Best ways to secure PHP and Apache?

Are there any good guides someone could please recommend? That'd be great.
Asked by:
Moocher
625 points
Category: Linux Servers

The user that PHP runs as is the biggest issue, IMHO.

mod_php generally executes all PHP code as the Apache user. The problem with this is that often one user can access another user's files (and through this their DB credentials and other secure stuff).

One way around this is to use suPHP. This runs each user's code as that user and as such reduces the risk of the above security breach happening. The main downside is that suPHP must run with privilege, as it needs to setuid to the script owner, and also a new process is started for each PHP request, which may break some opcode caching solutions.


Response by:
darkflib
95 points
Depends on the distribution... in a nutshell,

1. Edit /etc/apache2/conf.d/security (if Debian/Ubuntu), turn off/down ServerTokens and the Trace stuff.

2. Tell PHP to not expose_php via /etc/php5/apache2/php.ini; check PHP's memory limits to make sure they're sane.

3. Make sure you apt-get update / upgrade (or equivalent) often.

Response by:
GingerDog
75 points
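
The checks from the answer above as a small audit script, added here as an example and not part of the original post. The function names and the 256 MB memory_limit ceiling are assumptions, and "the Trace stuff" is taken to mean Apache's TraceEnable directive.

```shell
#!/bin/sh
# Added example: audits the settings named in the answer above.
# The 256 MB memory_limit ceiling is an assumed threshold, not a value from the page.
# Last value of Apache directive $2 in file $1 (case-insensitive; '#' lines never match).
apache_value() {
  awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Last value of php.ini key $2 in file $1 (';' comments and quotes stripped).
php_value() {
  awk -F= -v k="$2" '
    /^[ \t]*;/ { next }
    { key = $1; gsub(/[ \t]/, "", key) }
    key == k { v = $2; sub(/;.*/, "", v); gsub(/[ \t"]/, "", v); val = v }
    END { print val }' "$1"
}

# PHP shorthand size (512K, 128M, 1G, bytes) to whole megabytes; -1 (unlimited) stays -1.
to_mb() {
  case "$1" in
    -1)    echo -1 ;;
    *[Gg]) echo $(( ${1%?} * 1024 )) ;;
    *[Mm]) echo "${1%?}" ;;
    *[Kk]) echo $(( ${1%?} / 1024 )) ;;
    *)     echo $(( $1 / 1048576 )) ;;
  esac
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit APACHE_CONF PHP_INI [MAX_MB]: prints one FAIL line per weak setting and
# returns the number of findings. Unset settings are judged by their defaults.
audit() (
  n=0
  fail() { echo "FAIL $1"; n=$((n + 1)); }
  v=$(apache_value "$1" ServerTokens)
  case "$(lower "${v:-full}")" in prod|productonly) ;; *) fail "ServerTokens=${v:-unset}" ;; esac
  v=$(apache_value "$1" TraceEnable)
  case "$(lower "${v:-on}")" in off) ;; *) fail "TraceEnable=${v:-unset}" ;; esac
  v=$(php_value "$2" expose_php)
  case "$(lower "${v:-on}")" in off|0|false|no) ;; *) fail "expose_php=${v:-unset}" ;; esac
  v=$(php_value "$2" memory_limit)
  mb=$(to_mb "${v:-128M}")
  if [ "$mb" -lt 0 ] || [ "$mb" -gt "${3:-256}" ]; then fail "memory_limit=${v:-unset}"; fi
  exit "$n"
)

# Run as: sh audit.sh /etc/apache2/conf.d/security /etc/php5/apache2/php.ini
if [ "$#" -ge 2 ]; then audit "$@"; fi
```

The script only reads the two files given on the command line; Include'd files and per-vhost overrides are not followed.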
This is a good guide for hardening Apache:

http://xianshield.org/guides/apache2.0guide.html

Response by:
Trinity
2782 points

