Newsgroups: php.internals
Date: Mon, 11 Jan 2021 14:45:24 -0600
From: ben@benramsey.com (Ben Ramsey)
To: Rene Veerman
Cc: Internals
Subject: Re: [PHP-DEV] silly question : what is more secure at the moment, php7, php8, or plain .sh shell scripts?

> On Jan 10, 2021, at 02:10, Rene Veerman wrote:
>
> hi.
>
> i run a website which i want to harden against hacking by 3rd parties.
>
> i wrote this website back in 2002-2010, and then built apps on top of the
> base code.
>
> now i want to upgrade the entire thing to the latest css3 standards and
> also include anti-hacking measures, because at one point i got kicked off
> the internet by my ISP because they detected the thing had indeed been
> hacked, and someone installed phishing software on my site.
>
> i want to employ cron jobs that run regularly, to do checksum testing of
> vital parts of my operating system.
>
> ideally, i could have a script run indefinitely or every 2 seconds, as
> root, from cron, to test for changes to my filesystem (well, the part that
> is governed by Directory section in
> /etc/apache2/sites-enabled/001-localhost.conf) and vital OS config files.
> but i do wonder if this is going to wear out the SSD where the OS and
> webserver files are stored on.
> and i wonder if i should be writing this script as some sort of shell
> script (bash? /bin/sh? i dunno (i run ubuntu 20.04)), or if i could be
> using the convenient php for it.
>
> and i would like to know if as far as exploits go, it's better to stay
> (currently) on php7.4, or move my entire setup to php8.
>
> thanks for your attention and any help you might provide me. :)

For the most recent security fixes, always run the latest version of a currently supported version of PHP:

https://www.php.net/supported-versions.php

Currently supported versions are 7.3, 7.4, and 8.0, so you should run either 7.3.26, 7.4.14, or 8.0.1.

Many Linux distributions back-port security fixes to earlier versions of PHP, so if you’ve installed PHP using a package manager, check with the maintainers to ensure your PHP version has the latest security updates.

Cheers,
Ben
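
Added example, not part of the original message or of any PHP tooling: a shell sketch of the check the reply describes, comparing a PHP version string against the releases it names and flagging packaged builds whose version number alone cannot settle the question because fixes may be back-ported. The function name and result labels are assumptions of this example, and the release list reflects the message's date.

```shell
#!/bin/sh
# Added example; result labels are this sketch's own, not PHP tooling output.
# Releases named in the message (11 Jan 2021). Refresh them from
# https://www.php.net/supported-versions.php before relying on the result.
MINIMUMS="7.3.26 7.4.14 8.0.1"

# classify_php_version VERSION prints one of:
#   current       at or above the named release for its branch
#   outdated      supported branch, older patch, plain upstream version string
#   check-distro  older patch but packaged build (suffix present): fixes may
#                 be back-ported, so confirm with the package maintainers
#   unsupported   branch is not in MINIMUMS
#   invalid       not an X.Y.Z version string
classify_php_version() {
    ver=$1
    core=${ver%%[-+~]*}        # "7.4.3-4ubuntu2.4" -> "7.4.3"
    suffix=${ver#"$core"}      # "-4ubuntu2.4" (empty for upstream builds)
    case $core in
        *[!0-9.]* | "" | .* | *. | *..* | *.*.*.*) echo invalid; return 0 ;;
        *.*.*) ;;
        *) echo invalid; return 0 ;;
    esac
    branch=${core%.*}          # "7.4"
    patch=${core##*.}          # "3"
    for min in $MINIMUMS; do
        if [ "$branch" = "${min%.*}" ]; then
            if [ "$patch" -ge "${min##*.}" ]; then
                echo current
            elif [ -n "$suffix" ]; then
                echo check-distro
            else
                echo outdated
            fi
            return 0
        fi
    done
    echo unsupported
}

# Classify the interpreter on this host, if one is installed.
if command -v php >/dev/null 2>&1; then
    classify_php_version "$(php -r 'echo PHP_VERSION;')"
fi
```

A `check-distro` result is a prompt to read the distribution's security tracker or package changelog, not a verdict in either direction.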