Re: PHP security (or the lack thereof)
On Jun 16, 2006, at 5:21 AM, Darren Reed wrote:
[Funny commentary picking on PHP deleted]
For those of us that have to administer shared hosting servers where
customers can and do build/install very poorly written web
applications it can be a full time job trying to protect your
server. The fact that the majority of these target PHP is
interesting, but frankly not really relevant to those of us that need
to maintain the environment. Due to the aggressive attempts to
exploit these web applications we found we needed to do something
more, and we found an excellent tool that helps out a lot with this,
at least on servers running apache:
http://www.modsecurity.org/
It is essentially an application layer firewall that blocks certain
known bad patterns from being passed through to the underlying web
applications. This is in no way a substitute for good security
policies on your web servers and ultimately fixing the underlying
security problems of the web applications. When tuned well it can be
a useful additional layer to help defend your server. It won't stop
the underlying application from having terrible logic that is
exploitable, but as you tune your modsecurity setup over time you can
at least mitigate some of it.
I just wanted to pass this on in case any admins reading this list
didn't know about it. It's really saved us a lot of time and energy.
Cheers,
Neil