10 Simple Security Tasks for Locking Down Your LAMP Website, Page 2
6. Upgrade Early and Often
Despite being actively developed for almost 15 years, PHP is still subject to the occasional serious security issue. Over the years the alarm bells, which used to ring with security-related announcements, seem to have waned (not due to any fault on the PHP developer's part but rather I suspect due to the fact that the Web is a much busier place than in years past). For instance, although PHP 5.3 has been out for several months now, chances are quite a few developers are still running a PHP 5.2.X release, which up until 5.2.13 happens to contain several significant security issues.
Given the deluge of other information you're regularly perusing online, hoping a relevant feed reader headline catches your eye probably isn't the best way to keep abreast of required security updates. Instead, you should proactively monitor for any security-related news pertinent to your software stack; the easiest way to do so is by subscribing to the various project's announcement mailing lists. These low-volume lists will announce significant releases, often with links to the change logs (PHP announce list , Apache announce list , MySQL announce list).
7. Restrict the MySQL User Privileges
MySQL offers a powerful user management feature, which not only makes it easy to create and delete users, but also to selectively assign privileges that determine how the user can interact with your databases at the database, table, or even column level. For instance, you can restrict a user to being able to insert and update rows only into a particular table of a given database. Think back to the earlier SQL injection example involving an attacker successfully executing a
DROP TABLE command. Even if your site wasn't properly filtering user input, the attack would fail if you configured the database user responsible for running the website so that it was unable to execute the
DROP TABLE command.
Given the goal of hampering attackers by introducing several levels of security into your website's operation, consider configuring your website's database user privileges to only those that are necessary to power the site. You can learn more about MySQL's access privilege system here.
8. Disable your phpinfo Script
phpinfo() function within a PHP script will produce a long list of PHP- and server-specific configuration data, including information about the PHP version, extensions configured, and configuration directive settings. This information can be useful during the development process, providing an easy way to diagnose issues involving settings such as the
include_path directive and sessions.
This information could be equally beneficial to an attacker searching for ways to exploit your system, so be sure to remove this script when deploying the site. If you prefer to continue referencing it from the production server, configure Apache to restrict the file's access to your IP address.
9. Disable Potentially Dangerous PHP Functions
Continuing with the theme of layered security, consider adding potentially dangerous functions such as
phpinfo() to the
disable_functions directive within your
10. Mind the Document Root
Remember that unless your server is specifically configured to restrict access to certain files or directories, anything placed within your website's document root is subject to access via the browser! Therefore, be sure to remove image templates, development notes, documentation, and anything else that could provide an attacker with useful fodder for further exploitation.
The 10 tasks discussed in this article are all easily completed, and can greatly reduce the possibility of downtime due to an attack. What else are you doing to protect your site? Tell us about it in the comments!