory.
5. Use Think\Upload class provided by TP to perform legal checks on file types, extensions, and sizes during file uploads.
6. Use strict routing mode to configure accessible routes in route.php. Undefined routes will automatically trigger exceptions.
7. For request variables with specific types, use type coercion when using the param method.