Securing PHP Applications Part III – Securing PHP on the server / Securing MySQL and Apache

Hi there. This is the last part of this tutorial, where I tell you a few things about securing PHP on the server, and about securing MySQL and Apache.

OBS: If you don’t administer your own server, this information will still be useful to you when shopping for a Web host, so keep reading.

Before starting this part I would like to give you some tips to use when buying a host:
- shop for a secure Web host. Insist on knowing what Web server software (and which version of it) the host is running, and which version of each programming language it has installed
- keep up with security alerts that affect the applications running on your Web host
- encourage your Web host’s system administrators to apply security patches and updates promptly

Also, keep in mind that you must know which operating system your server runs on (UNIX, Linux, Mac OS or Windows), because the operating system has to be secured too. This article is not intended to cover that step, but I thought it is good to know.

Let’s start with some ideas about securing the Apache Web Server. These are a few steps for doing this:
1. upgrade or install the latest stable version of Apache
2. because Apache runs as the nobody user by default, it is better to create an unprivileged user (which implies creating a group too) dedicated to it; why? Because if an attacker hijacks the nobody user, which other services may share, he or she gains access to Apache as well
3. hide sensitive information

By default, Apache shows information about its version, the PHP and MySQL versions and the operating system it is installed on in its error messages. If an attacker grabs this kind of information you are in real trouble, so you must hide it by setting a couple of directives in the httpd.conf file:
• Set ServerSignature to Off.
• Set ServerTokens to Prod.
4. restrict Apache to its own area of the server
5. disable any options you don’t explicitly need
6. install and enable ModSecurity (a Web application firewall module that examines every request coming into the Web server)
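The Apache steps above turned into a configuration fragment, as an added example that is not part of the original post: a POSIX shell script that prints an Apache 2.4 hardening snippet covering steps 2 to 6 (including the two directives from step 3) and can create the dedicated account. The account and group name httpd, the document root /var/www/html, the target path under conf.d and the `Require` syntax (Apache 2.4; 2.2 used Order/Allow/Deny) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: Apache 2.4 hardening fragment for
# steps 2-6. Account name, group, document root and target path are assumptions.

APACHE_USER="${APACHE_USER:-httpd}"      # assumption: dedicated unprivileged account
APACHE_GROUP="${APACHE_GROUP:-httpd}"
DOCROOT="${DOCROOT:-/var/www/html}"      # assumption: the only tree Apache may serve

# Print the directives; redirect into e.g. /etc/httpd/conf.d/00-hardening.conf
apache_hardening_conf() {
    cat <<EOF
# Step 2: run the worker processes as a dedicated account instead of nobody
User ${APACHE_USER}
Group ${APACHE_GROUP}

# Step 3: do not advertise version, OS or modules in error pages and headers
ServerSignature Off
ServerTokens Prod

# Step 4: deny everything outside the document root (2.4 Require syntax)
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "${DOCROOT}">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>
# .htaccess/.htpasswd must never be served, even inside the document root
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Step 5: refuse request methods the application does not use
<Location />
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Location>

# Step 6: turn ModSecurity on, but only when the module is actually loaded
<IfModule security2_module>
    SecRuleEngine On
</IfModule>
EOF
}

# Step 2: create the account with no login shell and no home directory.
create_apache_account() {
    getent group "${APACHE_GROUP}" >/dev/null 2>&1 || groupadd -r "${APACHE_GROUP}"
    getent passwd "${APACHE_USER}" >/dev/null 2>&1 || \
        useradd -r -g "${APACHE_GROUP}" -d /nonexistent -s /usr/sbin/nologin "${APACHE_USER}"
}

# Count the identity and disclosure directives present in a conf file; run
# against an existing httpd.conf it tells you whether steps 2 and 3 are done.
count_hardening_directives() {
    grep -E -c '^(ServerSignature Off|ServerTokens Prod|User |Group )' "$1"
}

case "${1:-}" in
    print) apache_hardening_conf ;;
    apply) create_apache_account
           apache_hardening_conf > "${2:-/etc/httpd/conf.d/00-hardening.conf}" ;;
esac
```

Run it with `print` to review the fragment and with `apply` (as root) to create the account and write it. Applications that rely on .htaccess files need `AllowOverride` relaxed for their own directory only, and the `LimitExcept` list must include every method the application actually uses (PUT/DELETE for a REST API, for instance).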

OK, now let’s see what we can do for MySQL (I chose MySQL, but this is valid for any relational database running on a UNIX, Linux or Mac platform). So, let’s see the steps for this:
1. upgrade or install the latest stable version of MySQL
2. disable remote access (this is the case when your Web server and your database server both run on the same physical machine)
3. change admin username and password
4. delete default database users and create new accounts for each application
5. delete the sample databases
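The MySQL steps 2 to 5, as an added example that is not part of the original post: a POSIX shell script that prints a my.cnf fragment for step 2 and the SQL for steps 3 to 5, meant to be reviewed and then piped into the mysql client. The account names dbadmin and shopapp, the schema shop and the two password environment variables are assumptions, and the `ALTER USER` syntax needs MySQL 5.7 or later.

```shell
#!/bin/sh
# Added example, not from the original post: my.cnf fragment and SQL for MySQL
# steps 2-5. Account names, schema name and password variables are assumptions;
# the SQL uses MySQL 5.7/8.0 syntax.

ADMIN_USER="${ADMIN_USER:-dbadmin}"     # assumption: new name for the root account
APP_USER="${APP_USER:-shopapp}"         # assumption: one account per application
APP_DB="${APP_DB:-shop}"                # assumption: the only schema that app may touch

# Step 2: accept TCP connections only from the local machine. If the
# application connects through the Unix socket, use skip-networking instead
# and no TCP port is opened at all.
mysql_local_only_cnf() {
    cat <<'EOF'
[mysqld]
bind-address = 127.0.0.1
# skip-networking
EOF
}

# Steps 3-5 as SQL. Review the output, then: mysql -u root -p < hardening.sql
# Passwords are taken from the environment and must not contain a single quote.
mysql_hardening_sql() {
    admin_pw="${ADMIN_PASSWORD:?set ADMIN_PASSWORD in the environment}"
    app_pw="${APP_PASSWORD:?set APP_PASSWORD in the environment}"
    cat <<EOF
-- Step 3: rename the administrative account and give it a fresh password
RENAME USER 'root'@'localhost' TO '${ADMIN_USER}'@'localhost';
ALTER USER '${ADMIN_USER}'@'localhost' IDENTIFIED BY '${admin_pw}';

-- Step 4: remove anonymous logins and any admin login from remote hosts
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User IN ('root', '${ADMIN_USER}')
  AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- Step 5: drop the sample database and the catch-all grants that point at it
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db LIKE 'test%';

-- Step 4 (continued): a least-privilege account for one application only
CREATE USER '${APP_USER}'@'localhost' IDENTIFIED BY '${app_pw}';
GRANT SELECT, INSERT, UPDATE, DELETE ON ${APP_DB}.* TO '${APP_USER}'@'localhost';

FLUSH PRIVILEGES;
EOF
}

case "${1:-}" in
    cnf) mysql_local_only_cnf ;;
    sql) mysql_hardening_sql ;;
    *)   echo "usage: $0 cnf | sql" >&2 ;;
esac
```

The application account deliberately gets no DDL, FILE or GRANT privileges: if the application's own code is compromised (the subject of the previous two articles), the attacker inherits only what that one account can do. Repeat the `CREATE USER`/`GRANT` pair for every application that shares the server rather than letting them share a login.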

Now, let’s move on to securing PHP on the server. Here the steps are:
1. upgrade or install the latest stable version of PHP
OBS: Here you should consider using a framework when building PHP applications; the Zend Framework is the one I would recommend, because it provides a number of libraries for security checks (see Zend Optimizer)
2. use the Suhosin patch and extension
Suhosin is (or tries to be) a safety net that protects servers from insecure PHP coding practices like the ones described in the previous two articles. The Suhosin patch fixes a few key vulnerabilities in the core PHP language. The Suhosin extension adds several encryption schemes and protects against various remote file inclusion attacks, session attacks, and a long list of other vulnerabilities. It also includes a toolbox of ready-made data filters and some advanced logging capabilities.

It can be downloaded from http://www.hardened-php.net/suhosin/index.html.
3. use the security features available in PHP and Apache (like safe_mode or suEXEC)
4. use ModSecurity
5. take care of the php.ini file (register_globals, session.cookie, display_errors, etc.)
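For step 5, an audit of php.ini, as an added example that is not part of the original post: a POSIX shell script that reads a php.ini and reports which of the settings named above (plus a few closely related ones) are still weak or not set explicitly. The list of keys and the expected values are this example's recommendations, not the post's, and the two sample php.ini fragments are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini for the settings
# step 5 refers to. Keys and expected values are this example's recommendations.

# get_ini_value FILE KEY: value of the last active "KEY = value" line, with any
# trailing ";comment", whitespace and surrounding quotes removed (empty if absent).
get_ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*;.*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' | tail -n 1
}

# ini_bool VALUE: normalise php.ini's boolean spellings to "on" or "off".
ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) echo on ;;
        *)             echo off ;;      # Off, 0, False, No, "" or anything else
    esac
}

# audit_php_ini FILE: print one line per weak setting; exit 0 only if none.
audit_php_ini() {
    file="$1"; findings=0
    for spec in \
        "register_globals:off:request input silently becomes global variables" \
        "display_errors:off:error text, paths and SQL leak to the browser" \
        "log_errors:on:with display off, errors must still go to a log" \
        "expose_php:off:the X-Powered-By header advertises the PHP version" \
        "allow_url_include:off:include() of remote URLs is remote file inclusion" \
        "allow_url_fopen:off:fopen() of remote URLs widens the same exposure" \
        "session.use_only_cookies:on:rejects session ids passed in the URL" \
        "session.cookie_httponly:on:keeps client-side script away from the session cookie"
    do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; why=${rest#*:}
        if ! grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
            echo "WEAK $key is not set (build default applies); set it to $want: $why"
            findings=$((findings + 1))
            continue
        fi
        have=$(ini_bool "$(get_ini_value "$file" "$key")")
        if [ "$have" != "$want" ]; then
            echo "WEAK $key is $have, want $want: $why"
            findings=$((findings + 1))
        fi
    done
    # open_basedir is a path list, not a boolean: it only has to be non-empty
    if [ -z "$(get_ini_value "$file" open_basedir)" ]; then
        echo "WEAK open_basedir is unset: scripts can open any file the web user can read"
        findings=$((findings + 1))
    fi
    echo "$findings weak setting(s) in $file"
    [ "$findings" -eq 0 ]
}

# Constructed sample 1: the permissive settings common on PHP 4/early PHP 5 hosts.
sample_weak_ini() {
    cat <<'EOF'
register_globals = On
display_errors = On
log_errors = Off
expose_php = On
allow_url_fopen = On
allow_url_include = On
session.use_only_cookies = 0
EOF
}

# Constructed sample 2: the same keys set the way this audit expects.
sample_hardened_ini() {
    cat <<'EOF'
register_globals = Off
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
session.use_only_cookies = 1
session.cookie_httponly = 1   ; PHP 5.2+
open_basedir = "/var/www/html:/tmp"
EOF
}

if [ "$#" -gt 0 ]; then
    audit_php_ini "$1"          # audit a real file: sh audit-php-ini.sh /etc/php.ini
else
    demo=$(mktemp)
    sample_weak_ini > "$demo";     audit_php_ini "$demo" || true
    sample_hardened_ini > "$demo"; audit_php_ini "$demo"
    rm -f "$demo"
fi
```

Run without arguments it audits the two constructed samples (nine findings for the weak one, none for the hardened one); with a path it audits that file. The audit insists on every listed key being present, because a php.ini that simply omits `display_errors` inherits PHP's built-in default of On, so "not mentioned" is not the same as "off". Remember that php.ini is read at process start, so Apache (or php-fpm) has to be restarted for changes to take effect.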

Well, that’s all I have to say about this. I hope you enjoyed it.

Related posts:

  1. Securing PHP Applications Part II – Securing PHP code
  2. Securing PHP applications Part I – Securing PHP code

3 Responses to “Securing PHP Applications Part III – Securing PHP on the server / Securing MySQL and Apache”

  1. ginecologie says:

    Excellent post. I was checking this blog constantly and I’m impressed! Very useful information, especially the last part :) I care for such info much. I was looking for this particular info for a very long time. Thank you and best of luck.

  2. spondiloza says:

    This herb can be found to be the best pain killer and anti-inflammatory herb, especially in the cases of arthritis and sciatica. Arthroplasty or combined replacement surgery are usually necessary in eroding types of osteoarthritis. One teaspoonful of triphala should be given to the sufferer, combined with a cup of warm milk and one spoon of sugar.

  3. ginecologie says:

    I believe what you published was actually very reasonable. But, consider this, suppose you composed a catchier title? I mean, I don’t want to tell you how to run your website, however what if you added a post title that grabbed a person’s attention? I mean “Securing PHP Applications Part III – Securing PHP on the server / Securing MySQL and Apache | PHP Code” is kinda vanilla. You should peek at Yahoo’s front page and note how they write news headlines to get viewers to open the links. You might try adding a video or a related picture or two to get readers interested in what you’ve got to say. In my opinion, it would make your blog a little livelier.
