Newsgroups: php.internals
Xref: news.php.net php.internals:112863
Date: Wed, 13 Jan 2021 10:48:38 +0000
From: craig@craigfrancis.co.uk (Craig Francis)
To: Rene Veerman
Cc: Internals
Subject: Re: [PHP-DEV] silly question : what is more secure at the moment, php7, php8, or plain .sh shell scripts?

On Sun, 10 Jan 2021 at 08:10, Rene Veerman <rene.veerman.netherlands@gmail.com> wrote:

> i run a website which i want to harden against hacking by 3rd parties.

Hi Rene,

I'm not sure the PHP Internals mailing list is the best place to ask for this kind of help. And what you're talking about covers a lot of different things.

As to your specific questions...

Considering you are using Ubuntu 20.04, which is the current LTS version, make sure the software patches are being installed automatically, every night (via `apt`), and restart your server every now and again to make sure it's using the latest Linux Kernel.

Don't compile PHP yourself, unless you're prepared to re-compile as soon as a new version of PHP is available.
But that's just about fixing the security issues in the OS and PHP itself, which are (fortunately) fairly rarely the way attackers get in. The PHP scripts (and other things you install/write) on your server are often the main issue...

3rd party code, like frameworks, libraries, systems like WordPress, and plugins; these need to be kept up to date as well, because they have a lot of people looking for and exploiting issues in them (e.g. if someone finds an issue with WordPress, it's fairly trivial to use a service like Shodan to quickly find all websites running that bit of software, and start exploiting them).

The scripts you have written yourself, that's something completely different, and I'd suggest getting someone to check over your code, as there are many mistakes that can be made (see the OWASP Top 10 for an introduction)... or at the least, try to use a tool that can check for common security issues/mistakes (there are many vulnerability scanning tools out there).

As to looking for file changes on your system, I'd suggest this isn't a good use of your time, as things frequently change, and to create a system that can give you good reports (i.e. not filled with hundreds of perfectly good changes), that's difficult to get right. That said, there is software that's already been written to do this, for example `tripwire`. This is a basic guide that should still work:

https://computingforgeeks.com/how-to-install-and-configure-tripwire-on-ubuntu-18-04/

One simple technique for mitigating the risk of malicious files is user permissions. If your webserver is running under the 'www-data' account, make sure that account cannot create/edit/delete any files on your system (at the very least, not in the DocumentRoot). Yes, that can be tricky if people are legitimately uploading files (e.g. images), but the more restrictions you can apply, the better (because you, like everyone, will make mistakes).
And I hate to say this, but these are just the basics, server admin is a big subject, so is the whole area of security... and while I'd encourage people to get involved (as it's good fun), it's often much easier to get a 3rd party to host your website; or (if you can) use things like a static site generator (less things to go wrong).

Hope that helps,

Craig

On Sun, 10 Jan 2021 at 08:10, Rene Veerman <rene.veerman.netherlands@gmail.com> wrote:

> hi.
>
> i run a website which i want to harden against hacking by 3rd parties.
>
> i wrote this website back in 2002-2010, and then built apps on top of the base code.
>
> now i want to upgrade the entire thing to the latest css3 standards and also include anti-hacking measures, because at one point i got kicked off the internet by my ISP because they detected the thing had indeed been hacked, and someone installed phishing software on my site.
>
> i want to employ cron jobs that run regularly, to do checksum testing of vital parts of my operating system.
>
> ideally, i could have a script run indefinitely or every 2 seconds, as root, from cron, to test for changes to my filesystem (well, the part that is governed by Directory section in /etc/apache2/sites-enabled/001-localhost.conf) and vital OS config files.
> but i do wonder if this is going to wear out the SSD where the OS and webserver files are stored on.
> and i wonder if i should be writing this script as some sort of shell script (bash? /bin/sh? i dunno (i run ubuntu 20.04)), or if i could be using the convenient php for it.
>
> and i would like to know if as far as exploits go, it's better to stay (currently) on php7.4, or move my entire setup to php8.
>
> thanks for your attention and any help you might provide me. :)
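A concrete way to verify the permissions advice in the reply above (the web server account must not be able to create, edit or delete anything under the DocumentRoot), as an added example that is not part of the original mail: a POSIX shell audit that lists every path under a directory the web server could modify. The `www-data` user/group name, the sample directory tree and the file names in it are assumptions.

```sh
#!/bin/sh
# Added example (not from the original mail): list everything under a
# DocumentRoot that the web server account could create, edit or delete.
# User/group default to www-data, the Debian/Ubuntu Apache account (assumption).
#
# Three classes are reported, one path per line:
#   - world-writable entries (anyone can change them, the web server included)
#   - entries owned by the web user with the owner write bit set
#   - entries in the web group with the group write bit set
# Writable directories count too: the server could drop a new file into them.
audit_writable() {
    root=$1 usr=${2:-www-data} grp=${3:-www-data}
    find "$root" ! -type l -perm -002                    # o+w
    # Only run the ownership checks if the account exists on this host.
    if id "$usr" >/dev/null 2>&1; then
        find "$root" ! -type l -user "$usr" -perm -200   # owned by web user, u+w
    fi
    if getent group "$grp" >/dev/null 2>&1; then
        find "$root" ! -type l -group "$grp" -perm -020  # in web group, g+w
    fi
}

# Number of distinct offending paths; 0 is the goal for a read-only DocumentRoot.
count_writable() {
    audit_writable "$@" | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree standing in for /var/www/html, with two mistakes:
# a world-writable config include and a 777 uploads directory.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/includes" "$d/uploads"
    chmod 755 "$d" "$d/includes"
    printf '<?php\n' > "$d/index.php";       chmod 644 "$d/index.php"        # fine
    printf '<?php\n' > "$d/includes/db.php"; chmod 666 "$d/includes/db.php"  # finding
    chmod 777 "$d/uploads"                                                   # finding
    echo "$d"
}

# `sh audit.sh --demo` runs the audit against the constructed sample tree.
if [ "${1:-}" = "--demo" ]; then
    root=$(demo_tree)
    echo "Writable by the web server under $root:"
    audit_writable "$root"
    rm -rf "$root"
fi
```

On a real host, call `audit_writable /var/www/html www-data www-data` from cron and alert when the output is non-empty; an upload directory that legitimately must be writable should be the only path listed.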