I'm running a shared hosting environment and I'd like to know if it's even possible to secure Apache while it's running mod_php. I know I could go suPHP with PHP-CGI, but that would drastically increase the server load.
So what should I do to best secure the server?
So far I have:
Installed mod_security and mod_evasive.
Set disable_functions = ini_restore, popen, exec, shell_exec, system, passthru, proc_open, proc_close
Set open_basedir to the user's directory on the virtualhost
Would that be a secure environment for my users?
It's probably as secure as you'll get with mod_php, though no sane user would host with you with PHP restricted like that.
Ultimately it's never secure unless you use phpsuexec/suexec. There are always ways to avoid open_basedir and safemode restrictions. There's no way to work around phpsuexec/suexec file permissions. Yes, there's a performance hit, but it's negligible on all but extremely heavily loaded servers.
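An added example, not part of the original posts: a small Python check that the two PHP restrictions listed in the question are actually in force on every site. It assumes Apache-style `<VirtualHost>` blocks and that `open_basedir` is set with `php_admin_value`, which `.htaccess` and `ini_set()` cannot override, unlike `php_value`; the sample configuration, host names and function names are constructed.

```python
import re

# Functions the question lists in disable_functions (taken from the post).
REQUIRED_DISABLED = {"ini_restore", "popen", "exec", "shell_exec",
                     "system", "passthru", "proc_open", "proc_close"}

# Constructed sample input: a php.ini line and three virtual hosts.
SAMPLE_PHP_INI = "disable_functions = ini_restore, popen, exec, shell_exec, system, passthru\n"

SAMPLE_VHOSTS = """\
<VirtualHost *:80>
    ServerName alice.example
    php_admin_value open_basedir /home/alice/:/tmp/
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example
    php_value open_basedir /home/bob/
</VirtualHost>
<VirtualHost *:80>
    ServerName carol.example
</VirtualHost>
"""

def missing_disabled(php_ini):
    """Return the listed functions that php.ini does not disable."""
    m = re.search(r"^\s*disable_functions\s*=\s*(.*)$", php_ini, re.M)
    disabled = {f.strip() for f in m.group(1).split(",")} if m else set()
    return sorted(REQUIRED_DISABLED - disabled)

def audit_vhosts(conf):
    """Map ServerName -> finding for each <VirtualHost> block."""
    findings = {}
    for block in re.findall(r"<VirtualHost\b.*?</VirtualHost>", conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        ob = re.search(r"^\s*(php_admin_value|php_value)\s+open_basedir\s+(\S+)", block, re.M | re.I)
        key = name.group(1) if name else "(unnamed)"
        if not ob:
            findings[key] = "open_basedir not set"
        elif ob.group(1).lower() == "php_value":
            findings[key] = "open_basedir set with php_value (overridable)"
        else:
            findings[key] = "ok"
    return findings

if __name__ == "__main__":
    print("not disabled:", missing_disabled(SAMPLE_PHP_INI))
    print(audit_vhosts(SAMPLE_VHOSTS))
```

`disable_functions` is checked in `php.ini` only because PHP does not accept that directive from the Apache configuration or `.htaccess`.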