SuPHP, mpm-worker + fastcgi, mpm-prefork.....oh my..
1. Do I need the suPHP module at all? Since I will be managing all 3 sites, would suPHP still benefit me from a security standpoint?
2. With a standard LAMP setup and WordPress installed under virtual domains, is there anything else that I should be doing to secure the sites? I did quite a bit of reading up all afternoon and I've read about sites that got hacked on a standard Debian LAMP setup (presumably running just Apache2 + PHP + MySQL), which makes me wonder what other steps are required to keep a simple blog running.
3. Does the Apache2 install enable mpm-prefork by default? If not, would it be better to use a vanilla Apache2, Apache2+prefork, or Apache2+worker+fastcgi? I looked up mpm-prefork and it's not clear why I should use it at all, considering all the efficiency issues that people are talking about.
4. With regards to the /tmp folder, if the permission is set to 777, how exactly does an attacker write files to the folder without getting SSH access?
Many thanks in advance!
4 Replies
2. WordPress has had a rather bad track record when it comes to security. Those PHP scripts contain tons of holes through which an attacker could hijack your site. You can try to minimize damages, though, by separating privileges and tightening some php.ini settings (open_basedir, safe_mode, allow_url_fopen, display_errors, etc.)
And don't forget to secure SSH.
3. The php5 package in Debian pulls in prefork by default. If you want FastCGI, you should install php5-cgi instead.
4. PHP has numerous filesystem-related functions as well as a generic exec() tool. So if one of your PHP scripts gets hijacked by a cracker, the script can do pretty much anything a logged-in user would be able to do.
Example PHP code:
file_get_contents('/etc/passwd');
exec('/nasty/command');
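As an added example (not part of the reply above), here is what the php.ini tightening mentioned in point 2 looks like for one WordPress vhost, with the weak stock values shown commented out next to the hardened ones. The paths /var/www/blog1, its tmp/ and logs/ subdirectories are assumptions; the directives themselves are standard PHP 5 ini settings.

```ini
; Added example, not from the thread: per-site php.ini for a WordPress vhost
; running as its own user (suPHP or FastCGI). Assumed site root: /var/www/blog1

; --- Weak values commonly found on a stock LAMP install ---
; open_basedir =            ; unset: a hijacked script reads anything the web
;                           ; user can, e.g. file_get_contents('/etc/passwd')
; allow_url_fopen = On      ; fopen()/include of remote URLs -> remote file inclusion
; display_errors = On       ; leaks filesystem paths and SQL fragments to visitors
; disable_functions =       ; exec() and friends fully available to every script
; upload_tmp_dir =          ; falls back to the shared, world-writable /tmp

; --- Hardened values ---
; Confine all file access to this site's own tree (plus its private tmp dir).
open_basedir = /var/www/blog1:/var/www/blog1/tmp

; No remote URLs through the stream wrappers; WordPress can use cURL instead.
allow_url_fopen = Off
allow_url_include = Off

; Log errors to a file the site user owns instead of showing them to visitors.
display_errors = Off
log_errors = On
error_log = /var/www/blog1/logs/php_error.log

; Remove the shell-execution family; a blog does not need it at runtime.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

; Keep uploads and session files out of the 777 /tmp the question asks about,
; so another site's hijacked script cannot plant or read them there.
upload_tmp_dir = /var/www/blog1/tmp
session.save_path = /var/www/blog1/tmp

; Do not advertise the PHP version in response headers.
expose_php = Off

; safe_mode is deprecated in PHP 5.3 and removed in 5.4; the per-user process
; model (suPHP/FastCGI) plus open_basedir is the supported replacement.
```

With suPHP or FastCGI each site can point at its own copy of this file, so a hole in one blog's plugins stays confined to that blog's directory tree.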
I read up on setting up Apache + mpm worker + fastcgi + suexec and it seemed pretty complicated, so I installed lighttpd + fastcgi instead as the install process and configuring modules made a lot more sense. Seems to be working fine with virtual hosts, though I'm not sure if this setup is as secure as using suexec with Apache.
Checked my logs today and there are already hundreds of failed login attempts via SSH, so I changed the port and the attacks died down somewhat. Will read up on the php.ini configuration next, as neither PHP nor MySQL has been optimized yet. Thanks again for the insight!
@hybinet:
4. PHP has numerous filesystem-related functions as well as a generic exec() tool. So if one of your PHP scripts gets hijacked by a cracker, the script can do pretty much anything a logged-in user would be able to do.
To learn about some of the possibilities, Mutillidae is a pretty neat illustration of vulnerabilities implemented in PHP. It should go without saying (but I'll do it anyway) that you should not install it on your Linode. :)