Thread: General PHP Security Questions

  1. #1
    Registered Member celliott's Avatar
    Join Date
    Jan 2006
    Location
    United Kingdom
    Posts
    460

    General PHP Security Questions

    Hi,

    Over the past few years I have always adopted a pretty common approach to security on cPanel servers. I've been lucky enough not to have any issues in this time; however, with recent changes I have a few queries regarding PHP security in particular.

    At the moment I look after a couple of cPanel servers running PHP as standard suexec, with several unsafe functions added to the disable_functions variable of PHP, such as exec and shell, which are pretty essential, right? This is not ideal, as some scripts still need certain functions, which can pose a security risk.

    I'm looking to go over the security of these boxes and, from looking, suPHP and Suhosin hardened PHP are now available in the new EasyApache 3.

    How do you "harden" or secure PHP on your boxes? I've noticed that a growing number of clients are coming over from other hosts who seem to be running default installs; at least, they have not disabled any potentially dangerous functions.

    Perhaps what I am doing is still fine; however, with recent developments I am sure there may be better ways of securing PHP?

    Thanks for any info.

  2. #2
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,296
    cPanel/WHM Access Level
    Root Administrator

    We have a PHP Hardening guide in the EA3 documentation:

    http://www.cpanel.net/support/docs/e...ening_php.html

    To be honest, shell() and exec() in particular are two functions I've never seen a use for in PHP scripts, with the exception of bypassing restrictions on SSH access or those intended to run as the root user (such as Fantastico).

    Generally, benign PHP scripts running in the user's account that use such functions are simply coded without realizing that equivalent PHP functions exist for whatever action they are attempting to perform. Most distributed PHP applications are designed to avoid the use of functions that are frequently forbidden on shared hosting providers anyway.
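    As an added illustration of the point above (example code, not from the thread or from cPanel): the same directory listing and directory creation written first as a shell-out that breaks once exec() is in disable_functions, then with the native PHP equivalents that need no process spawn. It assumes PHP 7 or later; the paths and helper names are constructed for the example.

    ```php
    <?php
    // Read the effective disable_functions list (global php.ini, or the
    // per-user php.ini that suPHP picks up) into an array of names.
    function disabledFunctions(): array
    {
        $raw = (string) ini_get('disable_functions');
        return array_values(array_filter(array_map('trim', explode(',', $raw))));
    }

    // True only if the function is compiled in AND not on the disabled list.
    // function_exists() already reports disabled functions as missing in
    // current PHP versions; the ini check makes the intent explicit.
    function isCallableOnThisHost(string $name): bool
    {
        return function_exists($name) && !in_array($name, disabledFunctions(), true);
    }

    // Shell-out version: depends on exec(). With exec disabled it fails
    // (a warning on old PHP, an Error on PHP 8) and the caller gets nothing.
    function listDirShell(string $dir): array
    {
        $out = [];
        exec('ls -1 ' . escapeshellarg($dir), $out);
        return $out;
    }

    // Native equivalent: no process is spawned, so it keeps working under
    // a hardened disable_functions setting.
    function listDirNative(string $dir): array
    {
        return array_values(array_diff(scandir($dir), ['.', '..']));
    }

    // Same idea for `mkdir -p`: PHP's mkdir() with the recursive flag.
    function makeDirNative(string $path): bool
    {
        return is_dir($path) || mkdir($path, 0755, true);
    }

    // Usage with a constructed temp path.
    $target = sys_get_temp_dir() . '/php_hardening_demo';
    makeDirNative($target);
    touch($target . '/sample.txt');

    $execOk = isCallableOnThisHost('exec');
    $files  = $execOk ? listDirShell($target) : listDirNative($target);
    printf("exec() is %s; found %d file(s): %s\n",
        $execOk ? 'enabled' : 'disabled', count($files), implode(', ', $files));
    ```

    Run it once with exec() allowed and once with `disable_functions = exec,shell_exec,system,passthru` in the relevant php.ini: the native branch produces the same listing either way, which is the "equivalent PHP functions exist" point in practice.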

  3. #3
    Registered Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,150
    cPanel/WHM Access Level
    Root Administrator

    It's not so much a matter of just hardening PHP; I tend to harden the box. If you harden PHP you tend to end up making PHP less usable for real users. Hardening the box prevents most of the problems - for instance, using suphp/phpsuexec makes it impossible for hacked scripts to be used to search for mysql usernames and passwords.

    Things like:

    • move up to suphp, it's smarter than phpsuexec;
    • install mod_security and patterns that catch a good spectrum of exploits;
    • monitor user-installed versions of software on your server as much as you can (ie Joomla/Mambo, phpBB, etc);
    • then, install a solid firewall like CSF that can:
      • block all access off machine via port 25 to prevent spammers sending spam directly;
      • block IPs that attempt to hack (password failures, mod_security hits, htaccess failures, failed ssh logins);
      • track attempts to send large amounts of email off machine via sendmail;
      • block smaller DOS/DDOS attempts to keep the system resilient against them;
      • detect port scans and block the source;
      • block DSHIELD and Spamhaus hosts to keep out of the sights of the worst spammers and hacking sites;
      • block temporarily to avoid admin time unblocking users.
    Last edited by brianoz; 04-06-2008 at 05:55 PM.
