Security
Re: Security
I think open_basedir should help you to resolve this problem: http://php.net/manual/en/ini.core.php#ini.open-basedir
-
grayfolk
- Support team
- Posts: 1111
- Joined: Tue Jul 30, 2013 10:18 pm
- Contact:
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Security
What about open_basedir in CLI?dreiggy wrote: ↑Thu Aug 30, 2018 8:32 pmI think open_basedir should help you to resolve this problem: http://php.net/manual/en/ini.core.php#ini.open-basedir
Re: Security
Think you should check the sftp chroot module from vesta: http://vestacp.com/features/
Re: Security
First of all no matter you have extra security on server on not but when you are really worried about security then you must first go for vestacp chroot plugin and then go for malware solution.
Solution 1: https://github.com/rfxn/linux-malware-detect
Solution 2: https://revisium.com/aibo/
Install these on your server and add a cron job via vestacp so these tools keep scanning your server time to time. But if i talk about myself i do not rely on softwares i do check the code myself for the file changes and that is the only best solution to beat the hackers as some codes cannot be detected by anti-virus (clamv) or these type of malware detectors. reason is hackers use obfuscate the php shells to decrease the detection so it is better to have a look on server files.
If you are a hosting and you have too many sites and you cannot spend time to check each file then i use another solution.
That is actually a bit awkward but i still do this. which is i have install a windows virtual machine on my system and installed 3 major antivirus Bitdefender / Kaspersky / Eset NOD and 1 malware scanner (Malwarebytes). Download all server backup to that virtual machine and scan it with all these 4 tools. if they come up with clean results there is nothing to worry but if not then find out the file on server and do what ever you like.
Solution 1: https://github.com/rfxn/linux-malware-detect
Solution 2: https://revisium.com/aibo/
Install these on your server and add a cron job via vestacp so these tools keep scanning your server time to time. But if i talk about myself i do not rely on softwares i do check the code myself for the file changes and that is the only best solution to beat the hackers as some codes cannot be detected by anti-virus (clamv) or these type of malware detectors. reason is hackers use obfuscate the php shells to decrease the detection so it is better to have a look on server files.
If you are a hosting and you have too many sites and you cannot spend time to check each file then i use another solution.
That is actually a bit awkward but i still do this. which is i have install a windows virtual machine on my system and installed 3 major antivirus Bitdefender / Kaspersky / Eset NOD and 1 malware scanner (Malwarebytes). Download all server backup to that virtual machine and scan it with all these 4 tools. if they come up with clean results there is nothing to worry but if not then find out the file on server and do what ever you like.
Re: Security
I use sftp chroot module. And all exactly from the account you can see any information on the otherScIT wrote: ↑Fri Aug 31, 2018 5:31 amThink you should check the sftp chroot module from vesta: http://vestacp.com/features/
Re: Security
Security is always first and you need to pay attention.
Re: Security
Funny everyone here, in ignorance, says use sftp plugin.
That does nothing for php. It ONLY restricts ssh.
open_basedir is what others suggested, and it is one of the first steps. Next would be to disable dangerous php functions that nearly ALL shared hosting providers disable.
OS? Nginx + Apache? Things needed to know.
I switched to PHP-FPM using the guide on the forum. (It worked perfectly for ubuntu 18.04). It is much more secure as it runs as the user. (NEVER run sites under admin, create a user).
:-)
That does nothing for php. It ONLY restricts ssh.
open_basedir is what others suggested, and it is one of the first steps. Next would be to disable dangerous php functions that nearly ALL shared hosting providers disable.
OS? Nginx + Apache? Things needed to know.
I switched to PHP-FPM using the guide on the forum. (It worked perfectly for ubuntu 18.04). It is much more secure as it runs as the user. (NEVER run sites under admin, create a user).
:-)
Re: Security
This is a MUST starting point for any shared hosting...
I use that even for my personal sites, just in case joomla exploit happens, php shell kits fail.
This will hinder some plugins, but... remove the plugin. Never compromise security for an addition to a site, EVER.
Code: Select all
disable_functions = exec,shell_exec,passthru,system,proc_open,popen,show_source
This will hinder some plugins, but... remove the plugin. Never compromise security for an addition to a site, EVER.
Last edited by chrisf on Sun Oct 21, 2018 8:28 pm, edited 1 time in total.
Re: Security
You can disable some php functions, read the message from chrisf