Home > Forums > Linux Security

Hardening PHP with Cpanel

Hardening PHP with Cpanel

Examples of locking down these functions:
1. Use you preferred text editor to open the following file for edit:
/usr/local/lib/php.ini
2. Locate the line that starts with disable_functions.
3. Consider editing the disable_functions line to reflect the following:

disable_functions = exec, shell_exec, system, passthru, popen, virtual, show_source, readfile, pclose

This will directly help keep exploiters from being able to use less insecure our outdated CMS systems to gain access to your system through exec calls and tools like PHP shells.

Root user ssh login mail alert ›
by admin on Mon, 04/19/2010 - 22:00

Run scripts as the user instead of “nobody”

Run scripts as the user instead of “nobody”

You can run PHP as the user (like CGI scripts do with Apache's suEXEC), with EasyApache's PHP As User option. This will enable suPHP, greatly improving the permissions situation. Vulnerable scripts will be limited to the user in question, and are less likely to affect other users. It also changes how PHP interacts with Apache; for example, directives like php_$value are not valid for mod_suphp.

note Note: mod_suphp is considerably slower than mod_php.

by admin on Mon, 04/19/2010 - 22:02

Use hardening tools, like Suhosin

Use hardening tools, like Suhosin

The Suhosin extension "was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core."

by admin on Mon, 04/19/2010 - 22:07

Check out - http://www.milw0rm.com/

One of the most common methods an attacker will use is to use a search engine to isolate sites running content management systems with known security holes and using the known exploit to gain access to your system. Keeping a watchful eye on matters such as this is a very important task as system administrator.

by admin on Mon, 04/19/2010 - 22:33

WHM php configurations

WHM provides an interface that can assist you in configuring PHP. It is located in Service Configuration >> Apache Configuration >> PHP and SuExec Configuration. You are also able to access a command line interface that provides the same options through the following script:

/usr/local/cpanel/bin/rebuild_phpconf

Both interfaces function by rewriting php.conf and, when necessary, copying PHP binaries from /usr/bin/php and /usr/php4/bin/php to /usr/local/cpanel/cgi-sys.