How to Secure Web Server and PHP

Posted by

As Programmers and IT Specialist apart from worrying on code security,installation and configuration of servers we use is a a large security concern to us.As part of our work in ensuring security of our systems we have to ensure that our web servers and PHP are well configured.these are some of the key features to take note of when setting up.

Updating our Software

every new update to our system always come with an enhanced security feature,hence you are encouraged to always run the latest software.For PHP,Apache HTTP Server, and Microsoft Internet Information (IIS),it is advisable that you go to the appropriate website like (http://www.php.net,httpd.apache.org, or www.microsoft.com/iis) on regular basis because these bare the trusted sites and downloads from these sites are free from viruses and those malicious codes also these updates comes with security related bug fixes.

Setting up Software New version

we are advised to always follow the laid down steps in configuring and installation of these software programs.these is always because these will ensure we get all the right modules and extension correct.whenever you follow installation of new version of the software you are assured not to forget something important,which only cause trouble later on .these steps are quiet many such that we may not be able to remember.

Setting of the php.ini file

These file contains the large number of configuration options for the module we need not to use ,if these modules are disabled then we need not to to worry but just ignore but for more guide we neen to check on the documentation that is provided online at http://www.php.net/manual to see each and every options that those modules offers

The trick behind these settings is on user if to choose to use legacy software vwritten in PHP hence will require that all register_globals or register_long_arrays to be on.we also have to evaluate whether using the software is worth the security risk, and to mitigate the risk we can frequently be checking on the updates.

Web Server Configuration

We have to look at our web server that is after configuring the PHP language engine.each server has own security configuration and procedure, the common servers are :

Apache HTTP Server

With using these server configuration options is done at the httpd.conf located in the /conf directory on the base installation of httpd( program Files/apache Software Foundation/Apache2.2/conf),for more obtain from these online documentation http://httpd.apache.org/docs-project

In addition to these also carry out the following:

  •  Ensure that the httpd run as a user without the high priorities
  •  Ensure that the file permissions on the apache installation are well set
  •  Ensure that the server is able tohandle the require number of connection
  •  Hide files that you do not want to be seen including appropriate directives found in httpd.conf example to exclude .inc add the following

Microsoft IIS

With IIS configuration

  •  We should avoid having websites residing on same drive as operating system.
  •  We use the NTFS file system and we remove the the write permissions from other locations
  •  We should delete all the files installed by IIS into the document root by default.
  •  We should avoid using common names

You are advised to read the documentation for IIS to learn on security features.

Leave a Reply

Your email address will not be published. Required fields are marked *