Hardened PHP deployment on Ubuntu

security linux ubuntu php

Here is a list of things that I was about to type up. There are other things you can do, like Suhosin, but the first link is a good start to this.


As you can't really trust your app developers to write secure code, you'll have to limit the attack vectors non-secure php code could provide. Using user input without proper sanitizing as SQL or as an argument to open() are classic examples of things that go wrong.

My brief list:

  • put the php environment inside a chroot jail, to limit the risks to the host.
  • make sure the php apps don't access the same databases which are used otherwise.
  • rate-limit (and monitor) outgoing mail. If there's a way to send email with user-specified content and address, some spammer will sooner or later find and exploit it.

I'm sure there are plenty of other things I either don't know about or I can't remember any more.

There are also plenty of stuff you as an administrator can't prepare for. For example, it's very hard to control cross-site scripting risks and to make sure mechanics inside the apps don't encourage any malicious use cases, such as using the app as a drop box for bad stuff like rootkits.

Related

Migrating from Sql Server Express 2005 to express 2008
Finding out the Version of Lotus Domino Server from Lotus Notes Client
What server monitoring tools will scale to 10K-100K nodes? [closed]
Is it possible to access a vm from Hyper-V server locally?
debian python2.6 as default?
How to redirect https://domain.com to https://www.domain.com using IIS?
Replace SATA controller without re-installing Windows
PostgreSQL: Permission to execute function (that inserts into a table) but no permission to insert directly
How can I determine how much memory a process is using in AIX?
Daily Activity Report On Linux [closed]
What would cause "Device not ready (errno=-16), forcing hardreset?
How to block Baidu from indexing MP3 files?