How to disable malicious PHP functions in DirectAdmin

Some PHP functions, while not malicious per se, can be used for malicious purposes. DirectAdmin provides a simple way to disable such functions.

How to disable malicious PHP functions:

1. Log in to your DirectAdmin server

2. Navigate to the custombuild directory:

cd /usr/local/directadmin/custombuild

3. Execute the command:

./build secure_php

Example session:

[root@web ~]# cd /usr/local/directadmin/custombuild
[root@web custombuild]# ./build secure_php
PHP has been secured.
Restarting php-fpm74.
Restarting php-fpm80.
Restarting php-fpm70.
Restarting php-fpm72.

This command hardens your PHP configuration. Besides setting the disable_functions directive, it also adds:

mysqli.allow_local_infile = Off
expose_php = Off
register_globals = Off

The PHP functions added to the disable_functions directive are:

exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

To verify the addition after running the above commands, use:

grep disable_functions /usr/local/php*/lib/php.ini
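
The grep above only prints the directive. As an added example (not part of the original page or of DirectAdmin's tooling), the script below compares each php.ini against the baseline list from this page and names any function that is still enabled. The function names disabled_in_ini, missing_functions and audit_all are illustrative, and the sample php.ini is constructed.

```sh
#!/bin/sh
# Added example: audit php.ini files against a required disable_functions list.

# Baseline copied from the list on this page (what ./build secure_php sets).
REQUIRED="exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname"

# disabled_in_ini FILE: print one disabled function per line.
# Commented (;) lines are skipped; if the directive appears more than once,
# the last one is used (assumption: later assignments override earlier ones).
disabled_in_ini() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" \
        | tail -n 1 | tr -d ' \t\r"' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# missing_functions FILE [CSV]: print required names that FILE does not disable.
missing_functions() {
    mf_have=$(disabled_in_ini "$1")
    for mf_fn in $(printf '%s' "${2:-$REQUIRED}" | tr ',' ' '); do
        printf '%s\n' "$mf_have" | grep -qxF -- "$mf_fn" || printf '%s\n' "$mf_fn"
    done
}

# audit_all FILE...: report each existing file; return 1 if any has gaps.
audit_all() {
    aa_rc=0
    for aa_ini in "$@"; do
        [ -f "$aa_ini" ] || continue
        aa_gaps=$(missing_functions "$aa_ini" | tr '\n' ' ')
        if [ -n "$aa_gaps" ]; then
            echo "$aa_ini: not disabled: $aa_gaps"
            aa_rc=1
        else
            echo "$aa_ini: ok"
        fi
    done
    return "$aa_rc"
}

# Constructed sample php.ini (not from a real server): the only active
# directive omits most of the baseline, so the audit flags it.
sample=$(mktemp)
printf '%s\n' ';disable_functions = exec,system' 'expose_php = Off' \
    'disable_functions = exec, system,passthru,shell_exec' > "$sample"
# /usr/local/php*/lib/php.ini is the path used by the grep command on this page.
audit_all "$sample" /usr/local/php*/lib/php.ini || echo "gaps found"
rm -f "$sample"
```

Because audit_all returns non-zero when any file has gaps, it can be called from a scheduled job to catch a php.ini that was regenerated without the expected list.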

What if you want to add more functions to the list? Do not add them to the php.ini files, as these files are overwritten by DirectAdmin. Instead, add them to the /usr/local/directadmin/custombuild/custom/php_disable_functions file. Here is a list of the PHP functions you can add to that file:

proc_close,proc_open,proc_get_status,php_uname,exec,system,phpinfo,shell_exec,passthru,symlink,readlink,show_source,popen,disk_free_space,disk_total_space,diskfreespace,apache_child_terminate,apache_get_modules,apache_note,apache_setenv,posixc,proc_nice,proc_terminate,ps_aux,dl,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_getpwuid,posix_uname,pcntl_exec,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,pcntl_alarm,pcntl_wait,syslog,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_getpriority,pcntl_setpriority

After editing the file, don't forget to run the commands again:

cd /usr/local/directadmin/custombuild
./build secure_php
