php.ini
+ expose_php = Off
+ memory_limit = 64M
+ post_max_size = 20M
+ upload_max_filesize = 20M
+ display_errors = Off
+ disable_functions = proc_open,show_source,dl,exec,shell_exec,system,passthru,popen,pclose,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_access,posix_getpwuid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,imap_open,imap_reopen,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,eval,mail
(Note: make sure you also disable the mail function.)
+ enable_dl = Off
+ magic_quotes_gpc = Off
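As an added example (not part of this guide), here is a small POSIX shell script that audits a php.ini against the settings listed above: it checks the On/Off directives, that memory_limit is set, and that the command-execution functions and mail appear in disable_functions. The two php.ini files it writes are constructed for the demonstration and are not real server configs. Two details the check encodes: expose_php, display_errors, enable_dl and magic_quotes_gpc all default to On in PHP 5 when the directive is absent, so a missing line is reported as a finding rather than assumed Off; and eval is a language construct, not a function, so listing it in disable_functions has no effect (Suhosin's suhosin.executor.disable_eval directive is the control for that), which is why the required list below leaves it out.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a php.ini against the
# hardening baseline above. Usage: audit_php_ini /usr/local/lib/php.ini

# Functions that must appear in disable_functions. eval is deliberately absent:
# it is a language construct and disable_functions cannot block it.
REQUIRED_DISABLED="exec shell_exec system passthru popen proc_open mail"

# ini_get FILE DIRECTIVE: value of the first active (uncommented) assignment, trimmed.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# ini_bool VALUE: map PHP's boolean spellings to "on" or "off".
ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# audit_php_ini FILE: print one FAIL line per deviation; the return value is
# the number of deviations (0 means the baseline is met).
audit_php_ini() {
    file=$1
    findings=0
    # These four default to On when absent from php.ini, so "not set" is a finding.
    for pair in "expose_php off" "display_errors off" "enable_dl off" "magic_quotes_gpc off"; do
        set -- $pair
        raw=$(ini_get "$file" "$1")
        if [ -z "$raw" ]; then
            echo "FAIL: $1 not set (compiled-in default is On)"
            findings=$((findings + 1))
        elif [ "$(ini_bool "$raw")" != "$2" ]; then
            echo "FAIL: $1 = $raw (want $2)"
            findings=$((findings + 1))
        fi
    done
    if [ -z "$(ini_get "$file" memory_limit)" ]; then
        echo "FAIL: memory_limit not set"
        findings=$((findings + 1))
    fi
    # Wrap the list in commas so each name must match whole, not as a substring.
    disabled=",$(ini_get "$file" disable_functions | tr -d '[:space:]'),"
    for fn in $REQUIRED_DISABLED; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "FAIL: $fn missing from disable_functions"
               findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# Constructed sample files for the demonstration (not real server configs).
tmp=$(mktemp -d)
cat > "$tmp/hardened.ini" <<'EOF'
expose_php = Off
memory_limit = 64M
post_max_size = 20M
upload_max_filesize = 20M
display_errors = Off
disable_functions = proc_open,show_source,dl,exec,shell_exec,system,passthru,popen,mail
enable_dl = Off
magic_quotes_gpc = Off
EOF
cat > "$tmp/weak.ini" <<'EOF'
; expose_php = Off   <- commented out, so PHP's default (On) applies
display_errors = On
disable_functions = show_source
magic_quotes_gpc = Off
EOF

echo "== $tmp/weak.ini =="
audit_php_ini "$tmp/weak.ini" || echo "$? finding(s)"
echo "== $tmp/hardened.ini =="
audit_php_ini "$tmp/hardened.ini" && echo "baseline met"
```

Point audit_php_ini at the file that "php -i | grep php.ini" reports as the loaded configuration; the exit status doubles as a finding count, so it can gate a deployment script.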
=============================
WHM – Server setup – Tweak Security:
Enable open_basedir protection
Disable Compilers for all accounts (except root)
Enable Shell Bomb/memory Protection
Enable cPHulk Brute Force Protection
WHM – Account Functions:
Disable cPanel Demo Mode
Disable shell access for all accounts (except root)
WHM – Service Configuration – FTP Configuration:
Disable anonymous FTP access
WHM – MySQL:
Set a MySQL root password (don't reuse the password of the server root account)
-If you don't set a MySQL password, anyone will be able to log in to the database with
username "root" and no password and delete/edit/download any database on the server.
WHM – Service Configuration – Apache Configuration – PHP and SuExec Configuration
Enable suEXEC – suEXEC = On
When PHP runs as an Apache module it executes as the user/group of the
web server, which is usually "nobody" or "apache". suEXEC changes this so
scripts are run as CGI. That means scripts are executed as the user
that created them. With suEXEC, script permissions can't be set to
777 (read/write/execute at user/group/world level)
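Added example, not from the guide: before switching suEXEC on it is worth finding the scripts that will stop working. suEXEC refuses to execute a script whose group or world write bit is set, so 777 and 666 files start returning server errors the moment it is enabled. The POSIX shell functions below list such scripts under a document root, count them, and strip the offending bits; the sample tree they operate on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original guide: find PHP scripts that suEXEC will
# refuse to run (group- or world-writable) and repair their permissions.

# list_writable_php DIR: print scripts under DIR writable by group or others.
list_writable_php() {
    find "$1" -type f -name '*.php' \( -perm -020 -o -perm -002 \) -print | sort
}

# count_writable_php DIR: number of such scripts (0 means suEXEC-clean).
count_writable_php() {
    list_writable_php "$1" | wc -l | tr -d ' '
}

# fix_writable_php DIR: remove the group/other write bits from each offender.
fix_writable_php() {
    list_writable_php "$1" | while IFS= read -r path; do
        chmod go-w "$path"
        echo "fixed: $path"
    done
}

# make_sample_tree DIR: constructed sample document root for the demonstration.
make_sample_tree() {
    mkdir -p "$1/public_html/inc"
    printf '<?php echo "ok";\n' > "$1/public_html/index.php"
    printf '<?php echo "up";\n' > "$1/public_html/inc/upload.php"
    printf '<?php echo "h";\n'  > "$1/public_html/inc/helper.php"
    printf 'body{}\n'           > "$1/public_html/style.css"
    chmod 644 "$1/public_html/index.php"        # owner-writable only: fine
    chmod 777 "$1/public_html/inc/upload.php"   # world-writable: suEXEC rejects it
    chmod 666 "$1/public_html/inc/helper.php"   # group-writable: rejected as well
    chmod 777 "$1/public_html/style.css"        # not a PHP script: not reported
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "before: $(count_writable_php "$tmp/public_html") writable script(s)"
fix_writable_php "$tmp/public_html"
echo "after:  $(count_writable_php "$tmp/public_html") writable script(s)"
```

suEXEC applies the same rule to the directory that contains the script, so a complete sweep also runs the find with "-type d" over the account's document roots.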
PHP installation/update, configuration and optimization + Suhosin patch
First download what you need, type the following into SSH:
cd /root
wget http://www.php.net/get/php-5.2.9.tar.bz2/from/this/mirror
wget http://download.suhosin.org/suhosin-patch-5.2.8-0.9.6.3.patch.gz
wget http://download.suhosin.org/suhosin-0.9.27.tgz
Untar PHP:
tar xvjf php-5.2.9.tar.bz2
Patch the source:
gunzip < suhosin-patch-5.2.8-0.9.6.3.patch.gz | patch -p0
Configure the source. If you want to use the same configure options as your
last PHP build that is not a problem, but you will have to add
--enable-suhosin to the old options. To print the old configure line, type this into SSH:
php -i | grep ./configure
cd php-5.2.9
./configure --enable-suhosin <old configure options from "php -i | grep ./configure">
make
make install
Note: if you get an error like "make: command not found" or "patch: command
not found", you will have to install "make" and "patch". It can be done
easily. Just type this into SSH:
yum install make
yum install patch
Now check that everything is as you want. Upload a PHP script like this to the server:
<?php phpinfo(); ?>
And open it via your browser and you will see your PHP configuration there.
Suhosin
We will install Suhosin now; it's an advanced protection system for PHP.
tar zxvf suhosin-0.9.27.tgz
cd suhosin-0.9.27
phpize
./configure
make
make install
After you have installed Suhosin you will get a message like this: It's installed to /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
Now edit your php.ini. If you don't know where php.ini is located, type this into SSH:
php -i | grep php.ini
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
It means you have to edit /usr/local/lib/php.ini
Type into SSH:
nano /usr/local/lib/php.ini
If you get an error, nano: Command not found, then:
yum install nano
Find “extension_dir =” and add:
extension_dir = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
To save it, press CTRL + O and then Enter.
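Added example, not from the guide: setting extension_dir only tells PHP where to look. A shared extension is loaded from extension_dir plus the file name given on an active "extension=" line, so the module is only picked up when that line exists and the .so file is actually in that directory. The POSIX shell check below resolves the path the same way and reports the first of the three conditions that fails; the php.ini files and the placeholder suhosin.so it creates are constructed for the demonstration and mimic the path from the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm that php.ini can actually
# load Suhosin. PHP resolves a shared extension as extension_dir + "/" + the
# name on an active "extension=" line, so all three pieces must be present.

# ini_get FILE DIRECTIVE: value of the first active (uncommented) assignment, trimmed.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_extension INI NAME: return 0 when NAME.so is configured and present,
# otherwise print the first failing condition and return 1.
check_extension() {
    ini=$1; name=$2
    dir=$(ini_get "$ini" extension_dir | tr -d '"')
    if [ -z "$dir" ]; then
        echo "FAIL: extension_dir is not set in $ini"; return 1
    fi
    # Every active extension= line, quotes stripped; the directive may repeat.
    if ! sed -n 's/^[[:space:]]*extension[[:space:]]*=[[:space:]]*//p' "$ini" \
            | tr -d '"' | sed 's/[[:space:]]*$//' | grep -qxF "$name.so"; then
        echo "FAIL: no active extension=$name.so line in $ini"; return 1
    fi
    if [ ! -f "$dir/$name.so" ]; then
        echo "FAIL: $dir/$name.so does not exist"; return 1
    fi
    echo "OK: $name.so will load from $dir"
}

# Constructed sample layout for the demonstration (placeholder .so, not a real build).
tmp=$(mktemp -d)
extdir="$tmp/extensions/no-debug-non-zts-20060613"
mkdir -p "$extdir"
: > "$extdir/suhosin.so"
cat > "$tmp/good.ini" <<EOF
extension_dir = "$extdir"
extension = suhosin.so
EOF
cat > "$tmp/missing_line.ini" <<EOF
extension_dir = $extdir
; extension = suhosin.so
EOF
cat > "$tmp/no_dir.ini" <<'EOF'
extension = suhosin.so
EOF

for ini in good missing_line no_dir; do
    check_extension "$tmp/$ini.ini" suhosin
done
```

On the real server, run check_extension against /usr/local/lib/php.ini after editing it, then confirm with "php -m" that Suhosin appears in the list of loaded modules.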
Zend Optimizer:
Download Zend Optimizer from http://www.zend.com/store/products/zend-optimizer.php
tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
cd ZendOptimizer-3.3.3-linux-glibc23-i386
./install.sh
Welcome to Zend Optimizer installation… – press Enter
Zend licence agreement… – press Enter
Do you accept the terms of this licence… – Yes, press Enter
Location of Zend Optimizer… – /usr/local/Zend, press Enter
Confirm the location of your php.ini file… – /usr/local/lib, press Enter
Are you using Apache web-server… – Yes, press Enter
Specify the full path to the Apache control utility (apachectl)… – /usr/local/apache/bin/apachectl, press Enter
The installation has completed successfully… – press Enter
Now restart apache, type this into SSH:
service httpd restart
php.ini & disabled functions
Edit php.ini like this:
nano /usr/local/lib/php.ini