PHP Server Monitor is a PHP-based monitoring tool that checks websites, ping, SMTP, and other services. As a web application that performs network checks and stores monitoring data, proper security configuration is essential to prevent unauthorized access and abuse. This guide covers security measures for production PHP Server Monitor deployments.
PHP Server Monitor architecture includes these security-sensitive components:
Key security concerns include web application security, API access control, notification credential protection, database security, and preventing monitoring abuse.
Configure firewall rules for PHP Server Monitor:
# Web interface (Apache/Nginx)
ufw allow from 10.0.0.0/8 to any port 80 proto tcp
ufw allow from 10.0.0.0/8 to any port 443 proto tcp
# MySQL (restrict to localhost)
ufw allow from 127.0.0.1 to any port 3306 proto tcp
# Outbound for monitoring
ufw allow out to any port 80 proto tcp # HTTP checks
ufw allow out to any port 443 proto tcp # HTTPS checks
ufw allow out to any port 25 proto tcp # SMTP checks
# Block external access
ufw deny from any to any port 3306 proto tcp
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: phpservermonitor-network-policy
spec:
podSelector:
matchLabels:
app: phpservermonitor
ingress:
- from:
- namespaceSelector:
matchLabels:
name: monitoring
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
egress:
- to:
- namespaceSelector: {}
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
Configure web server binding:
# /etc/apache2/sites-available/phpservermonitor.conf
<VirtualHost 10.0.1.100:443>
ServerName psm.company.com
DocumentRoot /var/www/html/phpservermonitor
SSLEngine on
SSLCertificateFile /etc/ssl/certs/psm.crt
SSLCertificateKeyFile /etc/ssl/private/psm.key
<Directory /var/www/html/phpservermonitor>
Require ip 10.0.0.0/8 192.168.0.0/16
Options -Indexes
AllowOverride None
</Directory>
</VirtualHost>
Configure HTTP authentication:
# /etc/apache2/sites-available/phpservermonitor.conf
<Directory /var/www/html/phpservermonitor>
AuthType Basic
AuthName "PHP Server Monitor Access"
AuthUserFile /etc/phpservermonitor/.htpasswd
Require valid-user
Require ip 10.0.0.0/8
</Directory>
Manage users:
# Create admin user
htpasswd -c /etc/phpservermonitor/.htpasswd admin
# Add additional users
htpasswd /etc/phpservermonitor/.htpasswd username
Configure PHP Server Monitor authentication:
// /var/www/html/phpservermonitor/config.php
$config = [
'security' => [
'login_attempts' => 5,
'login_timeout' => 300,
'session_lifetime' => 3600,
'password_min_length' => 12,
'password_require_uppercase' => true,
'password_require_lowercase' => true,
'password_require_number' => true,
'password_require_special' => true,
],
];
Configure user roles:
User Roles:
- Administrator: Full system access
- User: Can view and manage assigned servers
- Viewer: Read-only access
# Configure in PHP Server Monitor UI:
# Settings → Users → Edit User
Secure API access:
// /var/www/html/phpservermonitor/config.php
$config = [
'api' => [
'enabled' => true,
'key_required' => true,
'rate_limit' => 100, // requests per hour
],
];
Generate API keys:
# Via web UI: Settings → API
# Or via database
INSERT INTO psm_api_key (key, user_id, created)
VALUES ('${API_KEY}', 1, NOW());
Configure HTTPS:
# /etc/apache2/sites-available/phpservermonitor-ssl.conf
<VirtualHost *:443>
ServerName psm.company.com
DocumentRoot /var/www/html/phpservermonitor
SSLEngine on
SSLCertificateFile /etc/ssl/certs/psm.crt
SSLCertificateKeyFile /etc/ssl/private/psm.key
SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
# Security headers
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self'; connect-src 'self'"
<Directory /var/www/html/phpservermonitor>
Options -Indexes
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Configure TLS for MySQL:
// /var/www/html/phpservermonitor/config.php
$config = [
'database' => [
'host' => 'localhost',
'port' => 3306,
'name' => 'phpservermonitor',
'user' => 'phpservermonitor',
'password' => '${DB_PASSWORD}',
'ssl' => [
'enabled' => true,
'ca' => '/etc/mysql/ca.crt',
'cert' => '/etc/mysql/client.crt',
'key' => '/etc/mysql/client.key',
],
],
];
Secure PHP application:
# /etc/php/8.1/apache2/php.ini
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
session.use_strict_mode = 1
# Disable dangerous functions
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec
Secure API endpoints:
| Endpoint | Risk Level | Access Control |
|---|---|---|
GET /api/v1/server |
Low | API key required |
GET /api/v1/status |
Low | API key required |
POST /api/v1/server |
High | Admin API key |
PUT /api/v1/server/{id} |
High | Admin API key |
DELETE /api/v1/server/{id} |
Critical | Admin API key |
Implement rate limiting:
# Nginx rate limiting for API
limit_req_zone $binary_remote_addr zone=psm_api:10m rate=30r/s;
location /api/ {
limit_req zone=psm_api burst=50 nodelay;
proxy_pass http://localhost:80;
}
Restrict monitoring targets:
// /var/www/html/phpservermonitor/config.php
$config = [
'monitoring' => [
// Whitelist allowed target networks
'allowed_networks' => [
'10.0.0.0/8',
'192.168.0.0/16',
'172.16.0.0/12',
],
// Block private IP scanning
'block_private_ip' => false, // Set true to block
// Rate limit checks per target
'check_interval_min' => 1,
],
];
Secure notification credentials:
// /var/www/html/phpservermonitor/config.php
$config = [
'notifications' => [
'smtp_password' => getenv('SMTP_PASSWORD'),
'slack_webhook' => getenv('SLACK_WEBHOOK'),
'telegram_token' => getenv('TELEGRAM_TOKEN'),
'pushover_token' => getenv('PUSHOVER_TOKEN'),
],
];
Secure PHP Server Monitor database:
-- Create dedicated database user
CREATE USER 'phpservermonitor'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON phpservermonitor.* TO 'phpservermonitor'@'localhost';
GRANT CREATE TEMPORARY TABLES ON phpservermonitor.* TO 'phpservermonitor'@'localhost';
FLUSH PRIVILEGES;
-- Enable SSL requirement
ALTER USER 'phpservermonitor'@'localhost' REQUIRE SSL;
Implement database encryption:
-- Enable TDE (MySQL Enterprise)
ALTER TABLE psm_server ENCRYPTION='Y';
ALTER TABLE psm_user ENCRYPTION='Y';
Secure data directory:
# Set restrictive permissions
chown -R www-data:www-data /var/www/html/phpservermonitor
chmod -R 755 /var/www/html/phpservermonitor
# Protect configuration
chown root:www-data /var/www/html/phpservermonitor/config.php
chmod 640 /var/www/html/phpservermonitor/config.php
Secure sensitive configuration:
// /var/www/html/phpservermonitor/config.php
// Use environment variables
$config['database']['password'] = getenv('PSM_DB_PASSWORD');
$config['notifications']['smtp_password'] = getenv('SMTP_PASSWORD');
// Or use external secrets file
if (file_exists('/etc/phpservermonitor/secrets.php')) {
include '/etc/phpservermonitor/secrets.php';
}
Protect secrets file:
# Set restrictive permissions
chown root:www-data /etc/phpservermonitor/secrets.php
chmod 640 /etc/phpservermonitor/secrets.php
Secure PHP Server Monitor backups:
#!/bin/bash
# Secure backup script
BACKUP_DIR="/secure/backups/phpservermonitor"
DATE=$(date +%Y%m%d)
# Database backup
mysqldump phpservermonitor > ${BACKUP_DIR}/psm-db-${DATE}.sql
# Encrypt backup
gpg -e --recipient security@company.com ${BACKUP_DIR}/psm-db-${DATE}.sql
# Set restrictive permissions
chmod 600 ${BACKUP_DIR}/psm-db-${DATE}.sql.gpg
# Remove unencrypted backup
rm ${BACKUP_DIR}/psm-db-${DATE}.sql
Enable logging:
// /var/www/html/phpservermonitor/config.php
$config = [
'logging' => [
'enabled' => true,
'level' => 'INFO',
'file' => '/var/log/phpservermonitor/psm.log',
'audit' => [
'enabled' => true,
'file' => '/var/log/phpservermonitor/audit.log',
],
],
];
Configure web server access logging:
# /etc/apache2/sites-available/phpservermonitor.conf
CustomLog /var/log/apache2/psm_access.log combined
ErrorLog /var/log/apache2/psm_error.log
Monitor for security events:
#!/bin/bash
# /usr/local/bin/check-psm-security.sh
# Check for failed login attempts
FAILED_LOGINS=$(grep -c "Failed login" /var/log/phpservermonitor/psm.log 2>/dev/null || echo 0)
if [ "$FAILED_LOGINS" -gt 10 ]; then
echo "CRITICAL: Multiple failed login attempts"
exit 2
fi
# Check for API abuse
API_ERRORS=$(grep -c "401" /var/log/apache2/psm_access.log 2>/dev/null || echo 0)
if [ "$API_ERRORS" -gt 50 ]; then
echo "WARNING: Possible API abuse"
exit 1
fi
Forward logs to SIEM:
# /etc/rsyslog.d/phpservermonitor.conf
:programname, isequal, "phpservermonitor" /var/log/phpservermonitor/syslog.log
:programname, isequal, "phpservermonitor" @siem.company.com:514