The Community Forums


Securing/Hardening PHP

Discussion in 'General Discussion' started by sh4ka, Oct 14, 2005.

  1. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    I already have these options turned off in my PHP config:
    disable_functions = system,system_exec,passthru,shell,shell_exec,exec

    But I think that is not enough, so I'm working more on PHP security/hardening, and while investigating I found that the following things can be set off:

    register_globals = off
    allow_url_fopen = off
    enable_dl = off
    expose_php = off

    Also, I found that the sessions tmp directory can be changed to store the sess_***** files that always appear in the /tmp folder in another, more hidden folder created by ourselves, stopping possible bad guys from looking into /tmp to get the session of another visitor and gain his privileges.

    Please, I need suggestions from experienced users about this; should this be a good start?
    What more can be done to improve security in PHP?
     
  2. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    Anyone, please?
     
  3. bamasbest

    bamasbest Well-Known Member

    Joined:
    Jan 10, 2004
    Messages:
    531
    Likes Received:
    0
    Trophy Points:
    16
    Well, in addition to securing /tmp and editing php.ini, you may wish to investigate whether or not phpsuexec is an option for your server(s).

    As well, mod_security IMO is (as Martha S. says) "A wonderful thing." AND, ensure that your and your clients' php scripts are up to date and/or properly written.

    There are many more things you can do; just Google and you will find countless articles and resources on the subject.
     
  4. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    I second the above, mod_security is essential as it stops hackers getting through via old script tricks. The problem is usually not specifically with PHP, it's with old versions of scripts that users download and don't update.

    The other biggest tip is to bite the bullet and run phpsuexec. Simply, it's essential for security. If you don't have it, all scripts run as nobody, which means not only that you can't tell who started a script or who wrote a file in /tmp, but also that file system permissions need to be left wide open (777 etc.) when scripts need to modify files. Not good. Also, I don't think sessions are secure (all owned by user nobody) without this (if you run as nobody you should definitely remove read permission from /tmp so they can't search session files for credit card details).

    Also make sure /tmp is mounted with restricted permissions; noexec comes to mind, but there are others that may help (e.g. removing read as above for the nobody user).

    Also make sure scripts can't send more than a few emails per hour (100-200 max) which will slow down/dissuade most spammers. You could have an even lower limit for new accounts for the first few weeks. Search for "/var/cpanel/maxemails" for more info from Chirpy on this elsewhere on these forums.
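Taking the php.ini settings sh4ka lists in the first post together with the /tmp mount advice in the last one, here is an added example (not code from the thread or from cPanel): a POSIX sh audit that reads a php.ini and a mounts table and reports which of the settings discussed above are missing. It extends the disable_functions check with popen and proc_open, which also run commands; the file paths, the value formats and the expected flags are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes php.ini uses "key = value"
# lines with ';' comments and the mounts table is in /proc/mounts format.
# Effective value of a php.ini directive: last uncommented assignment wins,
# inline comments, quotes and whitespace stripped; empty when not set.
ini_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | tail -n 1 |
    sed 's/;.*$//; s/["[:space:]]//g'
}
# Check the boolean directives the thread says to switch off, the
# disable_functions list and session.save_path. Prints one line per
# finding and returns the number of findings (0 = nothing to report).
audit_php_ini() {
  ini="$1"; n=0
  for d in register_globals allow_url_fopen enable_dl expose_php; do
    v=$(ini_value "$ini" "$d" | tr 'A-Z' 'a-z')
    case "$v" in
      off|0|false|no) ;;
      "") echo "UNSET: $d (relies on the PHP default)"; n=$((n + 1)) ;;
      *)  echo "WEAK: $d = $v, expected Off"; n=$((n + 1)) ;;
    esac
  done
  # popen and proc_open also run commands, so they are added to the list.
  dis=",$(ini_value "$ini" disable_functions),"
  for f in exec system passthru shell_exec popen proc_open; do
    case "$dis" in
      *",$f,"*) ;;
      *) echo "WEAK: $f not in disable_functions"; n=$((n + 1)) ;;
    esac
  done
  case "$(ini_value "$ini" session.save_path)" in
    ""|/tmp|/tmp/) echo "WEAK: session files left in /tmp"; n=$((n + 1)) ;;
  esac
  return $n
}
# Check that /tmp is a separate mount carrying noexec and nosuid; returns
# the number of missing flags (1 when /tmp is not a mount point at all).
audit_tmp_mount() {
  opts=$(awk '$2 == "/tmp" { print $4 }' "$1" | tail -n 1)
  [ -n "$opts" ] || { echo "WEAK: /tmp is not a separate mount"; return 1; }
  n=0
  for flag in noexec nosuid; do
    case ",$opts," in
      *",$flag,"*) ;;
      *) echo "WEAK: /tmp mounted without $flag"; n=$((n + 1)) ;;
    esac
  done
  return $n
}
```

Run it as `audit_php_ini /usr/local/lib/php.ini; audit_tmp_mount /proc/mounts` on the server; a non-zero exit status means at least one setting from the thread is still missing.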
     