John Thomas wrote:
> Andras Got wrote:
>
>> Just ban wget, fetch and other dl clients, suspicious name is URL-s and
>
> Apologies for my ignorance, but does this mean you add lines to the conf
> file as follows:
>
> SecFilter wget
> SecFilter fetch

That would probably result in many false positives. But you may
want to try something like this:

  SecFilterSelective ARGS_VALUES "^(http|https|ftp):/.+(wget|curl)"

Of course, an even better thing would be to put php in a jail
where there are no user programs at all :)

>> of course you should secure your PHP (safe_mode, disable_functions,
>> open_basedir).
>
> Does this apply if I am the only console user on the box? I read that
> safe mode breaks some apps and it is most commonly useful when the box
> is shared.
>
> Also, if I may, what are the most dangerous functions you disable with
> disable_functions?

I covered that in my book. Incidentally, the PHP chapter is free:
http://www.apachesecurity.net/download/apachesecurity-ch03.pdf

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
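
The false-positive point in the reply above, shown as an added example that is not part of the original message or of ModSecurity: it runs the two broad keyword filters and the selective ARGS_VALUES pattern over constructed requests. Assumptions: Python's re stands in for the ModSecurity regex engine, the broad filters are modelled as a search over the whole request URI, and the helper names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns taken from the thread. Using Python's re in place of the
# regex engine ModSecurity uses is an assumption of this example.
BROAD = [re.compile("wget"), re.compile("fetch")]
SELECTIVE = re.compile(r"^(http|https|ftp):/.+(wget|curl)")

def broad_hit(request_uri):
    """Model of `SecFilter wget` / `SecFilter fetch`: search the whole URI."""
    return any(p.search(request_uri) for p in BROAD)

def selective_hit(request_uri):
    """Model of the ARGS_VALUES rule: test each decoded parameter value."""
    query = urlsplit(request_uri).query
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    return any(SELECTIVE.search(v) for v in values)

# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("/search.php?q=how+to+use+wget", "benign"),
    ("/docs/prefetch.html", "benign"),
    ("/download.php?file=wget-1.10.tar.gz", "benign"),
    ("/page.php?ref=http://www.example.org/news", "benign"),
    ("/index.php?page=http://host.example/a%3Fc%3Dwget", "suspicious"),
]

def evaluate(samples=SAMPLES):
    """Return (uri, label, broad, selective) for every sample."""
    return [(u, label, broad_hit(u), selective_hit(u)) for u, label in samples]

def false_positives(results, column):
    """Count benign samples flagged by the rule in column 2 (broad) or 3 (selective)."""
    return sum(1 for r in results if r[1] == "benign" and r[column])

if __name__ == "__main__":
    results = evaluate()
    for uri, label, broad, selective in results:
        print(f"{label:10} broad={broad!s:5} selective={selective!s:5} {uri}")
    print("broad false positives:", false_positives(results, 2))
    print("selective false positives:", false_positives(results, 3))
```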