phpSysInfo is a PHP-based system information script that displays hardware and OS information through a web interface. As a tool that exposes detailed system information, proper security configuration is essential to prevent information disclosure and unauthorized access. This guide covers security measures for production phpSysInfo deployments.
phpSysInfo's architecture has several security-sensitive components. The key concerns are web interface exposure, command execution security, system information disclosure, plugin security, and API access control; the sections below address each in turn.
Configure firewall rules for phpSysInfo:
# Web interface (Apache/Nginx)
ufw allow from 10.0.0.0/8 to any port 80 proto tcp
ufw allow from 10.0.0.0/8 to any port 443 proto tcp
# Block external access
ufw deny from any to any port 80 proto tcp
ufw deny from any to any port 443 proto tcp
Configure web server binding:
# /etc/apache2/sites-available/phpsysinfo.conf
<VirtualHost 10.0.1.100:443>
  ServerName phpsysinfo.company.com
  DocumentRoot /var/www/html/phpsysinfo
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/phpsysinfo.crt
  SSLCertificateKeyFile /etc/ssl/private/phpsysinfo.key
  <Directory /var/www/html/phpsysinfo>
    Require ip 10.0.0.0/8 192.168.0.0/16
    Options -Indexes
    AllowOverride None
  </Directory>
</VirtualHost>
Configure reverse proxy:
# /etc/nginx/sites-available/phpsysinfo
server {
  listen 80;
  server_name phpsysinfo.company.com;
  return 301 https://$server_name$request_uri;
}
server {
  listen 443 ssl http2;
  server_name phpsysinfo.company.com;
  ssl_certificate /etc/nginx/certs/phpsysinfo.crt;
  ssl_certificate_key /etc/nginx/certs/phpsysinfo.key;
  location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}
Configure HTTP authentication:
# /etc/apache2/sites-available/phpsysinfo.conf
<Directory /var/www/html/phpsysinfo>
  AuthType Basic
  AuthName "phpSysInfo Access"
  AuthUserFile /etc/phpsysinfo/.htpasswd
  # Bare Require lines are OR'ed by default (RequireAny), so a client from
  # 10.0.0.0/8 would get in without a password. Require both conditions.
  <RequireAll>
    Require ip 10.0.0.0/8
    Require valid-user
  </RequireAll>
</Directory>
Manage users:
# Create admin user
htpasswd -c /etc/phpsysinfo/.htpasswd admin
# Add additional users
htpasswd /etc/phpsysinfo/.htpasswd username
Configure phpSysInfo authentication:
<?php
// /var/www/html/phpsysinfo/config.php
// (an HTML comment placed before <?php is sent to the client as output)
define('PSI_AUTH', true);
define('PSI_AUTH_TYPE', 'Basic');
define('PSI_AUTH_USERS', [
    'admin' => '${HASHED_PASSWORD}', // placeholder: replace with the password hash
]);
Configure access levels (set in config.php):
- Admin: full access to all information
- User: standard system information
- Guest: limited information only
Secure JSON API:
<?php
// /var/www/html/phpsysinfo/config.php
// Restrict API access
define('PSI_API_AUTH', true);
define('PSI_API_ALLOWED_IPS', ['10.0.0.0/8', '192.168.0.0/16']);
Configure HTTPS:
# /etc/apache2/sites-available/phpsysinfo-ssl.conf
<VirtualHost *:443>
  ServerName phpsysinfo.company.com
  DocumentRoot /var/www/html/phpsysinfo
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/phpsysinfo.crt
  SSLCertificateKeyFile /etc/ssl/private/phpsysinfo.key
  SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
  SSLHonorCipherOrder on
  # Security headers
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self'; connect-src 'self'"
  <Directory /var/www/html/phpsysinfo>
    Options -Indexes
    AllowOverride None
    Require all granted
  </Directory>
</VirtualHost>
Generate and manage certificates:
# Generate self-signed certificate
openssl req -new -x509 -days 365 -nodes \
  -out /etc/ssl/certs/phpsysinfo.crt \
  -keyout /etc/ssl/private/phpsysinfo.key \
  -subj "/CN=phpsysinfo.company.com/O=Company"
# Or use Let's Encrypt
certbot --apache -d phpsysinfo.company.com
Secure PHP application:
# /etc/php/8.1/apache2/php.ini
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
# Disable dangerous functions. Caution: phpSysInfo gathers most of its data by
# running system programs, so a blanket disable breaks collection; test before
# applying and keep only the entries your deployment can tolerate.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
Secure shell command execution:
<?php
// /var/www/html/phpsysinfo/config.php
// Restrict command execution
define('PSI_USE_VCOMMAND', false); // Disable virtual commands
define('PSI_ALLOWED_COMMANDS', [
    'uname',
    'hostname',
    'uptime',
    'free',
    'df',
]);
Secure plugin system:
<?php
// /var/www/html/phpsysinfo/config.php
// Disable sensitive plugins
define('PSI_PLUGINS', [
    'PSI_Plugin_Hello' => false,     // Example plugin
    'PSI_Plugin_Sensitive' => false, // Disable sensitive plugins
]);
// Only allow specific plugins
define('PSI_ALLOWED_PLUGINS', [
    'Status',
    'Clock',
]);
Limit exposed system information:
<?php
// /var/www/html/phpsysinfo/config.php
// Hide sensitive information
define('PSI_HIDE_USERS', true);
define('PSI_HIDE_GROUPS', true);
define('PSI_HIDE_PROCESSES', true);
define('PSI_HIDE_NETWORK', false);  // Allow network info
define('PSI_HIDE_HARDWARE', false); // Allow hardware info
// Limit output
define('PSI_MAX_PROCESSES', 50);
define('PSI_MAX_LOG_LINES', 100);
Protect phpSysInfo configuration:
# Set restrictive permissions
chown root:www-data /var/www/html/phpsysinfo/config.php
chmod 640 /var/www/html/phpsysinfo/config.php
# Keep an encrypted backup copy outside the web root (the plaintext file that
# PHP reads stays in place; gpg -c only writes a new .gpg file)
gpg -c --output /root/backup/config.php.gpg /var/www/html/phpsysinfo/config.php
Restrict file access:
# Deny access to sensitive files (inside the phpsysinfo <VirtualHost>)
<FilesMatch "^\.">
  Require all denied
</FilesMatch>
# Do not deny *.php here: index.php and xml.php are the application's entry
# points, so a blanket deny takes the whole interface offline.
<FilesMatch "\.(inc|sql|log|conf|ini|xml)$">
  Require all denied
</FilesMatch>
<Files "config.php">
  Require all denied
</Files>
<Directory /var/www/html/phpsysinfo>
  Options -Indexes
</Directory>
Secure log files:
# Set restrictive permissions
chown www-data:adm /var/log/phpsysinfo
chmod 750 /var/log/phpsysinfo
# Configure log rotation
cat > /etc/logrotate.d/phpsysinfo << EOF
/var/log/phpsysinfo/*.log {
  weekly
  rotate 4
  compress
  delaycompress
  missingok
  notifempty
  create 640 www-data adm
}
EOF
Secure JSON data endpoints:
<?php
// /var/www/html/phpsysinfo/config.php
// Restrict JSON API
define('PSI_JSON_ALLOWED_IPS', ['127.0.0.1', '10.0.0.0/8']);
define('PSI_JSON_AUTH', true);
define('PSI_JSON_RATE_LIMIT', 100); // requests per minute
Enable logging:
<?php
// /var/www/html/phpsysinfo/config.php
define('PSI_LOG_ENABLED', true);
define('PSI_LOG_FILE', '/var/log/phpsysinfo/phpsysinfo.log');
define('PSI_LOG_LEVEL', 'INFO');
define('PSI_AUDIT_LOG', true);
define('PSI_AUDIT_FILE', '/var/log/phpsysinfo/audit.log');
Configure web server access logging:
# /etc/apache2/sites-available/phpsysinfo.conf
CustomLog /var/log/apache2/phpsysinfo_access.log combined
ErrorLog /var/log/apache2/phpsysinfo_error.log
Monitor for security events:
#!/bin/bash
# /usr/local/bin/check-phpsysinfo-security.sh
LOG=/var/log/apache2/phpsysinfo_access.log
# Check for failed authentication. Match on the status field ($9 in the
# "combined" format) rather than grepping for "401", which also matches byte
# counts and timestamps. awk prints 0 when nothing matches, so no fallback
# (the old "|| echo 0" produced a second "0" and broke the integer test).
FAILED_AUTH=$(awk '$9 == 401 { n++ } END { print n + 0 }' "$LOG" 2>/dev/null)
if [ "${FAILED_AUTH:-0}" -gt 10 ]; then
  echo "CRITICAL: Multiple authentication failures"
  exit 2
fi
# Check for command injection attempts in the request path ($7): traversal and
# shell metacharacters. The pattern is single-quoted so the shell does not turn
# \$ into a bare $, which would match the end of every line.
INJECTION=$(awk '{ print $7 }' "$LOG" 2>/dev/null | grep -cE '(\.\./|;|\||\$)')
if [ "${INJECTION:-0}" -gt 5 ]; then
  echo "CRITICAL: Possible command injection attempts"
  exit 2
fi
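A field-based version of these checks, added here as an example (it is not code from the phpSysInfo project): it parses Apache "combined" log lines by field, aggregates failed logins per client, and catches URL-encoded traversal and metacharacters. The log lines are constructed; the production path is the one this guide uses.

```shell
#!/bin/bash
# Added example (not phpSysInfo project code): count security events in an
# Apache "combined" access log by field, not by substring.
# Constructed sample lines; in production use /var/log/apache2/phpsysinfo_access.log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - admin [10/May/2024:10:00:01 +0000] "GET /phpsysinfo/ HTTP/1.1" 200 5401 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:10:00:02 +0000] "GET /phpsysinfo/xml.php HTTP/1.1" 401 381 "-" "curl/8.0"
10.0.0.9 - - [10/May/2024:10:00:03 +0000] "GET /phpsysinfo/xml.php HTTP/1.1" 401 381 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:00:04 +0000] "GET /phpsysinfo/../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.0"
10.0.0.5 - admin [10/May/2024:10:00:05 +0000] "GET /phpsysinfo/index.php?x=a;id HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
EOF

# Number of responses whose status field ($9) equals STATUS.
# A plain `grep -c 401` on this sample reports 4, because the "5401" and "4401"
# byte counts also match; matching the field reports 2.
count_status() {  # usage: count_status FILE STATUS
  awk -v s="$2" '$9 == s { n++ } END { print n + 0 }' "$1"
}

# Client with the most 401 responses, printed as "COUNT IP" (empty if none).
top_failed_auth_ip() {  # usage: top_failed_auth_ip FILE
  awk '$9 == 401 { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn | head -n 1
}

# Requests whose path ($7) carries traversal or shell metacharacters, raw or
# URL-encoded. The regex lives inside awk, so no shell quoting mangles "\$".
count_suspicious() {  # usage: count_suspicious FILE
  awk '$7 ~ /(\.\.\/|%2[eE]%2[eE]|;|%3[bB]|\||%7[cC]|\$)/ { n++ } END { print n + 0 }' "$1"
}

# Nagios-style check: returns 2 (CRITICAL) when either threshold is exceeded.
check_log() {  # usage: check_log FILE AUTH_THRESHOLD INJECTION_THRESHOLD
  local failed suspicious
  failed=$(count_status "$1" 401)
  suspicious=$(count_suspicious "$1")
  if [ "$failed" -gt "$2" ] || [ "$suspicious" -gt "$3" ]; then
    echo "CRITICAL: $failed auth failures, $suspicious suspicious requests (top source: $(top_failed_auth_ip "$1"))"
    return 2
  fi
  echo "OK: $failed auth failures, $suspicious suspicious requests"
}

check_log "$SAMPLE_LOG" 10 5   # prints "OK: 2 auth failures, 2 suspicious requests"
```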
Forward logs to SIEM:
# /etc/rsyslog.d/phpsysinfo.conf
# rsyslog cannot forward a file from a bare "path @host" line: read the files with imfile, then forward the tagged messages (@ is UDP, @@ is TCP)
module(load="imfile")
input(type="imfile" File="/var/log/apache2/phpsysinfo_access.log" Tag="phpsysinfo_access:" Facility="local6" Severity="info")
input(type="imfile" File="/var/log/apache2/phpsysinfo_error.log" Tag="phpsysinfo_error:" Facility="local6" Severity="warning")
local6.* @siem.company.com:514