Securing Apache/PHP
Nathan wrote in earlier with attempts to exploit PHP file inclusion that his server had automatically thwarted. He's promoting the use of mod_security, mod_evasive, fail2ban and suhosin in a Apache/PHP environment.
Since knowledge and experience is a way to win from the bad guys, how about sharing your favorite setup for Apache/PHP security (Basically a "LAMP" environment although I'd rather not focus on the OS part in there) and we'll summarize on this page. Also let us know what you like of the components you use, why they are your favorite etc.
mod_security
mod_security works inside the web server and gives many features you could expect from a intrusion prevention perspective if combined with the free core rules.
mod_evasive
http://www.zdziarski.com/projects/mod_evasive/
mod_evasive is a tool that evades DDoS and brute force attacks. It only works within every single instance of the httpd and as such should be safe for proxies and NAT-ed visitors. See also httpd-guardian in the Apache Security Tools.
fail2ban
Nathan used this tool to ban IP addresses doing repeated 404/501 error results. He catches attempts to hack forums based on PHP this way, and was able to trace it back to owned servers doing those attacks towards him.
suhosin
http://www.hardened-php.net/suhosin.127.html
Suhosin works more directly on the PHP engine itself, see the feature list.
Apache Security Tools
http://www.apachesecurity.net/tools/
Ivan Ristic has a collection of tools for monitoring and securing apache, check them out.
Secure Apache/PHP settings
- We had diaries on this subject before.
- Ivan Ristic has a chapter of his Apache Security book online.
- CISecurity's Apache benchmark: http://www.cisecurity.org/tools2/apache/CIS_Apache_Benchmark_v1.6.pdf
- NIST publication 800-44 (dated 2002 and wider than Apache alone)
I want to thank Ryan and Nathan as well as fellow handlers for the discussions.
--
Swa Frantzen -- net2s.com
Comments