Hi there. This is the last part of this tutorial where I tell you a few things about securing PHP on the server, about securing MySQL and Apache.
OBS: If you don’t administer your own server, this information will be useful to you while shopping for a Web host, so you better continue reading.
Before starting this part I would like to give you some tips to use when buying a host:
- shop for a secure Web host. Insist on knowing what Web server software (and
which version of it) the host is running and which version of each programming
language it has installed
- keep up with security alerts that affect the applications running on your Web host
- encourage your Web host’s system administrators to apply security patches and
Also, you have to keep in mind that you must know on what operating system your server runs in (UNIX, Linux, Mac OS or Windows) because this has to be secured too. This article is not intented to present this step, but I thought that is good to know that too.
Let’s start with some ideas about securing the Apache Web Server. These are a few steps for doing this:
1. upgrade or install the latest stable version of Apache
2. because Apache runs as a nobody user it better to create an unprivileged user (this implies the creation of a group too) for it; why? because if an attacker hijacks the nobody user he/she will gain access to Apache
3. hide sensitive information
By default, Apache show information about its version, the PHP and MySQL versions and on what operating system it is installed in its error messages. If a hacker grabs this kind of information you are in a real trouble, so you must hide this kind of information by setting a couple of directives in the httpd.conf file:
• Set ServerSignature to Off.
• Set ServerTokens to Prod.
4. restrict Apache to its own area of the server
5. disable any options you don’t’ explicitly need
6. install and enable ModSecurity (a tool that examines every packet coming into the Web server)
Ok, know lets see what we can do for MySQL (I choose MySQL, but this is valid for any relational database running on a UNIX, Linux or Mac platform). So, let see the steps for this:
1. upgrade or install the latest stable version of MySQL
2. disable remote access (this is the case when your Web server and your database server runs both on the save physical machine)
3. change admin username and password
4. delete default database users and create new accounts for each application
5. delete the sample databases
Now, let’s move on to the secure PHP on the server situation. Here the steps are:
1. upgrade or install the latest stable version of PHP
OBS: Here you should think of using a framework when building PHP application, the Zend Framework is the I would recommend you, because he dispose of a number of libraries for security checks (see Zend Optimizer)
2. use the Suhosin patch and extension
Suhosin is a safety (or tries to be) net that protects servers from insecure PHP coding practices like the ones described above, during the two articles. The Suhosin patch fixes a few key vulnerabilities in the core PHP language. The Suhosin extension adds several encryption schemes and protects against various remote file inclusion attacks, session attacks, and a long list of other vulnerabilities. It also includes a toolbox of ready-made data filters and some advanced logging capabilities.
Can be downloaded from http://www.hardened-php.net/suhosin/index.html.
3. use the security features available into PHP and Apache (like safe_mode or SUEXEC)
4. using ModSecurity
5. take care of the php.ini file (register_globals, session.cookie, display_errors, etc)
Well, that all I have to say about this. Hope you enjoyed.