A few weeks ago I realized the importance of securing PHP and Apache. At that time I knew very little about the security issues of PHP and Apache, so I turned to Google to learn about them. I found several things, including something very interesting and also very important. Here is a brief summary; the details can be found in the attached document.
PHP related Security assumptions
For PHP, the following security assumptions have been added:
- The PHP configuration should take advantage of built-in security mechanisms
- PHP scripts must be executed in a chrooted environment
- The Apache server must reject all requests (GET and POST) that contain HTML tags (possible Cross-Site Scripting attack) or apostrophes/quotation marks (possible SQL Injection attack)
- No PHP warning or error messages should be shown to the web application’s regular users
- It should be possible to store incoming GET and POST requests in a text file, which makes it possible to use an additional host-based intrusion detection system (HIDS), e.g. swatch.
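As an added example (not from the original article or the attached document), this Python script applies the request-filter rule above to stored GET and POST requests, the way a log watcher such as swatch would. The tab-separated log layout, the sample lines and the function names are assumptions made here; requests are URL-decoded before matching so that encoded apostrophes and tags are not missed.

```python
import re
from urllib.parse import unquote_plus

# The page's rule: HTML tags (possible XSS), apostrophes/quotes (possible SQLi).
HTML_TAG = re.compile(r"<[^>]*>")
QUOTES = re.compile(r"['\"]")

# Constructed sample log; the tab-separated layout is this example's assumption.
SAMPLE_LOG = """\
2005-03-01T10:00:01\t192.0.2.10\tGET\t/index.php?page=news\t-
2005-03-01T10:00:05\t192.0.2.11\tGET\t/item.php?id=1%27%20OR%20%271%27=%271\t-
2005-03-01T10:00:09\t192.0.2.12\tPOST\t/comment.php\tname=bob&text=%3Cscript%3Ealert(1)%3C%2Fscript%3E
2005-03-01T10:00:12\t192.0.2.13\tPOST\t/login.php\tuser=alice&pass=s3cret
"""

def decode(value, max_rounds=3):
    """URL-decode repeatedly so %27 and double-encoded %2527 are both caught."""
    for _ in range(max_rounds):
        value, previous = unquote_plus(value), value
        if value == previous:
            break
    return value

def classify(uri, body):
    """Return which parts of the page's rule a request violates."""
    parts = [decode(uri.partition("?")[2]), decode("" if body == "-" else body)]
    reasons = []
    if any(HTML_TAG.search(p) for p in parts):
        reasons.append("html-tag")
    if any(QUOTES.search(p) for p in parts):
        reasons.append("quote")
    return reasons

def scan(log_text):
    """Return (client, method, uri, reasons) for each suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed lines instead of crashing
        _, client, method, uri, body = fields
        reasons = classify(uri, body)
        if reasons:
            hits.append((client, method, uri, reasons))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```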
Apache Security Assumptions
One of the most important elements of every computer project is the specification of security assumptions. These must be specified before the project is implemented. The security assumptions for our Web server are as follows:
- The operating system must be hardened as much as possible, both against local and remote attacks;
- The server must not offer any network services except HTTP (80/TCP);
- Remote access to the server must be controlled by a firewall, which should block all outbound connections, and allow inbound connections only to the 80/TCP port of the Web server;
- The Apache Web server must be the only service available on the system;
- Only absolutely necessary Apache modules should be enabled;
- Any diagnostic Web pages and automatic directory indexing service must be turned off;
- The server should disclose the least amount of information about itself (security by obscurity);
- The Apache server must run under a unique UID/GID, not used by any other system process;
- Apache’s processes must have limited access to the file systems (chrooting); and,
- No shell programs can be present in Apache’s chrooted environment (/bin/sh, /bin/csh etc.).