Johnny Hughes wrote:
> Simon Jolle wrote:
>> 2008/2/11, James A. Peltier <jpeltier at cs.sfu.ca>:
>>> This is a very broad question to ask, however, I will appeal to the
>>> basics.
>>>
>>> 1) Use HTTPS whenever possible to avoid any passwords crossing the wire
>>> in clear text.
>>>
>>> 2) Ensure only the necessary modules are installed or enabled for your
>>> CMS to operate.
>>>
>>> 3) Always think least permissions necessary to perform the task.
>>>
>>> 4) Ensure that MySQL is locked down with least permissions necessary.
>>> At the very least after you've installed MySQL make sure to run the
>>> secure-mysql-installation script to assign a password to the MySQL root
>>> user and lock down some of the basic tables.
>>>
>>> Each system is different and you should follow the guidelines outlined
>>> by the CMS to properly secure. If you are not sure of what you are
>>> deploying, that's kinda scary; you should be wary of that and tread
>>> lightly.
>>
>> thank you
>>
>> I will deploy Wikka Wiki [0] - there are no explicit security settings
>> or guidelines
>>
>> How to harden Apache and PHP (without using SELinux)?
>
> SELinux is the "best" hardening step available for securing RH based
> php/httpd/mysql stacks (IMHO) ... why are you taking it off the table ???

Let me try:

- because it's too much? Complexity is the enemy of security. Lack of
  adequate documentation is the enemy of usability. I couldn't find simple
  directions on how to make a service work correctly in the presence of
  selinux (except disabling it). All docs I've seen place the discussion in
  a meta-world and require spending time understanding terminology and
  concepts that I am not sure to find useful.

- because it doesn't secure apache/php. It secures the system against
  apache (to some extent) but doesn't help securing apache itself.

> besides SELinux, you might want to look at php-suhosin:
>
> http://www.hughesjr.com/content/view/21/1/

It would be nice if RH included this by default...
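As an added example, not part of the thread above: a small POSIX sh audit of a php.ini against the kind of "harden PHP under Apache" baseline the question asks for. The directive names are standard php.ini settings; the hardened values chosen and the sample php.ini fragment are this example's own constructions.

```sh
#!/bin/sh
# Added example (not from the thread): report php.ini directives whose
# effective value differs from a hardened baseline. The baseline below is
# this example's choice (period-typical PHP hardening advice), not a
# recommendation from the list posters.

# Print "directive = actual (recommended: expected)" for each deviation.
# The last uncommented assignment wins, matching how PHP reads the file;
# comparison is case-insensitive and a missing directive reports "(unset)".
php_ini_audit() {
    ini="$1"
    while read -r directive expected; do
        actual=$(grep -Ei "^[[:space:]]*${directive}[[:space:]]*=" "$ini" \
                 | tail -n 1 | cut -d= -f2- | tr -d ' \t"' | tr 'A-Z' 'a-z')
        [ -z "$actual" ] && actual="(unset)"
        if [ "$actual" != "$expected" ]; then
            echo "$directive = $actual (recommended: $expected)"
        fi
    done <<EOF
expose_php off
display_errors off
allow_url_fopen off
allow_url_include off
register_globals off
EOF
    return 0
}

# Number of deviating directives, as a bare integer on stdout.
php_ini_deviation_count() {
    php_ini_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample php.ini fragment so the check runs offline.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample, not a real server's php.ini
expose_php = On
display_errors = Off
allow_url_fopen = On
; allow_url_include = On   (commented out, so effectively unset here)
register_globals = Off
EOF

# Expected: expose_php, allow_url_fopen and allow_url_include are flagged.
php_ini_audit "$SAMPLE_INI"
```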