Mike wrote:
Some suggestions:
- (Already mentioned) Keep PHP scripts up to date! This is paramount.
- (Already mentioned) Mount /tmp on loop with noexec.
- (Already mentioned) php.ini: allow_url_fopen = off
- (Already mentioned) Learn how to use mod_security effectively.
- (Already mentioned) Block outbound tcp/80 with iptables/etc.
- (Already mentioned) SELinux can provide more fine-grained control over "who" can do "what".
- (Already mentioned) Use UNIX permissions to restrict access to wget/curl/ncftp/lynx/etc.
- Additional: php.ini: disable_functions = system,exec,passthru,shell_exec,pcntl_exec
For PHP 4.x I would also add safe_mode=On.

sed -i 's/safe_mode = Off/safe_mode = On/' /etc/php.ini

David Hrbáč
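An added example, not from this thread, that turns the php.ini and /tmp items above into a small POSIX sh audit; the sample php.ini and mounts file are constructed here, and the function names are assumptions of mine rather than any real tool's.

```shell
#!/bin/sh
# Added example (not from the thread): audit php.ini and /tmp mount options
# against the hardening items listed in the reply. Sample inputs are constructed.

# Constructed sample php.ini with the insecure defaults still in place.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample - not a real server's php.ini
allow_url_fopen = On
safe_mode = Off
disable_functions = system,exec
EOF

# Constructed sample in /proc/mounts format: /tmp is mounted without noexec.
SAMPLE_MOUNTS=$(mktemp)
printf 'tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0\n' > "$SAMPLE_MOUNTS"
trap 'rm -f "$SAMPLE_INI" "$SAMPLE_MOUNTS"' EXIT

# ini_value FILE KEY: value of the first uncommented "KEY = ..." line, lowercased.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | tr 'A-Z' 'a-z' | tr -d '[:space:]'
}

# check_php_ini FILE: prints one line per deviation from the recommended settings.
check_php_ini() {
    v=$(ini_value "$1" allow_url_fopen)
    [ "$v" = off ] || [ "$v" = 0 ] || echo "allow_url_fopen='$v' (want Off)"
    v=$(ini_value "$1" safe_mode)          # only meaningful on PHP 4.x
    [ "$v" = on ] || [ "$v" = 1 ] || echo "safe_mode='$v' (want On)"
    disabled=$(ini_value "$1" disable_functions)
    for f in system exec passthru shell_exec pcntl_exec; do
        case ",$disabled," in
            *",$f,"*) ;;                               # already disabled
            *) echo "disable_functions lacks $f" ;;
        esac
    done
    return 0
}

# findings_count FILE: number of deviations reported by check_php_ini.
findings_count() { check_php_ini "$1" | wc -l | tr -d ' '; }

# tmp_noexec MOUNTS_FILE: "yes" if /tmp carries the noexec option, else "no".
tmp_noexec() {
    opts=$(awk '$2 == "/tmp" { print $4 }' "$1")
    case ",$opts," in *,noexec,*) echo yes ;; *) echo no ;; esac
}

check_php_ini "$SAMPLE_INI"
echo "/tmp noexec: $(tmp_noexec "$SAMPLE_MOUNTS")"
```

Point the functions at the real /etc/php.ini and /proc/mounts to audit a live host.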