[CentOS] Apache Security

Sun Jul 9 11:57:42 UTC 2006
David Hrbáč <hrbac.conf at seznam.cz>

Mike wrote:
> Some suggestions:
> (Already mentioned) Keep php scripts up to date!  This is paramount
> (Already mentioned) mount /tmp on loop with noexec
> (Already mentioned) php.ini: allow_url_fopen = off
> (Already mentioned) Learn how to use mod_security effectively
> (Already mentioned) Block outbound tcp/80 with iptables/etc
> (Already mentioned) SELinux can provide more fine grain control over
> 	- "who" can do "what"
> (Already mentioned) Use UNIX permissions to restrict access to
> 	- wget/curl/ncftp/lynx/etc
> 
> Additional:
> php.ini: disable_functions = system,exec,passthru,shell_exec,pcntl_exec
> 
For php 4.x I would also add safe_mode=On.
sed -i 's/safe_mode = Off/safe_mode = On/' /etc/php.ini
David Hrbáč
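
A way to verify the php.ini settings named in this thread after editing, as an added example that is not part of the original messages. The function names and the sample file are constructed for illustration; the sample shows that a line written as `safe_mode=Off` (no spaces) is not changed by the exact-match sed pattern above, so the check still reports it.

```shell
#!/bin/sh
# Added example (not from the thread): audit a php.ini for the directives
# discussed above. Function names and the sample file are constructed.

# Print the last uncommented value of directive $2 in file $1, lowercased,
# with inline ";" comments, surrounding quotes and whitespace removed.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' | tail -n 1 | tr 'A-Z' 'a-z'
}

# Report weak settings; the exit status is the number of findings.
audit_php_ini() {
    ini=$1 fails=0
    case $(ini_get "$ini" allow_url_fopen) in
        off|0|no|false) ;;
        *) echo "WEAK: allow_url_fopen is not off"; fails=$((fails + 1)) ;;
    esac
    case $(ini_get "$ini" safe_mode) in      # PHP 4.x advice from the thread
        on|1|yes|true) ;;
        *) echo "WEAK: safe_mode is not on"; fails=$((fails + 1)) ;;
    esac
    disabled=",$(ini_get "$ini" disable_functions | tr -d '[:space:]'),"
    for f in system exec passthru shell_exec pcntl_exec; do
        case $disabled in
            *",$f,"*) ;;
            *) echo "WEAK: $f missing from disable_functions"; fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# Constructed sample: safe_mode is written without spaces, so the thread's
# sed pattern 's/safe_mode = Off/.../' would leave it unchanged.
write_sample_ini() {
    cat > "$1" <<'EOF'
; allow_url_fopen = Off   (commented out, so it does not count)
allow_url_fopen = On
safe_mode=Off
disable_functions = system, exec, passthru
EOF
}

sample=$(mktemp) && write_sample_ini "$sample"
audit_php_ini "$sample" || echo "findings: $?"
rm -f "$sample"
```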