A PHP Programmer of Bangladesh

SECURING PHP & APACHE

August 15th 2007 in Apache Server, PHP

A few weeks ago I realized the importance of securing PHP and Apache. But at that time I knew very little about the security issues of PHP and Apache. Then I jumped to Google to learn about this. I found several things, and I found something very interesting, but also very important. Here is a brief summary; the details can be found in the attached document.

PHP related Security assumptions

In the case of the PHP security assumptions, the following have been added:

  • The PHP configuration should take advantage of built-in security mechanisms
  • PHP scripts must be executed in a chrooted environment
  • The Apache server must reject all requests (GET and POST) that contain HTML tags (possible cross-site scripting attack) or apostrophes/quotation marks (possible SQL injection attack)
  • No PHP warning or error messages should be shown to the web application's regular users

It should be possible to store incoming GET and POST requests in a text file, which makes it possible to use an additional host-based intrusion detection system (HIDS), e.g. swatch.

Apache Security Assumptions

One of the most important elements of every computer project is the specification of security assumptions. These must be fulfilled before the project is implemented. The security assumptions for our Web server are as follows:

  • The operating system must be hardened as much as possible, both against local and remote attacks;
  • The server must not offer any network services except HTTP (80/TCP);
  • Remote access to the server must be controlled by a firewall, which should block all outbound connections, and allow inbound connections only to the 80/TCP port of the Web server;
  • The Apache Web server must be the only service available on the system;
  • Only absolutely necessary Apache modules should be enabled;
  • Any diagnostic Web pages and automatic directory indexing service must be turned off;
  • The server should disclose the least amount of information about itself (security by obscurity);
  • The Apache server must run under a unique UID/GID, not used by any other system process;
  • Apache's processes must have limited access to the file systems (chrooting); and,
  • No shell programs can be present in Apache's chrooted environment (/bin/sh, /bin/csh etc.).
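As an added example (not from this post or the SecurityFocus article it references), the following httpd.conf fragment expresses most of the PHP and Apache assumptions listed above in concrete directives; the user/group name, document root and log paths are assumptions, and the php_admin_* lines assume PHP runs as mod_php.

```apache
# httpd.conf fragment (added example, not from the page or the referenced article).
# User/group name, document root and log paths are assumptions for illustration.

# Run the server under a dedicated UID/GID used by no other process.
User apache-web
Group apache-web

# Disclose as little as possible: only "Apache" in the Server header,
# and no version footer on server-generated error pages.
ServerTokens Prod
ServerSignature Off

# No automatic directory listings, includes or CGI in the document root.
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
</Directory>

# Keep PHP warnings and errors out of responses; log them server-side instead.
# php_admin_* settings cannot be overridden by .htaccess or ini_set() (assumes mod_php).
php_admin_flag display_errors Off
php_admin_flag log_errors On
php_admin_value error_log "/var/log/httpd/php_error.log"
php_admin_flag expose_php Off
php_admin_value open_basedir "/var/www/html"

# Reject requests whose query string carries HTML tags or quote marks,
# either literally or percent-encoded. mod_rewrite sees the raw (still
# encoded) query string, so both forms are matched. It never sees POST
# bodies; filtering and logging those needs a body-inspecting module
# such as mod_security. This is a coarse filter that complements, not
# replaces, parameterized queries and output escaping in the PHP code.
RewriteEngine On
RewriteCond %{QUERY_STRING} "[<>'\x22]" [OR]
RewriteCond %{QUERY_STRING} "(%3C|%3E|%27|%22)" [NC]
RewriteRule .* - [F]

# Record every request line (method, URI and query string) in a text
# file that a host-based IDS such as swatch can watch.
LogFormat "%h %t \"%r\" %>s %b" hids
CustomLog "/var/log/httpd/hids_access.log" hids
```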

Attached File: SECURING PHP & APACHE

Ref: www.securityfocus.com




Currently I am working at Right Brain Solution (RBS) as a Software Engineer (Team Leader). I started my journey at RBS on 6th Nov, 2007.
Where I was
I am a PHP professional from Bangladesh. I started my journey as a professional on 1st July, 2006 at EVOKNOW Incorporation. I was there for one and a half years. My position there was "Software Engineer (Lead Developer)". I left EVOKNOW on 5th Nov, 2007.
Self Formed
I do some freelancing work with some of my friends under this name. Our dream is to make it world famous in the field of web development and solutions. If you would like to work with us, send us your proposal at technopeoplebd@gmail.com