Dotnetpanel Forums

Hi,

I have been hosting my own site (http://drhack.net) for quite a while. But now I want to start a small hosting company.

With shared hosting come security issues. What I have been trying to get around is protecting the server against PHP Shells (like c99 and r57 etc.)

I read in numerous forums to disable php functions like exec(), fopen and numerous more.

BUT this does not solve my problem. If i plant a c99 shell on my server, I can still see the 3 drive letters and a directory listings DO open up. Removing IUSR (under which PHP fastCGI is running i guess) from the permissions solves the problem of READING/WRITING content, but still directory listings for drives shows up.

I managed to get my hands on a .dll extension of "suhosin" (Hardened PHP Project). It does show up in phpinfo() indicating that it is working BUT I have not been able to cripple the c99 and r57 shells with it. Any suggestions ?

Any suggestions and solutions??

Regards,

 Fadi,

 Under each root drive only allow permissions for Administrators and System. This should secure it.

well, i found another way... separate PHP settings for each directory (can be a user's root which applies across all his/her websites... and can overwrite that even a single site (by giving that site different php settings)

Regards,

Fadi

 Fadi, are you using CGI for PHP then instead of ISAPI?

 Ok, so that explains why. We had issues with FASTCGI, once you get more than 50 - 100 app pools running it starts throwing errors, just random "CGI Error" errors.

this is totally off-topic but i really loved the site template of your site www.reliablesite.net Where can i find it ?

thanks

It's not a template, the entire design was developed in-house to match our advertising goal.

If ACLs are setup fine on server's drive root and its definately possible to stop shell scripts like c99 and r57.

 Running each site under its own app pool adds more security to it.