PHP.ini security
vaio, 14th December 2011, 11:04

Hello dear ISP community.

I would like to ask you about php.ini settings to have security in mind.
I have run ISP now for about a year and thought that, since I have followed great How to Forges about installation and security, that server is quite safe.

Now on WP I have installed a plugin which showed me:

allow_url_fopen
The allow_url_fopen directive is set to ON. It is recommended that you disable allow_url_fopen in the php.ini file for security reasons. This allows PHP file functions, such as include, require, and file_get_contents(), to retrieve data from remote locations (Example: FTP, web site). According to PHP Security Consortium, a large number of code injection vulnerabilities are caused by the combination of enabling allow_url_fopen, and bad input filtering.

How can I turn it off and what (possible) changes can that bring? Will it somehow affect WordPress working?

display_errors
The display_errors setting in php.ini is set to ON. This means that PHP errors, and warnings are being displayed. Such warnings can cause sensitive information to be revealed to users (paths, database queries, etc.).

How can we turn this off?

magic_quotes_gpc
Magic Quotes is set to ON. This feature has been depreciated as of PHP 5.3 and removed as of PHP 6.0. Relying on this feature is highly discouraged. It is preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

I thought I had it off. How can we turn this off?

ModSecurity
Unable to determine if mod_security for Apache is installed. This can happen if a host uses a different name for the Apache module, or if the apache_get_modules() function is not available in your PHP installation. ModSecurity can help protect your server against SQL injections, XSS attacks, and a variety of other attacks. The Apache module is available for free at http://www.modsecurity.org.

Is this because I use Vserver?



Is there any other list of recommended security settings? I have used some of them from How to Forge and this forum.

Is it possible to see server load usage by users? I mean I have 5 users on ISP and is it possible to see for each individual?



Hope your advice will also help others to better protect your servers which are running ISP config!
Thank you,
V.
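As an added example (not part of the original post, and not code from the plugin or from ISPConfig), this Python sketch reads the text of a php.ini and reports which of the three directives the plugin flagged are effectively on. The function names, the sample file and the fallback to PHP 5.3 built-in defaults for missing directives are assumptions made for the illustration.

```python
import re

# Directives the plugin flagged, mapped to the value assumed when php.ini
# does not set them (assumption: PHP 5.3 built-in defaults, all "on").
FLAGGED = {"allow_url_fopen": "1", "display_errors": "1", "magic_quotes_gpc": "1"}
# Spellings treated as "on"; display_errors also accepts stdout/stderr.
ON_WORDS = {"1", "on", "yes", "true", "stdout", "stderr"}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """Return {directive: raw value}; the last assignment in the file wins."""
    settings = {}
    for line in text.splitlines():
        # Drop ';' comments. Good enough for on/off directives; a quoted
        # value containing ';' would need a real parser.
        line = line.split(";", 1)[0]
        m = LINE_RE.match(line)
        if m:  # section headers such as [PHP] do not match
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings


def audit(text):
    """Return sorted (directive, value, source) tuples for flagged directives that are on."""
    settings = parse_ini(text)
    findings = []
    for name, default in FLAGGED.items():
        value = settings.get(name, default)
        if value.lower() in ON_WORDS:
            source = "set" if name in settings else "default"
            findings.append((name, value, source))
    return sorted(findings)


# Constructed sample, not taken from the poster's server.
SAMPLE = """\
[PHP]
; display_errors = Off
display_errors = On      ; left over from development
allow_url_fopen = Off
allow_url_fopen = "On"   ; later line overrides the earlier one
"""

if __name__ == "__main__":
    for name, value, source in audit(SAMPLE):
        print(f"{name} is on (value {value!r}, {source}): set it to Off in php.ini")
```

The script only reads the one file it is given; per-directory or runtime overrides are not seen, so phpinfo() remains the check for the effective values.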