Back story: I was cleaning up hacked web space on a shared host the other day, and found a script in the web directory that allows the attacker to inject code into all php and html files in the web directory. It had access to everything in the web directory, but I'm not sure which user permissions the file had.
Question: I think it would be difficult to prevent a php script running on a shared web host from having access to other web files (php, html, etc), due to lack of server configuration options. Is there a way to configure a linux apache http server (where you have full root access) so that even if the attacker was able to upload a script like that to the web directory, it wouldn't have access to modify other files on the server?
At a bare minimum, you should:
suPHP and the like aren't as useful for this sort of problem, as changing the user that the PHP scripts run under often then gives them access to write to places they shouldn't be ... the only way around it is to manage even more users (one set that the webserver uses, one set that's allowed to update files), and you lose one of the main advantages of being able to have it test that the file ownership is clean before running the script.
A short answer is yes, sure. As soon as you have root access you can protect your source files from modifications by the Apache user. But if your software relies on such modifications (for example, if a .php config file should be editable from the web app) it won't be possible to prevent the Apache user from modifying your source files without stopping your app from working as designed. And I bet the problem is in your FTP/SFTP client configuration, not in your shared hosting Apache server configuration. I think your PC was trojaned and a trojan app uploaded malicious code to your account using your credentials from your FTP/SFTP client. This is quite common these days.
my favorite module to compile in to allow apache to run as a different uid/gid per vhost is itk.
http://mpm-itk.sesse.net/
It's pretty new so generally it's not compiled in by default. It's faster than things like suexec or phpsuexec. You configure a vhost entry to run as a certain user. Then you can chmod the webroot of each user to something like 700 so only that user can get in there.
You can then run a module like mod_security to help stop SQL attacks.
Install something like suphp. http://www.suphp.org/Home.html
And then check the server all the time, to make sure none of your users does something silly like chmod 777 their directories.
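To make the two points above concrete (keep the Apache user from being able to write the source files, and keep checking for "chmod 777" slips), here is an added example that is not from any of the answers. It assumes a layout where a separate deploy account owns the code, the web server user is in that account's group, and the app only needs to write into one explicit uploads directory; the chown step is left as a comment so the functions also run without root.

```shell
#!/bin/sh
# harden_webroot WEBROOT WRITABLE_SUBDIR
#   directories 750, files 640: owner (deploy account) rw, group (web server) read-only,
#   world nothing. Only WRITABLE_SUBDIR is group-writable, so a script running as the
#   Apache user can drop files there but cannot rewrite index.php, config.php, etc.
harden_webroot() {
    webroot=$1
    writable=$2
    find "$webroot" -type d -exec chmod 750 {} +
    find "$webroot" -type f -exec chmod 640 {} +
    # The single directory the application must write into.
    chmod 770 "$webroot/$writable"
    # With root, also fix ownership; "deploy" and "www-data" are assumed names:
    #   chown -R deploy:www-data "$webroot"
}

# audit_webroot WEBROOT WRITABLE_SUBDIR
#   Prints every path outside WRITABLE_SUBDIR that is group- or world-writable
#   (-perm /022 is GNU find syntax) and returns 1 if anything is found, so it can
#   run from cron as the periodic check the last answer recommends.
audit_webroot() {
    webroot=$1
    writable=$2
    bad=$(find "$webroot" -path "$webroot/$writable" -prune -o -perm /022 -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run audit_webroot from cron and alert on a non-zero exit; run harden_webroot as part of every deploy so permissions are reset even if someone loosened them by hand.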