Security in Free Web Hosts



gamez
August 21st, 2007, 05:57
Ok hey all, I have got a reseller and I am offering free hosting to a certain number of people. I am hosted at a site called http://kwix-host.com.

Anyway, I want to keep this running for as long as possible, therefore I want to know what type of things should I ban so that everyone is safe.

I mean in the WHM, should I ban things like php_mail()? So please could you tell me a list of things that I should not allow, and please also a guide on how to get there and how to change it.

Thanks, I am hoping to keep everyone safe and secure - so please help out. This could also serve as a guide to other members who are running free webhosts, but don't know about these security issues that can be resolved.

amelen
August 23rd, 2007, 12:32
It's going to be kind of hard to keep something like that secure when you don't own the server. BUT I would start with modifying php.ini (if you have access to it). Things like php_mail(), fopen, fwrite, etc. should be blocked to be safe. I would also recommend setting PHP to safe mode.

amelen
August 23rd, 2007, 12:33
You probably don't have access to it, but this would also help:

"If you want to take your PHP security a step further and you compile your own version from the source code as opposed to using pre-built binaries, you can apply a special set of patches called Hardened PHP that toughen up PHP's internals to make them more robust. For example, it runs so-called "canary checks" that ensure buffer overflows are spotted and stopped before they can cause problems, but it also monitors the Zend Engine's memory management routines to make sure all memory is allocated and freed safely.

Although it does undoubtedly improve the security of PHP as a whole, we'd probably not recommend Hardened PHP to everyone - unless you're really paranoid, Hardened PHP is best left to environments with shared resources, such as shared hosting web servers."

Source: http://www.linuxformat.co.uk/wiki/index.php/PHP_-_Secure_coding

Decker
August 23rd, 2007, 13:23
I'd ask Trexhost for their suggestions as it's their servers so they can ensure nothing goes bad.
That, and if it looks suspicious it may well be, so check and recheck :)
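
A small check for the php.ini changes suggested in amelen's reply, added here as an example (not code from any poster in the thread): it reports which of the named functions are missing from `disable_functions` and whether `safe_mode` is on. It assumes the thread's `php_mail()` means PHP's `mail()`; the two sample ini texts are constructed.

```python
# Added example: audit php.ini text for the settings suggested in the thread.
# Assumption: the thread's "php_mail()" means PHP's mail() function.
SUGGESTED_BLOCKLIST = ("mail", "fopen", "fwrite")
TRUTHY = {"1", "on", "true", "yes"}  # values php.ini treats as boolean true

def _value(raw):
    """Strip quotes, or cut an unquoted value at an inline ';' comment."""
    raw = raw.strip()
    if raw[:1] in ('"', "'"):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return raw.split(";", 1)[0].strip()

def parse_ini(text):
    """Return {directive: value}; a later assignment overwrites an earlier one."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in ";[" or "=" not in line:
            continue  # blank line, comment (incl. commented-out directive), section
        key, _, value = line.partition("=")
        settings[key.strip()] = _value(value)  # directive names are case sensitive
    return settings

def audit(text, blocklist=SUGGESTED_BLOCKLIST):
    """List the suggested restrictions that this php.ini text does not apply."""
    ini = parse_ini(text)
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    findings = [f"disable_functions does not list {name}"
                for name in blocklist if name not in disabled]
    # safe_mode only exists before PHP 5.4; it was removed in that release.
    if ini.get("safe_mode", "").lower() not in TRUTHY:
        findings.append("safe_mode is not enabled")
    return findings

# Constructed samples, not taken from any real server.
WEAK_INI = """[PHP]
;disable_functions = mail,fopen,fwrite
disable_functions =
safe_mode = Off
"""
HARDENED_INI = """[PHP]
safe_mode = On
disable_functions = "mail, fopen, fwrite"  ; functions named in the thread
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(text) or "ok")
```

The commented-out `;disable_functions` line in the weak sample is deliberately ignored, since a directive behind a `;` has no effect.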