Increasing PHP security: PHP functions
dl — Loads a PHP extension at runtime
This function is required for loading ionCube on the fly. However, if you have popular sites using ionCube, the better way is to load it from php.ini anyway: not only because of the speed increase, but also because you stay in control of the ionCube versions and can make sure they match your PHP version.
exec — Execute an external program
This function is required for XCart and for the spellcheck feature of Horde. There is nothing good about letting this function work. You could perhaps use safe_mode to designate a "safe bin" environment where users can execute only the binaries you allow.
fsockopen — Open Internet or Unix domain socket connection
This function is unfortunately required by the Virtuemart PayPal module, so it was removed from the example above. You can add it if you are sure that it won't break anything in your system.
PHP Error Handling and Logging
display_startup_errors
Even when display_errors is on, errors that occur during PHP’s startup sequence are not displayed. It’s strongly recommended to keep display_startup_errors off, except for debugging.
These are functions dealing with error handling and logging. They allow you to define your own error handling rules, as well as modify the way the errors can be logged. This allows you to change and enhance error reporting to suit your needs.
With the logging functions, you can send messages directly to other machines, to an email (or email to pager gateway!), to system logs, etc., so you can selectively log and monitor the most important parts of your applications and websites.
The error reporting functions allow you to customize what level and kind of error feedback is given, ranging from simple notices to customized functions returned during errors.
PHP hardening using session.cookie_httponly & session.referer_check
Setting session.cookie_httponly to 1 prevents JavaScript from accessing PHP session cookies. This can help prevent attackers from stealing session cookies. However, you may be unable to use this directive if your application reads the PHP session cookie from JavaScript.
session.referer_check allows PHP to check HTTP Referer values. You specify a domain, ensuring that session information is only passed internally while a user is working with a web application. This prevents your users from accidentally exposing session information that could let malicious users follow links and steal a session.
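As an added example (not code from the original page), the following POSIX shell script audits a php.ini for the settings discussed in the sections above: dl and exec in disable_functions (fsockopen is only reported, since the Virtuemart PayPal module needs it), display_startup_errors, session.cookie_httponly and session.referer_check. The php.ini path and the sample values are assumptions.

```shell
#!/bin/sh
# Audit a php.ini for the hardening points above: display_startup_errors, session.cookie_httponly,
# session.referer_check and dl/exec in disable_functions (fsockopen only reported: Virtuemart needs it).
# Usage: sh audit_php_ini.sh /usr/local/lib/php.ini   (exit status = number of findings; path assumed)

# Print the effective value of a directive: last uncommented assignment wins,
# inline ";" comments and surrounding quotes are stripped, empty if unset.
ini_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -iE "^[[:space:]]*${key}[[:space:]]*=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' \
              -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# PHP treats 1/On/Yes/True as enabled; anything else (including unset) as off.
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|yes|true) return 0 ;;
        *) return 1 ;;
    esac
}

# Report weak settings; return the number of findings (0 = hardened).
audit_php_ini() {
    ini="$1"; findings=0
    if is_on "$(ini_get "$ini" display_startup_errors)"; then
        echo "display_startup_errors is On (startup errors shown to clients)"
        findings=$((findings + 1))
    fi
    if ! is_on "$(ini_get "$ini" session.cookie_httponly)"; then
        echo "session.cookie_httponly is not 1 (session cookie readable from JavaScript)"
        findings=$((findings + 1))
    fi
    if [ -z "$(ini_get "$ini" session.referer_check)" ]; then
        echo "session.referer_check is empty (no Referer check on sessions)"
        findings=$((findings + 1))
    fi
    disabled=",$(ini_get "$ini" disable_functions | tr -d ' '),"
    for fn in dl exec; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "$fn is not in disable_functions"; findings=$((findings + 1)) ;;
        esac
    done
    case "$disabled" in
        *,fsockopen,*) echo "note: fsockopen is disabled; the Virtuemart PayPal module needs it" ;;
    esac
    return "$findings"
}
if [ "$#" -gt 0 ]; then audit_php_ini "$1"; fi
```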
cPanel encoders available when PHP is enabled
Suhosin for PHP
SourceGuardian Loader for PHP
Zend Optimizer for PHP
EAccelerator for PHP
IonCube Loader for PHP
A loader handles the reading and execution of encoded files at runtime.
References:
http://www.hardened-php.net/suhosin/
http://www.sourceguardian.com/encoder_help/index.html
http://www.zend.com/en/resources/zend-documentation/
http://eaccelerator.net/
PHP Memcache extension with cPanel
Download the latest stable version of memcache from http://pecl.php.net/package/memcache
Download and Install
wget http://pecl.php.net/get/memcache-2.2.5.tgz
tar xvf memcache-2.2.5.tgz
cd memcache-2.2.5
phpize
./configure && make && make install
Update php.ini Configuration
Create a file called test.php containing a phpinfo() call.
Determine which php.ini file is configured:
root@host [~/php]# php -f test.php | grep "Loaded Configuration File"
Loaded Configuration File => /usr/local/lib/php.ini