#1
4th November 2006, 12:11
sysconfig
Junior Member
Join Date: Nov 2006
Location: (.)
Posts: 20
Thanks: 0
Thanked 0 Times in 0 Posts

Secure php settings

Securing PHP

PHP is one of the most popular applications that run on Linux and Windows servers today. It's also one of the main sources for servers and user accounts getting compromised. Hence, here are the steps to securing PHP and securing php.ini.

First off you want to figure out how you can edit php.ini. This is the main configuration file for PHP. You can find it by logging into shell and typing in the following:

# php -i |grep php.ini

Turn on safe_mode

Safe mode is an easy way to lock down the security and functions you can use. PHP.net explains php safe_mode as, "The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now."

I highly recommend you enable safe_mode on production servers, especially in shared environments. This will stop exec functions and others that can easily prevent a security breach.

Disable Dangerous PHP Functions

PHP has a lot of potential to mess up your server and hack user accounts and even get root. I've seen many times where users use an insecure PHP script as an entry point to a server to start unleashing dangerous commands and taking control.

Search the php.ini file for:
disable_functions =

Add the following:

disable_functions = dl,system,exec,passthru,shell_exec

Turn off Register Globals

Register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier.
See http://us2.php.net/register_globals
register_globals = On

Replace it with

register_globals = Off
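The three edits above (safe_mode, disable_functions, register_globals) are easy to get wrong by hand, so here is an added audit script that checks a php.ini for them. It is not part of the original post; it assumes a POSIX shell with sed, tr and mktemp, and the two php.ini excerpts at the bottom are constructed for the demo (a "before" copy with the weak settings and an "after" copy with the post's edits applied). It targets the PHP 4/5.x builds the post is written for; safe_mode and register_globals were removed in PHP 5.4, so on a modern build the first two checks simply report the directive as absent.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a php.ini for the three
# settings the post recommends (safe_mode, disable_functions, register_globals).
# Assumes a POSIX shell with sed, tr and mktemp. The php.ini excerpts at the
# bottom are constructed for the demo; on a real server point the functions at
# the path reported by "php -i | grep php.ini" instead.

# Print the effective value of a directive, lower-cased. The last uncommented
# assignment wins, which is how PHP reads php.ini; lines starting with ';' are
# comments and never match. Empty output means the directive is absent or empty.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# Return 0 if a boolean directive is in the wanted state ($3 = "on" or "off").
# PHP treats 1/on/true/yes as on and anything else as off; an absent or empty
# directive falls back to the compiled-in default given as $4.
ini_bool_is() {
    v=$(ini_get "$1" "$2")
    [ -z "$v" ] && v=$4
    case "$v" in
        1|on|true|yes) v=on ;;
        *)             v=off ;;
    esac
    [ "$v" = "$3" ]
}

# Return 0 only if every function in the comma-separated list $2 appears in
# disable_functions; whitespace inside the directive value is ignored.
disable_functions_covers() {
    have=$(ini_get "$1" disable_functions | tr -d ' ')
    for fn in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$have," in
            *",$fn,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print one verdict line per directive and return the number of weak settings,
# so the function doubles as an exit status (0 = fully hardened).
# Defaults: safe_mode is Off when absent; register_globals has been Off by
# default since PHP 4.2, so an absent directive counts as OK.
audit_php_ini() {
    weak=0
    if ini_bool_is "$1" safe_mode on off; then
        echo "safe_mode: OK"
    else
        echo "safe_mode: WEAK (set safe_mode = On)"; weak=$((weak + 1))
    fi
    if ini_bool_is "$1" register_globals off off; then
        echo "register_globals: OK"
    else
        echo "register_globals: WEAK (set register_globals = Off)"; weak=$((weak + 1))
    fi
    if disable_functions_covers "$1" dl,system,exec,passthru,shell_exec; then
        echo "disable_functions: OK"
    else
        echo "disable_functions: WEAK (add dl,system,exec,passthru,shell_exec)"; weak=$((weak + 1))
    fi
    return $weak
}

# Constructed "before" excerpt: the weak settings the post tells you to change.
WEAK_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
; constructed php.ini excerpt (weak)
safe_mode = Off
register_globals = On
disable_functions =
EOF

# Constructed "after" excerpt with the post's edits applied (spaces in the
# list are tolerated, as PHP tolerates them).
HARD_INI=$(mktemp)
cat > "$HARD_INI" <<'EOF'
; constructed php.ini excerpt (hardened)
safe_mode = On
register_globals = Off
disable_functions = dl, system, exec, passthru, shell_exec
EOF

for ini in "$WEAK_INI" "$HARD_INI"; do
    echo "== $ini"
    if audit_php_ini "$ini"; then
        echo "result: hardened"
    else
        echo "result: $? weak setting(s)"
    fi
done
rm -f "$WEAK_INI" "$HARD_INI"
```

Run it against the real file with `audit_php_ini /path/to/php.ini` after sourcing the script; a non-zero exit status means at least one of the three settings still needs the edit the post describes. Note that the checks only read php.ini: a per-directory `php_value`/`php_flag` in an Apache configuration or .htaccess can still override these values, so the audit is a starting point, not a proof.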

Run PHP through PHPsuexec Preventing Nobody Access
__________________
Linux Web Administrator
Optimize, secure and performance tunning for Apache || MySQL5.1 Cluster How To
The visionary conceives the impossible, The missionary makes it possible. ...Gita.