From: James Smallacombe
To: users@httpd.apache.org
Date: Fri, 19 Feb 2010 10:25:42 -0500 (EST)
Subject: [users@httpd] Suhosin vs. mod_security

After a recent PHP compromise of the www user on my web server via the Zen Cart "record company" exploit, I installed the Suhosin extension (the patch was already there). Suhosin helped a great deal.

It enabled me to block certain PHP functions globally and re-enable them on a per-vhost basis, as needed. Perhaps just as importantly, it logged violations, along with IP addresses, which not only enabled me to track down attackers, but also to troubleshoot which vhosts needed which functions to work properly.

After having customers' content providers patch their respective Zen Carts and purging/disabling the several c99shells and other nasty scripts uploaded by kiddies, we found that the patched Zen Carts wouldn't function properly, and it wasn't logging what part of Suhosin was blocking functionality. Neither the Zen developers nor the Suhosin author responded to requests for a workaround for this.

Sadly, there doesn't appear to be any current development or support for the Suhosin extension, no forum or mailing list. This leaves one wondering what the best way is to manage PHP (and other) security on the web server.

Does mod_security allow some of the same functionality, and is there current support and development of it? What's the best current practice WRT Apache and PHP security?

TIA,

James Smallacombe
PlantageNet, Inc. CEO and Janitor
up@3.am
http://3.am
=========================================================================

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
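The pattern James describes, a global function blacklist narrowed per vhost, as an added example that is not part of the original message. It assumes PHP runs as mod_php with the Suhosin extension loaded; the vhost names, paths and function list are constructed for illustration.

```apache
# httpd.conf, server-wide: deny the shell-spawning functions to every vhost.
# (Constructed list; tailor it to what your applications actually need.)
php_admin_value suhosin.executor.func.blacklist "exec,shell_exec,system,passthru,popen,proc_open"

# A shop that legitimately needs exec() for its image tools:
# narrow the blacklist for this vhost only, rather than clearing it.
<VirtualHost *:80>
    ServerName shop.example.com
    DocumentRoot /var/www/shop
    php_admin_value suhosin.executor.func.blacklist "shell_exec,system,passthru,popen,proc_open"
</VirtualHost>

# A staging copy of an application that breaks under the blacklist:
# simulation mode logs each violation (function name, script, client IP)
# without blocking it, which shows which Suhosin check is firing.
<VirtualHost *:80>
    ServerName staging.example.com
    DocumentRoot /var/www/staging
    php_admin_flag suhosin.simulation 1
</VirtualHost>
```

Because these are php_admin_* directives, a .htaccess or ini_set() call in the application cannot loosen them; simulation mode is for diagnosis on a non-public vhost, not for production.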