<<< Date Index >>>     <<< Thread Index >>>

Re: PHP security (or the lack thereof)




On Jun 16, 2006, at 5:21 AM, Darren Reed wrote:

[Funny commentary picking on PHP deleted]

For those of us that have to administer shared hosting servers where customers can and do build/install very poorly written web applications it can be a full time job trying to protect your server. The fact that the majority of these target PHP is interesting, but frankly not really relevant to those of us that need to maintain the environment. Due to the aggressive attempts to exploit these web applications we found we needed to do something more, and we found an excellent tool that helps out a lot with this, at least on servers running apache:

http://www.modsecurity.org/

It is essentially an application layer firewall that blocks certain known bad patterns from being passed through to the underlying web applications. This is in no way a substitute for good security policies on your web servers and ultimately fixing the underlying security problems of the web applications. When tuned well it can be a useful additional layer to help defend your server. It won't stop the underlying application from having terrible logic that is exploitable, but as you tune your modsecurity setup over time you can at least mitigate some of it.

I just wanted to pass this on in case any admins reading this list didn't know about it. It's really saved us a lot of time and energy.

Cheers,
        Neil