Tightening Apache 2.x and PHP 5.2

They have: 17 posts

Joined: Jun 2008

Hello,

First of all hello to everyone, new member here and glad I found this forum (sounds a bit pinky but don't be afraid, I won't hug anybody)

I'm quite new to server management, especially Linux servers, and recently my partner and I decided we'd try to create a bit of concurrence for the web hosting companies. I think at least one of you will ask why I manage a production server if I don't have the knowledge. Well, the answer is easy: basically I was thrown in the deep water; we had a managed server, then the firm which managed the server went out of business.

The server which will be used for the purpose is part of a seven-server cluster, the OS is CentOS 4.x, the server software is Apache 2.x.
I know that if we start this new service, some of our users will try to find the weak points of the server they have been assigned to.
This is something I would like to avoid, and I sincerely have no idea where to start with the server's tightening at the moment.

Could somebody enlighten me on the road I should work on?


OK, better said, what would be the recommended tightening on Apache's and PHP's level to ensure that no one can access other users' websites or their files or temp details such as the session etc., especially our own that are also hosted on the cluster?

Thanks in advance


He has: 1,581 posts

Joined: Nov 2005

Hey Methode, welcome to TWF

Does anyone have any ideas about this at all?
Mainly this bit:

Ensuring that no one can access other users' websites or their files or temp details such as the session etc., especially our own that are also hosted on the cluster?

As currently, while testing creating cPanel accounts, we had some nasty surprises with what info we could obtain from site-wide sessions etc., and only using basic PHP scripts loaded in a cPanel account's domain folder (so basically anyone with an account on the server could do the same).

Obviously, with allowing the general public to create an account, it has to be secure so no one can access the tmp sessions or other dirs for the main hosting website and other people's websites.

So I'm looking for general security tips for creating cPanel accounts for setup in Apache/PHP etc. But mainly the above. What do we have wrong that allows a dir listing for the entire server?
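The two symptoms above (one account's script reading another account's session data, and a directory listing of the whole box) map onto a handful of Apache and mod_php settings. The following is an added example, not configuration from this thread or from cPanel; the account name `alice`, the `/home/alice/...` paths and the hostname are placeholders for one shared-hosting account on an Apache 2.x / PHP 5.2 server.

```apache
# Added example (not from the thread): per-account isolation on a
# shared Apache 2.x / mod_php 5.2 host. Account name, paths and
# hostname are placeholders; adapt them to the real layout.

# Server-wide: turn off directory listings for every account tree, and
# keep "Options" out of AllowOverride so an account owner cannot switch
# "Indexes" back on from a .htaccess file.
<Directory /home>
    Options -Indexes -Includes +FollowSymLinks
    AllowOverride AuthConfig Limit FileInfo
</Directory>

<VirtualHost *:80>
    ServerName   alice.example.com
    DocumentRoot /home/alice/public_html

    # Confine PHP file access to this account's tree plus its own tmp.
    # php_admin_value cannot be changed from .htaccess or ini_set(), so
    # a script in this account cannot widen the restriction.
    php_admin_value open_basedir "/home/alice/:/home/alice/tmp/"

    # Give the account private session and upload directories instead of
    # the shared /tmp; combined with open_basedir, scripts in another
    # account can no longer read or list this account's session files.
    php_admin_value session.save_path "/home/alice/tmp/sessions"
    php_admin_value upload_tmp_dir    "/home/alice/tmp/uploads"

    # Stop include()/require() from pulling code over HTTP, and don't
    # advertise the PHP version in response headers.
    php_admin_flag allow_url_include Off
    php_admin_flag expose_php Off
</VirtualHost>
```

The per-account `tmp/sessions` and `tmp/uploads` directories must exist and be writable by the user PHP runs as. With mod_php every vhost runs as the Apache user, so `open_basedir` is a PHP-level wall rather than a filesystem boundary; running each account's PHP under its own UID (suPHP, suexec or per-user FastCGI) plus restrictive home-directory permissions is what makes the separation hold for non-PHP code as well.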

They have: 17 posts

Joined: Jun 2008

Hey greg, nice to see you again
Maybe I just chose a subject which is less popular than a snail's as*.


What about throttling per virtual host, let's say with mod_bw? Any experience with it, and reasons why or why not to do it?
