General PHP Security Questions

[celliott]

Hi,

Over the past few years I have always adapted a pretty common approach in security on cPanel servers. I've been lucky enough not to have any issues in this time, however with recent changes I have a few queries regarding PHP security in particular.

At the moment I look after a couple of cPanel servers running PHP as standard Suexec with several unsafe functions added into the Disable_Functions variable of PHP such as exec and shell, which are pretty essential right? This is not ideal as some scripts still need certain functions, which can pose a security risk.

I'm looking to go over the security of these boxes and from looking SuPHP and Suhosin Hardened PHP is now available in the new EasyApache3.

How do you "Harden" or secure PHP on your boxes? I've noticed that a growing number of clients are coming over from other hosts who seem to be running default installs, at least they have not disabled any potentially dangerous functions.

Perhaps what I am doing is still fine however with recent developments I am sure there may be better ways of securing PHP?

Thanks for any info.

[cPanelDavidG]

We have a PHP Hardening guide in the EA3 documentation:

http://www.cpanel.net/support/docs/e...ening_php.html

To be honest, shell() and exec() in particular are two functions I've never seen a use for in PHP scripts with exception of bypassing restrictions on SSH access or those intended to run as root user (such as Fantastico).

Generally, benign PHP scripts running in the user's account using such functions are simply coded without realizing that equivalent PHP functions exist for whatever action they are attempting to perform. Most distributed PHP applications are designed to avoid use of functions that are frequently forbidden on shared hosting providers anyway.

[brianoz]

It's not so much a matter of just hardening PHP, I tend to harden the box. If you harden PHP you tend to end up making PHP less usable for real users. Hardening the box prevents most of the problems - for instance, use suphp/phpsuexec makes it impossible for hacked scripts to be used to search for mysql usernames and passwords.

Things like:

• move up to suphp, it's smarter than phpsuexec;
  
• Install mod_security and patterns that catch a good spectrum of exploits;
  
• Monitor user installed versions of software on your server as much as you can (ie Joomla/Mambo, phpBB, etc);
  
• then,

Install a solid firewall like CSF that can:

• block all access off machine via port 25 to prevent spammers sending spam directly;
  
• block IPs that attempt to hack (password failures, mod_security hits, htaccess failures, failed ssh logins);
  
• Track attempts to send large amounts of email off machine via sendmail;
  
• Has ability to block smaller DOS/DDOS attempts to keep the system resilient against them;
  
• Ability to detect port scans and block the source;
  
• Ability to block DSHIELD and Spamhaus hosts to keep out of the sights of the worst spammers and hacking sites;
  
• Ability to block temporarily to avoid admin time unblocking users;