July 9, 2008 5:40 pm GMT

Tightening PHP

by Gary Illyes


OK, let’s see my point of view on this subject. Please note that nothing I say is a must; others would probably do what I did in another way, some better, some worse.
First of all, I would like to say a “thank you” to all of those whose servers I manage and who have cPanel/WHM installed. Since the folks from cPanel integrated EasyApache into their software, the job has become much easier for us. Less work, more time to drink coffee.

So. My very first suggestion is to install PHP as a module: on Apache, that means mod_php4 or mod_php5. Security holes exist in both setups whatever you do, but if you install PHP as a module, at least you have fewer headaches. Maybe it’s just me, but when PHP was installed as CGI it was a nightmare. First of all, the developer has to work in the cgi-bin directory (if the web server is well configured); secondly, sometimes you have to place the php executable in the CGI directory, which is not good… at all. Thirdly, why bring even more security holes onto the server by involving a CGI wrapper if PHP already has enough? The last is probably the best reason, and please, don’t tell me the wrappers don’t have security holes.

OK, let’s step forward. Staying with Apache, there are two other modules to consider: mod_suphp and mod_security. Neither is a must; it depends on your needs and on what you will do with your server. mod_security is “just” a software firewall for web traffic (a web application firewall); it can do many things: live protection, monitoring, and so on. There are a lot of features; better have a read on the official mod_security page. It’s pretty cool, but if you already have a firewall like CSF installed, it is probably just a waste of resources. mod_suphp, on the other hand, executes PHP scripts as the script’s owner. Let me explain: by default, PHP runs as the user “nobody”. This varies between systems, as it can be changed easily. So, by default, every PHP script is executed as “nobody”; effectively, “nobody” is the owner of all PHP scripts. Sounds weird. Let’s say you run many virtual hosts on your server: example1.com belongs to John, your best friend from school, and Ran, your girlfriend’s ex, has example2.com on your server. If suphp is not installed (or not working correctly) and Ran or John writes a script and runs it on your server, it runs as “nobody”, because, remember, by default every PHP script is nobody’s. If you have suphp installed, Ran’s PHP scripts run as Ran, John’s as John, and so on. Why is it good to have it installed? Everyone will be able to execute their own scripts but not the others’. Again, an example: John will be able to execute his own PHP scripts but not Ran’s, and vice versa, and definitely John will not be able to execute nobody’s scripts. This tool is a must if the server will not be used only by you; otherwise you can live without it, but you will have a security hole!
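A quick way to verify which account your PHP scripts actually run under is to ask PHP itself. The following check script is an added example, not code from the original post or from the suPHP project: dropped into a user’s document root and requested once through the web server, it compares the process’s effective uid with the owner of the script file, which is exactly the distinction the paragraph above draws between “nobody” and the per-user execution mod_suphp provides. It assumes a Unix-like host; the /proc/self/status fallback is Linux-only and is used when the posix extension is not compiled in.

```php
<?php
// Added check script (not from the original post). Request it once through
// the web server from a user's document root, read the result, then delete it.

// Effective uid of the process running this script. Prefers the posix
// extension; on Linux falls back to /proc/self/status when posix is absent.
function effective_uid()
{
    if (function_exists('posix_geteuid')) {
        return posix_geteuid();
    }
    $status = @file_get_contents('/proc/self/status');
    // The "Uid:" line lists real, effective, saved and filesystem uids.
    if ($status !== false && preg_match('/^Uid:\s+\d+\s+(\d+)/m', $status, $m)) {
        return (int) $m[1];
    }
    return null; // unknown on this platform
}

// Owner of the script file itself (the user suPHP switches to before running it).
function script_owner_uid($path)
{
    return fileowner($path);
}

// true  : the script executes as its own owner (per-user execution is in effect)
// false : it runs as the shared web-server account ("nobody" in the post)
// null  : the effective uid could not be determined
function runs_as_owner($path)
{
    $euid = effective_uid();
    if ($euid === null) {
        return null;
    }
    return $euid === script_owner_uid($path);
}

header('Content-Type: text/plain');
$euid = effective_uid();
printf("script owner uid: %d (%s)\n", script_owner_uid(__FILE__), get_current_user());
printf("effective uid:    %s\n", $euid === null ? 'unknown' : $euid);

$result = runs_as_owner(__FILE__);
if ($result === null) {
    echo "could not determine the effective uid on this platform\n";
} elseif ($result) {
    echo "OK: scripts run as their file owner (per-user execution active)\n";
} else {
    echo "WARNING: scripts run as the shared web-server user; every account's\n"
       . "scripts share that user's permissions on the whole server\n";
}
```

Run it once from each virtual host you care about: a correctly working suPHP setup reports a different effective uid for John’s and Ran’s copies, while a plain mod_php setup reports the same web-server uid for both.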

Always install the most up-to-date and STABLE release of PHP. Why does everyone think this is not good? The folks from PHP release new versions because they fixed or upgraded something, not because they were bored. If you think your users’ PHP scripts won’t be compatible with the new PHP, first let them know, give ‘em a few days to fix their code, then throw them in the deep water and upgrade PHP. Honestly, I saw the other day a web host which still used PHP 3. When I asked their live support why PHP 3, the poor girl from the support desk said that their users aren’t prepared for the upgrade yet. Yup, 2 or 3 years isn’t enough time. Too bad PHP 6 is knocking on the door.

Next step: let’s disable functions which might be dangerous on production servers! A straightforward example: you definitely don’t want your users, who are all potential black-hat hackers, to be able to run commands on your system like
format c:
Right? So let’s disable some built-in PHP functions; consider the following:

ini_set
system
show_source
shell_exec
passthru
exec
proc_open
popen

system, exec, passthru, shell_exec, proc_open and popen are related to the command line, so it is good to have them disabled (remember: format c:). ini_set: you already configured your PHP, why would you let others reconfigure it? Finally, show_source: would you like to show your PHP script’s source to the hackers?
You may also disable phpinfo, as you don’t really want to let others know your PHP configuration. If you don’t want to send e-mails from your scripts, you may want to consider disabling the mail function as well.

OK, another one: fopen(). Did you know it can be used to open remote files? For example, to open a YouTube page and view it through your web page. That’s the less severe case anyway; it could also be used to place exploits on your server or for many other purposes. So, in php.ini:
allow_url_fopen = Off
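The function list above and the allow_url_fopen setting are easy to get wrong in practice, typically because the CLI and the web server load different php.ini files. The audit script below is an added example, not code from the original post: it reads the running PHP’s configuration with ini_get() and reports every function from the list that is still callable and every URL-related setting that is still On. The function names and allow_url_fopen come from the post; allow_url_include (present since PHP 5.2) is an addition of this example, since it governs include/require of remote URLs in the same way allow_url_fopen governs fopen().

```php
<?php
// Added audit script (not from the original post). It reads the running PHP's
// configuration and reports every deviation from the settings the post
// recommends. Run it once with the CLI (php audit.php) and once through the
// web server: the two SAPIs frequently load different php.ini files.

// Functions the post lists for disable_functions, and the two it calls optional.
const REQUIRED_DISABLED = ['ini_set', 'system', 'show_source', 'shell_exec',
                           'passthru', 'exec', 'proc_open', 'popen'];
const OPTIONAL_DISABLED = ['phpinfo', 'mail'];

// disable_functions is a comma-separated list in php.ini; normalise it.
function disabled_functions()
{
    $raw = strtolower((string) ini_get('disable_functions'));
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

// Returns the entries of $wanted that are NOT in the disabled list.
function still_enabled(array $wanted, array $disabled)
{
    return array_values(array_filter($wanted, function ($fn) use ($disabled) {
        return !in_array(strtolower($fn), $disabled, true);
    }));
}

// php.ini booleans arrive from ini_get() as "1", "0", "", "On", "Off", ...
function ini_bool($name)
{
    $v = strtolower(trim((string) ini_get($name)));
    return in_array($v, ['1', 'on', 'true', 'yes'], true);
}

// Builds the list of findings; an empty list means everything is in place.
function audit()
{
    $disabled = disabled_functions();
    $report   = [];
    foreach (still_enabled(REQUIRED_DISABLED, $disabled) as $fn) {
        $report[] = "disable_functions: $fn is still callable";
    }
    foreach (still_enabled(OPTIONAL_DISABLED, $disabled) as $fn) {
        $report[] = "disable_functions: $fn is callable (optional, per the post)";
    }
    if (ini_bool('allow_url_fopen')) {
        $report[] = 'allow_url_fopen is On; the post recommends Off';
    }
    // allow_url_include (PHP >= 5.2) is not mentioned in the post, but it
    // controls include/require of remote URLs and should be Off as well.
    if (ini_bool('allow_url_include')) {
        $report[] = 'allow_url_include is On; set it Off';
    }
    return $report;
}

$report = audit();
echo $report
    ? implode(PHP_EOL, $report) . PHP_EOL
    : 'all recommended settings are in place' . PHP_EOL;
```

Because the script only reads settings, it still works when ini_set itself is disabled; the disabled list it prints is the one the server actually loaded, which is the value to trust over whatever the php.ini on disk appears to say.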

That’s for now, I will talk later about how and when to limit the server resources PHP can eat up.

