  1. #1

    Apache, php, pureftpd, and security

    Hello, I am a very small ISP. I am not doing the 5.00 a month hosting plans. I started to build out a new server the other day, running PHP 6 and Apache 2 with MySQL. BIND, Postfix, Dovecot, etc. run on another box that is not a shared one.

    I know all my clients; I am not worried about them being malicious. However, I want to be able to feel safer in a shared environment for them, so that a bad WordPress install, or some other app that is installed, would be sandboxed to a degree. No SSH access currently, just FTP and FTP with TLS. I will probably be mandating TLS on this one.

    I am building from source and managing via the command line. Not looking for a control panel. I spent the better part of an entire day looking into how to secure PHP; most data is old, about safe mode, and a lot of it is all over the board. Is there a definitive guide I am missing?

    The current issue is that the usual tactic of file_get_contents(./../../ or exec(cat ../../../foo.txt) is going to allow someone to read others' files. Many ways to ../../ and recurse.

    I am using mod_php; from what I can gather, the other options (suexec etc.) are performance hits, and share the same weakness if the users do not know what they are doing, which most of mine do not.

    Of course, I set a virtual host and a directory block in Apache 2, locking the httpd process to that directory. That does not stop PHP from looking elsewhere, as all files are owned by a user and group that Apache can serve.

    Looking into open_basedir, this seems to solve a lot of this, sandboxing a user to their own area. It does not appear, as far as I can tell, to sandbox system calls like exec(). I will of course limit those, though how many off-the-shelf forums and other packages would break? Or is this really a case of those functions not being used in community software?

    I am looking for some general pointers on how to secure a shared hosting environment so users cannot read files other than those that are in a defined directory, and so that an exploit of something like WordPress would be locked to their files and DB as well.

    I am assuming every 5.00 a month host has figured this out, I just can not find anything current.

    Thank you.
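    The open_basedir sandbox the post is asking about, written out for a mod_php vhost, as an added example that is not from the original post or any of the replies. The customer name alice, the /srv/www and /srv/tmp layout and the PHP library path are assumptions. It also carries the two caveats the post runs into: disable_functions cannot be set per vhost, and open_basedir governs only PHP's own file functions.

    ```apache
    # php.ini (added example; these are PHP_INI_SYSTEM settings, and
    # disable_functions in particular is ignored if placed in httpd.conf,
    # so the exec() family can only be switched off server-wide here)
    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
    allow_url_fopen   = Off
    allow_url_include = Off
    expose_php        = Off

    # httpd.conf: one vhost per customer (assumed user "alice")
    <VirtualHost *:80>
        ServerName alice.example.com
        DocumentRoot /srv/www/alice/public_html

        <Directory /srv/www/alice/public_html>
            # No directory listings, and follow a symlink only if its owner
            # matches the target's owner (blocks "ln -s /srv/www/bob")
            Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
            AllowOverride None
            # Apache 2.2 syntax; Apache 2.4 uses "Require all granted"
            Order allow,deny
            Allow from all
        </Directory>

        # Trailing slashes matter: "/srv/www/alice" without one would also
        # match /srv/www/alice2. Paths are checked after symlink resolution.
        php_admin_value open_basedir "/srv/www/alice/:/srv/tmp/alice/:/usr/local/lib/php/"
        # Keep uploads and session files out of the shared /tmp, which every
        # other customer's PHP (running as the same Apache user) can read
        php_admin_value upload_tmp_dir    "/srv/tmp/alice"
        php_admin_value session.save_path "/srv/tmp/alice"
        php_admin_flag  display_errors Off
    </VirtualHost>
    ```

    What this buys: file_get_contents() and friends fail with an open_basedir warning as soon as the resolved path leaves the listed prefixes, so the ../../ traversal in the post stops at /srv/www/alice/. What it does not buy: exec("cat ../../../foo.txt") spawns a process that is not subject to open_basedir at all, and under mod_php that process runs as the one Apache user that can read every customer's files. That is why the exec family has to go in php.ini, and why the per-user execution models in the later replies (suPHP, suexec with FastCGI) are what actually remove the shared-user problem. To see how many installed packages would break before switching disable_functions on, grep the docroots for the names being disabled, e.g. `grep -rlE 'exec\(|passthru\(|shell_exec\(|system\(|popen\(' /srv/www`, and read the hits; PHP emits a warning and returns NULL for a disabled function rather than failing the request outright.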

  2. #2

    > I am using mod_php, from what I can gather, the other options (suexec etc), are performance hits, and share the same weakness if the users do not know what they are doing, which most of mine do not.

    Using something like suPHP and correct permissions on the users' base directory will overcome the issues you describe.

    Also, there have been multiple vulnerabilities in open_basedir that allow people to bypass the security.

  3. #3
    Hmmm, I've been trying suPHP, DSO and FastCGI. suPHP seems to be a memory eater or perhaps even a CPU killer (literally), FastCGI seems to be throwing loads of Error 500s, and DSO (mod_php) seems to be okay so far... I'm just really, really concerned about the security issues faced with it and hopefully someone can enlighten me about this?

  4. #4
    Compile Apache with mod_fcgid and PHP FCGI. Configure Apache to handle the child processes, timeouts, etc. You will see 500 errors when using fcgi with PHP handling the timeouts, etc. There is quite a bit of memory usage involved but if coupled with suexec then you can provide a pretty secure environment. Just get the permissions right on the system. I'm assuming all of this works correctly on Linux and memory management may be a little different with Linux. We run a similar config on all of our shared servers (FreeBSD). No problems.

  5. #5
    Hmm, that seems like a good configuration to try out. But what do you mean by configuring Apache to handle child processes, timeouts, etc.? Is there any guide for it, since I'm quite a beginner with these 500 errors I'm getting? Thanks.

  6. #6
    Check the Apache error log. Keep in mind, with suphp you can't use anything higher than 755 with file permissions.
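    A provisioning and audit helper for the suexec plus mod_fcgid model recommended in #4, as an added example that is not taken from the thread or from any project. It prints the per-user PHP wrapper and vhost fragment with the request limit kept in step between php-cgi and mod_fcgid (the mismatch behind the 500 errors asked about in #5), and finds the group- or world-writable paths that make suexec and suPHP refuse to run a script (the 755 rule in #6). The /srv/www layout, the php-cgi location, the example user alice and the tuning numbers are assumptions; adjust them to your build.

    ```shell
    #!/bin/sh
    # Added example: helpers for a per-user suexec + mod_fcgid PHP setup.
    # Assumptions: customers live under /srv/www/<user>, suexec was built with
    # --with-suexec-docroot=/srv/www, and php-cgi is at $PHP_CGI.

    PHP_CGI=/usr/local/bin/php-cgi   # assumed location of the FastCGI PHP binary
    MAX_REQUESTS=500                 # one value, used by both wrapper and vhost

    # Print the FastCGI wrapper for one user. suexec only runs it if it sits
    # under the suexec docroot, is owned by that user (uid above suexec's
    # minimum), and neither the file nor its directory is group/world-writable.
    php_wrapper() {
        user=$1
        cat <<EOF
    #!/bin/sh
    # Per-customer php.ini (open_basedir, upload_tmp_dir, session.save_path)
    PHPRC=/srv/www/$user/etc
    export PHPRC
    # mod_fcgid manages the pool; php-cgi must not fork children of its own
    PHP_FCGI_CHILDREN=0
    export PHP_FCGI_CHILDREN
    # php-cgi exits after this many requests. If it exits earlier than
    # mod_fcgid expects (FcgidMaxRequestsPerProcess larger than this value),
    # mod_fcgid hands the next request to a dead process: a 500 for the client.
    PHP_FCGI_MAX_REQUESTS=$MAX_REQUESTS
    export PHP_FCGI_MAX_REQUESTS
    exec $PHP_CGI
    EOF
    }

    # Print the vhost fragment for one user (Apache 2.2 access syntax; 2.4
    # replaces the Order/Allow pair with "Require all granted").
    vhost_conf() {
        user=$1
        cat <<EOF
    <VirtualHost *:80>
        ServerName $user.example.com
        DocumentRoot /srv/www/$user/public_html
        SuexecUserGroup $user $user
        <Directory /srv/www/$user/public_html>
            Options -Indexes +ExecCGI +SymLinksIfOwnerMatch
            AllowOverride None
            AddHandler fcgid-script .php
            FcgidWrapper /srv/www/$user/cgi-bin/php-wrapper .php
            Order allow,deny
            Allow from all
        </Directory>
        # Apache, not PHP, decides when a process retires and how many run
        FcgidMaxRequestsPerProcess $MAX_REQUESTS
        FcgidMinProcessesPerClass 0
        FcgidMaxProcessesPerClass 4
        # Raise these for slow scripts before blaming the application for 500s
        FcgidIOTimeout 90
        FcgidBusyTimeout 300
    </VirtualHost>
    EOF
    }

    # Server-wide mod_fcgid settings; these directives are server config only.
    fcgid_global_conf() {
        cat <<EOF
    FcgidIdleTimeout 120
    FcgidProcessLifeTime 3600
    FcgidMaxProcesses 64
    EOF
    }

    # Paths suexec and suPHP refuse: anything with the group-write (020) or
    # other-write (002) bit set. A "chmod 777 uploads/" is the usual culprit.
    audit_writable() {
        find "$1" \( -perm -020 -o -perm -002 \) -print
    }

    # Strip those bits, leaving directories at 755 and files at 644.
    fix_writable() {
        find "$1" \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
    }

    # Usage: sh fcgid-user.sh wrapper alice > /srv/www/alice/cgi-bin/php-wrapper
    #        sh fcgid-user.sh vhost alice   > /etc/httpd/vhosts/alice.conf
    #        sh fcgid-user.sh audit /srv/www/alice/public_html
    case "${1:-}" in
        wrapper) php_wrapper "$2" ;;
        vhost)   vhost_conf "$2" ;;
        global)  fcgid_global_conf ;;
        audit)   audit_writable "$2" ;;
        fix)     fix_writable "$2" ;;
    esac
    ```

    After writing the wrapper, chown it to the customer and chmod it 755; the same applies to /srv/www/alice/cgi-bin and public_html, which is what #6's "nothing higher than 755" means in practice. When a 500 still appears, the Apache error log names the cause (a suexec policy violation, a wrapper that exited, or an FcgidIOTimeout hit), which is the check #6 points to.
    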
