tecno40 Posted July 22, 2011

So I'm about to open a hosting website, and will be letting the users use PHP and MySQL on my server. Since I will be allowing users to host their PHP code on this server I would like to make sure everyone's site is secure from hack attempts. Below is a list of what I've done so far to make it secure. Please tell me if this is enough to stop hacking, or if I need to add additional security.

1. Enabled disable_functions in php.ini with (NOTE: ini_set is not disabled)

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode,mysql_select_db"

2. Used ini_set() in a header PHP code to set open_basedir to the user's website directory

3. Put a string of 7 random characters as the password for my MySQL database to protect it

4. I will create a new user account on MySQL for every user
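Added example (editorial, not part of the thread and not any poster's code): a small linter for the kind of php.ini hardening listed in the post above. It flags disable_functions entries that cannot take effect (language constructs such as eval, malformed names), duplicate entries, and an open_basedir that is absent from php.ini. The function names and the sample excerpt are constructed for illustration.

```python
import re

# PHP language constructs: they are not functions, so disable_functions ignores them.
LANGUAGE_CONSTRUCTS = {"eval", "echo", "print", "include", "include_once",
                       "require", "require_once", "isset", "unset", "empty",
                       "exit", "die"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed excerpt modelled on the list in the post above.
SAMPLE_INI = '''
; per-tenant hardening (constructed sample)
disable_functions = "eval, exec, passthru, posix_setuid, posix_setuid, proc_open, shell_exec, system,mysql_select_db"
'''

def parse_ini(text):
    """Return {directive: value} for simple 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, ';' comments and [section] headers.
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(ini_text):
    """Return a list of (finding, name) tuples in the order encountered."""
    cfg = parse_ini(ini_text)
    findings, seen = [], set()
    raw = cfg.get("disable_functions", "")
    for name in (n.strip() for n in raw.split(",")):
        if not name:
            continue
        lname = name.lower()  # PHP function names are case-insensitive
        if not IDENT.match(name):
            findings.append(("malformed", name))
        elif lname in LANGUAGE_CONSTRUCTS:
            findings.append(("language_construct", name))
        if lname in seen:
            findings.append(("duplicate", name))
        seen.add(lname)
    # Without an ini-level value, the restriction only exists if runtime code
    # (for example an ini_set() call) executes before the tenant's script does.
    if not cfg.get("open_basedir"):
        findings.append(("open_basedir_not_in_ini", ""))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```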

phpSensei Posted July 22, 2011

You want to allow your users to create PHP scripts and run them on your site...? You're getting into a very risky procedure here if I understood correctly.

teynon Posted July 22, 2011

If you're serious about running a hosting site / server, get cPanel / WHM. I guarantee you're going to have a hard time managing a server with your own code. http://www.cpanel.net/

Ninjakreborn Posted July 22, 2011

As mentioned, I would be careful going down this path. It's really hard to set up your own hosting system. It is doable, but requires a great deal of work, and a server technician. I would make sure you get consulting from an actual server tech, as well as make sure you have the startup capital for something like that. A friend of mine started his own hosting company and did quite well (Stealth Central) but it cost him an arm and a leg for the first year.

gizmola Posted July 22, 2011

Start with fastcgi + suexec. You might want to look at the hardened php project. There's a nice tool here: http://www.idontplaydarts.com/2011/02/hardening-and-securing-php-on-linux/

tecno40 Posted July 22, 2011

I'm using IIS with FastCGI, and have written most of the hosting code myself so I have that part taken care of, but I still want to make sure everything is secure before I start letting testers in.

gizmola Posted July 22, 2011

Wouldn't be my platform of choice, but I guess you're running on a Windows OS? Since it seems part of your concern is trying to keep people from having insecure sites: http://www.hardened-php.net/suhosin.127.html

tecno40 Posted July 22, 2011

> Wouldn't be my platform of choice, but I guess you're running on a windows os? Since it seems part of your concern is trying to keep people from having insecure sites: http://www.hardened-php.net/suhosin.127.html

Thanks, I'll take a look at that.