Exploits happen, but with some planning you can prevent the worst of them. Planning for an exploit means thinking about three things: how to limit the damage, how to recover, and how to prevent it in the first place. Limiting damage means limiting what a compromised script can reach. In my case I run PHP as a CGI under the script owner's own user account, so an exploited script can only touch files that user owns and it is much harder for it to damage things that belong to other users or to the system. Planning for recovery means having a backup, knowing how to restore from that backup, and knowing what other actions you'll need to take to recover (closing the hole that was used, changing any passwords the attacker could have read) before you put the site back up.
If you're running PHP, some of the worst exploits involve executing shell commands on your server. Luckily, this is also one of the most avoidable. A simple way to prevent it is to add all the functions that can execute shell commands to the "disable_functions" line in the php.ini file. Two things worth knowing: disable_functions can only be set in php.ini (it is a PHP_INI_SYSTEM setting), so a script cannot turn the functions back on with ini_set(); and it only closes the shell-execution path, so a compromised script can still write files, eval code or include remote code. It removes the easiest route to a shell, not every route.
Here’s what how mine is configured:
disable_functions = system, exec, passthru, proc_open, shell_exec, popen
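To check a server's php.ini against that list without reading it by eye, here is a small POSIX shell script. It is an added example, not code from the original post: it parses the disable_functions line, reports any process-spawning function that is still allowed, and runs against two constructed sample files (the post's line and PHP's commented-out default) so it works offline. The inclusion of pcntl_exec in the required list is my addition; it only exists when the pcntl extension is loaded, and the backtick operator is disabled automatically along with shell_exec, so it needs no entry.

```sh
#!/bin/sh
# Added example (not from the original post): check whether a php.ini's
# disable_functions line covers every function that can spawn a shell or
# process. Point it at /etc/php.ini or a php-fpm pool file on a real box.

# Functions that run commands. pcntl_exec is present only when the pcntl
# extension is loaded; listing it when absent is harmless. The backtick
# operator is disabled together with shell_exec, so it needs no entry.
REQUIRED="system exec passthru shell_exec popen proc_open pcntl_exec"

# Print, one per line, the REQUIRED functions that file $1 does NOT disable.
# Skips commented-out lines (";disable_functions =") because the pattern
# demands the key at the start of the line, and tolerates whitespace or
# quotes around the comma-separated names.
missing_disabled() {
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | tr -d ' \t"' | sort -u)
    for fn in $REQUIRED; do
        printf '%s\n' "$disabled" | grep -qx "$fn" || printf '%s\n' "$fn"
    done
}

# Exit status helper for use in scripts: 0 when nothing is missing.
check_ini() {
    [ -z "$(missing_disabled "$1")" ]
}

# Constructed sample files (not real server configs) so the script runs
# stand-alone: one with the post's line, one with PHP's shipped default.
TMP=$(mktemp -d)
printf 'disable_functions = system, exec, passthru, proc_open, shell_exec, popen\n' > "$TMP/post.ini"
printf ';disable_functions =\nmemory_limit = 128M\n' > "$TMP/default.ini"

for f in "$TMP/post.ini" "$TMP/default.ini"; do
    echo "$f still allows: $(echo $(missing_disabled "$f"))"
done
```

Against the post's own line the script reports only pcntl_exec as still allowed; against the default file it reports all seven. After editing the real php.ini and restarting the web server, confirm the change took effect from the same SAPI the site uses, since the CLI may read a different php.ini: `php -r 'var_dump(function_exists("exec"));'` prints bool(false) once the function is disabled.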
I’m not a security professional, but I’ve been around the block. Here are some places I go to for advice:
- Linux Security Cookbook - A good O’Reilly book that presents simple “recipes” for configuring a secure server. Its strength is that it explains why you take each step it lays out, which gives you a good starting point when thinking about security.
- The forums over at Serverbeach are full of great how-tos and tutorials.
- SecurityFocus has a great database that tracks vulnerabilities.
Just a note: if you disable those functions on a shared server, some scripts like Gallery may not work.
True, those scripts should be replaced with ones that are written entirely in PHP.