How to disable malicious PHP functions:
1. Log into your DirectAdmin server
2. Navigate to the custombuild directory:
cd /usr/local/directadmin/custombuild
3. Execute the command:
./build secure_php
[root@web ~]# cd /usr/local/directadmin/custombuild
[root@web custombuild]# ./build secure_php
PHP has been secured.
Restarting php-fpm74.
Restarting php-fpm80.
Restarting php-fpm70.
Restarting php-fpm72.
This command will secure your PHP environment. Besides the disable_functions directive, it will also add:
mysqli.allow_local_infile = Off
expose_php = Off
register_globals = Off
The list of the PHP functions that are added to the disable_functions directive are:
exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
To verify the addition after running the above commands, use:
grep disable_functions /usr/local/php*/lib/php.ini
What happens if you want to add more functions to the list? Do not add them to the php.ini files, as these files are overwritten by DirectAdmin. Instead, add them to the /usr/local/directadmin/custombuild/custom/php_disable_functions
file. Here is a list of the php functions you can add to that file:
proc_close,proc_open,proc_get_status,php_uname,exec,system,phpinfo,shell_exec,passthru,symlink,readlink,show_source,popen, disk_free_space,disk_total_space,diskfreespace, apache_child_terminate,apache_get_modules,apache_note,apache_setenv,posixc,proc_nice,proc_terminate,ps_aux,dl,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid, posix_setuid, posix_getpwuid,posix_uname,pcntl_exec, pcntl_fork,pcntl_signal, pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig,pcntl_wtermsig,pcntl_alarm,pcntl_wait,syslog,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask, pcntl_sigwaitinfo,pcntl_sigtimedwait, pcntl_getpriority,pcntl_setpriority
Don’t forget to run the commands:
cd /usr/local/directadmin/custombuild
./build secure_php