  1. #1
    sh4ka (Member, joined May 2005, 434 posts)

    Securing/Hardening PHP

    I already have these options turned off in my php config:
    disable_functions = system,system_exec,passthru,shell,shell_exec,exec

    But I think that is not enough, so I'm working more on PHP security/hardening, and while investigating I found that the following things can be set off:

    register_globals = off
    allow_url_fopen = off
    enable_dl = off
    expose_php = off

    Also I found that the sessions tmp directory can be changed to archive the sess_***** files that always appear in the /tmp folder into another, more hidden folder created by ourselves, stopping possible bad guys from looking into /tmp to get sessions from another visitor and gain his privileges.

    Please, I need suggestions from experienced users about this; would this be a good start?
    What more can be done to improve security in PHP?
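    As an added example (not code from the thread or its posters), here is a small POSIX shell audit that reads a php.ini and flags the settings discussed in this post: the four directives still on, functions missing from disable_functions, and sessions left in the shared /tmp. The php.ini fragment it writes is constructed for the demo, the list of functions it expects to see disabled is my own choice (all are real PHP functions), and an absent boolean directive is treated as off, which is an assumption of the audit rather than PHP's behaviour for every version.

```shell
#!/bin/sh
# Added example: audit a php.ini for the settings discussed in the post.
# The sample file below is constructed here, not taken from the thread.
SAMPLE_INI="${TMPDIR:-/tmp}/php-audit-sample.ini"
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample: the permissive values a stock install may ship with
register_globals = On
allow_url_fopen = On
enable_dl = On
expose_php = On
disable_functions = system,passthru
session.save_path = "/tmp"
EOF

# php_ini_get FILE DIRECTIVE: print the effective value of DIRECTIVE.
# The last uncommented assignment wins; quotes and trailing comments are stripped.
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*;.*$//; s/^"//; s/"$//; s/[[:space:]]*$//'
}

# ini_bool VALUE: normalise the spellings PHP accepts for "true" to on/off.
# An absent directive yields "" and is treated as off (assumption of this audit).
ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# Functions this audit expects in disable_functions (my list; all exist in PHP).
WANT_DISABLED="system passthru shell_exec exec popen proc_open"

# disabled_functions_missing FILE: print each expected function not disabled.
disabled_functions_missing() {
    list=$(php_ini_get "$1" disable_functions | tr -d ' ')
    for fn in $WANT_DISABLED; do
        case ",$list," in
            *",$fn,"*) ;;
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

# audit_php_ini FILE: print one WEAK line per finding; exit 0 only if clean.
audit_php_ini() {
    findings=0
    for directive in register_globals allow_url_fopen enable_dl expose_php; do
        if [ "$(ini_bool "$(php_ini_get "$1" "$directive")")" = on ]; then
            echo "WEAK: $directive is on (set '$directive = Off')"
            findings=$((findings + 1))
        fi
    done
    for fn in $(disabled_functions_missing "$1"); do
        echo "WEAK: $fn is not listed in disable_functions"
        findings=$((findings + 1))
    done
    # Session files in the shared /tmp can be enumerated by any local user
    # who can list that directory.
    case "$(php_ini_get "$1" session.save_path)" in
        ""|/tmp|/tmp/) echo "WEAK: session.save_path is unset or the shared /tmp"
                       findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Stand-alone run against the constructed sample: prints nine WEAK lines.
audit_php_ini "$SAMPLE_INI" || echo "=> php.ini needs attention"
```

    To run it against the file PHP actually loads, pass `"$(php -r 'echo php_ini_loaded_file();')"` instead of the sample path; note that a directive set in a later-loaded .htaccess or per-directory ini would not be seen by a file-based check like this one.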

  2. #2
    sh4ka (Member, joined May 2005, 434 posts)

    Anyone please ?

  3. #3
    bamasbest (Member, joined Jan 2004, 531 posts)

    Well, in addition to securing /tmp and editing php.ini, you may wish to investigate whether or not phpsuexec is an option for your server(s).

    As well, mod_security IMO is (as Martha S. says) "A wonderful thing." AND, ensure that your and your clients' php scripts are up to date and/or properly written.

    Many more things you can do, just google and you will find countless articles and resources on the subject.

  4. #4
    brianoz (Member, joined Mar 2004, Melbourne, Australia, 1,117 posts, cPanel/Enkompass Access Level: Root Administrator)

    I second the above, mod_security is essential as it stops hackers getting through via old script tricks. The problem is usually not specifically with PHP, it's with old versions of scripts that users download and don't update.

    The other biggest tip is to bite the bullet and run phpsuexec. Simply, it's essential for security. If you don't have it all scripts run as nobody, which means not only can't you tell who started a script or who wrote a file in /tmp, but it also means that file system permissions need to be left wide open (777 etc) when scripts need to modify files. Not good. Also I don't think sessions are secure (all owned by user nobody) without this (if you run as nobody you should definitely remove read permission from /tmp so they can't search session files for credit card details).

    Also make sure /tmp is mounted with restricted permissions - noexec comes to mind, but there are others that may help (eg: removing read as above for the nobody user).

    Also make sure scripts can't send more than a few emails per hour (100-200 max) which will slow down/dissuade most spammers. You could have an even lower limit for new accounts for the first few weeks. Search for "/var/cpanel/maxemails" for more info from Chirpy on this elsewhere on these forums.
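    As an added example (my code, not from the thread or its posters), the checks this post recommends for /tmp expressed as a POSIX shell audit: whether the mount carries noexec (nosuid and nodev are my additions to the same idea), and whether the directory is world-readable, which is what lets one user enumerate another user's session files. The mounts listing it reads is constructed in /proc/mounts format; on a live host you would point it at /proc/mounts itself and at the real /tmp.

```shell
#!/bin/sh
# Added example: check the mount options and directory mode recommended in
# the post. The mounts listing below is constructed, not from a real host.
SAMPLE_MOUNTS="${TMPDIR:-/tmp}/mounts-sample.txt"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF

# mount_opts MOUNTS_FILE MOUNTPOINT: print the option field (4th column in
# /proc/mounts format) for MOUNTPOINT; the last entry wins if listed twice.
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1" | tail -n 1
}

# mount_has_opt MOUNTS_FILE MOUNTPOINT OPT: succeed if OPT is among the options.
mount_has_opt() {
    case ",$(mount_opts "$1" "$2")," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_mount_opts MOUNTS_FILE MOUNTPOINT: print each hardening option not
# set. noexec is the one named in the post; nosuid and nodev are my additions.
missing_mount_opts() {
    for opt in noexec nosuid nodev; do
        mount_has_opt "$1" "$2" "$opt" || printf '%s\n' "$opt"
    done
}

# dir_world_readable DIR: succeed if the "other" read bit is set, i.e. any
# local user can list the directory (character 8 of the ls -ld mode string).
dir_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# audit_tmp MOUNTS_FILE MOUNTPOINT DIR: print WEAK lines; exit 0 only if clean.
# DIR is the directory whose mode is checked (normally MOUNTPOINT itself; it
# is a separate argument so the demo can use a scratch directory).
audit_tmp() {
    findings=0
    for opt in $(missing_mount_opts "$1" "$2"); do
        echo "WEAK: $2 is mounted without $opt"
        findings=$((findings + 1))
    done
    if dir_world_readable "$3"; then
        echo "WEAK: $3 is world-readable, so session files can be listed (consider mode 1733)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Stand-alone demo on a scratch directory: mode 1777 (the usual /tmp) can be
# listed by everyone; 1733 keeps create/write but drops the read bit.
SCRATCH=$(mktemp -d "${TMPDIR:-/tmp}/tmp-audit.XXXXXX")
chmod 1777 "$SCRATCH"
audit_tmp "$SAMPLE_MOUNTS" /tmp "$SCRATCH" || echo "=> as shipped: needs work"
chmod 1733 "$SCRATCH"
audit_tmp "$SAMPLE_MOUNTS" /var/tmp "$SCRATCH" && echo "=> hardened layout is clean"
rmdir "$SCRATCH"
```

    Mode 1733 (drwx-wx-wt) is the concrete form of "remove read permission from /tmp": processes can still create and open files they know the name of, but cannot enumerate the directory, so a session file is only reachable by someone who already holds its id. Root and the directory owner are unaffected, and a noexec mount does not stop an interpreter from reading a script out of /tmp, so it complements rather than replaces the per-user separation phpsuexec gives.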
