
What Security Issues I should have in PHP Hosting

Just wanted to know what could be the security cautions I should know about PHP Hosting?

Thanks


Here are some of the things:

  • Disable functions like eval, passthru, shell_exec, etc.
  • Remote URL injection, disable allow_url_fopen
  • Disable register_globals

And don't forget:

  • You are responsible too. Write secure code, read security tutorials out there.

PHP Security Guide

Finally as suggested by Rook, you should run:

PHPSecInfo script to see security settings of your host.

http://phpsec.org/projects/phpsecinfo/
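A minimal check of the three settings listed above, as an added example that is not part of the original answer or of the PHPSecInfo project; the function names `ini_flag_on` and `audit_php_settings` are hypothetical.

```php
<?php
// Added example: report the effective values of the directives named above.
// Run it on the host itself; CLI and web SAPI can load different php.ini files.
// Written without type declarations or short array syntax so it still parses
// on the old PHP versions where register_globals exists.

/** Interpret a boolean directive as returned by ini_get(). */
function ini_flag_on($value)
{
    if ($value === false) {          // directive does not exist in this build
        return false;
    }
    $v = strtolower(trim((string) $value));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

function audit_php_settings()
{
    $findings = array();

    // eval is a language construct, not a function, so disable_functions
    // cannot cover it; only real functions are checked here.
    $wanted   = array('passthru', 'shell_exec');
    $raw      = (string) ini_get('disable_functions');
    $disabled = array_filter(array_map('trim', explode(',', $raw)));
    foreach ($wanted as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not listed in disable_functions";
        }
    }

    if (ini_flag_on(ini_get('allow_url_fopen'))) {
        $findings[] = 'allow_url_fopen is enabled';
    }
    // register_globals was removed in PHP 5.4; ini_get() then returns false.
    if (ini_flag_on(ini_get('register_globals'))) {
        $findings[] = 'register_globals is enabled';
    }
    return $findings;
}

$findings = audit_php_settings();
foreach ($findings as $f) {
    echo "[!] $f\n";
}
if (count($findings) === 0) {
    echo "No findings for the checked directives.\n";
}
exit(count($findings) === 0 ? 0 : 1);
```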

For webhosts and Development Teams

In development environments make sure you have appropriate coding standards. If you feel you are hosting insecure code which you did not write, consider installing a Web Application Firewall. Also consider steps to prevent brute-force attacks (for example, if you are hosting popular CMS tools); an Intrusion Prevention System like Fail2Ban can help you do this. A lot of these issues are covered in this talk, Practical Web Security – Junade Ali; the video of the talk is here.

For PHP you can also consider using Suhosin which adds a number of security features to the PHP core. Be careful installing it first and test your sites afterwards to ensure it doesn't break anything.


If you speak as a developer (and not as a hoster), then don't rely on the server -- write secure code and you won't be harmed by any PHP configuration directive ever.


Clients often have access to Perl, PHP and shell accounts, which makes it easy for a client to DoS (Denial of Service) all the other clients with a badly written program. External DoS on the whole hosting service, which means that if an IP is experiencing a DoS attack, you also suffer the same problem with the others. More often than not, clients of shared hosting solutions also share an IP address with other clients. This arrangement often works out fine, but it is important to know that whatever happens to your neighbours sharing the same IP with you will also get to you. If your neighbour using the same IP is placed on a spam blacklist, everybody else using the IP will also share the same fate. It is very vulnerable to malware attacks. Other harmful data can be uploaded to the other sites easily, putting your site at risk. These can be introduced to the server through vulnerabilities of a legitimate client's website and can be used to steal data. DDoS attacks launched by software loaded into the server allow hackers to control an entire hosting server and then attack other servers, either from the same network or from other networks.
