[CentOS] Apache Security

Sun Jul 9 02:40:34 UTC 2006
Mike <ekkikrist at yahoo.com>

On Thu, Jun 22, 2006 at 12:53:09PM -0400, Matthew T. O'Connor wrote:
> Is this a known problem?  Have others seen it?  What can I do to help 
> prevent this?
> 
> Thanks,
> 
> Matt

Yes, it's a problem with non-secure PHP configuration and vulnerable
PHP scripts.

Some suggestions:
(Already mentioned) Keep php scripts up to date!  This is paramount
(Already mentioned) mount /tmp on loop with noexec
(Already mentioned) php.ini: allow_url_fopen = off
(Already mentioned) Learn how to use mod_security effectively
(Already mentioned) Block outbound tcp/80 with iptables/etc
(Already mentioned) SELinux can provide more fine-grained control over
	- "who" can do "what"
(Already mentioned) Use UNIX permissions to restrict access to
	- wget/curl/ncftp/lynx/etc

Additional:
php.ini: disable_functions = system,exec,passthru,shell_exec,pcntl_exec

Lots of times I find something in httpd's crontab to re-infect /tmp,
so use cron.deny:

echo apache/httpd/www/etc >> /etc/cron.deny

I also block outbound access to tcp/6666-6669 (irc) and tcp/6881-6889
(bittorrent) as well as non-essential outbound udp (essential: dns, ntp)
to "contain" any damage caused by malware.

It is still possible to circumvent noexec.
mod_security will only protect you from disclosed vulnerabilities.

Security is a trade-off with convenience.  So you must evaluate your
options.  Shared web hosts tend to require convenience, while dedicated
needs lean more towards security.  Become familiar with the scripts you
are running, their requirements, their security track record, and
any alternatives if they exist.

- Mike
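
The following script is an added example, not code from Mike's message or
from the CentOS project. It turns the checklist above (allow_url_fopen off,
disable_functions covering the listed functions, /tmp mounted noexec, the
httpd user in cron.deny, outbound tcp/80, irc and bittorrent blocked) into
checks you can run against a php.ini, a /proc/mounts-style table and a
cron.deny file. All file names, function names and the sample file contents
are my own constructed inputs for illustration; the "apache" user name is an
assumption, substitute whatever your httpd actually runs as (the post's
"apache/httpd/www/etc" is shorthand for that, cron.deny wants one real user
name per line). The iptables rules are only printed, never applied.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a php.ini, a mount
# table and cron.deny against the hardening items in the thread.  Sample
# files below are constructed; helper and file names are my own.

# 0 if allow_url_fopen is Off/0 in the given php.ini, 1 otherwise.
php_url_fopen_off() {
    grep -Ei '^[[:space:]]*allow_url_fopen[[:space:]]*=[[:space:]]*(off|0)[[:space:]]*$' "$1" >/dev/null
}

# Print the functions from the thread's disable_functions line that the
# given php.ini does NOT disable (empty output means all are covered).
php_missing_disabled() {
    list=$(grep -Ei '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
           | tail -n 1 | cut -d= -f2- | tr -d ' \t')
    missing=""
    for f in system exec passthru shell_exec pcntl_exec; do
        case ",$list," in
            *",$f,"*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    echo "${missing# }"
}

# 0 if /tmp carries the noexec option in a /proc/mounts-style table, else 1.
tmp_noexec() {
    awk '$2 == "/tmp" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# 0 if user $2 is listed as a whole line in cron.deny file $1, 1 otherwise.
cron_denied() {
    grep -Fx "$2" "$1" >/dev/null
}

# Emit iptables rules rejecting outbound web/irc/bittorrent TCP from the
# httpd user (owner match).  Printed only; applying them needs root.
outbound_block_rules() {
    for p in 80 6666:6669 6881:6889; do
        echo "iptables -A OUTPUT -m owner --uid-owner $1 -p tcp --dport $p -j REJECT"
    done
}

# ---- constructed sample inputs -----------------------------------------
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
WEAK_INI="$D/weak.ini";  HARD_INI="$D/hard.ini"
MOUNTS_PLAIN="$D/mounts.plain"; MOUNTS_NOEXEC="$D/mounts.noexec"
CRON_DENY="$D/cron.deny"

cat >"$WEAK_INI" <<'EOF'
; constructed: default-ish php.ini
allow_url_fopen = On
disable_functions =
EOF
cat >"$HARD_INI" <<'EOF'
; constructed: hardened per the thread
allow_url_fopen = Off
disable_functions = system,exec,passthru,shell_exec,pcntl_exec
EOF
cat >"$MOUNTS_PLAIN" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw 0 0
EOF
cat >"$MOUNTS_NOEXEC" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF
printf 'apache\n' >"$CRON_DENY"

# Human-readable run against the samples.
for ini in "$WEAK_INI" "$HARD_INI"; do
    php_url_fopen_off "$ini" && echo "$ini: allow_url_fopen is Off" || echo "$ini: allow_url_fopen NOT Off"
    echo "$ini: still enabled -> '$(php_missing_disabled "$ini")'"
done
tmp_noexec "$MOUNTS_NOEXEC" && echo "noexec sample: /tmp is noexec"
tmp_noexec "$MOUNTS_PLAIN" || echo "plain sample: /tmp is NOT noexec"
cron_denied "$CRON_DENY" apache && echo "apache is in cron.deny"
outbound_block_rules apache
```

Run it against the real files (/etc/php.ini, /proc/mounts, /etc/cron.deny)
by passing those paths to the functions instead of the samples. As the post
says, noexec on /tmp can still be circumvented, so treat a clean audit as
one layer, not proof the box is safe.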