Securing a FreeBSD Server

IT_Architect (Verified User, joined Feb 27, 2006, 1,088 messages)
Situation:
- I'm using FreeBSD and PHP CLI.
- There are no general hosters on this machine, only sites that belong to the same or related domains.
- I will be storing customer contact information in a database.
- I will be taking in credit card information and sending it in XML along with the customer's contact and CC information using a third party proprietary API for processing. I don't think I want to store CC information.

What I've done:
- I've read http://help.directadmin.com/item.php?id=247
- /tmp & /tmp/var are handled
- Register globals is off
- open_basedir is set up
- I plan to use pf for the firewall

Questions about http://help.directadmin.com/item.php?id=247:
- It appears ./build secure_php simply makes a list of disabled functions in the php.ini. From there I can comment out the ones I need or find work-arounds. It appears safe mode is similar, stronger, but without the control you get with the php.ini to re-enable functions. Safe mode doesn't look very realistic. From what I read it creates issues with mkdir, and doesn't even exist in PHP 6, so I will need a way to live without it at some point anyway.
- Mod_Security I haven't tried yet.
- Blocking other users on the system from seeing into each other's home directories doesn't look relevant for a server where the domains all belong to the same organization.
- On the binding of MySQL to 127.0.0.1, I wonder how much that helps when they need to be listed in Access hosts to have access anyway.
- One thing not on the list is Suhosin. I don't understand if that would be beneficial for me or not.
- Another question is, which of these actions would be undone when DA does an update?

Any other ideas appreciated.

Thanks!
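The hardening items listed in the post (register_globals off, open_basedir set, the disable_functions list that ./build secure_php writes, MySQL bound to 127.0.0.1) can be audited after every DA update with a short POSIX shell script, which also answers the "which of these get undone" question empirically. This is an added example, not DirectAdmin's build code and not the poster's; the two php.ini samples and the my.cnf are constructed for the demo, the list of functions expected in disable_functions is an assumption (the common command-execution functions, not necessarily what secure_php writes), and the real file locations on a FreeBSD/DirectAdmin box (/usr/local/lib/php.ini, /etc/my.cnf) are assumptions too.

```shell
#!/bin/sh
# Audit php.ini / my.cnf for the items in the post: register_globals off,
# open_basedir set, dangerous functions in disable_functions, mysqld on loopback.
# Added example, not DirectAdmin's ./build code or the poster's; real paths such
# as /usr/local/lib/php.ini and /etc/my.cnf are assumptions.

# Functions expected in disable_functions (assumed list: the common
# command-execution functions, not necessarily what secure_php writes).
DANGEROUS_FUNCS="exec system passthru shell_exec proc_open popen"

# ini_value FILE KEY: print the effective value of KEY; the last uncommented
# assignment wins, which is how PHP and mysqld treat repeated keys.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                   # whole-line comment
        /^[ \t]*\[/   { next }                   # [section] header
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)          # trailing ; comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)                 # strip surrounding quotes
            if (k == key) val = v
        }
        END { printf "%s", val }' "$1"
}

# php_bool_off VALUE: true when PHP's ini parser reads VALUE as false.
php_bool_off() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        ''|0|off|false|no|none) return 0 ;;
        *)                      return 1 ;;
    esac
}

# audit_php_ini FILE: one OK/FAIL line per check; always exits 0.
audit_php_ini() {
    f="$1"
    if php_bool_off "$(ini_value "$f" register_globals)"; then
        echo "OK   register_globals is off"
    else
        echo "FAIL register_globals is on"
    fi
    ob=$(ini_value "$f" open_basedir)
    if [ -n "$ob" ]; then echo "OK   open_basedir = $ob"
    else echo "FAIL open_basedir is not set"; fi
    # Comma-separated list; drop blanks so "exec, system" == "exec,system".
    disabled=",$(ini_value "$f" disable_functions | tr -d ' \t'),"
    for fn in $DANGEROUS_FUNCS; do
        case "$disabled" in
            *",$fn,"*) echo "OK   $fn is disabled" ;;
            *)         echo "FAIL $fn is not in disable_functions" ;;
        esac
    done
}

# audit_my_cnf FILE: pass if mysqld has no network listener at all
# (skip-networking) or listens on loopback only.
audit_my_cnf() {
    if grep -Eq '^[[:space:]]*skip-networking' "$1"; then
        echo "OK   mysqld networking disabled"; return 0
    fi
    case "$(ini_value "$1" bind-address)" in
        127.0.0.1|::1|localhost) echo "OK   mysqld bound to loopback" ;;
        *)                       echo "FAIL mysqld reachable on the network" ;;
    esac
}

# fail_count AUDIT_FN FILE: print the number of FAIL lines (exit 0 even when
# the count is 0, so it is safe to call under set -e).
fail_count() {
    "$1" "$2" | grep -c '^FAIL' || true
}

# Constructed sample files (not real server configs) so this runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
WEAK_INI="$SAMPLE_DIR/php-weak.ini"
HARD_INI="$SAMPLE_DIR/php-hardened.ini"
MY_CNF="$SAMPLE_DIR/my.cnf"
cat > "$WEAK_INI" <<'EOF'
; stock-looking php.ini, nothing locked down
register_globals = On
; open_basedir = /home
disable_functions =
EOF
cat > "$HARD_INI" <<'EOF'
; after secure_php plus manual edits
register_globals = Off
open_basedir = "/home:/usr/local/lib/php:/tmp"
disable_functions = exec, system, passthru, shell_exec, proc_open, popen
EOF
cat > "$MY_CNF" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
EOF

for f in "$WEAK_INI" "$HARD_INI"; do echo "== $f"; audit_php_ini "$f"; done
echo "== $MY_CNF"; audit_my_cnf "$MY_CNF"
```

Point the audit functions at the live files and run the script from cron or right after each DA update; any line that flips from OK to FAIL tells you which setting the update reverted. On the 127.0.0.1 question: the grant tables decide which user@host pairs may log in, but binding mysqld to loopback means there is no listener on the network interface at all, so a remote attacker never reaches the authentication step even if a grant entry is wider than intended; the two controls are complementary rather than redundant.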