
10 Simple Security Tasks for Locking Down Your LAMP Website

  • May 26, 2010
  • By Jason Gilmore

6. Upgrade Early and Often

Despite being actively developed for almost 15 years, PHP is still subject to the occasional serious security issue. Over the years, the alarm bells that used to accompany security-related announcements seem to have quieted (not due to any fault on the PHP developers' part but rather, I suspect, due to the fact that the Web is a much busier place than in years past). For instance, although PHP 5.3 has been out for several months now, chances are quite a few developers are still running a PHP 5.2.X release, which up until 5.2.13 happens to contain several significant security issues.

Given the deluge of other information you're regularly perusing online, hoping that a relevant feed reader headline catches your eye is not a reliable way to keep abreast of required security updates. Instead, proactively monitor for any security-related news pertinent to your software stack; the easiest way to do so is by subscribing to the various projects' announcement mailing lists. These low-volume lists announce significant releases, often with links to the change logs (PHP announce list, Apache announce list, MySQL announce list).

7. Restrict the MySQL User Privileges

MySQL offers a powerful user management feature, which not only makes it easy to create and delete users, but also to selectively assign privileges that determine how the user can interact with your databases at the database, table, or even column level. For instance, you can restrict a user to being able to insert and update rows only into a particular table of a given database. Think back to the earlier SQL injection example involving an attacker successfully executing a DROP TABLE command. Even if your site wasn't properly filtering user input, the attack would fail if you configured the database user responsible for running the website so that it was unable to execute the DROP TABLE command.

Given the goal of hampering attackers by introducing several levels of security into your website's operation, consider configuring your website's database user privileges to only those that are necessary to power the site. You can learn more about MySQL's access privilege system here.
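The per-table, least-privilege setup described above, written out in MySQL's GRANT syntax. This is an added example, not from the article; the database name `shop`, its tables, and the account names `webapp` and `migrator` are assumed for illustration.

```sql
-- Constructed example: database "shop", web-facing account webapp@localhost.

-- The account the website code connects with. Use a long random password.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-secret';

-- Grant only what the pages actually need, table by table.
-- Product catalogue: the site only reads it.
GRANT SELECT ON shop.products TO 'webapp'@'localhost';
-- Orders: the site creates and updates rows but never deletes them.
GRANT SELECT, INSERT, UPDATE ON shop.orders TO 'webapp'@'localhost';
-- Audit log: append-only; no SELECT, so a compromised page cannot read it back.
GRANT INSERT ON shop.audit_log TO 'webapp'@'localhost';

-- Nothing is granted at the database (shop.*) or global (*.*) level, so
-- DROP TABLE, ALTER, CREATE, DELETE and FILE are all denied to webapp.
-- An injected "DROP TABLE orders" therefore fails with
-- ERROR 1142 (42000): DROP command denied to user 'webapp'@'localhost' for table 'orders'

-- Verify the effective privilege set before deploying.
SHOW GRANTS FOR 'webapp'@'localhost';

-- Schema changes use a separate, more privileged account that is used only
-- from the deployment process, never by the web tier.
CREATE USER 'migrator'@'localhost' IDENTIFIED BY 'another-long-random-secret';
GRANT CREATE, ALTER, DROP, INDEX, SELECT, INSERT, UPDATE, DELETE
    ON shop.* TO 'migrator'@'localhost';
SHOW GRANTS FOR 'migrator'@'localhost';
```

Review the `SHOW GRANTS` output for each account whenever the application gains a new feature, since privileges tend to accumulate and are rarely revoked.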

8. Disable your phpinfo Script

Executing the phpinfo() function within a PHP script will produce a long list of PHP- and server-specific configuration data, including information about the PHP version, extensions configured, and configuration directive settings. This information can be useful during the development process, providing an easy way to diagnose issues involving settings such as the include_path directive and sessions.

This information could be equally beneficial to an attacker searching for ways to exploit your system, so be sure to remove this script when deploying the site. If you prefer to keep it available on the production server, configure Apache to restrict access to the file to your own IP address.

9. Disable Potentially Dangerous PHP Functions

Continuing with the theme of layered security, consider adding potentially dangerous functions such as exec(), system(), and phpinfo() to the disable_functions directive within your php.ini file.

10. Mind the Document Root

Remember that unless your server is specifically configured to restrict access to certain files or directories, anything placed within your website's document root is subject to access via the browser! Therefore, be sure to remove image templates, development notes, documentation, and anything else that could provide an attacker with useful fodder for further exploitation.

Conclusion

The 10 tasks discussed in this article are all easily completed, and can greatly reduce the possibility of downtime due to an attack. What else are you doing to protect your site? Tell us about it in the comments!

About the Author

Jason Gilmore is the founder of EasyPHPWebsites.com. He also is the author of several popular books, including "Easy PHP Websites with the Zend Framework," "Easy PayPal with PHP," and "Beginning PHP and MySQL, Third Edition."


Tags: security best practices, LAMP, Web security, security vulnerabilities



Page 2 of 2