On 2022-03-10, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
> Hi,
> OWASP has some cheat sheets for hardening PHP configurations:
>
> https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html
>
> You can combine it with httpd, which would run the PHP app and website
> inside a chroot jail.
>
> You can also review the PHP application for the functions that it uses and
> then disable any functions not required by the PHP application
> (care needs to be taken with obfuscated / encoded website applications).
>
> You can also restrict the extensions that you don't need to reduce the
> attack surface.
>
> You can also set limits on the post / upload size (whether they are
> needed or not).
>
> You can also restrict HTTP methods (for instance, in a CMS site that doesn't
> require updates / login publicly (and allow posts from specific IPs)).
Here's another useful one: if the software you run doesn't need to make
outgoing network connections, or makes connections but only to certain
identifiable IP addresses, block them with PF. Ideally log these blocked
connections and check those logs to give you notice that there's a problem.

PF rules can look up the username - if you have different sites with different
needs, run them under different uids (multiple config sections with FPM or
nginx-unit+unit-php).

--
Please keep replies on the mailing list.
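As an added example (not configuration from either poster), here is a pf.conf fragment that does what the reply above describes: per-uid egress filtering with logging, so that each FPM pool can only reach what it needs. The interface em0, the uids www_sitea and www_siteb, and the 198.51.100.x API addresses are assumptions.

```conf
# Added example, not from the original thread.
# Assumptions: pool A runs as uid www_sitea and needs outbound HTTPS only to
# a payment API; pool B runs as uid www_siteb and needs no outbound access.
ext_if = "em0"

# Constructed placeholder addresses for the one destination pool A may reach.
# "const" keeps the table from being changed at runtime with pfctl -t.
table <sitea_egress> const { 198.51.100.10, 198.51.100.11 }

# Local sockets (DB, cache) stay open; only the external interface is policed.
set skip on lo0

# PF's "user" option matches the uid owning the socket, so it only works for
# TCP/UDP connections originating on this host (not for forwarded traffic).

# Pool B: log and drop every outbound connection attempt.
block out log quick on $ext_if proto { tcp udp } from any to any user www_siteb

# Pool A: log and drop anything not headed for the allowed API addresses.
block out log quick on $ext_if proto { tcp udp } from any to ! <sitea_egress> \
    user www_sitea

# Pool A: allow HTTPS to the API only.
pass out quick on $ext_if proto tcp from any to <sitea_egress> port 443 \
    user www_sitea

# The rest of the ruleset (inbound web, admin ssh, outbound for other
# users) is unchanged and follows here.
```

Logged drops appear on the pflog0 interface; `tcpdump -n -e -ttt -i pflog0 action block` shows them live, and reviewing them is how you notice a pool trying to call out where it should not.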