How do I secure my php website when using a hosting service?

Posted: Sun Sep 14, 2008 4:47 pm
by XanderG
Hi all,

I am new to php & I've never used a commercial hosting service before and I was hoping someone could either help me or point me to some tutorials which will show me how to secure my php website once it's hosted on a commercial web hosting service. Also, if anyone can suggest a good low cost web hosting service which includes php and MySQL databases I would be very grateful.

My php website is a very simple app which just displays content from a MySQL db, it also allows me to update content to an events web page on my site.

I don't want anyone to be able to download my php pages or view my MySQL db login details which the site uses to execute select queries to display content when a user browses to the site.

I would be very grateful of any help.

Thanks in advance,

Xander

Re: How do I secure my php website when using a hosting service?

Posted: Mon Sep 15, 2008 1:55 am
by Mordred
Web security is a huge topic; your question is way too broad. If you need a quick solution, I suggest hiring a pen-tester. Otherwise, read security books, mailing lists, sites, and blogs until you know enough about security to evaluate your own code and ask specific questions.

And nothing personal, but experience shows that if one starts worrying about security after the code is written, then there's definitely something to worry about :)

Re: How do I secure my php website when using a hosting service?

Posted: Mon Sep 15, 2008 2:10 am
by XanderG
Nothing personal but if you had read the question properly you would have realized that I'm not talking about the security of my app.

I tested my app's security in the dev environment and it is good, but that is very different from a commercial hosting company env. From just looking around at the commercial hosting options available online, you don't seem to have anywhere near the control over the apache/MySQL apps that you would in your own local env.

I tested a package with a commercial hosting company at the weekend and I was able to download my php files and view my db login details. There didn't seem to be a way to change the security options.

So, my question is... how do I secure my app once it has been put on to a commercial hosting company? Any useful help would be very much appreciated.

Xander.

Re: How do I secure my php website when using a hosting service?

Posted: Mon Sep 15, 2008 7:27 am
by Mordred
Fair enough, I haven't understood you properly.
Then again, pen-testing may also cover the server setup :)

Try this for some obvious pitfalls: http://phpsec.org/projects/phpsecinfo/
As for the security of the hosting itself, it's again too broad a topic - it depends on the OS and the various servers and their configurations.

XanderG wrote:... and I was able to download my php files and view my db login details.
How did you manage this? Are you sure it's the hoster's fault?

I'm not sure about what "control" you need in the hosting env, an example? If the company doesn't allow something you need, just move away to someone who does.

Re: How do I secure my php website when using a hosting service?

Posted: Mon Sep 15, 2008 6:08 pm
by XanderG
Yeah, that was my question basically: in my home testing environment I can set up the apache server, php software and MySQL db just the way I want them to be very secure, but when I buy some web space and deploy my site onto a hosting company's servers I don't think I will have the same control.

That's why I was looking for someone to offer some advice or point me to some resources which can help show me how to stop people viewing my folder structure on a hosting company's site. If I can stop this, I can stop people being able to "save as..." in a web browser and saving my .php files. I want to do this as I have a config.php file which stores my db login details (including username, password, db name). The username in the file only has 'SELECT' permission set in my MySQL db, but I still don't want users knowing this info, so I also need to know how to hide this file from people viewing my site.

My php code uses the select permission username to select content from my db and display it in my webpage.

Any help is much appreciated,

Thanks in advance...

Xander

Re: How do I secure my php website when using a hosting service?

Posted: Tue Sep 16, 2008 12:20 am
by alex.barylski
Depends on who you host your application with.

Just like quality source code...not every host is created equally. Most shared hosts are not configured for security but ease of implementation.

PHP is typically run as user apache/nobody or similar. This is what makes shared hosting so nasty.

Really, on a shared host you have nothing to do except keep an eye on your site and report any wrongdoings by other users of that host ASAP. If you want tighter security, switch to a dedicated host where you have complete control.

You should (at a minimum) make sure you have not missed any SQL injection opportunities AND make sure you cannot remotely include PHP files.

Code:

<?php
  $incfile = $_GET['module'];
  include($incfile); // Bad idea unless you make sure you sanitize that incoming GPC data really well

  echo 'Do something more';
Probably the two most frequent attacks which hosting companies care about.
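The snippet above shows the "remote/local file inclusion" mistake; the following is an added example (not code from the original post) of the same "load a module by name" feature written so that the request parameter never becomes a path. The module names, the `modules/` directory and the file names are assumptions for illustration.

```php
<?php
// Added example: whitelist-based module loading. The request value is only ever
// used as an array key, so neither "http://evil.example/shell.txt" nor "../config.php"
// can reach include(). (On the php.ini side, allow_url_include=Off is still worth
// confirming with the host, as defence in depth.)

// Assumed layout: modules live in ./modules/ next to this script.
$modules = [
    'home'   => __DIR__ . '/modules/home.php',
    'events' => __DIR__ . '/modules/events.php',
    'about'  => __DIR__ . '/modules/about.php',
];

// Map the requested name to a known file; anything unknown falls back to 'home'.
function resolveModule(array $modules, $requested): string
{
    // $_GET['module'] can be an array (?module[]=x), so insist on a string first.
    if (is_string($requested) && array_key_exists($requested, $modules)) {
        return $modules[$requested];
    }
    return $modules['home'];
}

$incfile = resolveModule($modules, $_GET['module'] ?? null);

// Belt and braces: confirm the resolved file really sits inside ./modules/.
$modulesDir = realpath(__DIR__ . '/modules');
$resolved   = is_file($incfile) ? realpath($incfile) : false;
if ($modulesDir === false || $resolved === false || strpos($resolved, $modulesDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Unknown module');
}

include $incfile;
echo 'Do something more';
```

The key property is that the only strings passed to `include` are literals written in the source; user input selects between them but never contributes characters to the path.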

Re: How do I secure my php website when using a hosting service?

Posted: Thu Sep 18, 2008 7:37 am
by Haravikk
XanderG wrote:That's why I was looking for someone to offer some advice or point me to some resources which can help show me how to stop people viewing my folder structure on a hosting company's site.
The easiest way to do this is to make sure every folder has either an index.php or an index.html file inside it; you can use dummy (empty) documents and it will prevent the listing.
You can also set strict permissions on folders so they are not world-readable. Most FTP programs give you simplified permission controls that make this fairly easy, but you need to find out what user your php scripts run as so you can make sure they still have access to the resources they need.

However, I've never encountered this "exploit" before as you describe it; a properly configured apache host should not allow non-FTP users to get at the contents of a PHP script. Basically when apache opens any resource it looks up behaviour based on type, and PHP by default should be configured to execute when opened, so if anyone did right-click -> "Save As" then all they would get is the data your PHP script outputs, not the contents of the script itself.
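Beyond index files and permissions, the most robust answer to XanderG's config.php concern is to keep the credentials file above the web root, where no URL can reach it regardless of how the host's PHP handler behaves. The following is an added example, not code from the thread; the paths, the `events(title, starts_at)` table and the SELECT-only account name are assumptions.

```php
<?php
// Added example. Assumed layout on the hosting account:
//   /home/user/app/config.php        -- db credentials, ABOVE the web root
//   /home/user/public_html/index.php -- this file, inside the web root
// A file outside public_html has no URL, so "Save As..." can never fetch it,
// even if the host ever mis-serves .php files as plain text.

declare(strict_types=1);

// Never show raw errors to visitors: a PHP warning can print the full path of
// config.php or the DSN.
ini_set('display_errors', '0');

// config.php is assumed to simply return an array, e.g.:
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=site;charset=utf8mb4',
//                 'user' => 'site_ro', 'pass' => 'REPLACE_ME'];
// where site_ro holds only SELECT on the tables this page reads.
$configFile = dirname(__DIR__) . '/app/config.php';
if (!is_readable($configFile)) {
    http_response_code(500);
    exit('Configuration missing');
}
$config = require $configFile;

try {
    $pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
} catch (PDOException $e) {
    error_log('DB connect failed: ' . $e->getMessage()); // server log, not the page
    http_response_code(503);
    exit('Site temporarily unavailable');
}

// Read-only query with a bound parameter: visitor input never becomes SQL text,
// which closes the SQL injection hole alex.barylski mentioned.
function upcomingEvents(PDO $pdo, int $limit): array
{
    $stmt = $pdo->prepare(
        'SELECT title, starts_at FROM events WHERE starts_at >= CURDATE() ORDER BY starts_at LIMIT :lim'
    );
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validate the only request parameter this page accepts (1..50, default 10).
$limit = filter_input(INPUT_GET, 'n', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 50]]) ?: 10;

echo "<ul>\n";
foreach (upcomingEvents($pdo, $limit) as $row) {
    // Escape on output so stored content cannot inject HTML or script into the page.
    printf("<li>%s - %s</li>\n",
        htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $row['starts_at'], ENT_QUOTES, 'UTF-8'));
}
echo "</ul>\n";
```

On shared hosts that allow it, `Options -Indexes` in a `.htaccess` file in the web root turns off directory listings outright, which covers folders where an index file was forgotten; whether `.htaccess` overrides are honoured is a per-host setting, so it is worth checking rather than assuming.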

Re: How do I secure my php website when using a hosting service?

Posted: Thu Sep 18, 2008 10:33 am
by Maugrim_The_Reaper
As to securing commercial hosting: the best thing you could do is sit down and outline the risks you see. Often they are pretty obvious and written about elsewhere in detail.

The main ones tend towards:

- Access control
- PHP/MySQL/Apache versions
- Control over configuration
- Control over installation/compilation
- Apache user account grouping
- Uptime rating

Noting these are the main ones - and from my perspective at least. There are others but it would be a long list and not strictly essential to basic security.

You really have three broad options for hosting. Shared Hosting, User Controlled Shared Hosting, and Virtual Private Servers. Each differs in the level of control over the hosting environment you can have.

The least secure is Shared Hosting - Apache runs under a common user account to other shared users which creates a common security risk. Sometimes the provider will offer Apache running under your user account which removes most of that risk, but not always (might be shared groups). This is the preferable option.

User Controlled Shared Hosting is quite rare but the whole PHP4 vs PHP5 problem has led to an uptake in availability - it's identical to shared hosting except you do have the option of compiling limited things to your own preferences. So you could compile PHP, Python and other libraries/extensions but need to keep the global version of Apache and MySQL. This adds a few benefits like being able to run the latest PHP, extensions, PEAR and even setup opcode caching which is generally impossible otherwise. Nearly always, Apache will run only under your username and separation from other accounts is very strict. The downside is that compilation is required - you can't avail of a Linux package manager. It also doesn't solve the performance issues of sharing resources with other accounts on the same server.

Virtual Private Servers (VPS) are the last step before you enter dedicated hosting. Basically it's getting a guaranteed slice of a dedicated server's RAM and CPU capacity in a virtualised instance of Linux you can customise to your heart's content. The downside is that it's usually a blank slate - you have to install and then maintain everything yourself. Usually this isn't a big deal if you're already Linux trained - a good package manager and common sense do wonders. The other downside is that it's more expensive, generally, and support for server problems is almost non-existent since you're responsible for all non-location maintenance. The upside is that you have dedicated resources no other virtual server can steal from you.

My 2c - I won't reiterate all the security risks/checks from others.

Re: How do I secure my php website when using a hosting service?

Posted: Sun Sep 21, 2008 11:35 pm
by phpeace-net
Is this the same thing as the https://?
Instead of http://
That is what I am looking for.
Thanks.