

General PHP Security Questions

Discussion in 'Security' started by celliott, Apr 4, 2008.

  1. celliott

    celliott Well-Known Member

    Jan 2, 2006
    United Kingdom

    Over the past few years I have always adapted a pretty common approach in security on cPanel servers. I've been lucky enough not to have any issues in this time; however, with recent changes I have a few queries regarding PHP security in particular.

    At the moment I look after a couple of cPanel servers running PHP as standard Suexec with several unsafe functions added into the Disable_Functions variable of PHP, such as exec and shell, which are pretty essential, right? This is not ideal as some scripts still need certain functions, which can pose a security risk.

    I'm looking to go over the security of these boxes and, from looking, SuPHP and Suhosin Hardened PHP are now available in the new EasyApache3.

    How do you "Harden" or secure PHP on your boxes? I've noticed that a growing number of clients are coming over from other hosts who seem to be running default installs, at least they have not disabled any potentially dangerous functions.

    Perhaps what I am doing is still fine however with recent developments I am sure there may be better ways of securing PHP?

    Thanks for any info.
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Nov 29, 2006
    Houston, TX
    cPanel Access Level:
    Root Administrator
    We have a PHP Hardening guide in the EA3 documentation:

    To be honest, shell() and exec() in particular are two functions I've never seen a use for in PHP scripts, with the exception of bypassing restrictions on SSH access or those intended to run as the root user (such as Fantastico).

    Generally, benign PHP scripts running in the user's account using such functions are simply coded without realizing that equivalent PHP functions exist for whatever action they are attempting to perform. Most distributed PHP applications are designed to avoid use of functions that are frequently forbidden on shared hosting providers anyway.
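An added example, not code from the thread or from either poster: a small POSIX shell audit that reads a php.ini and reports which of the program-execution functions discussed above (exec, shell_exec and their relatives) are not yet covered by disable_functions. The function list and the sample php.ini are constructed for this example; it assumes only sh, awk, tr, sed and grep.

```shell
#!/bin/sh
# Added example, not from the thread: audit a php.ini for the PHP
# program-execution functions that the posts discuss.
# Assumptions: POSIX sh with awk, tr, sed and grep; the php.ini path is $1.

# Functions that spawn a process or hand a string to /bin/sh. The list is my
# own selection from PHP's program-execution functions, not the thread's.
EXEC_FAMILY="exec shell_exec system passthru popen proc_open pcntl_exec"

# Print the functions named in disable_functions, one per line, lower-cased
# and stripped of spaces/quotes. Commented-out directives (; ...) are skipped
# and, as in PHP's own parsing, the last active directive wins.
disabled_functions() {
    awk -F= '/^[[:space:]]*disable_functions[[:space:]]*=/ { v = $2 }
             END { print v }' "$1" \
        | tr -d ' \t"' | tr ',' '\n' | tr 'A-Z' 'a-z' | sed '/^$/d'
}

# Print each member of EXEC_FAMILY that the php.ini does NOT disable.
# No output means the whole family is covered.
missing_exec_functions() {
    disabled=$(disabled_functions "$1")
    for fn in $EXEC_FAMILY; do
        if ! printf '%s\n' "$disabled" | grep -qx "$fn"; then
            printf '%s\n' "$fn"
        fi
    done
}

# Constructed sample php.ini: a partial lockdown of the kind the opening post
# describes (exec and shell_exec disabled, but not the whole family).
SAMPLE_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
; constructed php.ini fragment for the example
expose_php = Off
;disable_functions = exec,system,popen     <- commented out, must be ignored
disable_functions = exec, shell_exec, System, passthru
EOF

echo "Still callable according to $SAMPLE_INI:"
missing_exec_functions "$SAMPLE_INI"
```

Point it at the file PHP actually loads (`php --ini` prints it) rather than a copy you assume is active. Two caveats worth checking at the same time: disable_functions is a PHP_INI_SYSTEM directive, so nothing in a .htaccess file or ini_set() can re-enable the functions, but under suPHP a per-user php.ini can replace the global one unless suPHP_ConfigPath pins the directory the interpreter reads.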
  3. brianoz

    brianoz Well-Known Member

    Mar 13, 2004
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    It's not so much a matter of just hardening PHP; I tend to harden the box. If you harden PHP you tend to end up making PHP less usable for real users. Hardening the box prevents most of the problems - for instance, using suphp/phpsuexec makes it impossible for hacked scripts to be used to search for mysql usernames and passwords.

    Things like:

    • move up to suphp, it's smarter than phpsuexec;
    • Install mod_security and patterns that catch a good spectrum of exploits;
    • Monitor user installed versions of software on your server as much as you can (ie Joomla/Mambo, phpBB, etc);
    • then,

    Install a solid firewall like CSF that can:

    • block all access off machine via port 25 to prevent spammers sending spam directly;
    • block IPs that attempt to hack (password failures, mod_security hits, htaccess failures, failed ssh logins);
    • Track attempts to send large amounts of email off machine via sendmail;
    • Has ability to block smaller DOS/DDOS attempts to keep the system resilient against them;
    • Ability to detect port scans and block the source;
    • Ability to block DSHIELD and Spamhaus hosts to keep out of the sights of the worst spammers and hacking sites;
    • Ability to block temporarily to avoid admin time unblocking users;
    #3 brianoz, Apr 6, 2008
    Last edited: Apr 6, 2008
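A second added example, mine rather than brianoz's: a shell check that maps most of the firewall capabilities in his list onto the csf.conf settings that govern them and reports which are switched off. The sample csf.conf is constructed; the key names are the ones I know from ConfigServer Firewall's csf.conf and are an assumption of this example, not something the thread states, so check them against the comments in your installed copy.

```shell
#!/bin/sh
# Added example, not from the thread: report which of the CSF capabilities
# brianoz lists are disabled in a csf.conf. Assumptions: POSIX sh with awk
# and sed; the key names below are taken from my knowledge of ConfigServer
# Firewall's csf.conf and must be verified against your installed version.

# Print the value of KEY from a csf.conf-style file (KEY = "value"), without
# the quotes. Prints nothing when the key is absent or commented out with #.
csf_get() {
    awk -F= -v key="$2" '
        $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") { v = $2 }
        END { print v }' "$1" \
        | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//'
}

# One line per capability: governing key, "|", what the post asked for.
# csf switches a feature off with "0", so 0 or an absent key counts as a gap.
CAPABILITIES='SMTP_BLOCK|block outbound port 25 for ordinary users
LF_SSHD|block IPs after repeated failed SSH logins
LF_MODSEC|block IPs after repeated mod_security hits
LF_HTACCESS|block IPs after repeated htaccess auth failures
CT_LIMIT|connection tracking to blunt small DoS attempts
PS_INTERVAL|port-scan detection and blocking
LF_DSHIELD|import the DShield blocklist
LF_SPAMHAUS|import the Spamhaus DROP list'

# Print "KEY: description" for every capability that is off in the given file.
csf_gaps() {
    printf '%s\n' "$CAPABILITIES" | while IFS='|' read -r key desc; do
        case $(csf_get "$1" "$key") in
            ''|0) printf '%s: %s\n' "$key" "$desc" ;;
        esac
    done
}

# Constructed csf.conf fragment: a typical partial setup.
SAMPLE_CSF=$(mktemp)
trap 'rm -f "$SAMPLE_CSF"' EXIT
cat > "$SAMPLE_CSF" <<'EOF'
# constructed csf.conf fragment for the example
TESTING = "0"
SMTP_BLOCK = "1"
LF_SSHD = "5"
LF_MODSEC = "0"
LF_HTACCESS = "5"
CT_LIMIT = "0"
PS_INTERVAL = "300"
LF_DSHIELD = "86400"
# LF_SPAMHAUS = "86400"   <- commented out, so it counts as absent
EOF

echo "Capabilities from the post that $SAMPLE_CSF leaves off:"
csf_gaps "$SAMPLE_CSF"
```

The check only says whether a feature is on; the thresholds (how many failures before a block, how long a temporary block lasts) still need reading in context, and the LF_MODSEC line is only meaningful once mod_security itself is installed and logging, which is the earlier item in the same post.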

