| 1 |
Dan Cowsill wrote: |
| 2 |
> Actually, I'd be pretty interested in what you have to rant about PHP. |
| 3 |
> I run apache with php_mod installed and have the http port open. Is |
| 4 |
> there a security risk I should be aware of? |
| 5 |
> |
| 6 |
|
| 7 |
It really depends on how badly the PHP application you're running has |
| 8 |
been written. Assuming you're keeping up to date on PHP and your webapps |
| 9 |
and have funky applications .htaccess'ed off you're reasonably safe. |
| 10 |
|
| 11 |
However I'd highly recommend adding hardenedphp to your php USE flags as |
| 12 |
it stops a number of things. I've never had a problem with the hardened |
| 13 |
patch over the past year or so and frankly would not use any application |
| 14 |
that it broke. |
| 15 |
|
| 16 |
Another simple trick is to have an empty vhost as your primary and your |
| 17 |
real applications sites only accessible by name. This way little script |
| 18 |
kiddies scanning by IP or hostname hits Apache they are dumped to the |
| 19 |
first loaded vhost, your empty one, instead of your actual site. Then |
| 20 |
thay come up with nothing when they hit |
| 21 |
/var/www/localhost/htdocs/wordpress/ instead of the actual site tree. |
| 22 |
Doesn't stop a determined person, but has the added benifit of keeping |
| 23 |
x20x20x20x20 type crap out of your real logs. :-) |
| 24 |
|
| 25 |
kashani |
| 26 |
-- |
| 27 |
gentoo-user@g.o mailing list |
Archives